PuTTY Saved Sessions Enumeration Module #5359
Needs tidying up. Current version:

* Searches for PuTTY registry keys
* Downloads the hostname, port, private key filename, username to log in as and any port forwarding instructions
* If the private keys are accessible on the box, download them to loot

To do:

* Detect whether pageant is running or not and report back
* Tidy up code (used another plugin as a template)
```ruby
if file?(filename)
  ppk = read_file(filename)
  if ppk # Attempt to read the contents of the file
    stored_path = store_loot('putty.ppk.file', 'application/octet-stream', session, ppk)
  end
end
```
Even better if this detects if it is encrypted or plaintext key. If its unencrypted it can be stored in the database. :D
On a related note maybe metasploit-credential should be extended to handle encrypted keys. It could then have methods to allow them to be outputted in john-format (ala hashes) for cracking, and also have a 'passphrase' field which is used to decrypt it into an unencrypted key. Or something. :)
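A header check along the lines suggested in the comment above, as an added Ruby example (not the module's own code; the key bodies in the sample are constructed placeholders, not real key material): it parses the documented PPK header lines and reports whether the key is passphrase-protected, which is the same check an administrator auditing workstations for unprotected private keys would run.

```ruby
# Added example: classify a PuTTY .ppk file as passphrase-protected or
# plaintext by reading its header lines ("Encryption: none" vs. a cipher name).
# Only the headers are inspected; the base64 bodies are skipped, not decoded.

PPK_HEADER = /\APuTTY-User-Key-File-(\d+): (\S+)\z/

def parse_ppk(text)
  lines = text.lines.map(&:chomp)
  m = PPK_HEADER.match(lines.first.to_s)
  raise ArgumentError, 'not a PuTTY private key file' unless m
  info = { version: m[1].to_i, algorithm: m[2], encryption: nil, comment: nil }
  i = 1
  while i < lines.length
    key, _, value = lines[i].partition(': ')
    case key
    when 'Encryption' then info[:encryption] = value
    when 'Comment'    then info[:comment] = value
    when 'Public-Lines', 'Private-Lines'
      i += value.to_i # skip the base64 body announced by this line count
    end
    i += 1
  end
  raise ArgumentError, 'missing Encryption header' if info[:encryption].nil?
  info[:encrypted] = info[:encryption] != 'none'
  info
end

# Constructed sample (dummy bodies): an unencrypted, i.e. plaintext, key file
PLAINTEXT_PPK = <<~PPK
  PuTTY-User-Key-File-2: ssh-rsa
  Encryption: none
  Comment: rsa-key-20150101
  Public-Lines: 2
  AAAAB3NzaC1yc2EAAAABJQAAAQEA
  dummydummydummydummydummydummy
  Private-Lines: 1
  dummyprivatedummyprivate
  Private-MAC: 0000000000000000000000000000000000000000
PPK

# Same constructed file, but declaring a passphrase-protected private part
ENCRYPTED_PPK = PLAINTEXT_PPK.sub('Encryption: none', 'Encryption: aes256-cbc')

if __FILE__ == $0
  [PLAINTEXT_PPK, ENCRYPTED_PPK].each do |ppk|
    info = parse_ppk(ppk)
    state = info[:encrypted] ? 'passphrase-protected' : 'PLAINTEXT'
    puts "#{info[:comment]} (#{info[:algorithm]}, v#{info[:version]}): #{state}"
  end
end
```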
Good point, will work on that. Should I leave this PR as is and then submit another one once that's done?
Depends how long it takes :)
Might pick that one up separately if that's ok - can I leave this one as is and come up with something to convert to OpenSSH format keys later?
Updated original comment due to added functionality
@bcook-r7 Is there anything more you'd like me to do with this? :-)
No, looks great to me! The middle note was without a saved session.
Thanks for the nice module @stufus.
No worries mate, thanks for landing it for me! Stu
Overview
This PR is for a post-exploitation enumeration module that extracts useful information from PuTTY and, to a lesser extent, Pageant. Although these are not widely used in the corporate environment in the same way that, for example, Microsoft Outlook would be, there is a large amount of encouragement to use SSH for management activities. The mechanism of choice for Windows users is PuTTY.
This is of particular interest for a red-teaming exercise, or other penetration test, because compromised users who use PuTTY and Pageant may be system administrators who use such tools to administer their infrastructure, or developers who use SSH as the transport to commit to code repositories. Users who regularly administer systems may choose to automate their login session by configuring the username and a private key to use within the saved session.
In addition, when connecting to a new system, PuTTY will attempt to verify the host fingerprint against the known trusted fingerprints and will display a warning box to the user if the host is not recognised. Once the user verifies that the remote key is legitimate, PuTTY stores the key in the registry and will not display the warning box to the user in future. This is particularly relevant because it is effectively a list of connections that the user has made previously, which are probably interesting hosts to look at. These are probably also hosts that the user has access to.
Activities
The table below shows the key areas and actions performed by this module.
Usage Example
This will produce the following output (some areas redacted for brevity):
Fields
The tables below give additional details of the provenance and nature of the data obtained from PuTTY.
Saved Sessions
Stored SSH Host Fingerprints
Summary
The image below shows, from a user experience perspective, where these fields are configured.
Ongoing work
The following activities are ongoing and I will submit a PR when I am done with them. You can look at the stufus/metasploit-framework and stufus/meterpreter forks if you want to see realtime progress on them: