Packrat: a post module to gather artifacts from a multitude of applications #11719
… it can gather from applications on end user systems. Artifacts include: chat logins and logs, browser logins and history and cookies, email logins and emails sent and received and deleted, contacts and many others. These artifacts are collected from applications including: 12 browsers, 13 chat/IM/IRC applications, 6 email clients and 1 game. These artifacts are then scraped for credentials. The use case for this post-exploitation module is to specify the types of artefacts you are interested in, to gather the relevant files depending on your aims.
Please review and merge https://github.com/danhallsworth1/metasploit-framework/pull/1.
You will also want to run RuboCop against this module with our .rubocop.yml and clean up the most reasonable reported issues. You should write a module doc as well.
You can find our contributing guide here. We more or less follow the Ruby style guide.
Thanks!
This merge makes the changes on pull request 11719. Module has been tested and still works and also passes RuboCop.
Hi, I forgot to add the data/packrat/artifacts.json directory in this pull request; I think that's why the checks have failed. I just put the 'artifact.json' file in the 'metasploit/data' directory. Do you need me to submit it again in the correct directory, @wvu-r7?
@danhallsworth1: You shouldn't need to do that. The merge took care of it. Check out the diff: https://github.com/rapid7/metasploit-framework/pull/11719/files. :) The RSpec failures look unrelated. Do we know anything about this, @jmartin-r7?
Ah, amazing. So is there anything else I need to do now then, @wvu-r7?
I would use a consistent style in the code. Now that the large hash is well-formed JSON and out of the way, we can focus on improving the functional code within the module. I suggest leveraging RuboCop. Note that better code, especially when documented (as requested), leads to more maintainable code. And we will have to maintain it. :-) Let me know if you need any assistance. Thanks!
#used to grab files for each user on the remote host.
grab_user_profiles.each do |userprofile|
APPLICATION_ARRAY.each {|app_loop|
As an example of what I mean by consistent, you are using do for the outside block but { for the inside block, and both blocks are multiline. Please use do as per https://github.com/rubocop-hq/ruby-style-guide#single-line-blocks.
I don't care so much about what the "right" style is so long as your code is consistent and clean.
Good coding is language-agnostic.
Okay, thank you, I'll get that sorted then.
grab_user_profiles.each do |userprofile|
APPLICATION_ARRAY.each {|app_loop|
download(userprofile, app_loop)

As an example of what I mean by clean, this blank line should be removed.
Hi, I've made some of these changes and ran RuboCop against it, fixing the main issues it highlighted. I've got 2 uni exams coming up soon so won't be able to make the changes to this as soon as I'd like, but I'll still be working on it. Hope that's okay, @wvu-r7.
Totally fine with that. Thanks for taking the time to contribute. Thanks to your collaborators, too! And good luck on the exams. :)
Hi, I've made these changes now and have made the documentation, ready to submit. What are the commands I need to do to submit these changes?
?
To update this PR, push to your branch.
No, you don't want to submit a new PR. I'll close that so you can add the commits here.
I do something like this:
throughout the code, e.g. loops, and made the changes suggested through RuboCop
Hi, thanks, those commands helped a lot. Got everything submitted now, thanks for the help.
You have two modules in this PR. Please consolidate your changes into one.
Users can enter APPLICATIONS to extract from example output shown below for email service incredimail
msf post(windows/gather/credentials/packrat_credentials) > set SESSION 1
You'll want to put code in code blocks.
Pretty solid overall. What I commented is mostly small things (verbose context, code style, grammar, etc.). Thanks for taking the time to write this!
'Description' => %q{
This module extracts artifcats from a large list of applications
and can extract credentials storing content in loot. Full list in
module documentation.
-> Full list in module documentation.
The full list of supported applications is in the module documentation.
register_options(
[
OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),
Clarify what's being matched by the regex.
OptRegexp.new('REGEX', [false, 'Match a regular expression', '^password']),
OptBool.new('STORE_LOOT', [false, 'Store artifacts into loot database (otherwise, only download)', 'true']),
# enumerates the options based on the artifacts that are defined below
OptEnum.new('APPCATEGORY', [false, 'Category of applications to gather from', 'All', APPLICATION_ARRAY.map {|x| x[:category]}.uniq.unshift('All')]),
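Review bot: OptBool.new('STORE_LOOT', ...) on the second line of this hunk gives its default as the string 'true' rather than the boolean true; use the literal true so the default has the option's own type. On the fourth line the APPCATEGORY choices are built from APPLICATION_ARRAY.map {|x| x[:category]}.uniq at load time, so a misspelled category in one artifact definition silently becomes its own selectable option that matches only that entry; worth validating the category list or documenting the allowed values in the module doc.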
OptEnum.new('APPCATEGORY', [false, 'Category of applications to gather from', 'All', APPLICATION_ARRAY.map {|x| x[:category]}.uniq.unshift('All')]),
OptEnum.new('APP_CATEGORY', [false, 'Category of applications to gather from', 'All', APPLICATION_ARRAY.map {|x| x[:category]}.uniq.unshift('All')]),
and refactor references.
# Check to see if the artifact exists on the remote system.
def location(profile, opts = {})

Delete the empty line for consistency.
artifact_child[:xml_search].each do |xml_split|
xml_split[:xml].each do |xml_string|
xml_file.xpath("#{xml_string}").each do |xml_match|
vprint_status("#{xml_split[:extraction_description]}")
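Review bot: xml_file.xpath("#{xml_string}") on the third line and vprint_status("#{xml_split[:extraction_description]}") on the fourth wrap values that are already strings in needless interpolation; pass xml_string and the description directly. Since xml_string comes from the artifact definition, a malformed XPath expression will raise from the XML parser in the middle of this loop and abort the gather for every remaining artifact; rescuing that per artifact and reporting which definition failed keeps one bad entry from taking the rest down.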
It may be a little hard to debug this module if you're just printing the variable data with no context. For this (and most other) vprint_*() calls, try to add some context to what you're printing.
end
sql_credential_path = store_loot("#{artifact}#{cred}", "", session, "#{database_string}", local_loc) #saves neatened up database file
print_status "File with credentials saved: #{sql_credential_path}"
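Review bot: the second argument to store_loot on the first line (the content type) is an empty string and the fourth wraps database_string in needless interpolation; give a content type that matches what is actually written (text/plain if this is the cleaned-up dump the trailing comment describes) and pass database_string as-is. The loot type "#{artifact}#{cred}" also concatenates two names with no separator, which makes loot listings hard to read; "#{artifact}.#{cred}" or similar is clearer.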
print_status "File with credentials saved: #{sql_credential_path}"
print_status "File with credentials saved: #{sql_credential_path}"
child_json_query.each do |split|
children = eval("json_parse#{parent_json_query}")
children.each {|child_node|
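Review bot: eval("json_parse#{parent_json_query}") on the second line executes whatever parent_json_query contains as Ruby code, so a typo or a tampered entry in the artifact definitions (data/packrat/artifacts.json) runs arbitrary code inside the framework process; store the query as a list of keys and walk the parsed JSON with dig or an equivalent loop instead. The third line also opens a multi-line block with { where the surrounding code uses do.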
Use the same block styling for inline blocks:
children.each do |child_node|
.......
end
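The eval call quoted in the hunk above turns part of the artifact definition into Ruby source before running it. As an added example (not code from this PR or from the framework), the same parent/child traversal can be done with a key path that is only ever treated as data. The sample JSON, the function names resolve_json_path and extract_fields, and the path format (a list of hash keys and array indices) are assumptions made for this illustration.

```ruby
require 'json'

# Constructed sample standing in for a mail or chat client's JSON settings
# file; it is not taken from any real application.
SAMPLE_ARTIFACT = <<~JSON
  {
    "accounts": [
      { "user": "alice", "server": "imap.example.test", "port": 993 },
      { "user": "bob",   "server": "imap.example.test", "port": 993 }
    ],
    "theme": "dark"
  }
JSON

# Walk a parsed JSON document along a path of hash keys and array indices.
# The path is data (e.g. ["accounts", 0, "user"]), never Ruby source, so an
# artifact definition cannot smuggle code the way an eval'd string can.
# Returns nil as soon as a step is missing or the node has the wrong type.
def resolve_json_path(node, path)
  path.each do |key|
    node = case node
           when Hash  then node[key]
           when Array then key.is_a?(Integer) ? node[key] : nil
           end
    return nil if node.nil?
  end
  node
end

# Mirror the module's parent/child split: parent_path selects a collection,
# child_keys are read from every element of it. A parent that is missing or
# is not an array yields an empty result instead of raising.
def extract_fields(json_text, parent_path, child_keys)
  document = JSON.parse(json_text)
  parent = resolve_json_path(document, parent_path)
  return [] unless parent.is_a?(Array)

  parent.map do |child_node|
    child_keys.to_h { |k| [k, resolve_json_path(child_node, [k])] }
  end
end

if $PROGRAM_NAME == __FILE__
  extract_fields(SAMPLE_ARTIFACT, ['accounts'], ['user', 'server']).each do |row|
    puts "#{row['user']} @ #{row['server']}"
  end
end
```

A definition file can then carry the path as a JSON array next to the field names it wants, and a bad entry degrades to an empty result rather than a parse error or code execution.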
# filter based on options
if (category != datastore['APPCATEGORY'] && datastore['APPCATEGORY'] != 'All') || (application != datastore['APPLICATION'] && datastore['APPLICATION'] != 'All') || (file_type != datastore['ARTIFACTS'] && datastore['ARTIFACTS'] != 'All')
# doesn't match search criteria, skip this artifact
next
next
next if (category != datastore['APPCATEGORY'] && datastore['APPCATEGORY'] != 'All') || (application != datastore['APPLICATION'] && datastore['APPLICATION'] != 'All') || (file_type != datastore['ARTIFACTS'] && datastore['ARTIFACTS'] != 'All')
and delete the end statement on the next line.
if credential_type == 'sqlite'
extract_sqlite(saving_path, artifact_child, artifact, local_loc)
end
These can all be compressed into one line each:
extract_xml(saving_path, artifact_child, artifact, local_loc) if credential_type == 'xml'
extract_json(saving_path, artifact_child, artifact, local_loc) if credential_type == 'json'
extract_regex(saving_path, artifact_child, artifact, local_loc) if credential_type == 'text'
extract_sqlite(saving_path, artifact_child, artifact, local_loc) if credential_type == 'sqlite'
Or you could turn it into a case/switch, up to you.
1 Game:
Xfire
13 Browser:
13 Browser:
13 Browsers:
@cbrnrd: I'm not sure @danhallsworth1 is coming back, so any review you leave will be more work for me. :-)
@cbrnrd: How about I close this PR and open up a new one you can PR to? Then I can address the changes directly.
My only real issue with this module is that it's a huge pile of modules. In theory it would be broken down into parts, each functional item, then packrat could be a post script that runs them all.
Not to mention, and I didn't check, there's possible overlap in code and functionality between this and other modules that already exist.
See me over in #11998. Thanks.