def get_modules(): moduleNames = [ ApacheDirectoryStudio(), Autologon(), Dbvisualizer(), Chrome(), CSE(), CoreFTP(), Cyberduck(), Filezilla(), FtpNavigator(), GalconFusion(), GitForWindows(), IE(), Jitsi(), KalypsoMedia(), MavenRepositories(), MemoryDump(), # retrieve browers and keepass passwords Keepass(), # should be launched after memory dump Mozilla(), Composer(), Credman(), OpenSSHForWindows(), Opera(), Outlook(), Pidgin(), Puttycm(), RDPManager(), Robomongo(), RoguesTale(), Tortoise(), Skype(), SQLDeveloper(), Squirrel(), Turba(), Unattended(), Vault(), Wifi(), WinSCP(), Cachedump(), Hashdump(), LSASecrets() ] return moduleNames
def get_modules(): moduleNames = [ # Browser Chrome(), Mozilla(), Opera(), CocCoc(), # Chats Pidgin(), # Databases Dbvisualizer(), Robomongo(), SQLDeveloper(), Squirrel(), # SVN Tortoise(), # Sysadmin ApacheDirectoryStudio(), Filezilla(), FtpNavigator(), Unattended(), # Wifi Wifi(), # Windows DPAPIHash(), Cachedump(), Credman(), Vault(), Hashdump(), LSASecrets(), Sysvault() ] return moduleNames
def get_modules(): module_names = [ # Browser IE(), UCBrowser(), # Chats Pidgin(), Skype(), PSI(), # Databases Dbvisualizer(), Squirrel(), SQLDeveloper(), Robomongo(), PostgreSQL(), # games KalypsoMedia(), GalconFusion(), RoguesTale(), Turba(), # Git GitForWindows(), # Mails Outlook(), Thunderbird(), # Maven MavenRepositories(), # Memory MemoryDump(), # retrieve browsers and keepass passwords Keepass(), # should be launched after memory dump # Php Composer(), # SVN Tortoise(), # Sysadmin ApacheDirectoryStudio(), CoreFTP(), Cyberduck(), Filezilla(), FtpNavigator(), Puttycm(), OpenSSHForWindows(), RDPManager(), Unattended(), WinSCP(), # Wifi Wifi(), # Windows Autologon(), Cachedump(), Credman(), Hashdump(), LSASecrets(), Vault(), WindowsPassword(), CredFiles(), ] return module_names + chromium_browsers + firefox_browsers
def _export_credentials(self, db_path, is_yandex=False, master_key=None): """ Export credentials from the given database :param unicode db_path: database path :return: list of credentials :rtype: tuple """ credentials = [] yandex_enckey = None if is_yandex: try: credman_passwords = Credman().run() for credman_password in credman_passwords: if b'Yandex' in credman_password.get('URL', b''): if credman_password.get('Password'): yandex_enckey = credman_password.get('Password') self.info('EncKey found: {encKey}'.format( encKey=repr(yandex_enckey))) except Exception: self.debug(traceback.format_exc()) # Passwords could not be decrypted without encKey self.info('EncKey has not been retrieved') return [] try: conn = sqlite3.connect(db_path) cursor = conn.cursor() cursor.execute(self.database_query) except Exception: self.debug(traceback.format_exc()) return credentials for url, login, password in cursor.fetchall(): try: # Yandex passwords use a masterkey stored on windows credential manager # https://yandex.com/support/browser-passwords-crypto/without-master.html if is_yandex and yandex_enckey: try: try: p = json.loads(str(password)) except Exception: p = json.loads(password) password = base64.b64decode(p['p']) except Exception: # New version does not use json format pass # Passwords are stored using AES-256-GCM algorithm # The key used to encrypt is stored on the credential manager # yandex_enckey: # - 4 bytes should be removed to be 256 bits # - these 4 bytes correspond to the nonce ? # cipher = AES.new(yandex_enckey, AES.MODE_GCM) # plaintext = cipher.decrypt(password) # Failed... else: # Decrypt the Password try: password_bytes = Win32CryptUnprotectData( password, is_current_user=constant.is_current_user, user_dpapi=constant.user_dpapi) except AttributeError: try: password_bytes = Win32CryptUnprotectData( password, is_current_user=constant.is_current_user, user_dpapi=constant.user_dpapi) except: password_bytes = None if password_bytes is not None: password = password_bytes.decode("utf-8") elif master_key: password = self._decrypt_v80(password, master_key) if not url and not login and not password: continue credentials.append((url, login, password)) except Exception: self.debug(traceback.format_exc()) conn.close() return credentials
def _export_credentials(self, db_path, is_yandex=False): """ Export credentials from the given database :param unicode db_path: database path :return: list of credentials :rtype: tuple """ credentials = [] yandex_enckey = None if is_yandex: try: credman_passwords = Credman().run() for credman_password in credman_passwords: if b'Yandex' in credman_password.get('URL', b''): if credman_password.get('Password'): yandex_enckey = credman_password.get('Password') self.info('EncKey found: {encKey}'.format( encKey=repr(yandex_enckey))) except Exception: self.debug(traceback.format_exc()) # Passwords could not be decrypted without encKey self.info('EncKey has not been retrieved') return [] try: conn = sqlite3.connect(db_path) cursor = conn.cursor() cursor.execute(self.database_query) except Exception: self.debug(traceback.format_exc()) return credentials for url, login, password in cursor.fetchall(): try: # Yandex passwords use a masterkey stored on windows credential manager # https://yandex.com/support/browser-passwords-crypto/without-master.html if is_yandex and yandex_enckey: try: p = json.loads(str(password)) except Exception: p = json.loads(password) password = base64.b64decode(p['p']) # Passwords are stored using AES-256-GCM algorithm # The key used to encrypt is stored on the credential manager # from cryptography.hazmat.primitives.ciphers.aead import AESGCM # aesgcm = AESGCM(yandex_enckey) # Failed... else: # Decrypt the Password password = Win32CryptUnprotectData( password, is_current_user=constant.is_current_user, user_dpapi=constant.user_dpapi) if not url and not login and not password: continue credentials.append((url, login, password)) except Exception: self.debug(traceback.format_exc()) conn.close() return credentials