def run(self):
    """Collect Outlook profile entries whose registry value name contains 'password'.

    Walks HKCU\\...\\Windows Messaging Subsystem\\Profiles\\Outlook two
    levels deep (profile -> section), enumerates the values of each
    section, and for every value whose name contains ``password``
    (case-insensitive) hands the section key to ``self.retrieve_info``.

    Returns:
        list: whatever ``self.retrieve_info`` produced for each matching
        section (only truthy results are kept), or ``None`` when the
        profiles key cannot be opened.
    """
    # Per-user Outlook profile store. This single path is the audit anchor
    # for this module: everything below is derived from enumerating it.
    key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook'
    try:
        hkey = win.OpenKey(win.HKEY_CURRENT_USER, key_path)
    except Exception as e:
        # No Outlook profiles for this user (or no access) -> nothing to do.
        # Note: the exception object itself is passed, not str(e) as in
        # sibling modules.
        self.debug(e)
        return
    # QueryInfoKey -> (subkey_count, value_count, last_write); [0] = subkeys.
    num = winreg.QueryInfoKey(hkey)[0]
    pwd_found = []
    for x in range(0, num):
        # One subkey per Outlook profile.
        name = winreg.EnumKey(hkey, x)
        skey = win.OpenKey(hkey, name, 0, win.ACCESS_READ)
        num_skey = winreg.QueryInfoKey(skey)[0]
        if num_skey != 0:
            for y in range(0, num_skey):
                # One sub-subkey per profile section; its *values* are scanned.
                name_skey = winreg.EnumKey(skey, y)
                sskey = win.OpenKey(skey, name_skey)
                # [1] = value count of the section key.
                num_sskey = winreg.QueryInfoKey(sskey)[1]
                for z in range(0, num_sskey):
                    # EnumValue -> (value_name, value_data, value_type).
                    k = winreg.EnumValue(sskey, z)
                    if 'password' in k[0].lower():
                        # retrieve_info is defined elsewhere in the class;
                        # the section key and its name are passed through.
                        values = self.retrieve_info(sskey, name_skey)
                        if values:
                            pwd_found.append(values)
                # NOTE(review): sskey is never closed; the handle leaks until
                # garbage collection. skey/hkey are closed below.
        winreg.CloseKey(skey)
    winreg.CloseKey(hkey)
    return pwd_found
def run(self):
    """Read the Turba (Steam game) settings file and return its stored login.

    Locates the Steam install directory via the ``SteamPath`` value under
    HKCU\\Software\\Valve\\Steam, then reads
    ``<SteamPath>/SteamApps/common/Turba/Assets/Settings.bin``. The login
    and password are taken as the first two newline-separated fields after
    byte offset 0x1b.

    Returns:
        list[dict]: zero or one ``{'Login': ..., 'Password': ...}`` entries;
        ``None`` when Steam is present but the expected directories/files
        are missing.
    """
    creds = []
    results = None
    # Find the location of steam - to make it easier we're going to use a try block
    # 'cos I'm lazy
    try:
        # Single backslashes here: '\V' and '\S' are not escape sequences, so
        # the literal is the intended path (newer Pythons warn about this).
        with win.OpenKey(win.HKEY_CURRENT_USER, 'Software\Valve\Steam') as key:
            # QueryValueEx -> (data, type); only the data is used below.
            results = winreg.QueryValueEx(key, 'SteamPath')
    except Exception:
        # Steam not installed / key unreadable: fall through with results=None.
        pass
    if results:
        steampath = string_to_unicode(results[0])
        # '\c' is not an escape sequence either, so this is a literal path.
        steamapps = os.path.join(steampath, u'SteamApps\common')
        # Check that we have a SteamApps directory
        if not os.path.exists(steamapps):
            self.error(u'Steam doesn\'t have a SteamApps directory.')
            return
        filepath = os.path.join(steamapps, u'Turba\\Assets\\Settings.bin')
        if not os.path.exists(filepath):
            self.debug(u'Turba doesn\'t appear to be installed.')
            return
        # If we're here we should have a valid config file file
        # NOTE: the file object is bound to the same name as the path.
        with open(filepath, mode='rb') as filepath:
            # We've found a config file, now extract the creds
            data = filepath.read()
            # Fixed 0x1b-byte header is skipped, then split on LF.
            # NOTE(review): data is bytes; on Python 3 bytes.split('\x0a')
            # raises TypeError (str separator). Presumably Python 2 code —
            # confirm the target interpreter.
            chunk = data[0x1b:].split('\x0a')
            creds.append({'Login': chunk[0], 'Password': chunk[1]})
    return creds
def history_from_regedit(self):
    """Return the URLs stored under HKCU\\...\\Internet Explorer\\TypedURLs.

    Every value of that key is read and its data (index 1 of the EnumValue
    tuple) appended to the result, regardless of value name.

    Returns:
        list: the value data of each entry, or ``[]`` when the key cannot
        be opened (the traceback is logged via ``self.debug``).
    """
    urls = []
    try:
        hkey = win.OpenKey(win.HKEY_CURRENT_USER, 'Software\\Microsoft\\Internet Explorer\\TypedURLs')
    except Exception:
        self.debug(traceback.format_exc())
        return []
    # QueryInfoKey -> (subkeys, values, last_write); [1] = number of values.
    num = winreg.QueryInfoKey(hkey)[1]
    for x in range(0, num):
        # EnumValue -> (name, data, type).
        k = winreg.EnumValue(hkey, x)
        if k:
            urls.append(k[1])
    winreg.CloseKey(hkey)
    return urls
def get_regkey(self):
    """Read the first value under HKCU\\Software\\Skype\\ProtectedStorage and unprotect it.

    The raw data of value index 0 is passed to ``win.Win32CryptUnprotectData``
    (a project helper; by its name presumably a DPAPI CryptUnprotectData
    wrapper — confirm) together with the ``constant.is_current_user`` and
    ``constant.user_dpapi`` settings.

    Returns:
        The helper's result, or ``False`` if the key cannot be opened, has
        no values, or the helper raises. Errors are logged via ``self.debug``.
    """
    try:
        key_path = 'Software\\Skype\\ProtectedStorage'
        try:
            hkey = win.OpenKey(win.HKEY_CURRENT_USER, key_path)
        except Exception as e:
            self.debug(str(e))
            return False
        # num = winreg.QueryInfoKey(hkey)[1]
        # Only the first value is considered; an empty key raises OSError,
        # which the outer handler turns into False.
        # NOTE(review): hkey is never closed on any path.
        k = winreg.EnumValue(hkey, 0)[1]
        return win.Win32CryptUnprotectData(
            k,
            is_current_user=constant.is_current_user,
            user_dpapi=constant.user_dpapi)
    except Exception as e:
        # Covers EnumValue on an empty key and failures inside the helper.
        self.debug(str(e))
        return False
def run(self):
    """Read the Galcon Fusion config of every Steam user and return its stored login.

    Locates the Steam install directory via the ``SteamPath`` value under
    HKCU\\Software\\Valve\\Steam, then for each directory in
    ``<SteamPath>/userdata`` reads ``44200/remote/galcon.cfg`` (44200 is
    the per-game id used in the path) and slices the login and password
    from fixed byte ranges.

    Returns:
        list[dict]: one ``{'Login': ..., 'Password': ...}`` entry per
        config file found; ``None`` when Steam is present but has no
        ``userdata`` directory.
    """
    creds = []
    results = None
    # Find the location of steam - to make it easier we're going to use a try block
    # 'cos I'm lazy
    try:
        with win.OpenKey(win.HKEY_CURRENT_USER, 'Software\\Valve\\Steam') as key:
            # QueryValueEx -> (data, type); only the data is used below.
            results = winreg.QueryValueEx(key, 'SteamPath')
    except Exception:
        # Steam not installed / key unreadable: fall through with results=None.
        pass
    if results:
        steampath = string_to_unicode(results[0])
        userdata = os.path.join(steampath, u'userdata')
        # Check that we have a userdata directory
        if not os.path.exists(userdata):
            self.error(u'Steam doesn\'t have a userdata directory.')
            return
        # Now look for Galcon Fusion in every user
        for f in os.listdir(userdata):
            filepath = os.path.join(userdata, string_to_unicode(f), u'44200\\remote\\galcon.cfg')
            if not os.path.exists(filepath):
                continue
            # If we're here we should have a Galcon Fusion file
            with open(filepath, mode='rb') as cfgfile:
                # We've found a config file, now extract the creds
                data = cfgfile.read()
                # Fixed-offset fields: bytes 4..0x22 and 0x24..0x42. Nothing
                # here checks that the file is long enough; a short file
                # simply yields truncated slices.
                creds.append({
                    'Login': data[4:0x23],
                    'Password': data[0x24:0x43]
                })
    return creds
def run(self):
    """Decrypt Internet Explorer IntelliForms entries using URLs from the history.

    Skipped on OS versions above 6.1 (Windows 7), where the data lives in
    the Vault instead. Otherwise each value under
    HKCU\\...\\Internet Explorer\\IntelliForms\\Storage2 is matched against
    the hashes returned by ``self.get_hash_table()``; on a match the value
    data is passed to ``self.decipher_password`` with the corresponding URL.

    Returns:
        list: the concatenated results of ``decipher_password``; empty when
        the key cannot be opened. ``None`` on the early OS-version exit.
    """
    # win.get_os_version() is assumed to yield an NT "major.minor" string;
    # 6.1 is Windows 7.
    if float(win.get_os_version()) > 6.1:
        self.debug(u'Internet Explorer passwords are stored in Vault (check vault module)')
        return
    pwd_found = []
    try:
        hkey = win.OpenKey(win.HKEY_CURRENT_USER, 'Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2')
    except Exception:
        # Key missing/unreadable: log and fall through to return [].
        self.debug(traceback.format_exc())
    else:
        nb_site = 0
        nb_pass_found = 0
        # retrieve the urls from the history
        # Each entry is indexed as (url, hash) below: h[0] is the URL passed
        # to decipher_password, h[1] the lower-case hash compared against
        # the value name.
        hash_tables = self.get_hash_table()
        # [1] = number of values under Storage2.
        num = winreg.QueryInfoKey(hkey)[1]
        for x in range(0, num):
            # EnumValue -> (name, data, type).
            k = winreg.EnumValue(hkey, x)
            if k:
                nb_site += 1
                for h in hash_tables:
                    # both hash are similar, we can decipher the password
                    # Only the first 40 characters of the value name are compared.
                    if h[1] == k[0][:40].lower():
                        nb_pass_found += 1
                        cipher_text = k[1]
                        # decipher_password must return a list (extends pwd_found).
                        pwd_found += self.decipher_password(cipher_text, h[0])
                        break
        winreg.CloseKey(hkey)
        # manage errors
        # Every Storage2 value without a matching history hash is reported
        # as an undecrypted entry.
        if nb_site > nb_pass_found:
            self.error(u'%s hashes have not been decrypted, the associate website used to decrypt the '
                       u'passwords has not been found' % str(nb_site - nb_pass_found))
    return pwd_found