Module: Metasploit::Credential::Creation

Included in:
Importer::Core, Importer::Pwdump, Migrator
Defined in:
lib/metasploit/credential/creation.rb

Overview

Helper methods for finding or creating a tree of credentials. The method ensure that duplicate credentials are not created.

Instance Method Summary collapse

Instance Method Details

#active_db?Boolean

Returns true if ActiveRecord has an active database connection, false otherwise.

Returns:

  • (Boolean) 


12
13
14
 
# File 'lib/metasploit/credential/creation.rb', line 12

def active_db?
  ActiveRecord::Base.connected?
end

#create_cracked_credential(opts = {}) ⇒ Object

This method takes a few simple parameters and creates a new username/password credential that was obtained by cracking a hash. It reuses the relevant components form the originating Metasploit::Credential::Core and builds new Login objects based on the ones attached to the originating Metasploit::Credential::Core

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :username (String)

    the username to find or create the Public from

  • :password (String)

    the password to find or create the Password from

  • :core_id (Fixnum)

    the id for the originating Metasploit::Credential::Core



25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
 
# File 'lib/metasploit/credential/creation.rb', line 25

def create_cracked_credential(opts={})
  return nil unless active_db?
  username = opts.fetch(:username)
  password = opts.fetch(:password)
  core_id  = opts.fetch(:core_id)

  private  = Metasploit::Credential::Password.where(data: password).first_or_create!
  public   = Metasploit::Credential::Public.where(username: username).first_or_create!
  old_core = Metasploit::Credential::Core.find(core_id)
  core     = Metasploit::Credential::Core.where(public_id: public.id, private_id: private.id, realm_id: nil, workspace_id: old_core.workspace_id).first_or_initialize

  if core.origin_id.nil?
    origin      = Metasploit::Credential::Origin::CrackedPassword.where(metasploit_credential_core_id: core_id).first_or_create!
    core.origin = origin
  end
  core.save!


  old_core.logins.each do ||
    service_id = .service_id
     = Metasploit::Credential::Login.where(core_id: core.id, service_id: service_id).first_or_initialize
    if .status.blank?
      .status =  Metasploit::Model::Login::Status::UNTRIED
    end
    .save!
  end
end

#create_credential(opts = {}) ⇒ NilClass, Metasploit::Credential::Core

This method is responsible for creation Metasploit::Credential::Core objects and all sub-objects that it is dependent upon.

Examples:

Reporting a Bruteforced Credential

create_credential(
  origin_type: :service,
  address: '192.168.1.100',
  port: 445,
  service_name: 'smb',
  protocol: 'tcp',
  module_fullname: 'auxiliary/scanner/smb/smb_login',
  workspace_id: myworkspace.id,
  private_data: 'password1',
  private_type: :password,
  username: 'Administrator'
)

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :jtr_format (String)

    The format for John the ripper to use to try and crack this

  • :origin_type (Symbol)

    The Origin type we are trying to create

  • :address (String)

    The address of the ‘Mdm::Host` to link this Origin to

  • :port (Fixnum)

    The port number of the ‘Mdm::Service` to link this Origin to

  • :service_name (String)

    The service name to use for the ‘Mdm::Service`

  • :protocol (String)

    The protocol type of the ‘Mdm::Service` to link this Origin to

  • :module_fullname (String)

    The fullname of the Metasploit Module to link this Origin to

  • :workspace_id (Fixnum)

    The ID of the ‘Mdm::Workspace` to use for the `Mdm::Host`

  • :task_id (Fixnum)

    The ID of the ‘Mdm::Task` to link this Origin and Core to

  • :filename (String)

    The filename of the file that was imported

  • :user_id (Fixnum)

    The ID of the ‘Mdm::User` to link this Origin to

  • :session_id (Fixnum)

    The ID of the ‘Mdm::Session` to link this Origin to

  • :post_reference_name (String)

    The reference name of the Metasploit Post module to link the origin to

  • :private_data (String)

    The actual data for the private (e.g. password, hash, key etc)

  • :private_type (Symbol)

    The type of Private to create

  • :username (String)

    The username to use for the Public

Returns:

Raises:

  • (KeyError)

    if a required option is missing

  • (ArgumentError)

    if an invalid :private_type is specified

  • (ArgumentError)

    if an invalid :origin_type is specified



91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
 
# File 'lib/metasploit/credential/creation.rb', line 91

def create_credential(opts={})
  return nil unless active_db?

  if opts[:origin]
    origin = opts[:origin]
  else
    origin = create_credential_origin(opts)
  end

  core_opts = {
      origin: origin,
      workspace_id: opts.fetch(:workspace_id)
  }

  if opts.has_key?(:realm_key) && opts.has_key?(:realm_value)
    core_opts[:realm] = create_credential_realm(opts)
  end

  if opts.has_key?(:private_type) && opts.has_key?(:private_data)
    core_opts[:private] = create_credential_private(opts)
  end

  if opts.has_key?(:username)
    core_opts[:public] = create_credential_public(opts)
  end

  if opts.has_key?(:task_id)
    core_opts[:task_id] = opts[:task_id]
  end

  create_credential_core(core_opts)
end

#create_credential_core(opts = {}) ⇒ NilClass, Metasploit::Credential::Core

This method is responsible for creating Metasploit::Credential::Core objects.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

Returns:



133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
 
# File 'lib/metasploit/credential/creation.rb', line 133

def create_credential_core(opts={})
  return nil unless active_db?
  origin       = opts.fetch(:origin)
  workspace_id = opts.fetch(:workspace_id)

  private_id   = opts[:private].try(:id)
  public_id    = opts[:public].try(:id)
  realm_id     = opts[:realm].try(:id)

  tries = 3
  begin
    core = Metasploit::Credential::Core.where(private_id: private_id, public_id: public_id, realm_id: realm_id, workspace_id: workspace_id).first_or_initialize
    if core.origin_id.nil?
      core.origin = origin
    end
    if opts[:task_id]
      core.tasks << Mdm::Task.find(opts[:task_id])
    end
    core.save!
  rescue ActiveRecord::RecordNotUnique
    tries -= 1
    if tries > 0
      retry
    end
  end

  core
end

#create_credential_login(opts = {}) ⇒ NilClass, Metasploit::Credential::Login

This method is responsible for creating a Login object which ties a Metasploit::Credential::Core to the ‘Mdm::Service` it is a valid credential for.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :access_level (String)

    The access level to assign to this login if we know it

  • :address (String)

    The address of the ‘Mdm::Host` to link this Login to

  • :last_attempted_at (DateTime)

    The last time this Login was attempted

  • :core (Metasploit::Credential::Core)

    The Metasploit::Credential::Core to link this login to

  • :port (Fixnum)

    The port number of the ‘Mdm::Service` to link this Login to

  • :service_name (String)

    The service name to use for the ‘Mdm::Service`

  • :status (String)

    The status for the Login object

  • :protocol (String)

    The protocol type of the ‘Mdm::Service` to link this Login to

  • :workspace_id (Fixnum)

    The ID of the ‘Mdm::Workspace` to use for the `Mdm::Host`

  • :task_id (Fixnum)

    The ID of the ‘Mdm::Task` to link this Login to

Returns:

Raises:

  • (KeyError)

    if a required option is missing



179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
 
# File 'lib/metasploit/credential/creation.rb', line 179

def (opts={})
  return nil unless active_db?
  access_level       = opts.fetch(:access_level, nil)
  core               = opts.fetch(:core)
  last_attempted_at  = opts.fetch(:last_attempted_at, nil)
  status             = opts.fetch(:status)

  service_object = create_credential_service(opts)
   = Metasploit::Credential::Login.where(core_id: core.id, service_id: service_object.id).first_or_initialize

  if opts[:task_id]
    .tasks << Mdm::Task.find(opts[:task_id])
  end

  .access_level      = access_level if access_level
  .last_attempted_at = last_attempted_at if last_attempted_at
  .status            = status
  .save!
  
end

#create_credential_origin(opts = {}) ⇒ NilClass, ...

This method is responsible for creating the various Credential::Origin objects. It takes a key for the Origin type and delegates to the correct sub-method.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :origin_type (Symbol)

    The Origin type we are trying to create

  • :address (String)

    The address of the ‘Mdm::Host` to link this Origin to

  • :port (Fixnum)

    The port number of the ‘Mdm::Service` to link this Origin to

  • :service_name (String)

    The service name to use for the ‘Mdm::Service`

  • :protocol (String)

    The protocol type of the ‘Mdm::Service` to link this Origin to

  • :module_fullname (String)

    The fullname of the Metasploit Module to link this Origin to

  • :workspace_id (Fixnum)

    The ID of the ‘Mdm::Workspace` to use for the `Mdm::Host`

  • :task_id (Fixnum)

    The ID of the ‘Mdm::Task` to link this Origin to

  • :filename (String)

    The filename of the file that was imported

  • :user_id (Fixnum)

    The ID of the ‘Mdm::User` to link this Origin to

  • :session_id (Fixnum)

    The ID of the ‘Mdm::Session` to link this Origin to

  • :post_reference_name (String)

    The reference name of the Metasploit Post module to link the origin to

Returns:

Raises:

  • (ArgumentError)

    if an invalid origin_type was provided

  • (KeyError)

    if a required option is missing



222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
 
# File 'lib/metasploit/credential/creation.rb', line 222

def create_credential_origin(opts={})
  return nil unless active_db?
  case opts[:origin_type]
    when :cracked_password
      create_credential_origin_cracked_password(opts)
    when :import
      create_credential_origin_import(opts)
    when :manual
      create_credential_origin_manual(opts)
    when :service
      create_credential_origin_service(opts)
    when :session
      create_credential_origin_session(opts)
    else
      raise ArgumentError, "Unknown Origin Type #{opts[:origin_type]}"
  end
end

#create_credential_origin_cracked_password(opts = {}) ⇒ NilClass, Metasploit::Credential::Origin::CrackedPassword

This method is responsible for creating Origin::CrackedPassword objects. These are the oorigins that show that a password Credential was obtained by cracking a hash Credential that previously existed in the database.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :originating_core_id (Fixnum)

    The ID of the originating Credential core.

Returns:



247
248
249
250
251
252
 
# File 'lib/metasploit/credential/creation.rb', line 247

def create_credential_origin_cracked_password(opts={})
  return nil unless active_db?
  originating_core_id = opts.fetch(:originating_core_id)

  Metasploit::Credential::Origin::CrackedPassword.where(metasploit_credential_core_id: originating_core_id ).first_or_create
end

#create_credential_origin_import(opts = {}) ⇒ NilClass, Metasploit::Credential::Origin::Manual

This method is responsible for creating Origin::Import objects.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :filename (String)

    The filename of the file that was imported

Returns:

Raises:

  • (KeyError)

    if a required option is missing



260
261
262
263
264
265
 
# File 'lib/metasploit/credential/creation.rb', line 260

def create_credential_origin_import(opts={})
  return nil unless active_db?
  filename = opts.fetch(:filename)

  Metasploit::Credential::Origin::Import.where(filename: filename).first_or_create
end

#create_credential_origin_manual(opts = {}) ⇒ NilClass, Metasploit::Credential::Origin::Manual

This method is responsible for creating Origin::Manual objects.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :user_id (Fixnum)

    The ID of the ‘Mdm::User` to link this Origin to

Returns:

Raises:

  • (KeyError)

    if a required option is missing



273
274
275
276
277
278
 
# File 'lib/metasploit/credential/creation.rb', line 273

def create_credential_origin_manual(opts={})
  return nil unless active_db?
  user_id = opts.fetch(:user_id)

  Metasploit::Credential::Origin::Manual.where(user_id: user_id).first_or_create
end

#create_credential_origin_service(opts = {}) ⇒ NilClass, Metasploit::Credential::Origin::Service

This method is responsible for creating Origin::Service objects. If there is not a matching ‘Mdm::Host` it will create it. If there is not a matching `Mdm::Service` it will create that too.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :address (String)

    The address of the ‘Mdm::Host` to link this Origin to

  • :port (Fixnum)

    The port number of the ‘Mdm::Service` to link this Origin to

  • :service_name (String)

    The service name to use for the ‘Mdm::Service`

  • :protocol (String)

    The protocol type of the ‘Mdm::Service` to link this Origin to

  • :module_fullname (String)

    The fullname of the Metasploit Module to link this Origin to

Returns:

Raises:

  • (KeyError)

    if a required option is missing



292
293
294
295
296
297
298
299
 
# File 'lib/metasploit/credential/creation.rb', line 292

def create_credential_origin_service(opts={})
  return nil unless active_db?
  module_fullname  = opts.fetch(:module_fullname)

  service_object = create_credential_service(opts)

  Metasploit::Credential::Origin::Service.where(service_id: service_object.id, module_full_name: module_fullname).first_or_create
end

#create_credential_origin_session(opts = {}) ⇒ NilClass, Metasploit::Credential::Origin::Session

This method is responsible for creating Origin::Session objects.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :session_id (Fixnum)

    The ID of the ‘Mdm::Session` to link this Origin to

  • :post_reference_name (String)

    The reference name of the Metasploit Post module to link the origin to

Returns:

Raises:

  • (KeyError)

    if a required option is missing



308
309
310
311
312
313
314
 
# File 'lib/metasploit/credential/creation.rb', line 308

def create_credential_origin_session(opts={})
  return nil unless active_db?
  session_id           = opts.fetch(:session_id)
  post_reference_name  = opts.fetch(:post_reference_name)

  Metasploit::Credential::Origin::Session.where(session_id: session_id, post_reference_name: post_reference_name).first_or_create
end

#create_credential_private(opts = {}) ⇒ NilClass, ...

This method is responsible for the creation of Private objects. It will create the correct subclass based on the type.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :jtr_format (String)

    The format for John the ripper to use to try and crack this

  • :private_data (String)

    The actual data for the private (e.g. password, hash, key etc)

  • :private_type (Symbol)

    The type of Private to create

Returns:

Raises:

  • (ArgumentError)

    if a valid type is not supplied

  • (KeyError)

    if a required option is missing



329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
 
# File 'lib/metasploit/credential/creation.rb', line 329

def create_credential_private(opts={})
  return nil unless active_db?
  private_data = opts.fetch(:private_data)
  private_type = opts.fetch(:private_type)

  case private_type
    when :password
      private_object = Metasploit::Credential::Password.where(data: private_data).first_or_create
    when :ssh_key
      private_object = Metasploit::Credential::SSHKey.where(data: private_data).first_or_create
    when :ntlm_hash
      private_object = Metasploit::Credential::NTLMHash.where(data: private_data).first_or_create
      private_object.jtr_format = 'nt,lm'
    when :nonreplayable_hash
      private_object = Metasploit::Credential::NonreplayableHash.where(data: private_data).first_or_create
      if opts[:jtr_format].present?
        private_object.jtr_format = opts[:jtr_format]
      end
    else
      raise ArgumentError, "Invalid Private type: #{private_type}"
  end
  private_object.save!
  private_object
end

#create_credential_public(opts = {}) ⇒ NilClass, Metasploit::Credential::Public

This method is responsible for the creation of Public objects.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :username (String)

    The username to use for the Public

Returns:

Raises:

  • (KeyError)

    if a required option is missing



360
361
362
363
364
365
 
# File 'lib/metasploit/credential/creation.rb', line 360

def create_credential_public(opts={})
  return nil unless active_db?
  username = opts.fetch(:username)

  Metasploit::Credential::Public.where(username: username).first_or_create
end

#create_credential_realm(opts = {}) ⇒ NilClass, Metasploit::Credential::Realm

This method is responsible for creating the Realm objects that may be required.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :realm_key (String)

    The type of Realm this is (e.g. ‘Active Directory Domain’)

  • :realm_value (String)

    The actual Realm name (e.g. contosso)

Returns:

Raises:

  • (KeyError)

    if a required option is missing



375
376
377
378
379
380
381
 
# File 'lib/metasploit/credential/creation.rb', line 375

def create_credential_realm(opts={})
  return nil unless active_db?
  realm_key   = opts.fetch(:realm_key)
  realm_value = opts.fetch(:realm_value)

  Metasploit::Credential::Realm.where(key: realm_key, value: realm_value).first_or_create!
end

#create_credential_service(opts = {}) ⇒ NilClass, Mdm::Service

This method is responsible for creating a barebones ‘Mdm::Service` object for use by Credential object creation.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :address (String)

    The address of the ‘Mdm::Host`

  • :port (Fixnum)

    The port number of the ‘Mdm::Service`

  • :service_name (String)

    The service name to use for the ‘Mdm::Service`

  • :protocol (String)

    The protocol type of the ‘Mdm::Service“

  • :workspace_id (Fixnum)

    The ID of the ‘Mdm::Workspace` to use for the `Mdm::Host`

Returns:

  • (NilClass)

    if there is no connected database

  • (Mdm::Service)

Raises:

  • (KeyError)

    if a required option is missing



396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
 
# File 'lib/metasploit/credential/creation.rb', line 396

def create_credential_service(opts={})
  return nil unless active_db?
  address          = opts.fetch(:address)
  port             = opts.fetch(:port)
  service_name     = opts.fetch(:service_name)
  protocol         = opts.fetch(:protocol)
  workspace_id     = opts.fetch(:workspace_id)

  host_object    = Mdm::Host.where(address: address, workspace_id: workspace_id).first_or_create
  service_object = Mdm::Service.where(host_id: host_object.id, port: port, proto: protocol).first_or_initialize

  service_object.name  = service_name
  service_object.state = "open"
  service_object.save!

  service_object
end

#invalidate_login(opts = {}) ⇒ void

This method returns an undefined value.

This method checks to see if a Login exists for a given set of details. If it does exists, we then appropriately set the status to one of our failure statuses.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :address (String)

    The address of the host we attempted

  • :port (Fixnum)

    the port of the service we attempted

  • :protocol (String)

    the transport protocol of the service we attempted

  • :public (String)

    A string representation of the public we tried

  • :private (String)

    A string representation of the private we tried

  • :status (Symbol)

    The status symbol from the Framework::LoginScanner::Result

Raises:

  • (KeyError)

    if any of the above options are missing



426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
 
# File 'lib/metasploit/credential/creation.rb', line 426

def (opts = {})
  return nil unless active_db?
  address     = opts.fetch(:address)
  port        = opts.fetch(:port)
  protocol    = opts.fetch(:protocol)
  public      = opts.fetch(:public)
  private     = opts.fetch(:private)
  realm_key   = opts.fetch(:realm_key)
  realm_value = opts.fetch(:realm_value)
  status      = opts.fetch(:status)


  pub_obj = Metasploit::Credential::Public.where(username: public).first.try(:id)
  priv_obj = Metasploit::Credential::Private.where(data: private).first.try(:id)
  realm_obj = Metasploit::Credential::Realm.where(key: realm_key, value: realm_value).first.try(:id)

  core = Metasploit::Credential::Core.where(public_id: pub_obj, private_id: priv_obj, realm_id: realm_obj).first

  # Do nothing else if we have no matching core. Otherwise look for a Login.
  if core.present?
     = core.logins.joins(service: :host).where(services: { port: port, proto: protocol } ).where( hosts: {address: address}).readonly(false).first

    if .present?
      .status = status
      .last_attempted_at = DateTime.now
      .save!
    end

  end

end