Class: Msf::Plugin::TokenHunter::TokenCommandDispatcher

Inherits:
Object
  • Object
show all
Includes:
Ui::Console::CommandDispatcher
Defined in:
plugins/token_hunter.rb

Instance Attribute Summary

Attributes included from Ui::Console::CommandDispatcher

#driver

Attributes included from Rex::Ui::Text::DispatcherShell::CommandDispatcher

#shell, #tab_complete_items

Instance Method Summary collapse

Methods included from Ui::Console::CommandDispatcher

#active_module, #active_module=, #active_session, #active_session=, #build_range_array, #docs_dir, #framework, #initialize, #log_error, #remove_lines

Methods included from Rex::Ui::Text::DispatcherShell::CommandDispatcher

#cmd_help, #cmd_help_help, #cmd_help_tabs, #deprecated_cmd, #deprecated_commands, #deprecated_help, #docs_dir, #help_to_s, #initialize, #print, #print_error, #print_good, #print_line, #print_status, #print_warning, #tab_complete_directory, #tab_complete_filenames, #tab_complete_generic, #tab_complete_source_address, #update_prompt

Instance Method Details

#cmd_token_hunt_user(*args) ⇒ Object 


23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
 
# File 'plugins/token_hunter.rb', line 23

def cmd_token_hunt_user(*args)

  opts = Rex::Parser::Arguments.new(
    "-h"   => [ false,  "This help menu"],
    "-f"   => [ true,   "A file containing a list of users to search for (one per line)"]
  )

  opt_userfile  = nil
  opt_users     = []

  opts.parse(args) do |opt, idx, val|
    case opt
    when "-h"
      print_line("Usage: token_hunt_user [options] <username> [username] .. [username]")
      print_line(opts.usage)
      return
    when "-f"
      opt_userfile = val
    else
      opt_users << val
    end
  end

  if(opt_userfile)
    ::File.open(opt_userfile, "rb") do |fd|
      fd.each_line do |line|
        line.strip!
        next if line.empty?
        next if line =~ /^#/
        opt_users << line
      end
    end
  end

  opt_users.uniq!

  tokens_del = {}
  tokens_imp = {}

  framework.sessions.each_key do |sid|
    session = framework.sessions[sid]
    next if session.type != "meterpreter"

    print_status(">> Scanning session #{session.sid} / #{session.session_host}")

    if(! session.incognito)
      session.core.use("incognito")
    end

    if(! session.incognito)
      print_status("!! Failed to load incognito on #{session.sid} / #{session.session_host}")
      next
    end

    res = session.incognito.incognito_list_tokens(0)
    if(res)
      res["delegation"].split("\n").each do |user|

        opt_users.each do |needle|

          ndom,nusr = needle.split("\\")
          if(not nusr)
            nusr = ndom
            ndom = nil
          end

          if(not user.nil? and ndom and user.strip.downcase == needle.strip.downcase)
            print_status("FOUND: #{session.sid} - #{session.session_host} - #{user} (delegation)")
            next
          end

          fdom,fusr = user.split("\\")

          if (not fusr.nil? and ! ndom and fusr.strip.downcase == nusr.strip.downcase)
            print_status("FOUND: #{session.sid} - #{session.session_host} - #{user} (delegation)")
          end
        end

        tokens_del[user] ||= []
        tokens_del[user] << session.sid
      end


      res["impersonation"].split("\n").each do |user|

        opt_users.each do |needle|
          ndom,nusr = needle.split("\\")
          if(not nusr)
            nusr = ndom
            ndom = nil
          end

          if(not user.nil? and ndom and user.strip.downcase == needle.strip.downcase)
            print_status(">> Found #{session.sid} - #{session.session_host} - #{user} (impersonation)")
            next
          end

          fdom,fusr = user.split("\\")
          if (not fusr.nil? and ! ndom and fusr.strip.downcase == nusr.strip.downcase)
            print_status(">> Found #{session.sid} - #{session.session_host} - #{user} (impersonation)")
          end
        end

        tokens_imp[user] ||= []
        tokens_imp[user] << session.sid
      end
    end
  end
end

#commandsObject 


17
18
19
20
21
 
# File 'plugins/token_hunter.rb', line 17

def commands
  {
    'token_hunt_user'        => "Scan all connected meterpreter sessions for active tokens corresponding to one or more users"
  }
end

#nameObject 


13
14
15
 
# File 'plugins/token_hunter.rb', line 13

def name
  "Token Hunter"
end