2010-05-03 17:13:09 +00:00
|
|
|
#
|
|
|
|
|
# $Id$
|
|
|
|
|
# $Revision$
|
|
|
|
|
#
|
|
|
|
|
|
2009-12-03 15:27:07 +00:00
|
|
|
module Msf
|
2023-01-30 12:25:46 +11:00
|
|
|
class Plugin::TokenHunter < Msf::Plugin
|
2009-12-03 15:27:07 +00:00
|
|
|
|
2023-01-30 12:25:46 +11:00
|
|
|
class TokenCommandDispatcher
|
|
|
|
|
include Msf::Ui::Console::CommandDispatcher
|
2009-12-03 15:27:07 +00:00
|
|
|
|
2023-01-30 12:25:46 +11:00
|
|
|
def name
|
|
|
|
|
'Token Hunter'
|
|
|
|
|
end
|
2013-09-30 13:47:53 -05:00
|
|
|
|
2023-01-30 12:25:46 +11:00
|
|
|
def commands
|
|
|
|
|
{
|
2023-07-06 12:49:39 +01:00
|
|
|
'token_hunt_user' => 'Scan all connected Meterpreter sessions for active tokens corresponding to one or more users'
|
2023-01-30 12:25:46 +11:00
|
|
|
}
|
|
|
|
|
end
|
2013-09-30 13:47:53 -05:00
|
|
|
|
2023-01-30 12:25:46 +11:00
|
|
|
def cmd_token_hunt_user(*args)
|
|
|
|
|
opts = Rex::Parser::Arguments.new(
|
|
|
|
|
'-h' => [ false, 'This help menu'],
|
|
|
|
|
'-f' => [ true, 'A file containing a list of users to search for (one per line)']
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
opt_userfile = nil
|
|
|
|
|
opt_users = []
|
|
|
|
|
|
|
|
|
|
opts.parse(args) do |opt, _idx, val|
|
|
|
|
|
case opt
|
|
|
|
|
when '-h'
|
|
|
|
|
print_line('Usage: token_hunt_user [options] <username> [username] .. [username]')
|
|
|
|
|
print_line(opts.usage)
|
|
|
|
|
return
|
|
|
|
|
when '-f'
|
|
|
|
|
opt_userfile = val
|
|
|
|
|
else
|
|
|
|
|
opt_users << val
|
|
|
|
|
end
|
2013-09-30 13:47:53 -05:00
|
|
|
end
|
|
|
|
|
|
2023-01-30 12:25:46 +11:00
|
|
|
if opt_userfile
|
|
|
|
|
::File.open(opt_userfile, 'rb') do |fd|
|
|
|
|
|
fd.each_line do |line|
|
|
|
|
|
line.strip!
|
|
|
|
|
next if line.empty?
|
|
|
|
|
next if line =~ /^#/
|
|
|
|
|
|
|
|
|
|
opt_users << line
|
|
|
|
|
end
|
2013-09-30 13:47:53 -05:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2023-01-30 12:25:46 +11:00
|
|
|
opt_users.uniq!
|
2013-09-30 13:47:53 -05:00
|
|
|
|
2023-01-30 12:25:46 +11:00
|
|
|
tokens_del = {}
|
|
|
|
|
tokens_imp = {}
|
2013-09-30 13:47:53 -05:00
|
|
|
|
2023-01-30 12:25:46 +11:00
|
|
|
framework.sessions.each_key do |sid|
|
|
|
|
|
session = framework.sessions[sid]
|
|
|
|
|
next if session.type != 'meterpreter'
|
2013-09-30 13:47:53 -05:00
|
|
|
|
2023-01-30 12:25:46 +11:00
|
|
|
print_status(">> Scanning session #{session.sid} / #{session.session_host}")
|
2013-09-30 13:47:53 -05:00
|
|
|
|
2023-01-30 12:25:46 +11:00
|
|
|
if !session.incognito
|
|
|
|
|
session.core.use('incognito')
|
|
|
|
|
end
|
2013-09-30 13:47:53 -05:00
|
|
|
|
2023-01-30 12:25:46 +11:00
|
|
|
if !session.incognito
|
|
|
|
|
print_status("!! Failed to load incognito on #{session.sid} / #{session.session_host}")
|
|
|
|
|
next
|
|
|
|
|
end
|
2013-09-30 13:47:53 -05:00
|
|
|
|
2023-01-30 12:25:46 +11:00
|
|
|
res = session.incognito.incognito_list_tokens(0)
|
|
|
|
|
next unless res
|
2013-09-30 13:47:53 -05:00
|
|
|
|
2023-01-30 12:25:46 +11:00
|
|
|
res['delegation'].split("\n").each do |user|
|
2013-09-30 13:47:53 -05:00
|
|
|
opt_users.each do |needle|
|
2023-01-30 12:25:46 +11:00
|
|
|
ndom, nusr = needle.split('\\')
|
|
|
|
|
if !nusr
|
2013-09-30 13:47:53 -05:00
|
|
|
nusr = ndom
|
|
|
|
|
ndom = nil
|
|
|
|
|
end
|
|
|
|
|
|
2023-01-30 13:05:34 +11:00
|
|
|
if (!user.nil? && ndom && (user.strip.downcase == needle.strip.downcase))
|
2013-09-30 13:47:53 -05:00
|
|
|
print_status("FOUND: #{session.sid} - #{session.session_host} - #{user} (delegation)")
|
|
|
|
|
next
|
|
|
|
|
end
|
|
|
|
|
|
2023-01-30 13:07:16 +11:00
|
|
|
_fdom, fusr = user.split('\\')
|
2013-09-30 13:47:53 -05:00
|
|
|
|
2023-01-30 13:05:34 +11:00
|
|
|
if (!fusr.nil? && !ndom && (fusr.strip.downcase == nusr.strip.downcase))
|
2013-09-30 13:47:53 -05:00
|
|
|
print_status("FOUND: #{session.sid} - #{session.session_host} - #{user} (delegation)")
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
tokens_del[user] ||= []
|
|
|
|
|
tokens_del[user] << session.sid
|
|
|
|
|
end
|
|
|
|
|
|
2023-01-30 12:25:46 +11:00
|
|
|
res['impersonation'].split("\n").each do |user|
|
2013-09-30 13:47:53 -05:00
|
|
|
opt_users.each do |needle|
|
2023-01-30 12:25:46 +11:00
|
|
|
ndom, nusr = needle.split('\\')
|
|
|
|
|
if !nusr
|
2013-09-30 13:47:53 -05:00
|
|
|
nusr = ndom
|
|
|
|
|
ndom = nil
|
|
|
|
|
end
|
|
|
|
|
|
2023-01-30 13:05:34 +11:00
|
|
|
if (!user.nil? && ndom && (user.strip.downcase == needle.strip.downcase))
|
2013-09-30 13:47:53 -05:00
|
|
|
print_status(">> Found #{session.sid} - #{session.session_host} - #{user} (impersonation)")
|
|
|
|
|
next
|
|
|
|
|
end
|
|
|
|
|
|
2023-01-30 13:07:16 +11:00
|
|
|
_fdom, fusr = user.split('\\')
|
2023-01-30 13:05:34 +11:00
|
|
|
if (!fusr.nil? && !ndom && (fusr.strip.downcase == nusr.strip.downcase))
|
2013-09-30 13:47:53 -05:00
|
|
|
print_status(">> Found #{session.sid} - #{session.session_host} - #{user} (impersonation)")
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
tokens_imp[user] ||= []
|
|
|
|
|
tokens_imp[user] << session.sid
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2023-01-30 12:25:46 +11:00
|
|
|
def initialize(framework, opts)
|
|
|
|
|
super
|
|
|
|
|
add_console_dispatcher(TokenCommandDispatcher)
|
|
|
|
|
end
|
2013-09-30 13:47:53 -05:00
|
|
|
|
2023-01-30 12:25:46 +11:00
|
|
|
def cleanup
|
|
|
|
|
remove_console_dispatcher('Token Hunter')
|
|
|
|
|
end
|
2013-09-30 13:47:53 -05:00
|
|
|
|
2023-01-30 12:25:46 +11:00
|
|
|
def name
|
|
|
|
|
'token_hunter'
|
|
|
|
|
end
|
2013-09-30 13:47:53 -05:00
|
|
|
|
2023-01-30 12:25:46 +11:00
|
|
|
def desc
|
2023-07-06 12:49:39 +01:00
|
|
|
'Search all active Meterpreter sessions for specific tokens'
|
2023-01-30 12:25:46 +11:00
|
|
|
end
|
2013-09-30 13:47:53 -05:00
|
|
|
end
|
2009-12-03 15:27:07 +00:00
|
|
|
end
|
