Module: Metasploit::Credential::Creation

Included in:
Importer::Core, Importer::Pwdump, Migrator
Defined in:
lib/metasploit/credential/creation.rb

Overview

Helper methods for finding or creating a tree of credentials. The method ensure that duplicate credentials are not created.

Instance Method Summary collapse

Instance Method Details

#active_db?Boolean

Returns true if ActiveRecord has an active database connection, false otherwise.

Returns:

  • (Boolean) 


12
13
14
 
# File 'lib/metasploit/credential/creation.rb', line 12

def active_db?
  ActiveRecord::Base.connected?
end

#create_cracked_credential(opts = {}) ⇒ Object

This method takes a few simple parameters and creates a new username/password credential that was obtained by cracking a hash. It reuses the relevant components form the originating Metasploit::Credential::Core and builds new Login objects based on the ones attached to the originating Metasploit::Credential::Core

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :username (String)

    the username to find or create the Public from

  • :password (String)

    the password to find or create the Password from

  • :core_id (Fixnum)

    the id for the originating Metasploit::Credential::Core



25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
 
# File 'lib/metasploit/credential/creation.rb', line 25

def create_cracked_credential(opts={})
  return nil unless active_db?
  username = opts.fetch(:username)
  password = opts.fetch(:password)
  core_id  = opts.fetch(:core_id)

  private  = nil
  public   = nil
  old_core = nil

  retry_transaction do
    private  = Metasploit::Credential::Password.where(data: password).first_or_create!
    public   = Metasploit::Credential::Public.where(username: username).first_or_create!
    old_core = Metasploit::Credential::Core.find(core_id)
  end

  core = nil

  retry_transaction do
    core = Metasploit::Credential::Core.where(public_id: public.id, private_id: private.id, realm_id: nil, workspace_id: old_core.workspace_id).first_or_initialize
    if core.origin_id.nil?
      origin      = Metasploit::Credential::Origin::CrackedPassword.where(metasploit_credential_core_id: core_id).first_or_create!
      core.origin = origin
    end
    core.save!
  end

  old_core.logins.each do ||
    service_id = .service_id
     = Metasploit::Credential::.where(core_id: core.id, service_id: service_id).first_or_initialize
    if .status.blank?
      .status =  Metasploit::Model::::Status::UNTRIED
    end
    .save!
  end
end

#create_credential(opts = {}) ⇒ NilClass, Metasploit::Credential::Core

This method is responsible for creation Metasploit::Credential::Core objects and all sub-objects that it is dependent upon.

Examples:

Reporting a Bruteforced Credential

create_credential(
  origin_type: :service,
  address: '192.168.1.100',
  port: 445,
  service_name: 'smb',
  protocol: 'tcp',
  module_fullname: 'auxiliary/scanner/smb/smb_login',
  workspace_id: myworkspace.id,
  private_data: 'password1',
  private_type: :password,
  username: 'Administrator'
)

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :jtr_format (String)

    The format for John the ripper to use to try and crack this

  • :origin_type (Symbol)

    The Origin type we are trying to create

  • :address (String)

    The address of the ‘Mdm::Host` to link this Origin to

  • :port (Fixnum)

    The port number of the ‘Mdm::Service` to link this Origin to

  • :service_name (String)

    The service name to use for the ‘Mdm::Service`

  • :protocol (String)

    The protocol type of the ‘Mdm::Service` to link this Origin to

  • :module_fullname (String)

    The fullname of the Metasploit Module to link this Origin to

  • :workspace_id (Fixnum)

    The ID of the ‘Mdm::Workspace` to use for the `Mdm::Host`

  • :task_id (Fixnum)

    The ID of the ‘Mdm::Task` to link this Origin and Core to

  • :filename (String)

    The filename of the file that was imported

  • :user_id (Fixnum)

    The ID of the ‘Mdm::User` to link this Origin to

  • :session_id (Fixnum)

    The ID of the ‘Mdm::Session` to link this Origin to

  • :post_reference_name (String)

    The reference name of the Metasploit Post module to link the origin to

  • :private_data (String)

    The actual data for the private (e.g. password, hash, key etc)

  • :private_type (Symbol)

    The type of Private to create

  • :username (String)

    The username to use for the Public

Returns:

Raises:

  • (KeyError)

    if a required option is missing

  • (ArgumentError)

    if an invalid :private_type is specified

  • (ArgumentError)

    if an invalid :origin_type is specified



100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
 
# File 'lib/metasploit/credential/creation.rb', line 100

def create_credential(opts={})
  return nil unless active_db?

  if opts[:origin]
    origin = opts[:origin]
  else
    origin = create_credential_origin(opts)
  end

  core_opts = {
      origin: origin,
      workspace_id: opts.fetch(:workspace_id)
  }

  if opts.has_key?(:realm_key) && opts.has_key?(:realm_value)
    core_opts[:realm] = create_credential_realm(opts)
  end

  if opts.has_key?(:private_type) && opts.has_key?(:private_data)
    core_opts[:private] = create_credential_private(opts)
  end

  if opts.has_key?(:username)
    core_opts[:public] = create_credential_public(opts)
  end

  if opts.has_key?(:task_id)
    core_opts[:task_id] = opts[:task_id]
  end

  create_credential_core(core_opts)
end

#create_credential_core(opts = {}) ⇒ NilClass, Metasploit::Credential::Core

This method is responsible for creating Metasploit::Credential::Core objects.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

Returns:



143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
 
# File 'lib/metasploit/credential/creation.rb', line 143

def create_credential_core(opts={})
  return nil unless active_db?
  origin       = opts.fetch(:origin)
  workspace_id = opts.fetch(:workspace_id)

  private_id   = opts[:private].try(:id)
  public_id    = opts[:public].try(:id)
  realm_id     = opts[:realm].try(:id)

  core = nil
  retry_transaction do
    core = Metasploit::Credential::Core.where(private_id: private_id, public_id: public_id, realm_id: realm_id, workspace_id: workspace_id).first_or_initialize
    if core.origin_id.nil?
      core.origin = origin
    end
    if opts[:task_id]
      core.tasks << Mdm::Task.find(opts[:task_id])
    end
    core.save!
  end

  core
end

#create_credential_login(opts = {}) ⇒ NilClass, Metasploit::Credential::Login

This method is responsible for creating a Login object which ties a Metasploit::Credential::Core to the ‘Mdm::Service` it is a valid credential for.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :access_level (String)

    The access level to assign to this login if we know it

  • :address (String)

    The address of the ‘Mdm::Host` to link this Login to

  • :last_attempted_at (DateTime)

    The last time this Login was attempted

  • :core (Metasploit::Credential::Core)

    The Metasploit::Credential::Core to link this login to

  • :port (Fixnum)

    The port number of the ‘Mdm::Service` to link this Login to

  • :service_name (String)

    The service name to use for the ‘Mdm::Service`

  • :status (String)

    The status for the Login object

  • :protocol (String)

    The protocol type of the ‘Mdm::Service` to link this Login to

  • :workspace_id (Fixnum)

    The ID of the ‘Mdm::Workspace` to use for the `Mdm::Host`

  • :task_id (Fixnum)

    The ID of the ‘Mdm::Task` to link this Login to

Returns:

Raises:

  • (KeyError)

    if a required option is missing



184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
 
# File 'lib/metasploit/credential/creation.rb', line 184

def (opts={})
  return nil unless active_db?
  access_level       = opts.fetch(:access_level, nil)
  core               = opts.fetch(:core)
  last_attempted_at  = opts.fetch(:last_attempted_at, nil)
  status             = opts.fetch(:status)

   = nil
  retry_transaction do
    service_object = create_credential_service(opts)
     = Metasploit::Credential::.where(core_id: core.id, service_id: service_object.id).first_or_initialize

    if opts[:task_id]
      .tasks << Mdm::Task.find(opts[:task_id])
    end

    .access_level      = access_level if access_level
    .last_attempted_at = last_attempted_at if last_attempted_at
    .status            = status
    .save!
  end

  
end

#create_credential_origin(opts = {}) ⇒ NilClass, ...

This method is responsible for creating the various Credential::Origin objects. It takes a key for the Origin type and delegates to the correct sub-method.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :origin_type (Symbol)

    The Origin type we are trying to create

  • :address (String)

    The address of the ‘Mdm::Host` to link this Origin to

  • :port (Fixnum)

    The port number of the ‘Mdm::Service` to link this Origin to

  • :service_name (String)

    The service name to use for the ‘Mdm::Service`

  • :protocol (String)

    The protocol type of the ‘Mdm::Service` to link this Origin to

  • :module_fullname (String)

    The fullname of the Metasploit Module to link this Origin to

  • :workspace_id (Fixnum)

    The ID of the ‘Mdm::Workspace` to use for the `Mdm::Host`

  • :task_id (Fixnum)

    The ID of the ‘Mdm::Task` to link this Origin to

  • :filename (String)

    The filename of the file that was imported

  • :user_id (Fixnum)

    The ID of the ‘Mdm::User` to link this Origin to

  • :session_id (Fixnum)

    The ID of the ‘Mdm::Session` to link this Origin to

  • :post_reference_name (String)

    The reference name of the Metasploit Post module to link the origin to

Returns:

Raises:

  • (ArgumentError)

    if an invalid origin_type was provided

  • (KeyError)

    if a required option is missing



231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
 
# File 'lib/metasploit/credential/creation.rb', line 231

def create_credential_origin(opts={})
  return nil unless active_db?
  case opts[:origin_type]
    when :cracked_password
      create_credential_origin_cracked_password(opts)
    when :import
      create_credential_origin_import(opts)
    when :manual
      create_credential_origin_manual(opts)
    when :service
      create_credential_origin_service(opts)
    when :session
      create_credential_origin_session(opts)
    else
      raise ArgumentError, "Unknown Origin Type #{opts[:origin_type]}"
  end
end

#create_credential_origin_cracked_password(opts = {}) ⇒ NilClass, Metasploit::Credential::Origin::CrackedPassword

This method is responsible for creating Origin::CrackedPassword objects. These are the origins that show that a password Credential was obtained by cracking a hash Credential that previously existed in the database.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :originating_core_id (Fixnum)

    The ID of the originating Credential core.

Returns:



256
257
258
259
260
261
262
263
 
# File 'lib/metasploit/credential/creation.rb', line 256

def create_credential_origin_cracked_password(opts={})
  return nil unless active_db?
  originating_core_id = opts.fetch(:originating_core_id)

  retry_transaction do
    Metasploit::Credential::Origin::CrackedPassword.where(metasploit_credential_core_id: originating_core_id ).first_or_create!
  end
end

#create_credential_origin_import(opts = {}) ⇒ NilClass, Metasploit::Credential::Origin::Manual

This method is responsible for creating Origin::Import objects.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :filename (String)

    The filename of the file that was imported

Returns:

Raises:

  • (KeyError)

    if a required option is missing



271
272
273
274
275
276
277
278
 
# File 'lib/metasploit/credential/creation.rb', line 271

def create_credential_origin_import(opts={})
  return nil unless active_db?
  filename = opts.fetch(:filename)

  retry_transaction do
    Metasploit::Credential::Origin::Import.where(filename: filename).first_or_create!
  end
end

#create_credential_origin_manual(opts = {}) ⇒ NilClass, Metasploit::Credential::Origin::Manual

This method is responsible for creating Origin::Manual objects.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :user_id (Fixnum)

    The ID of the ‘Mdm::User` to link this Origin to

Returns:

Raises:

  • (KeyError)

    if a required option is missing



286
287
288
289
290
291
292
293
 
# File 'lib/metasploit/credential/creation.rb', line 286

def create_credential_origin_manual(opts={})
  return nil unless active_db?
  user_id = opts.fetch(:user_id)

  retry_transaction do
    Metasploit::Credential::Origin::Manual.where(user_id: user_id).first_or_create!
  end
end

#create_credential_origin_service(opts = {}) ⇒ NilClass, Metasploit::Credential::Origin::Service

This method is responsible for creating Origin::Service objects. If there is not a matching ‘Mdm::Host` it will create it. If there is not a matching `Mdm::Service` it will create that too.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :address (String)

    The address of the ‘Mdm::Host` to link this Origin to

  • :port (Fixnum)

    The port number of the ‘Mdm::Service` to link this Origin to

  • :service_name (String)

    The service name to use for the ‘Mdm::Service`

  • :protocol (String)

    The protocol type of the ‘Mdm::Service` to link this Origin to

  • :module_fullname (String)

    The fullname of the Metasploit Module to link this Origin to

Returns:

Raises:

  • (KeyError)

    if a required option is missing



307
308
309
310
311
312
313
314
315
316
317
 
# File 'lib/metasploit/credential/creation.rb', line 307

def create_credential_origin_service(opts={})
  return nil unless active_db?
  module_fullname  = opts.fetch(:module_fullname)

  service_object = create_credential_service(opts)

  retry_transaction do
    Metasploit::Credential::Origin::Service.where(service_id: service_object.id, module_full_name: module_fullname).first_or_create!
  end

end

#create_credential_origin_session(opts = {}) ⇒ NilClass, Metasploit::Credential::Origin::Session

This method is responsible for creating Origin::Session objects.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :session_id (Fixnum)

    The ID of the ‘Mdm::Session` to link this Origin to

  • :post_reference_name (String)

    The reference name of the Metasploit Post module to link the origin to

Returns:

Raises:

  • (KeyError)

    if a required option is missing



326
327
328
329
330
331
332
333
334
 
# File 'lib/metasploit/credential/creation.rb', line 326

def create_credential_origin_session(opts={})
  return nil unless active_db?
  session_id           = opts.fetch(:session_id)
  post_reference_name  = opts.fetch(:post_reference_name)

  retry_transaction do
    Metasploit::Credential::Origin::Session.where(session_id: session_id, post_reference_name: post_reference_name).first_or_create!
  end
end

#create_credential_private(opts = {}) ⇒ NilClass, ...

This method is responsible for the creation of Private objects. It will create the correct subclass based on the type.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :jtr_format (String)

    The format for John the ripper to use to try and crack this

  • :private_data (String)

    The actual data for the private (e.g. password, hash, key etc)

  • :private_type (Symbol)

    The type of Private to create

Returns:

Raises:

  • (ArgumentError)

    if a valid type is not supplied

  • (KeyError)

    if a required option is missing



349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
 
# File 'lib/metasploit/credential/creation.rb', line 349

def create_credential_private(opts={})
  return nil unless active_db?
  private_data = opts.fetch(:private_data)
  private_type = opts.fetch(:private_type)

  private_object = nil

  retry_transaction do
    if private_data.blank?
      private_object = Metasploit::Credential::BlankPassword.where(data:'').first_or_create
    else
      case private_type
        when :password
          private_object = Metasploit::Credential::Password.where(data: private_data).first_or_create
        when :ssh_key
          private_object = Metasploit::Credential::SSHKey.where(data: private_data).first_or_create
        when :ntlm_hash
          private_object = Metasploit::Credential::NTLMHash.where(data: private_data).first_or_create
          private_object.jtr_format = 'nt,lm'
        when :nonreplayable_hash
          private_object = Metasploit::Credential::NonreplayableHash.where(data: private_data).first_or_create
          if opts[:jtr_format].present?
            private_object.jtr_format = opts[:jtr_format]
          end
        else
          raise ArgumentError, "Invalid Private type: #{private_type}"
      end
    end
    private_object.save!
  end
  private_object
end

#create_credential_public(opts = {}) ⇒ NilClass, Metasploit::Credential::Public

This method is responsible for the creation of Public objects.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :username (String)

    The username to use for the Public

Returns:

Raises:

  • (KeyError)

    if a required option is missing



388
389
390
391
392
393
394
395
396
397
398
399
 
# File 'lib/metasploit/credential/creation.rb', line 388

def create_credential_public(opts={})
  return nil unless active_db?
  username = opts.fetch(:username)

  retry_transaction do
    if username.blank?
      Metasploit::Credential::BlankUsername.where(username:'').first_or_create!
    else
      Metasploit::Credential::Username.where(username: username).first_or_create!
    end
  end
end

#create_credential_realm(opts = {}) ⇒ NilClass, Metasploit::Credential::Realm

This method is responsible for creating the Realm objects that may be required.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :realm_key (String)

    The type of Realm this is (e.g. ‘Active Directory Domain’)

  • :realm_value (String)

    The actual Realm name (e.g. contosso)

Returns:

Raises:

  • (KeyError)

    if a required option is missing



409
410
411
412
413
414
415
416
417
 
# File 'lib/metasploit/credential/creation.rb', line 409

def create_credential_realm(opts={})
  return nil unless active_db?
  realm_key   = opts.fetch(:realm_key)
  realm_value = opts.fetch(:realm_value)

  retry_transaction do
    Metasploit::Credential::Realm.where(key: realm_key, value: realm_value).first_or_create!
  end
end

#create_credential_service(opts = {}) ⇒ NilClass, Mdm::Service

This method is responsible for creating a barebones ‘Mdm::Service` object for use by Credential object creation.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :address (String)

    The address of the ‘Mdm::Host`

  • :port (Fixnum)

    The port number of the ‘Mdm::Service`

  • :service_name (String)

    The service name to use for the ‘Mdm::Service`

  • :protocol (String)

    The protocol type of the ‘Mdm::Service“

  • :workspace_id (Fixnum)

    The ID of the ‘Mdm::Workspace` to use for the `Mdm::Host`

Returns:

  • (NilClass)

    if there is no connected database

  • (Mdm::Service)

Raises:

  • (KeyError)

    if a required option is missing



432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
 
# File 'lib/metasploit/credential/creation.rb', line 432

def create_credential_service(opts={})
  return nil unless active_db?
  address          = opts.fetch(:address)
  port             = opts.fetch(:port)
  service_name     = opts.fetch(:service_name)
  protocol         = opts.fetch(:protocol)
  workspace_id     = opts.fetch(:workspace_id)

  host_object    = Mdm::Host.where(address: address, workspace_id: workspace_id).first_or_create
  service_object = Mdm::Service.where(host_id: host_object.id, port: port, proto: protocol).first_or_initialize

  service_object.name  = service_name
  service_object.state = "open"
  service_object.save!

  service_object
end

#invalidate_login(opts = {}) ⇒ void

This method returns an undefined value.

This method checks to see if a Login exists for a given set of details. If it does exists, we then appropriately set the status to one of our failure statuses.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :address (String)

    The address of the host we attempted

  • :port (Fixnum)

    the port of the service we attempted

  • :protocol (String)

    the transport protocol of the service we attempted

  • :public (String)

    A string representation of the public we tried

  • :private (String)

    A string representation of the private we tried

  • :status (Symbol)

    The status symbol from the Framework::LoginScanner::Result

Raises:

  • (KeyError)

    if any of the above options are missing



462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
 
# File 'lib/metasploit/credential/creation.rb', line 462

def (opts = {})
  return nil unless active_db?
  address     = opts.fetch(:address)
  port        = opts.fetch(:port)
  protocol    = opts.fetch(:protocol)
  public      = opts.fetch(:username, nil)
  private     = opts.fetch(:private_data, nil)
  realm_key   = opts.fetch(:realm_key, nil)
  realm_value = opts.fetch(:realm_value, nil)
  status      = opts.fetch(:status)


  pub_obj = Metasploit::Credential::Public.where(username: public).first.try(:id)
  priv_obj = Metasploit::Credential::Private.where(data: private).first.try(:id)
  realm_obj = Metasploit::Credential::Realm.where(key: realm_key, value: realm_value).first.try(:id)

  core = Metasploit::Credential::Core.where(public_id: pub_obj, private_id: priv_obj, realm_id: realm_obj).first

  # Do nothing else if we have no matching core. Otherwise look for a Login.
  if core.present?
     = core.logins.joins(service: :host).where(services: { port: port, proto: protocol } ).where( hosts: {address: address}).readonly(false).first

    if .present?
      .status = status
      .last_attempted_at = DateTime.now
      .save!
    end

  end

end