
PuTTY Saved Sessions Enumeration Module #5359

Merged
merged 17 commits into from Aug 14, 2015

Conversation


@stufus stufus commented May 17, 2015

Overview

This PR is for a post-exploitation enumeration module that extracts useful information from PuTTY and, to a lesser extent, Pageant. Although these are not widely used in the corporate environment in the same way that, for example, Microsoft Outlook would be, there is a large amount of encouragement to use SSH for management activities. The mechanism of choice for Windows users is PuTTY.

This is of particular interest for a red-teaming exercise, or other penetration test, because compromised users who use PuTTY and Pageant may be system administrators who use such tools to administer their infrastructure, or developers who use SSH as the transport to commit to code repositories. Users who regularly administer systems may choose to automate their login session by configuring the username and a private key to use within the saved session.

In addition, when connecting to a new system, PuTTY will attempt to verify the host fingerprint against the known trusted fingerprints and will display a warning box to the user if the host is not recognised. Once the user verifies that the remote key is legitimate, PuTTY stores the key in the registry and will not display the warning box to the user in future. This is particularly relevant because it is effectively a list of connections that the user has made previously, which are probably interesting hosts to look at. These are probably also hosts that the user has access to.

Activities

The table below shows the key areas and actions performed by this module.

| Area | Description |
| --- | --- |
| Enumerate Saved Sessions | PuTTY offers the ability to save connection information (host, port, auto-login username etc.) for user convenience. Key information is extracted and recorded: the name of the saved session, the host name to connect to, the port to connect to, any configured port forwarding rules and the filename of the SSH private key to be used for this connection (confusingly named PublicKeyFile by PuTTY, despite its contents including a private key). This module will display the saved sessions on the console, store them in notes (use `notes -t putty.savedsession` to view them) and generate a CSV file summarising them all, which is stored in loot. |
| Retrieve private keys | If any of the saved sessions reference a specific private key, this module will attempt to download that key file and, if successful, will store it in loot. It will also do some basic key parsing and display information about the retrieved keys. |
| Enumerate trusted SSH host fingerprints | The first time a connection is made from PuTTY to a remote server, PuTTY will ask the user to confirm that the SSH host key fingerprint is correct. If the user accepts the key, PuTTY will store it to avoid asking the user in future. PuTTY actually stores the key type, the host and the port. This module will store the SSH host key fingerprints in notes (use `notes -t putty.storedfingerprint` to view), display the hostnames and ports on the console and generate a CSV file containing them. This is of interest because it is effectively a list of previous connections from the target and might be useful to explore further. |
| Search for Pageant instance | Pageant is PuTTY's SSH agent, which is used by other tools too (e.g. FileZilla). One alternative to configuring specific private keys is to store them in Pageant. At this stage, this module will simply inform you whether Pageant is running or not as the target user. |

Usage Example

use post/windows/gather/enum_putty_saved_sessions
set session -1
run

This will produce the following output (some areas redacted for brevity):

[*] Looking for saved PuTTY sessions
[*] Found 34 sessions

PuTTY Saved Sessions
====================

 Name       HostName        PublicKeyFile      UserName  PortNumber  PortForwardings
 ----       --------        -------------      --------  ----------  ---------------
 Test 1     127.0.0.1       R:\keys\test.ppk   stufus    22          L3006=localhost:3306
 Test 2     10.0.0.1                           goat      22          

 ...redacted...

[*] PuTTY saved sessions list saved to /usr/home/stufus/.msf4/loot/20150517164036_default_192.0.2.101_putty.sessions.c_130140.txt in CSV format & available in notes (use 'notes -t putty.savedsession' to view).
[*] Downloading private keys...
[+] PuTTY private key file for 'Test 1' (R:\keys\test.ppk) saved to: /usr/home/stufus/.msf4/loot/20150517152125_default_192.0.2.101_putty.ppk.file_396198.bin

PuTTY Private Keys
==================

 Name     HostName       UserName  PublicKeyFile         Type        Cipher      Comment
 ----     --------       --------  -------------         ----        ------      -------
 Test 1   127.0.0.1      stufus    R:\keys\test.ppk      ssh2 (rsa)  none        Generated test key

[*] Looking for previously stored SSH host key fingerprints
[*] Found 39 stored key fingerprints
[*] Downloading stored key fingerprints...

Stored SSH host key fingerprints
================================

 SSH Endpoint            Key Type(s)
 ------------            -----------
 127.0.0.1:22            rsa2
 10.0.0.1:22             rsa2, ecdsa-sha2-nistp256

 ...redacted...

[*] PuTTY stored host keys list saved to /usr/home/stufus/.msf4/loot/20150517152136_default_192.0.2.101_putty.storedfing_670457.txt in CSV format & available in notes (use 'notes -t putty.storedfingerprint' to view).

[*] Looking for Pageant...
[+] Pageant is running (Handle 0x601a0)
[*] Post module execution completed

Fields

The tables below give additional details of the provenance and nature of the data obtained from PuTTY.

Saved Sessions

| Field | Description |
| --- | --- |
| Name | PuTTY allows you to individually name each saved session. Most users will provide a descriptive and useful name for their connections for their own convenience. There is a default session called 'Default Settings' which will only be created if the defaults are changed from PuTTY's defaults. |
| HostName | This is the remote host to connect to. It can either be a DNS host name or an IP address. This module will retrieve whatever is stored by PuTTY. |
| PublicKeyFile | It is possible to configure a private key (most people will use PuTTYGen.exe to create this) to be used with this connection. Confusingly, the field is named 'PublicKeyFile' but it is actually a path to the private key to be used for authentication purposes. This module will attempt to download this file and store it in loot if it can. |
| UserName | This is the auto-login username. PuTTY will prompt for a username if one is not specified, but a user can store a username to use automatically. |
| PortNumber | This is the TCP port to connect to. The SSH default is 22. |
| PortForwardings | This holds details of any SSH port forwarding. This is commonly used to form secure tunnels to protect otherwise insecure services, and any port forwarding is of interest because it draws attention to particular hosts that may otherwise be inaccessible. |

Stored SSH Host Fingerprints

| Field | Description |
| --- | --- |
| SSH Endpoint | This is the host:port combination of the stored connection. This is particularly useful because it is effectively a list of previously accepted connections from that user. Those hosts may be of particular interest during a red-teaming or penetration test exercise. |
| Key Type(s) | This is a comma-separated list of key types (e.g. RSA). |
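The two registry locations the Activities and Fields tables describe (per-session values under PuTTY's `Sessions` key, and `<keytype>@<port>:<host>` value names under `SshHostKeys`) can also be reviewed offline from a regedit export of a user's hive, which is how an administrator would audit a fleet for saved sessions that embed key files, auto-login names or tunnels. The following is an added Ruby example, not code from the module or this PR; the `.reg` text is constructed, and the `%XX` decoding assumes PuTTY's percent-encoding of session names in registry key names.

```ruby
# Added example (not the module's code): audit a PuTTY registry export
# (regedit .reg file) for saved sessions and stored SSH host keys.
# The registry paths are the ones PuTTY uses under HKCU.
SESSIONS_KEY = "HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\Sessions\\"
HOSTKEYS_KEY = "HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\SshHostKeys"

# Constructed sample export: two sessions and three stored host keys.
# Key blobs are placeholders, not real key data.
SAMPLE_REG = <<~'REG'
  Windows Registry Editor Version 5.00

  [HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\Test%201]
  "HostName"="127.0.0.1"
  "PortNumber"=dword:00000016
  "UserName"="stufus"
  "PublicKeyFile"="R:\\keys\\test.ppk"
  "PortForwardings"="L3006=localhost:3306"

  [HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\Test%202]
  "HostName"="10.0.0.1"
  "PortNumber"=dword:00000016
  "UserName"="goat"

  [HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]
  "rsa2@22:127.0.0.1"="0x23,0xCONSTRUCTED"
  "rsa2@22:10.0.0.1"="0x23,0xCONSTRUCTED"
  "ecdsa-sha2-nistp256@22:10.0.0.1"="nistp256,0xCONSTRUCTED,0xCONSTRUCTED"
REG

# PuTTY percent-encodes characters it cannot use in a registry key name
# (space, '\', '*', '?', '%' ...), so "Test 1" is stored as "Test%201".
def unmunge(name)
  name.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Decode the right-hand side of one `"Name"=value` line from a .reg export.
# PortNumber is a DWORD; string values escape backslashes as "\\".
def parse_reg_value(raw)
  case raw
  when /\Adword:([0-9A-Fa-f]{8})\z/ then $1.hex
  when /\A"(.*)"\z/ then $1.gsub('\\\\') { '\\' }
  else raw
  end
end

# Walk the export and return { sessions: {name => {field => value}},
#                              host_keys: {"host:port" => [key types]} }.
def parse_putty_reg(text)
  sessions  = Hash.new { |h, k| h[k] = {} }
  host_keys = Hash.new { |h, k| h[k] = [] }
  section = nil
  text.each_line do |line|
    line = line.strip
    next if line.empty?
    if line =~ /\A\[(.+)\]\z/
      section = $1
      next
    end
    next unless section && line =~ /\A"([^"]+)"=(.+)\z/
    name, value = $1, $2
    if section.start_with?(SESSIONS_KEY)
      sessions[unmunge(section.delete_prefix(SESSIONS_KEY))][name] = parse_reg_value(value)
    elsif section == HOSTKEYS_KEY && name =~ /\A([^@]+)@(\d+):(.+)\z/
      # Value names are "<keytype>@<port>:<host>"; the value is the key itself.
      host_keys["#{$3}:#{$2}"] << $1
    end
  end
  { sessions: sessions, host_keys: host_keys }
end

# Flag the sessions a defender would want to review: a private key on disk,
# an auto-login username, or a configured tunnel.
def risky_sessions(sessions)
  sessions.each_with_object({}) do |(name, s), out|
    flags = []
    flags << 'key file'   unless s['PublicKeyFile'].to_s.empty?
    flags << 'auto-login' unless s['UserName'].to_s.empty?
    flags << 'tunnel'     unless s['PortForwardings'].to_s.empty?
    out[name] = flags unless flags.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  data = parse_putty_reg(SAMPLE_REG)
  data[:sessions].each do |name, s|
    puts "#{name}: #{s['HostName']}:#{s['PortNumber']} user=#{s['UserName']} key=#{s['PublicKeyFile']}"
  end
  data[:host_keys].each { |endpoint, types| puts "#{endpoint} -> #{types.join(', ')}" }
  risky_sessions(data[:sessions]).each { |name, flags| puts "REVIEW #{name}: #{flags.join(', ')}" }
end
```

Regedit writes exports as UTF-16LE with a byte-order mark, so a real file should be read with `File.read(path, mode: 'rb:BOM|UTF-16LE:UTF-8')` before being handed to `parse_putty_reg`. The grouping of `SshHostKeys` names by `host:port` reproduces the "SSH Endpoint / Key Type(s)" view the module prints; `risky_sessions` is the audit step the module's output leaves to the operator.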

Summary

The image below shows, from a user experience perspective, where these fields are configured.

[Image: putty]

Ongoing work

The following activities are ongoing and I will submit a PR when I am done with them. You can look at the stufus/metasploit-framework and stufus/meterpreter forks if you want to see real-time progress on them:

  • If an administrator, search through all users rather than just the current user.
  • Provide the ability to add an additional trusted SSH host fingerprint, either as a new host or to an existing one (useful for SSH MITM).
  • Meterpreter extension to hijack Pageant.

stufus added 13 commits May 15, 2015 16:23
Needs tidying up.

Current version:
* Searches for PuTTY registry keys
* Downloads the Hostname, port, private key filename, username to log in as and any port forwarding instructions
* If the private keys are accessible on the box, download them to loot

To do:
* Detect whether pageant is running or not and report back
* Tidy up code (used another plugin as a template)
if file?(filename)
  ppk = read_file(filename) # Attempt to read the contents of the file
  if ppk
    stored_path = store_loot('putty.ppk.file', 'application/octet-stream', session, ppk)
Contributor

Even better if this detects if it is an encrypted or plaintext key. If it's unencrypted it can be stored in the database. :D

On a related note maybe metasploit-credential should be extended to handle encrypted keys. It could then have methods to allow them to be outputted in john-format (ala hashes) for cracking, and also have a 'passphrase' field which is used to decrypt it into an unencrypted key. Or something. :)

Contributor Author

Good point, will work on that. Should I leave this PR as is and then submit another one once that's done?

Contributor

Depends how long it takes :)

Contributor Author

Might pick that one up separately if that's ok - can I leave this one as is and come up with something to convert to OpenSSH format keys later?
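The PR body says the module does "some basic key parsing" and prints a Type / Cipher / Comment table for each retrieved key, and the review thread above asks for a distinction between encrypted and plaintext keys. Both come from the `.ppk` header alone, which is what a defender auditing a file share for passphrase-less keys would read. The following is an added Ruby example, not the module's or the PR's code; the sample key file is a constructed placeholder with no real key material, and the field names follow the PuTTY key file format (`PuTTY-User-Key-File-N`, `Encryption`, `Comment`, `Public-Lines`, `Private-Lines`, `Private-MAC`).

```ruby
# Added example (not the module's code): inspect a PuTTY .ppk header to
# report key type, cipher and comment, and flag keys stored without a
# passphrase. Only the header is read; no key material is decoded.

# Constructed sample: the base64 bodies are placeholders, not a real key.
SAMPLE_PPK = <<~'PPK'
  PuTTY-User-Key-File-2: ssh-rsa
  Encryption: none
  Comment: Generated test key
  Public-Lines: 2
  AAAAB3NzaC1yc2EAAAABJQAAAQEAconstructedplaceholderpublicline1=
  constructedplaceholderpublicline2==
  Private-Lines: 2
  constructedplaceholderprivateline1=
  constructedplaceholderprivateline2==
  Private-MAC: 0000000000000000000000000000000000000000
PPK

BASE64_LINE = /\A[A-Za-z0-9+\/=]+\z/

# Parse a PPK header into { version:, type:, cipher:, comment:, public_lines:,
# private_lines:, mac: }. Raises ArgumentError on a file that is not a PPK or
# whose announced line counts do not match the body.
def parse_ppk(text)
  lines = text.lines.map(&:chomp)
  m = lines.shift.to_s.match(/\APuTTY-User-Key-File-(\d+): (\S+)\z/)
  raise ArgumentError, 'not a PuTTY private key file' unless m
  info = { version: m[1].to_i, type: m[2] }
  until lines.empty?
    line = lines.shift
    next if line.strip.empty?
    field, value = line.split(': ', 2)
    case field
    when 'Encryption' then info[:cipher] = value
    when 'Comment'    then info[:comment] = value
    when 'Public-Lines', 'Private-Lines'
      count = value.to_i
      body = lines.shift(count)
      unless body.size == count && body.all? { |l| l.match?(BASE64_LINE) }
        raise ArgumentError, "#{field} announces #{count} base64 lines, body is truncated or malformed"
      end
      info[field == 'Public-Lines' ? :public_lines : :private_lines] = count
    when 'Private-MAC', 'Private-Hash' then info[:mac] = value
    else
      # PPK v3 adds key-derivation fields (Key-Derivation, Argon2-*); keep them.
      (info[:extra] ||= {})[field] = value
    end
  end
  info
end

# "Encryption: none" means anyone who copies the file can use the key.
def unencrypted?(info)
  info[:cipher] == 'none'
end

# The same Type / Cipher / Comment view the module's key table shows.
def ppk_summary(info)
  "#{info[:type]} (ppk v#{info[:version]})  cipher=#{info[:cipher]}  comment=#{info[:comment]}"
end

if __FILE__ == $PROGRAM_NAME
  info = parse_ppk(SAMPLE_PPK)
  puts ppk_summary(info)
  puts 'WARNING: key is stored without a passphrase' if unencrypted?(info)
end
```

Pointing `parse_ppk` at every `.ppk` referenced by a saved session's `PublicKeyFile` value turns the module's inventory into a passphrase check: any key reporting `cipher=none` is usable by whoever can read the file, and the line-count validation rejects truncated copies before anything tries to load them.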

@stufus
Contributor Author

stufus commented May 18, 2015

Updated original comment due to added functionality

@stufus
Contributor Author

stufus commented Aug 14, 2015

@bcook-r7 Is there anything more you'd like me to do with this? :-)

@bcook-r7
Contributor

No, looks great to me! The middle note was without a saved session.

msf post(enum_putty_saved_sessions) > notes -t putty.savedsession
[*] Time: 2015-08-14 17:51:27 UTC Note: host=192.168.56.102 type=putty.savedsession data={"Name"=>"test", "HostName"=>"192.168.56.1", "UserName"=>"test", "PublicKeyFile"=>"C:\\Users\\test\\Documents\\test.ppk", "PortNumber"=>"22", "PortForwardings"=>""}
[*] Time: 2015-08-14 17:59:24 UTC Note: host=192.168.56.102 type=putty.savedsession data={"Name"=>"test", "HostName"=>"", "UserName"=>"", "PublicKeyFile"=>"", "PortNumber"=>"22", "PortForwardings"=>"L1234=1.2.3.4:1234"}
[*] Time: 2015-08-14 18:09:34 UTC Note: host=192.168.56.102 type=putty.savedsession data={"Name"=>"test", "HostName"=>"192.168.56.1", "UserName"=>"test", "PublicKeyFile"=>"C:\\Users\\test\\Documents\\test.ppk", "PortNumber"=>"22", "PortForwardings"=>"L1234=1.2.3.4:1234"}

@bcook-r7 bcook-r7 merged commit 8b8ed04 into rapid7:master Aug 14, 2015
bcook-r7 pushed a commit that referenced this pull request Aug 14, 2015
@bcook-r7
Contributor

Thanks for the nice module @stufus.

@stufus
Contributor Author

stufus commented Aug 15, 2015

No worries mate, thanks for landing it for me!

Stu
