Esempio n. 1
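    def test_unpickle_pickle(self):
        """Round-trip a MasterKeyPool through pickle()/unpickle().

        A pool holding the fixture master key blob is serialized and
        restored; both pools must then return the same, non-empty set of
        master keys for the fixture GUID.

        NOTE(review): the method names suggest the pool is serialized with
        Python's pickle module. If so, unpickle() must only be given data
        this process (or an equally trusted one) produced, because loading
        a pickle runs code chosen by whoever wrote it. Confirm against the
        masterkey module.
        """
        self.maxDiff = None  # do not truncate the repr diff on failure
        mkp = masterkey.MasterKeyPool()
        mkp.addMasterKey(self.mkeyblob)
        mkp2 = masterkey.MasterKeyPool.unpickle(data=mkp.pickle())

        original = mkp.getMasterKeys(self.mk.guid)
        restored = mkp2.getMasterKeys(self.mk.guid)

        # assertEquals/assertNotEquals are deprecated aliases (removed in
        # Python 3.12); the canonical names exist on Python 2.7 as well.
        self.assertNotEqual(len(original), 0)
        self.assertNotEqual(len(restored), 0)
        self.assertEqual(len(original), len(restored))
        self.assertEqual(repr(original), repr(restored))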
Esempio n. 2
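    def test_unpickle_pickle_decrypted(self):
        """Round-trip a pool whose master key was unlocked before pickling.

        Same check as the plain round-trip, except that try_credential()
        is called with the fixture SID and password first, so the
        serialized pool is compared in its post-credential state.

        NOTE(review): if pickle() preserves decrypted key material, the
        serialized pool is as sensitive as the user's password and should
        be stored accordingly. With maxDiff disabled, a failing repr
        comparison may also print that material to the test log. Keep the
        fixture synthetic; confirm what repr() exposes.
        """
        self.maxDiff = None  # do not truncate the repr diff on failure
        mkp = masterkey.MasterKeyPool()
        mkp.addMasterKey(self.mkeyblob)
        # The return value is asserted to be 1 below; presumably it counts
        # the master keys the credential unlocked. Verify against masterkey.
        nb = mkp.try_credential(self.sid, self.password)
        mkp2 = masterkey.MasterKeyPool.unpickle(data=mkp.pickle())

        original = mkp.getMasterKeys(self.mk.guid)
        restored = mkp2.getMasterKeys(self.mk.guid)

        # assertEquals/assertNotEquals are deprecated aliases (removed in
        # Python 3.12); the canonical names exist on Python 2.7 as well.
        self.assertEqual(nb, 1)
        self.assertNotEqual(len(original), 0)
        self.assertNotEqual(len(restored), 0)
        self.assertEqual(len(original), len(restored))
        self.assertEqual(repr(original), repr(restored))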
Esempio n. 3
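    def main(self, myPath, mkpDir, sid, password):
        """Recover saved Chrome logins from a collected user profile.

        Args:
            myPath: base directory of the collected artefacts; the login
                database is expected at myPath + "/chrome/" + chromeLoginFile.
            mkpDir: directory holding the user's DPAPI master key files.
            sid: SID of the profile owner, passed through to getChromePass.
            password: the profile owner's logon password (text).

        Returns:
            Whatever getChromePass returns, or None if any step raised.
        """
        print("-- Getting chrome passwords")
        try:
            database = [myPath + "/chrome/" + chromeLoginFile]

            mkp = masterkey.MasterKeyPool()
            mkp.loadDirectory(mkpDir)

            # SHA-1 over the UTF-16LE password is the input DPAPI itself
            # uses for local accounts; it is fixed by the format, not a
            # password-storage choice. digest() yields the same raw bytes
            # as the former hexdigest().decode('hex') round trip without
            # relying on the Python-2-only 'hex' codec.
            # The result is password-equivalent for DPAPI purposes: do not
            # log or persist it.
            passHash = hashlib.sha1(password.encode("UTF-16LE")).digest()

            return self.getChromePass(database, mkp, sid, passHash)
        except Exception as e:
            # Deliberate best-effort boundary: report the failure and let
            # the caller continue with the other collectors.
            print(e)
            return None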
Esempio n. 4
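    def getwifipassword(self, systemhive, securityhive, masterkeydir,
                        profiledirectory):
        """
        getwifipassword returns all wifi passwords located at X:/ProgramData/Microsoft/Wlansvc

        Args:
            systemhive: path to the SYSTEM registry hive.
            securityhive: path to the SECURITY registry hive.
            masterkeydir: directory holding the system DPAPI master keys.
            profiledirectory: directory tree containing the WLAN profile
                XML files; it is walked recursively.

        Returns:
            dict mapping each profile name to its decrypted key, or to the
            string '<not decrypted>' when no master key could unlock it.

        Files without a <name> element or without hex-encoded
        <keyMaterial> are skipped.
        """
        reg = registry.Regedit()
        secrets = reg.get_lsa_secrets(securityhive, systemhive)
        # Raises TypeError if the hives carry no DPAPI_SYSTEM secret.
        dpapi_system = secrets.get('DPAPI_SYSTEM')['CurrVal']

        mkp = masterkey.MasterKeyPool()
        mkp.loadDirectory(masterkeydir)
        mkp.addSystemCredential(dpapi_system)
        # No user SID/hash is supplied; presumably this makes the pool try
        # the system credential added above. Verify against masterkey.
        mkp.try_credential_hash(None, None)

        finalpass = dict()

        for root, _, files in os.walk(profiledirectory):
            for filename in files:
                filepath = os.path.join(root, filename)
                with open(filepath, 'r') as f:
                    file_data = f.read().replace('\x0a', '').replace('\x0d', '')

                name_match = re.search('<name>([^<]+)</name>', file_data)
                if not name_match:
                    # Not a WLAN profile; previously this raised
                    # AttributeError and aborted the whole walk.
                    continue
                wifi_name = name_match.group(1)

                # Only upper-case hex key material (a DPAPI blob) matches.
                key_material_re = re.search(
                    '<keyMaterial>([0-9A-F]+)</keyMaterial>', file_data)
                if not key_material_re:
                    continue
                wblob = blob.DPAPIBlob(key_material_re.group(1).decode('hex'))

                wifi_pwd = '<not decrypted>'
                for mk in mkp.getMasterKeys(wblob.mkguid):
                    if mk.decrypted:
                        wblob.decrypt(mk.get_key())
                        if wblob.decrypted:
                            wifi_pwd = wblob.cleartext
                        # Only the first unlocked master key is tried.
                        break

                # NOTE(review): cleartext keys are written to stdout here
                # and again below; anything capturing stdout (CI logs,
                # terminal scrollback, redirected files) will retain them.
                print('Wifi:{} Password:{}'.format(wifi_name, wifi_pwd))
                finalpass[wifi_name] = wifi_pwd
        print(finalpass)
        return finalpass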
Esempio n. 5
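    def getOutlookPassword(self, mkpDir, sid, credHist, ntUser, userPassword):
        """Recover the stored Outlook account password from an NTUSER hive.

        Args:
            mkpDir: directory holding the user's DPAPI master key files.
            sid: SID of the profile owner.
            credHist: path to the user's CREDHIST file.
            ntUser: path to the user's NTUSER.DAT registry hive.
            userPassword: the profile owner's logon password.

        Returns:
            {<class name>: {'user': ..., 'password': ...}}. 'password' is
            an empty string when no master key could decrypt the blob. The
            inner dict is empty when the hive holds no account with an
            "IMAP Password" or "POP3 Password" value.
        """
        dic = {}

        mkp = masterkey.MasterKeyPool()
        mkp.loadDirectory(mkpDir)
        mkp.addCredhistFile(sid, credHist)
        mkp.try_credential(sid, userPassword)  # Credential of the USER

        username = None
        password = None
        # Open the registry
        with open(ntUser, 'rb') as f:
            r = registry.Registry.Registry(f)
            # Account settings of the profile named "Outlook" under the
            # Office 15.0 key; other versions or profile names are not
            # searched.
            directory = r.open(
                'Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676'
            )
            for reg in directory.subkeys():  # 000001 000002 000003.....
                for regvalue in reg.values():
                    value_name = regvalue.name()
                    # IMAP and POP3 accounts store the blob under
                    # different value names; take whichever comes first.
                    if value_name in ("IMAP Password", "POP3 Password"):
                        username = reg.value('Email').value()
                        password = reg.value(value_name).value()
                        break
                # No break here: if several accounts carry a password, the
                # last one wins, as before.

        if username is None or password is None:
            # Previously this path raised (unbound name / list has no
            # encode); report "nothing found" instead.
            return {self.__class__.__name__: dic}

        # The value holds NUL-padded text; dropping the NUL bytes recovers
        # it (presumably UTF-16LE, so only ASCII survives this; confirm).
        dic['user'] = username.replace('\x00', '')

        # The registry value carries one leading byte before the DPAPI
        # blob. Parse the rest directly from memory: the former round trip
        # through a file named "blob" in the current directory left
        # sensitive data on disk if anything raised before cleanup, used a
        # predictable path, and opened the file in text mode.
        blob1 = blob.DPAPIBlob(password[1:])

        finalpassword = ''
        for mk in mkp.getMasterKeys(blob1.mkguid):
            if not mk.decrypted:
                continue
            blob1.decrypt(mk.get_key())
            if blob1.decrypted:
                finalpassword = blob1.cleartext.replace('\x00', '')
                # Stop at the first success; continuing used to append the
                # cleartext once per additional unlocked master key.
                break
        dic['password'] = finalpassword
        return {self.__class__.__name__: dic}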
Esempio n. 6
    parser.add_option('--sid', metavar='SID', dest='sid')
    parser.add_option('--masterkey', metavar='DIRECTORY', dest='masterkeydir')
    parser.add_option('--credhist', metavar='FILE', dest='credhist')
    parser.add_option('--password', metavar='PASSWORD', dest='password')
    parser.add_option('--pwdhash', metavar='HASH', dest='pwdhash')
    parser.add_option('--sysmkdir', metavar='DIRECTORY', dest='sysmkdir')
    parser.add_option('--system', metavar='HIVE', dest='system')
    parser.add_option('--security', metavar='HIVE', dest='security')

    (options, args) = parser.parse_args()

    check_parameters(options, args)

    umkp = None
    if options.masterkeydir:
        umkp = masterkey.MasterKeyPool()
        umkp.loadDirectory(options.masterkeydir)
        if options.credhist:
            umkp.addCredhistFile(options.sid, options.credhist)
        if options.password:
            umkp.try_credential(options.sid, options.password)
        elif options.pwdhash:
            umkp.try_credential_hash(
                options.sid, options.pwdhash.decode('hex'))

    smkp = None
    if options.sysmkdir and options.system and options.security:
        reg = registry.Regedit()
        secrets = reg.get_lsa_secrets(options.security, options.system)
        dpapi_system = secrets.get('DPAPI_SYSTEM')['CurrVal']
        smkp = masterkey.MasterKeyPool()