Packrat: a post module to gather artifacts from a multitude of applications

[ghost]

… it can gather from applications on end user systems.

Artifacts include: chat logins and logs, browser logins and history and
cookies, email logins and emails sent and received and deleted, contacts
and many others. These artifacts are collected from applications
including: 12 browsers, 13 chat/IM/IRC applications, 6 email clients and
1 game.

These artifacts are then scraped for credentials,

The use case for this post-exploitation module is to specify the types
of artefacts you are interesed in, to gather the relevent files
depending on your aims.

Tell us what this change does. If you're fixing a bug, please mention
the github issue number.

Please ensure you are submitting from a unique branch in your repository to master in Rapid7's.

Verification

List the steps needed to make sure this thing works

• Start msfconsole
• use exploit/windows/smb/ms08_067_netapi
• ...
• Verify the thing does what it should
• Verify the thing does not do what it should not
• Document the thing and how it works (Example)

[wvu]

Please review and merge https://github.com/danhallsworth1/metasploit-framework/pull/1.

You will also want to run RuboCop against this module with our .rubocop.yml and clean up the most reasonable reported issues. You should write a module doc as well.

You can find our contributing guide here. We more or less follow the Ruby style guide.

Thanks!

[ghost]

Hi I forgot to add the data/packrat/artifacts.json directory in this pull request, I think that's why the checks have failed. I just put the 'artifact.json' file in the 'metasploit/data' directory. Do you need me to submit it again in the correct directory @wvu-r7

[wvu]

@danhallsworth1: You shouldn't need to do that. The merge took care of it. Check out the diff: https://github.com/rapid7/metasploit-framework/pull/11719/files. :)

The RSpec failures look unrelated. Do we know anything about this, @jmartin-r7?

[ghost]

ah amazing so is there anything I else I need to do now then? @wvu-r7

[wvu]

Please review and merge danhallsworth1#1.

You will also want to run RuboCop against this module with our .rubocop.yml and clean up the most reasonable reported issues. You should write a module doc as well.

You can find our contributing guide here. We more or less follow the Ruby style guide.

Thanks!

I would use a consistent style in the code. Now that the large hash is well-formed JSON and out of the way, we can focus on improving the functional code within the module. I suggest leveraging RuboCop.

Note that better code, especially when documented (as requested), leads to more maintainable code. And we will have to maintain it. :-)

Let me know if you need any assistance. Thanks!

[wvu]

As an example of what I mean by consistent, you are using do for the outside block but { for the inside block, and both blocks are multiline. Please use do as per https://github.com/rubocop-hq/ruby-style-guide#single-line-blocks.

I don't care so much about what the "right" style is so long as your code is consistent and clean.

Good coding is language-agnostic.

[ghost]

Okay thank you I’ll get that sorted then Get Outlook for iOS<https://aka.ms/o0ukef>

…

________________________________ From: n̸̺̳̮̖͚̺̺͍̪̰͎̰͇̯̙̋ͣͣ̆̇ͥ̕n̷̑͐̑ͩ̾͗ͣ͐̏҉̣̞̖͖͕̗̞̳̯͚̖n̶̵̫̣͓͈͓̥̣̬̠̗̤͔͖̘̫̪̱͇̤̏ͯ̿ͫͥ͐̍͂͛͊̓͜͢n̨̡̙̼̗̳̿̂ͤ̑͆ͧ́͂̈n̷̸̛͙̘̙̪͔͕͖̻̹͇̮̰̖̣͓̖̫ͪͥ̓̑͒͟͠ņͤͤͯ̌̒̽́̎ͦ̃̈͆̿͒̊ͣ͏̡͎̪̗̻̱̭̲̤͈̞̦͇͍̤̪̥̳̙͘ͅn̨͇̦̭̞̹̗̞̖̪̤̗ͩ́̋͛͂̂̿ͭͭ̈͢ʌ̸̵͉̱͍̤͍̫̰̘͚̲̝̩̤̙͗̑ͥ̃̈́͌̔̿̉͒ͦ̿̈̋́̚̚̕͢ͅʍ̸̭̰̬̖͚͓̠̮͙͓̝̥̞̥͉̏̈ͩͥͣͣ̆ <notifications@github.com> Sent: Friday, April 19, 2019 4:53:28 PM To: rapid7/metasploit-framework Cc: danhallsworth1; Mention Subject: Re: [rapid7/metasploit-framework] Add post module to gather artifacts from a multitude of applications (#11719) Please review and merge danhallsworth1#1<https://github.com/danhallsworth1/metasploit-framework/pull/1>. You will also want to run RuboCop<https://github.com/rubocop-hq/rubocop> against this module with our .rubocop.yml<https://github.com/rapid7/metasploit-framework/blob/master/.rubocop.yml> and clean up the most reasonable reported issues. You should write a module doc<https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation> as well. You can find our contributing guide here<https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md>. We more or less follow the Ruby style guide<https://github.com/rubocop-hq/ruby-style-guide>. Thanks! I would use a consistent style in the code. Now that the large hash is well-formed JSON and out of the way, we can focus on improving the functional code within the module. I suggest leveraging RuboCop. Note that better code, especially when documented (as requested), leads to more maintainable code. And we will have to maintain it. :-) Let me know if you need any assistance. Thanks! — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#11719 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AI4APQUHDVZAJRHBFZR7EWTPRHTHRANCNFSM4HFRQQZQ>.

[wvu]

As an example of what I mean by clean, this blank line should be removed.

[ghost]

Hi i've made some of these changes and ran Robocop against it fixing the main issues its highlighted. I've got 2 uni exams coming up soon so wont be able to make the changes to this as soon as id like, but i'll still be working on it hope that's okay @wvu-r7

[wvu]

Totally fine with that. Thanks for taking the time to contribute. Thanks to your collaborators, too! And good luck on the exams. :)

[ghost]

Hi I’ve made these changes now and have made the documentation, ready to submit. What’s are the commands I need to do to submit these changes?

[timwr]

git add 
git commit
git push

?

[jrobles-r7]

To update this PR push to your branch danhallsworth1:packrat_post_module.

[wvu]

No, you don't want to submit a new PR. I'll close that so you can add the commits here.

[wvu]

I do something like this:

git add -p
git commit
git push origin packrat_post_module

[ghost]

I do something like this:

git add -p
git commit
git push origin packrat_post_module

Hi thanks those commands helped a lot, got everything submitted now thanks for the help

[wvu]

You have two modules in this PR. Please consolidate your changes into one.

[wvu]

You'll want to put code in code blocks.

[cbrnrd]

Pretty solid overall. What I commented is mostly small things (verbose context, code style, grammar, etc.) Thanks for taking the time to write this!

[cbrnrd]

Full list in module documentation. -> The full list of supported applications is in the module documentation.

[cbrnrd]

Clarify what's being matched by the regex

[cbrnrd]

Suggested change

	OptEnum.new('APPCATEGORY', [false, 'Category of applications to gather from', 'All', APPLICATION_ARRAY.map {|x| x[:category]}.uniq.unshift('All')]),
	OptEnum.new('APP_CATEGORY', [false, 'Category of applications to gather from', 'All', APPLICATION_ARRAY.map {|x| x[:category]}.uniq.unshift('All')]),

and refactor references

[cbrnrd]

delete empty line for consistency

[cbrnrd]

It may be a little hard to debug this module if you're just printing the variable data with no context. For this (and most other) vprint_*() calls, try to add some context to what you're printing

[cbrnrd]

Suggested change

	print_status "File with credentials saved: #{sql_credential_path}"
	print_status "File with credentials saved: #{sql_credential_path}"

[cbrnrd]

Use the same block styling for inline blocks:

children.each do |child_node|
  .......
end

[cbrnrd]

Suggested change

	next
	next if (category != datastore['APPCATEGORY'] && datastore['APPCATEGORY'] != 'All') || (application != datastore['APPLICATION'] && datastore['APPLICATION'] != 'All') || (file_type != datastore['ARTIFACTS'] && datastore['ARTIFACTS'] != 'All')

and delete end statement on the next line

[cbrnrd]

These can all be compressed into one line each:

extract_xml(saving_path, artifact_child, artifact, local_loc) if credential_type == 'xml'

extract_json(saving_path, artifact_child, artifact, local_loc) if credential_type == 'json'

extract_regex(saving_path, artifact_child, artifact, local_loc) if credential_type == 'text'

extract_sqlite(saving_path, artifact_child, artifact, local_loc) if credential_type == 'sqlite'

[cbrnrd]

Or you could turn it into a case/switch, up to you.

[cbrnrd]

Suggested change

	13 Browser:
	13 Browsers:

[wvu]

@cbrnrd: I'm not sure @danhallsworth1 is coming back, so any review you leave will be more work for me. :-)

[wvu]

@cbrnrd: How about I close this PR and open up a new one you can PR to? Then I can address the changes directly.

[h00die]

My only real issue with this module is that it's a huge pile of modules. In theory it would be broken down into parts, each functional item, then packrat could be a post script that runs them all.
This makes it easier to maintain, test, and doesn't lose functionality

[h00die]

Not to mention, and I didn't check, there's possible overlap in code and functionality between this and other modules that already exist

[wvu]

I have already written code for this PR, and I am unable to contribute further at the moment. Someone else will have to. Eh, opening a new PR. Let's find a way to carry this across the finish line.

[wvu]

See me over in #11998. Thanks.