rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Integrate Creds to Modules (autofill) #17367

Open h00die opened 1 year ago

h00die commented 1 year ago

## Summary

Right now, `creds` is a stand-alone, one-way feature (at least in framework). I mean this in that some modules push creds into the database, but the only thing you can do with them once there is to export hashes to crackers. I suspect a typical use case is:

  1. get creds in the database (either through cracking a hash, manually adding, or module which pulls them)
  2. Attempt to use those creds in a module by either re-typing them or copy+paste

I'd like to talk about adding a feature to creds command to auto-fill a credential to a module.

## Example Usage

1. `use auxiliary/server/capture/smtp`
2. a user logs in to your smtp server with their domain credentials
3. `creds` now shows something like:

```
msf6 > creds
Credentials
===========

host     origin   service        public     private  realm  private_type  JtR Format
----     ------   -------        ------     -------  -----  ------------  ----------
1.1.1.1  2.2.2.2  25/tcp (smtp)  rickjames  slap            Password
1.1.1.1  2.2.2.2  25/tcp (smtp)  jurasic    park            Password
```

4. `use psexec`
5. `creds autofill 1`
6. `show options`
    1. your `SMBUser`/`SMBPass`/`SMBDomain` are now filled in with `rickjames`, `slap`, `` (empty in this case, since the realm is empty)

```
msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                                 yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               slap             no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBUser               rickjames        no        The username to authenticate as
```


This would alleviate having to copy/paste creds from the database. This also makes SSH keys stored in the database useful, as we can auto-fill them instead of needing to copy some bulk text out and make sure it looks right.

## Example 2

1. `use auxiliary/server/capture/smtp`
2. a user logs in to your smtp server with their domain credentials
3. `creds` now shows something like:

```
msf6 > creds
Credentials
===========

host     origin   service        public     private  realm  private_type  JtR Format
----     ------   -------        ------     -------  -----  ------------  ----------
1.1.1.1  2.2.2.2  25/tcp (smtp)  rickjames  slap            Password
1.1.1.1  2.2.2.2  25/tcp (smtp)  jurasic    park            Password
```

4. `use ssh_login`
5. `creds autofill 1-2`
6. `show options`
7. The `PASS_FILE` and `USER_FILE` now contain temporary files with the associated data from creds 1 and 2

## Issues

1. First would be the need to number the `creds` command output; this should be trivial, as many tables in metasploit already have numerical indexes
2. Standardized (or looking for a bunch of possibilities) option names. Does a module have `user`, `username`, `smbUser`, `USER_FILE`? I'm sure there are others as well.

bcoles commented 1 year ago

> Standardized (or looking for a bunch of possibilities) option names. Does a module have user username smbUser, USER_FILE? I'm sure there are others as well.

Quite a few, based on a cursory glance at the libs. Although, as a guess, Http[Password|Username] and SMB[User|Pass] would be quick wins for a lot of modules.

```
# grep -rn Opt lib/msf | fgrep -v Bool | grep -i passw | cut -d"'" -f2 | sort -u | grep -i pass
AESPassword
BasicAuthPass
DBPASS
FTPPASS
GitPassword
HttpPassword
HttpProxyPass
IAX_PASS
IMAPPASS
lib/msf/core/payload/windows/reverse_http.rb:338:        push 44              ; DWORD dwOption (INTERNET_OPTION_PROXY_PASSWORD)
NCSPASS
PASS_FILE
PASSWORD
POP2PASS
RC4PASSWORD
SMBPass
SMTPPASSWORD
USERPASS_FILE
# grep -rn Opt lib/msf | fgrep -v Bool | grep -i user | cut -d"'" -f2 | sort -u | grep -i user
BasicAuthUser
DBUSER
FROMUSER
FROMUSER_FILE
FTPUSER
GitUsername
HttpProxyUser
HttpUserAgent
HttpUsername
IAX_USER
IMAPUSER
lib/msf/core/payload/windows/reverse_http.rb:322:        push 43              ; DWORD dwOption (INTERNET_OPTION_PROXY_USERNAME)
MaxGuessesPerUser
NCSUSER
POP2USER
RDP_USER
SMBUser
SMTPUSERNAME
UserAgent
USER_FILE
USERNAME
USERPASS_FILE
```
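As an added illustration of the two design questions raised in the thread (numbering the `creds` rows and selecting them with `autofill 1` or `autofill 1-2`, and mapping one credential onto whichever user/password/realm option names a given module exposes), here is a stand-alone Ruby sketch. It is not code from the Metasploit project: the credential rows are constructed hashes mirroring the columns shown above, the candidate option names are taken from the `grep` output in the previous comment, and `parse_selection`, `select_creds`, `write_list_file` and `autofill` are hypothetical helper names. A single cred fills scalar options; a range of creds is written to temporary `USER_FILE`/`PASS_FILE` lists as in Example 2.

```ruby
require 'tempfile'

# Constructed sample rows mirroring the `creds` columns shown in the issue
# (assumption: a plain Hash per row, not Metasploit's own credential model).
SAMPLE_CREDS = [
  { id: 1, public: 'rickjames', private: 'slap', realm: nil, private_type: 'Password' },
  { id: 2, public: 'jurasic',   private: 'park', realm: nil, private_type: 'Password' }
].freeze

# Candidate option names, taken from the grep output in the thread. Order is the
# preference used when a module exposes more than one of them.
USER_OPTS  = %w[SMBUser HttpUsername USERNAME BasicAuthUser FTPUSER IMAPUSER POP2USER SMTPUSERNAME].freeze
PASS_OPTS  = %w[SMBPass HttpPassword PASSWORD BasicAuthPass FTPPASS IMAPPASS POP2PASS SMTPPASSWORD].freeze
REALM_OPTS = %w[SMBDomain].freeze

# Turn a selector such as "1", "1-2" or "1,3" into a list of cred ids.
def parse_selection(selector)
  selector.split(',').flat_map do |part|
    first, last = part.strip.split('-', 2)
    last ? (first.to_i..last.to_i).to_a : [first.to_i]
  end.uniq
end

# Look up the selected rows; unknown ids raise rather than silently filling nothing.
def select_creds(selector, creds = SAMPLE_CREDS)
  ids = parse_selection(selector)
  rows = creds.select { |c| ids.include?(c[:id]) }
  missing = ids - rows.map { |c| c[:id] }
  raise ArgumentError, "unknown cred id(s): #{missing.join(', ')}" unless missing.empty?
  rows
end

# Write one value per line to a temp file and return its path. The file is
# deliberately kept (Tempfile.create does not unlink) because the module reads it later.
def write_list_file(prefix, values)
  f = Tempfile.create([prefix, '.txt'])
  f.puts(values)
  f.close
  f.path
end

# Compute {option_name => value} for a module given its option names.
# One cred -> scalar user/pass/realm options; several creds -> USER_FILE/PASS_FILE.
def autofill(option_names, rows)
  raise ArgumentError, 'no creds selected' if rows.empty?
  unsupported = rows.reject { |c| c[:private_type] == 'Password' }
  unless unsupported.empty?
    raise ArgumentError, "unsupported private_type: #{unsupported.map { |c| c[:private_type] }.uniq.join(', ')}"
  end

  if rows.size == 1
    c = rows.first
    user_opt  = USER_OPTS.find  { |o| option_names.include?(o) }
    pass_opt  = PASS_OPTS.find  { |o| option_names.include?(o) }
    realm_opt = REALM_OPTS.find { |o| option_names.include?(o) }
    raise ArgumentError, 'module has no recognised user/pass options' unless user_opt && pass_opt
    fills = { user_opt => c[:public], pass_opt => c[:private] }
    fills[realm_opt] = c[:realm].to_s if realm_opt # empty string when realm is unset, as in the issue
    fills
  else
    unless option_names.include?('USER_FILE') && option_names.include?('PASS_FILE')
      raise ArgumentError, 'multiple creds need USER_FILE/PASS_FILE'
    end
    {
      'USER_FILE' => write_list_file('msf_users', rows.map { |c| c[:public] }),
      'PASS_FILE' => write_list_file('msf_pass',  rows.map { |c| c[:private] })
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  # psexec-like option set: a single cred fills the scalar SMB options
  p autofill(%w[RHOSTS RPORT SMBDomain SMBPass SMBUser SMBSHARE], select_creds('1'))
  # ssh_login-like option set: a range of creds goes into list files
  p autofill(%w[RHOSTS RPORT USER_FILE PASS_FILE USERPASS_FILE], select_creds('1-2'))
end
```

Two points worth noting from the sketch: separate `USER_FILE`/`PASS_FILE` lists lose the pairing between a username and its password (the module will try every combination), so a module that also exposes `USERPASS_FILE`, which appears in the grep list above, would be the better target for a multi-cred fill; and the `private_type` check is where SSH keys or hashes would need their own mapping instead of being stuffed into a password option.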
JustAnda7 commented 1 year ago

Since this issue is open and no one is working on it, I would like to contribute to it.

h00die commented 1 year ago

Since this has a lot of moving components (lib, spec, modules), I would recommend making several PRs to address this. Obviously up to you on implementation, but I would recommend the first PR being the adding of numbers to the creds command output, and the saving of the results for later reference. Reference how search does it (and any spec it also uses).

JustAnda7 commented 1 year ago

Please review the solution and suggest changes or improvements if any. Working on adding multiple entries.

JustAnda7 commented 1 year ago

Is it okay if spec tests are changed? Adding an index to creds changed the total number of columns in the table, causing a test to fail, so I changed it to match the new additions for creds.

h00die commented 1 year ago

you can update the specs