def get_creds(self):
    """Enumerate the calling user's Windows Credential Manager entries.

    Calls ``win32cred.CredEnumerate(None, 0)``: no target-name filter and
    no flags.  Every failure is reduced to ``None``, so the caller cannot
    tell "nothing stored" apart from "call refused in this session".

    Returns:
        Whatever ``CredEnumerate`` returns, or ``None`` if the call raised.
        Entries may carry secret material (``CredentialBlob``), so the
        return value should be treated as sensitive and kept out of logs.
    """
    try:
        return win32cred.CredEnumerate(None, 0)
    except Exception:
        # The original left only a commented-out ``print e`` here; the
        # error detail is deliberately dropped.
        return None
def get_creds(self):
    """Enumerate the calling user's Windows Credential Manager entries.

    Thin wrapper around ``win32cred.CredEnumerate(None, 0)`` (no filter,
    no flags).  A failure is reported through ``print_debug`` at the
    ``'DEBUG'`` level and then turned into ``None``.

    Returns:
        Whatever ``CredEnumerate`` returns, or ``None`` if the call raised.
        Entries may carry secret material (``CredentialBlob``), so the
        return value should be treated as sensitive.
    """
    try:
        return win32cred.CredEnumerate(None, 0)
    except Exception as err:
        # Only the exception text is logged; no credential data is involved
        # on this path.
        print_debug('DEBUG', '{0}'.format(err))
    return None
def get_credman_creds(quiet=0):
    """Enumerate the calling user's Windows Credential Manager entries.

    Calls ``win32cred.CredEnumerate(None, 0)`` and explains the three
    Win32 failures handled here in plain language.

    Args:
        quiet: When truthy, failures are not printed.

    Returns:
        Whatever ``CredEnumerate`` returns, or ``None`` when the call
        raised ``pywintypes.error``.  Any other exception propagates.
    """
    try:
        return win32cred.CredEnumerate(None, 0)
    except pywintypes.error as e:
        if quiet:
            return None

        # Win32 error code -> operator-facing explanation.
        # 1004 = ERROR_INVALID_FLAGS, 1168 = ERROR_NOT_FOUND,
        # 1312 = ERROR_NO_SUCH_LOGON_SESSION.
        explanations = {
            1004: "[E] Call to CredEnumerate failed: Invalid flags. This doesn't work on XP/2003.",
            1168: "[E] Call to CredEnumerate failed: Element not found. No credentials stored for this user. Run as normal user, not SYSTEM.",
            1312: "[E] Call to CredEnumerate failed: No such login session. Only works for proper login session - not network logons.",
        }
        code = e[0]
        if code in explanations:
            print(explanations[code])
        else:
            # Third element of the error is used as the message text.
            print("[E] Call to CredEnumerate failed: %s" % e[2])
        return None
def run(self):
    """Collect stored credentials of selected types from Credential Manager.

    Enumerates the calling user's credential set with
    ``win32cred.CredEnumerate(None, 0)`` and keeps entries whose ``Type``
    is generic, domain certificate or domain visible password.

    Returns:
        A list of dicts with the keys ``'URL'`` (target name), ``'Login'``
        (user name), ``'Password'`` (the credential blob as bytes) and
        ``'LastWritten'`` (stringified timestamp).  The list holds secret
        material and should not be logged or persisted as-is.

    No exception is caught here; a failing ``CredEnumerate`` propagates.
    """
    # Windows XP note kept from the original: blobs there are protected with
    # an entropy value that depends on the credential type --
    #   entropy = 'abe2869f-9b47-4cd9-a358-c22904dba7f7\\0'  # CRED_TYPE_GENERIC
    #   entropy = '82BD0E67-9FEA-4748-8672-D5EFE5B779B0\\0'  # CRED_TYPE_DOMAIN_VISIBLE_PASSWORD
    #   CryptUnprotectData(byref(blobIn), None, byref(blobEntropy), None, None,
    #                      CRYPTPROTECT_UI_FORBIDDEN, byref(blobOut))
    # That path, and an earlier ctypes loop over CredEnumerate/CredFree that
    # skipped blobs of 200 bytes or more, is not executed by this method.
    wanted_types = (
        win32cred.CRED_TYPE_GENERIC,
        win32cred.CRED_TYPE_DOMAIN_CERTIFICATE,
        win32cred.CRED_TYPE_DOMAIN_VISIBLE_PASSWORD,
    )

    pwd_found = []
    for entry in win32cred.CredEnumerate(None, 0):
        if entry["Type"] not in wanted_types:
            continue

        blob = entry['CredentialBlob']
        # NOTE(review): presumably aimed at UTF-16 encoded blobs; stripping
        # every NUL byte is lossy for non-ASCII text -- confirm intent.
        if blob.endswith(b"\x00\x00\x00"):
            blob = blob.replace(b'\x00', b'')

        record = {
            'URL': entry['TargetName'],
            'Login': entry['UserName'],
            'Password': blob,
            'LastWritten': str(entry['LastWritten'])
        }
        pwd_found.append(record)

    return pwd_found
def get_creds(self):
    """Enumerate the calling user's Windows Credential Manager entries.

    Calls ``win32cred.CredEnumerate(None, 0)`` (no filter, no flags) and
    converts any failure into ``None``.

    Returns:
        Whatever ``CredEnumerate`` returns, or ``None`` if the call raised.
        Entries may carry secret material (``CredentialBlob``), so the
        return value should be treated as sensitive.
    """
    found = None
    try:
        found = win32cred.CredEnumerate(None, 0)
    except:
        # NOTE(review): the bare except is kept from the original; it also
        # swallows KeyboardInterrupt and SystemExit, and hides the Win32
        # error code that would explain why enumeration failed.
        pass
    return found
import win32process
import win32event
import pywintypes
import win32security
import win32api
import win32con
import ntsecuritycon
import win32cred
from binascii import hexlify
import sys

# Author's notes on the registry-stored (Internet Explorer) credentials,
# which this script does not implement:
#   - the URL of each stored credential is hashed in the REGISTRY; the URLs
#     themselves are in the Internet history
#   - Open Internet History -
#     C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files
#   - hash each URL
#   - check to see if any creds have been stored

# Windows Credential Manager:
# Win32 error code -> explanation (1004 = ERROR_INVALID_FLAGS,
# 1168 = ERROR_NOT_FOUND, 1312 = ERROR_NO_SUCH_LOGON_SESSION).
CRED_ENUMERATE_ERRORS = {
    1004: "[E] Call to CredEnumerate failed: Invalid flags. This doesn't work on XP/2003.",
    1168: "[E] Call to CredEnumerate failed: Element not found. No credentials stored for this user. Run as normal user, not SYSTEM.",
    1312: "[E] Call to CredEnumerate failed: No such login session. Only works for proper login session - not network logons.",
}

try:
    creds = win32cred.CredEnumerate(None, 0)
    # The enumeration result is written to stdout unfiltered, including any
    # CredentialBlob values, so the output itself is sensitive.
    print(creds)
except pywintypes.error as e:
    message = CRED_ENUMERATE_ERRORS.get(e[0])
    if message is None:
        # Unrecognised code: fall back to the error's own message text.
        message = "[E] Call to CredEnumerate failed: %s" % e[2]
    print(message)
def ie_decrypt(self):
    """Print credentials read from the Windows vault and Credential Manager.

    Two lookups run in sequence inside a single try block:

    1. A PowerShell script is passed to ``powershell.exe``.  It uses the
       WinRT ``PasswordVault`` type and writes user name, password and
       resource for each entry, delimited by the ``......``, ``######`` and
       ``_________`` markers that the parsing loop splits on.
    2. ``win32cred.CredEnumerate`` lists stored credentials and each target
       is re-read with ``CredRead`` as ``CRED_TYPE_GENERIC``.

    Results are printed to stdout in plaintext, not returned; the method
    returns ``None``.  Any exception raised anywhere in the body is
    discarded by the outer handler, so a failure produces no output at all.

    NOTE(review): the statement nesting below is reconstructed, because the
    page shows this function without its original line breaks.
    """
    try:
        # Script text is reproduced exactly as it appears on this page, where
        # its line breaks have been collapsed into spaces.
        cmdline = ''' try { #Load the WinRT projection for the PasswordVault $Script:vaultType = [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $Script:vault = new-object Windows.Security.Credentials.PasswordVault -ErrorAction silentlycontinue } catch { throw "This module relies on functionality provided in Windows 8 or Windows 2012 and above." } #endregion function Get-VaultCredential { process { try { &{ $Script:vault.RetrieveAll() } | foreach-Object { $_.RetrievePassword() ; "Username......";$_.UserName;"######";"Password......";$_.Password;"######";"Website......";$_.Resource;"_________" } } catch { Write-Error -ErrorRecord $_ -RecommendedAction "Check your search input - user: $UserName resource: $Resource" } } end { Write-Debug "[$cmdName] Exiting function" } } Get-VaultCredential '''
        command = ['powershell.exe', '/c', cmdline]
        info = subprocess.STARTUPINFO()
        # NOTE(review): `sub` is not defined in the visible code; if the
        # module does not define it either, the NameError is swallowed by
        # the outer handler and nothing below this line runs.
        info.dwFlags = sub.STARTF_USESHOWWINDOW | sub.CREATE_NEW_PROCESS_GROUP
        info.wShowWindow = sub.SW_HIDE
        # The child is started with a hidden window and stderr merged into
        # the captured stdout.  For defenders, the observable behaviour is a
        # Python parent spawning powershell.exe whose command line references
        # Windows.Security.Credentials.PasswordVault.
        p = subprocess.Popen(command, startupinfo=info, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, universal_newlines=True)
        results, _ = p.communicate()
        passwords = []
        # Newlines are removed first, so records are delimited only by the
        # '_________' marker and fields by '######'.
        for result in results.replace('\n', '').split('_________'):
            values = {}
            if result:
                for res in result.split('######'):
                    # Each field is "<label>......<value>"; a field without
                    # the '......' separator raises IndexError here, which
                    # the outer handler discards.
                    values[res.split('......')[0]] = res.split('......')[1]
                passwords.append(values)
        # Plaintext passwords are written to stdout.
        print "Get common credentials for windows vault :" + "\n" + str( passwords)
        CRED_TYPE_GENERIC = win32cred.CRED_TYPE_GENERIC
        CredRead = win32cred.CredRead
        creds = win32cred.CredEnumerate(None, 0)  # Enumerate credentials
        credentials = []
        for package in creds:
            try:
                target = package['TargetName']
                # `creds` is rebound here while the loop is still iterating
                # the original enumeration result.
                creds = CredRead(target, CRED_TYPE_GENERIC)
                credentials.append(creds)
            except Exception:
                # Targets that cannot be read as CRED_TYPE_GENERIC are
                # skipped without any record of the failure.
                pass
        values_ = {}
        for cred in credentials:
            # NOTE(review): one dict is reused for every credential, so with
            # the nesting reconstructed here only the last entry's fields
            # survive to the print below -- confirm against the upstream file.
            values_['service'] = cred['TargetName']
            values_['UserName'] = cred['UserName']
            # The blob is decoded as UTF-16 text.
            values_['pwd'] = cred['CredentialBlob'].decode('utf16')
        # Plaintext password is written to stdout.
        print "Get windows vault web credentials :" + "\n" + str(values_)
    except Exception:
        # Every error in the whole routine ends here with no logging.
        pass