def run(self, software_name=None):
    """Read the saved SQuirreL SQL aliases from ``SQLAliases23.xml``.

    Each ``<Bean>`` element becomes a dict with whichever of the keys
    Name, URL, Login and Password its child tags provide. The file is read
    as-is: no decoding or decryption is applied to the password element.

    Returns the list of dicts, or None when the application path or the
    alias file does not exist.
    """
    # Child tag -> output key; any other child tag is ignored.
    tag_to_key = {
        'name': 'Name',
        'url': 'URL',
        'userName': 'Login',
        'password': 'Password',
    }

    path = build_path(software_name)
    if not path:
        return None

    xml_file = os.path.join(path, u'SQLAliases23.xml')
    if not os.path.exists(xml_file):
        return None

    tree = ET.ElementTree(file=xml_file)
    pwdFound = []
    for bean in tree.iter('Bean'):
        values = {}
        for child in bean:
            key = tag_to_key.get(child.tag)
            if key is not None:
                values[key] = child.text
        if values:
            pwdFound.append(values)
    return pwdFound
def run(self, software_name=None):
    """Collect the FileZilla site entries saved under the application path.

    ``sitemanager.xml``, ``recentservers.xml`` and ``filezilla.xml`` are
    read in turn; every ``<Server>`` found under ``Servers/`` (or, failing
    that, ``RecentServers/``) that carries Host, Port and User becomes a
    dict. A ``<Pass>`` element is added as Password: base64-decoded when
    its ``encoding`` attribute says so, otherwise verbatim -- the file
    only encodes passwords, it does not encrypt them.

    Returns the list of dicts, or None when the application path is not
    found.
    """
    path = build_path(software_name)
    if path:
        pwdFound = []
        for file in [u'sitemanager.xml', u'recentservers.xml', u'filezilla.xml']:
            xml_file = os.path.join(path, file)
            if os.path.exists(xml_file):
                tree = ET.ElementTree(file=xml_file)
                # Site-manager style files keep entries under Servers/,
                # the recent-servers file under RecentServers/.
                servers = tree.findall('Servers/Server') if tree.findall('Servers/Server') else tree.findall('RecentServers/Server')
                for server in servers:
                    host = server.find('Host')
                    port = server.find('Port')
                    login = server.find('User')
                    password = server.find('Pass')
                    # An entry is only reported when host, port and user are all present.
                    if host is not None and port is not None and login is not None:
                        values = {
                            'Host' : host.text,
                            'Port' : port.text,
                            'Login' : login.text,
                        }
                        if password is not None:
                            # encoding="base64" means encoded only, not encrypted.
                            if 'encoding' in password.attrib and password.attrib['encoding'] == 'base64':
                                values['Password'] = base64.b64decode(password.text)
                            else:
                                values['Password'] = password.text
                        pwdFound.append(values)
        return pwdFound
def run(self, software_name=None):
    """Parse the ``Ftplist.txt`` site list found under the application path.

    Each line holds ``key=value`` pairs separated by ';'. Name, Server,
    Port, User and Password are mapped to Name/Host/Port/Login/Password;
    the Password value is passed through ``self.decode`` unless it is the
    literal '0' or '1'. Anonymous logins without a stored password get a
    placeholder Password value.

    Returns the list of dicts, or None when the path or the file does not
    exist.
    """
    path = build_path(software_name)
    if path:
        filepath = os.path.join(path, u'Ftplist.txt')
        if os.path.exists(filepath):
            # NOTE: the handle is never closed explicitly; it relies on
            # garbage collection.
            f = open(filepath, 'r')
            pwdFound = []
            for ff in f.readlines():
                values = {}
                info = ff.split(';')
                for i in info:
                    # i becomes [key, value] -- only the first '=' matters here.
                    i = i.split('=')
                    if i[0] == 'Name':
                        values['Name'] = i[1]
                    if i[0] == 'Server':
                        values['Host'] = i[1]
                    if i[0] == 'Port':
                        values['Port'] = i[1]
                    if i[0] == 'User':
                        values['Login'] = i[1]
                    if i[0] == "Password":
                        # '0' / '1' presumably are flag values rather than a
                        # stored password and are skipped -- TODO confirm.
                        if i[1] != '1' and i[1] != '0':
                            values['Password'] = self.decode(i[1])
                # used to save the password if it is an anonymous authentication
                # (assumes every line carries a User field; KeyError otherwise)
                if values['Login'] == 'anonymous' and 'Password' not in values.keys():
                    values['Password'] = '******'
                pwdFound.append(values)
            return pwdFound
def run(self, software_name=None):
    """Process every browser profile directory under the application path.

    For each profile the cookie and history exports (``self.cookie_enum``
    / ``self.export_history``) are run first. When
    ``self.decrypt_passwords`` is set, the profile's ``Login Data`` SQLite
    database is opened, the ``logins`` table is read and every
    ``password_value`` blob is handed to ``constant.user_dpapi.decrypt_blob``.
    Entries that decrypt to something non-empty are collected as
    ``{'URL', 'Login', 'Password'}``; the others are only counted and
    logged.

    NOTE(review): ``pwdFound`` is filled but no ``return`` appears on the
    visible lines, so as shown the method returns None -- possibly a
    truncated copy; confirm against the original file.
    """
    path = build_path(software_name)
    if path:
        pwdFound = []
        pwdNotDecryptable = 0
        pwdNotSaved = 0
        for profile in os.listdir(path):
            # Cookies Decrypt Methods
            self.cookie_enum(path,profile)
            # History export
            self.export_history(path,profile)
            # Password Methods
            if not self.decrypt_passwords:
                continue
            database_path = os.path.join(path, profile, u'Login Data')
            if not os.path.exists(database_path):
                print_debug('DEBUG', u'User database not found: {database_path}'.format(database_path=database_path))
                continue
            else:
                print_debug('DEBUG', u'User database found: {database_path}'.format(database_path=database_path))
            # Connect to the Database
            try:
                conn = sqlite3.connect(database_path)
                cursor = conn.cursor()
            except Exception,e:
                print_debug('ERROR', u'An error occured opening the database file')
                print_debug('DEBUG', traceback.format_exc())
                continue
            # Get the results
            cursor.execute('SELECT action_url, username_value, password_value, blacklisted_by_user FROM logins')
            for result in cursor.fetchall():
                try:
                    # Decrypt the Password (result[2] is the stored blob)
                    password = constant.user_dpapi.decrypt_blob(result[2])
                    if password:
                        pwdFound.append(
                            {
                                'URL' : result[0],
                                'Login' : result[1],
                                'Password' : password
                            }
                        )
                    else:
                        # Empty result: either a "never save" entry
                        # (blacklisted_by_user) or a blob this key set
                        # could not decrypt.
                        # NOTE(review): ``is 1`` tests identity, not
                        # value; ``== 1`` is the intended comparison.
                        if result[3] is 1:
                            pwdNotSaved += 1
                            print_debug('WARNING', u'Blacklisted by User: Site: {url}'.format(url=result[0]))
                        else:
                            pwdNotDecryptable += 1
                            print_debug('WARNING', u"Couldn't decrypt: Site: {0}, User: {1}".format(result[0],result[1]))
                except Exception,e:
                    print_debug('DEBUG', traceback.format_exc())
            conn.close()
def run(self, software_name=None):
    """Read Subversion auth-cache files under the application path and
    decrypt the cached password of each realm.

    Every file is scanned three times in sequence on the same open handle:
    first for the ``password`` key, then for ``svn:realmstring`` (the URL),
    then for ``username`` -- so the keys are assumed to appear in that order.
    The value is the second line after the key line: ``i`` is set to -3 on
    the key line and incremented once per line, so it reads -1 on that
    line (the skipped line is presumably the format's ``V <len>`` length
    marker -- TODO confirm). The password value is base64 text wrapping a
    DPAPI blob.

    Returns a list of ``{'URL', 'Login', 'Password'}`` dicts, or None when
    the application path is missing.
    """
    path = build_path(software_name)
    if path:
        pwdFound = []
        for root, dirs, files in os.walk(path):
            for name_file in files:
                # NOTE: joined with ``path`` rather than ``root``; the handle
                # is never closed explicitly.
                f = open(os.path.join(path, name_file), 'r')
                url = ''
                username = ''
                result = ''
                i = 0
                # password
                for line in f:
                    if i == -1:
                        result = line.replace('\n', '')
                        break
                    if line.startswith('password'):
                        i = -3
                    i+=1
                i = 0
                # url (continues from where the previous loop stopped)
                for line in f:
                    if i == -1:
                        url = line.replace('\n', '')
                        break
                    if line.startswith('svn:realmstring'):
                        i = -3
                    i+=1
                i = 0
                # username
                for line in f:
                    if i == -1:
                        username = line.replace('\n', '')
                        break
                    if line.startswith('username'):
                        i = -3
                    i+=1
                # Decrypt the password; any failure (bad base64, DPAPI
                # error) silently drops the entry.
                if result:
                    try:
                        password = constant.user_dpapi.decrypt_blob(base64.b64decode(result))
                        pwdFound.append(
                            {
                                'URL' : url,
                                'Login' : username,
                                'Password' : str(password)
                            }
                        )
                    except:
                        pass
        return pwdFound
def run(self, software_name=None): pwdFound = [] # Get the installation path path = build_path(software_name) if path: for profile in os.listdir(path): p = os.path.join(path, profile) print_debug('INFO', u'Profile path found: {profile}'.format(profile=p)) if not os.path.exists(os.path.join(p, 'key3.db')): print_debug('WARNING', u'key3 file not found: {key3_file}'.format(key3_file=self.key3)) continue self.key3 = self.readBsddb(os.path.join(p, u'key3.db')) if not self.key3: continue credentials = self.get_database(p) if credentials: (globalSalt, masterPassword, entrySalt) = self.is_masterpassword_correct() # Find masterpassword if set if not globalSalt: print_debug('WARNING', u'Master Password is used !') masterPassword = self.found_masterpassword() if not masterPassword: continue # Get user secret key key = self.extractSecretKey(globalSalt, masterPassword, entrySalt) # Everything is ready to decrypt password for host, user, passw in credentials: # Login loginASN1 = decoder.decode(b64decode(user)) iv = loginASN1[0][1][1].asOctets() ciphertext = loginASN1[0][2].asOctets() login = DES3.new( key, DES3.MODE_CBC, iv).decrypt(ciphertext) # Password passwdASN1 = decoder.decode(b64decode(passw)) iv = passwdASN1[0][1][1].asOctets() ciphertext = passwdASN1[0][2].asOctets() password = DES3.new( key, DES3.MODE_CBC, iv).decrypt(ciphertext) pwdFound.append( { 'URL' : host, 'Login' : self.remove_padding(login), 'Password' : self.remove_padding(password), } ) return pwdFound
def run(self, software_name=None):
    """Decrypt every credential file under ``<DPAPI>/Roaming/Credentials``.

    ``software_name`` is accepted for interface compatibility but unused:
    the location always comes from ``build_path('DPAPI')``. Each file is
    handed to ``constant.user_dpapi.decrypt_cred``; only non-empty results
    are kept.

    Returns the list of decrypted entries (possibly empty).
    """
    base = build_path('DPAPI')
    if not base:
        return []

    creds_directory = os.path.join(base, u'Roaming', u'Credentials')
    if not os.path.exists(creds_directory):
        return []

    pwdFound = []
    for cred_file in os.listdir(creds_directory):
        decrypted = constant.user_dpapi.decrypt_cred(os.path.join(creds_directory, cred_file))
        if decrypted:
            pwdFound.append(decrypted)
    return pwdFound
def run(self, software_name=None):
    """Collect the database connections saved in DbVisualizer's ``dbvis.xml``.

    For each ``Databases/Database`` element the alias, user id, password
    (decrypted with ``self.decrypt``), driver and the Server/Port/SID URL
    variables are read. Every lookup sits in its own bare ``try/except`` so
    a missing element simply leaves that key out.

    Returns a list of dicts, or None when the path or the file is absent.
    """
    path = build_path(software_name)
    if path:
        xml_file = os.path.join(path, u'dbvis.xml')
        if os.path.exists(xml_file):
            tree = ET.ElementTree(file=xml_file)
            pwdFound = []
            for e in tree.findall('Databases/Database'):
                values = {}
                # Each field is optional: AttributeError from find() -> None
                # is swallowed on purpose.
                try:
                    values['Name'] = e.find('Alias').text
                except:
                    pass
                try:
                    values['Login'] = e.find('Userid').text
                except:
                    pass
                try:
                    ciphered_password = e.find('Password').text
                    password = self.decrypt(ciphered_password)
                    values['Password'] = password
                except:
                    pass
                try:
                    values['Driver'] = e.find('UrlVariables//Driver').text.strip()
                except:
                    pass
                try:
                    # Host/Port/SID are UrlVariable children keyed by the
                    # UrlVariableName attribute.
                    # NOTE: Element.getchildren() was removed in Python 3.9;
                    # iterating the element directly is the portable form.
                    elem = e.find('UrlVariables')
                    for ee in elem.getchildren():
                        for ele in ee.getchildren():
                            if 'Server' == ele.attrib['UrlVariableName']:
                                values['Host'] = str(ele.text)
                            if 'Port' == ele.attrib['UrlVariableName']:
                                values['Port'] = str(ele.text)
                            if 'SID' == ele.attrib['UrlVariableName']:
                                values['SID'] = str(ele.text)
                except:
                    pass
                if values:
                    pwdFound.append(values)
            return pwdFound
def run(self, software_name=None):
    """Dump the local account hashes from offline copies of the SYSTEM and
    SAM hives found under the ``Hives`` path.

    ``software_name`` is accepted for interface compatibility but unused.
    Returns ``['__Hashdump__', hashes]`` when ``dump_file_hashes`` produced
    something, otherwise an empty list.
    """
    hive_dir = build_path('Hives')
    if not hive_dir:
        return []

    system_hive = os.path.join(hive_dir, 'SYSTEM')
    sam_hive = os.path.join(hive_dir, 'SAM')
    if not (os.path.exists(system_hive) and os.path.exists(sam_hive)):
        return []

    hashes = dump_file_hashes(system_hive, sam_hive)
    return ['__Hashdump__', hashes] if hashes else []
def run(self, software_name=None):
    """Extract the LSA secrets from offline copies of the SYSTEM and
    SECURITY hives found under the ``Hives`` path.

    ``software_name`` is accepted for interface compatibility but unused.
    Both hives must exist and be regular files. Returns
    ``['__LSASecrets__', secrets]`` when ``get_file_secrets`` produced
    something, otherwise an empty list.
    """
    hive_dir = build_path('Hives')
    if not hive_dir:
        return []

    system_hive = os.path.join(hive_dir, 'SYSTEM')
    security_hive = os.path.join(hive_dir, 'SECURITY')
    for hive in (system_hive, security_hive):
        if not (os.path.exists(hive) and os.path.isfile(hive)):
            return []

    secrets = get_file_secrets(system_hive, security_hive, True)
    return ['__LSASecrets__', secrets] if secrets else []
def run(self, software_name=None):
    """Dump the ``__MSCache__``-tagged hashes from offline copies of the
    SYSTEM and SECURITY hives found under the ``Hives`` path.

    ``software_name`` is accepted for interface compatibility but unused.
    Both hives must exist and be regular files; ``dump_file_hashes`` is
    called with its third argument set to True. Returns
    ``['__MSCache__', hashes]`` when something was produced, otherwise an
    empty list.
    """
    hive_dir = build_path('Hives')
    if not hive_dir:
        return []

    system_hive = os.path.join(hive_dir, 'SYSTEM')
    security_hive = os.path.join(hive_dir, 'SECURITY')
    for hive in (system_hive, security_hive):
        if not (os.path.exists(hive) and os.path.isfile(hive)):
            return []

    hashes = dump_file_hashes(system_hive, security_hive, True)
    return ['__MSCache__', hashes] if hashes else []
def run(self, software_name=None):
    """Extract all connection credentials.

    Candidate files are tried in two passes over ``self.paths``: first
    ``<path>/<filename>`` for every entry, then
    ``<path>/<directory>/<filename>``. The first candidate that exists is
    parsed with ``self.parse_json`` and its result returned.

    :return: List of dict, one dict per connection; None when the
        application path is unknown or no candidate file exists.
    """
    path = build_path(software_name)
    if not path:
        return None

    # Generators keep the lookups lazy: later entries are only touched when
    # the earlier candidates did not exist.
    flat_candidates = (os.path.join(path, entry['filename']) for entry in self.paths)
    nested_candidates = (os.path.join(path, entry['directory'], entry['filename']) for entry in self.paths)
    for group in (flat_candidates, nested_candidates):
        for candidate in group:
            if os.path.exists(candidate):
                return self.parse_json(candidate)
    return None
def run(self, software_name=None):
    """Decrypt the saved logins of every profile's ``Login Data`` database
    under the application path.

    For each profile directory the SQLite database is opened, the
    ``logins`` table is read and every ``password_value`` blob is handed to
    ``constant.user_dpapi.decrypt_blob``; entries that decrypt to something
    non-empty are collected as ``{'URL', 'Login', 'Password'}``. Database
    open errors and per-row failures are logged and skipped.

    NOTE(review): ``pwdFound`` is filled but no ``return`` appears on the
    visible lines, so as shown the method returns None -- possibly a
    truncated copy; confirm against the original file.
    """
    path = build_path(software_name)
    if path:
        pwdFound = []
        for profile in os.listdir(path):
            database_path = os.path.join(path, profile, u'Login Data')
            if not os.path.exists(database_path):
                print_debug(
                    'DEBUG',
                    u'User database not found: {database_path}'.format(
                        database_path=database_path))
                continue
            else:
                print_debug(
                    'DEBUG',
                    u'User database found: {database_path}'.format(
                        database_path=database_path))
            # Connect to the Database
            try:
                conn = sqlite3.connect(database_path)
                cursor = conn.cursor()
            except Exception, e:
                print_debug('ERROR', u'An error occured opening the database file')
                print_debug('DEBUG', traceback.format_exc())
                continue
            # Get the results
            cursor.execute(
                'SELECT action_url, username_value, password_value FROM logins'
            )
            for result in cursor.fetchall():
                try:
                    # Decrypt the Password (result[2] is the stored blob)
                    password = constant.user_dpapi.decrypt_blob(result[2])
                    if password:
                        pwdFound.append({
                            'URL': result[0],
                            'Login': result[1],
                            'Password': password
                        })
                except Exception, e:
                    print_debug('DEBUG', traceback.format_exc())
            conn.close()
def run(self, software_name=None):
    """Decrypt every vault directory found under the ``Vault_system`` path.

    ``software_name`` is accepted for interface compatibility but unused.
    The already-initialised ``constant.user_dpapi`` is reused when set,
    otherwise a fresh ``Decrypt_DPAPI`` is built. Each sub-directory goes
    through ``decrypt_system_vault``; a failure on one vault is logged at
    DEBUG level and the remaining ones are still processed.

    Returns the concatenated results (possibly an empty list).
    """
    pwdFound = []
    vaults_directory = build_path('Vault_system')
    if not vaults_directory:
        return pwdFound

    dpapi = Decrypt_DPAPI() if constant.user_dpapi is None else constant.user_dpapi
    if not dpapi:
        return pwdFound

    for entry in os.listdir(vaults_directory):
        vault_path = os.path.join(vaults_directory, entry)
        try:
            decrypted = dpapi.decrypt_system_vault(vault_path)
            if decrypted:
                pwdFound.extend(decrypted)
        except:
            # Bare except kept on purpose: best-effort per vault, as in the original.
            print_debug('DEBUG', traceback.format_exc())
    return pwdFound
def run(self, software_name=None):
    """Decrypt the user's vault directories under ``<DPAPI>/Local/Vault``.

    ``software_name`` is accepted for interface compatibility but unused.
    Each sub-directory is handed to ``constant.user_dpapi.decrypt_vault``;
    a failure on one vault is logged at DEBUG level and the others are
    still processed.

    Returns the concatenated results (possibly an empty list).
    """
    pwdFound = []
    base = build_path('DPAPI')
    if not base:
        return pwdFound

    vaults_directory = os.path.join(base, u'Local', u'Vault')
    if not os.path.exists(vaults_directory):
        return pwdFound

    for entry in os.listdir(vaults_directory):
        vault_path = os.path.join(vaults_directory, entry)
        try:
            decrypted = constant.user_dpapi.decrypt_vault(vault_path)
            if decrypted:
                pwdFound.extend(decrypted)
        except:
            # Bare except kept on purpose: best-effort per vault, as in the original.
            print_debug('DEBUG', traceback.format_exc())
    return pwdFound
def run(self, software_name=None):
    """Walk every profile directory under the application path and decrypt
    its saved logins.

    ``.DS_Store`` entries are skipped. For each profile the key comes from
    ``self.get_key``; when present, ``self.getLoginData`` yields
    ``(user, passw, url)`` triples whose ``[1]``/``[2]`` items are the IV
    and ciphertext handed to ``self.decrypt``. An entry that fails to
    decrypt is logged at DEBUG level and skipped.

    Returns the list of ``{'URL', 'Login', 'Password'}`` dicts (empty when
    the application path is not found).
    """
    pwdFound = []
    path = build_path(software_name)
    if not path:
        return pwdFound

    for entry in os.listdir(path):
        if entry == '.DS_Store':
            continue
        profile = os.path.join(path, entry)
        print_debug('INFO', u'Profile path found: {profile}'.format(profile=profile))
        key = self.get_key(profile)
        if not key:
            continue
        for user, passw, url in self.getLoginData(profile):
            try:
                login = self.decrypt(key=key, iv=user[1], ciphertext=user[2])
                secret = self.decrypt(key=key, iv=passw[1], ciphertext=passw[2])
            except Exception as e:
                print_debug('DEBUG', u'An error occured decrypting the password: {error}'.format(error=e))
                continue
            pwdFound.append({'URL': url, 'Login': login, 'Password': secret})
    return pwdFound
def run(self, software_name=None):
    """Read ``accounts.xml`` under the application path and return the
    stored account logins.

    Each ``<account>`` element that has both a ``<name>`` and a
    ``<password>`` child becomes ``{'Login': ..., 'Password': ...}``; the
    password text is taken verbatim, no decoding step is applied here.

    Returns the list of dicts, or None when the application path or the
    accounts file is not found.
    """
    path = build_path(software_name)
    if not path:
        return None

    account_file = os.path.join(path, u'accounts.xml')
    if not os.path.exists(account_file):
        return None

    root = ET.ElementTree(file=account_file).getroot()
    pwdFound = []
    for account in root.findall('account'):
        name = account.find('name')
        password = account.find('password')
        if name is None or password is None:
            continue
        pwdFound.append({'Login': name.text, 'Password': password.text})
    return pwdFound
def run(self, software_name=None):
    """Collect the connections stored in ``connections.xml`` (presumably an
    Oracle SQL Developer / JDeveloper layout).

    The passphrase used by ``self.decrypt`` is read first through
    ``self.get_passphrase``; without it nothing is returned. The file is
    looked up directly under the application path or, failing that, under
    ``system*/o.jdeveloper.db.connection*/``. Each ``Reference`` element's
    ``StringRefAddr`` children whose ``addrType`` is listed in
    ``wanted_value`` are copied into a dict under the key given by
    ``renamed_value``.

    Returns a list of dicts, or None when the path, the passphrase or the
    file is missing.
    """
    path = build_path(software_name)
    if path:
        self._passphrase = self.get_passphrase(path)
        if self._passphrase:
            # NOTE: the passphrase itself is written to the INFO log.
            print_debug('INFO', 'Passphrase found: {passphrase}'.format(passphrase=self._passphrase))
            xml_name = u'connections.xml'
            xml_file = None
            if os.path.exists(os.path.join(path, xml_name)):
                xml_file = os.path.join(path, xml_name)
            else:
                # Fallback layout: <path>/system*/o.jdeveloper.db.connection*/connections.xml.
                # The break only leaves the inner loop, so a later system*
                # directory can still override xml_file.
                for p in os.listdir(path):
                    if p.startswith('system'):
                        new_directory = os.path.join(path, p)
                        for pp in os.listdir(new_directory):
                            if pp.startswith(u'o.jdeveloper.db.connection'):
                                if os.path.exists(os.path.join(new_directory, pp, xml_name)):
                                    xml_file = os.path.join(new_directory, pp, xml_name)
                                    break
            if xml_file:
                # addrType values of interest and the output key each maps to.
                wanted_value = ['sid', 'port', 'hostname', 'user', 'password', 'ConnName', 'customUrl', 'SavePassword', 'driver']
                renamed_value = {'sid': 'SID', 'port': 'Port', 'hostname': 'Host', 'user': '******', 'password': '******', 'ConnName': 'Name', 'customUrl': 'URL', 'SavePassword': '******', 'driver': 'Driver'}
                tree = ET.ElementTree(file=xml_file)
                pwdFound = []
                for e in tree.findall('Reference'):
                    values = {}
                    for ee in e.findall('RefAddresses/StringRefAddr'):
                        if ee.attrib['addrType'] in wanted_value and ee.find('Contents').text is not None:
                            name = renamed_value[ee.attrib['addrType']]
                            # Only an entry mapped to 'Password' goes through self.decrypt.
                            value = ee.find('Contents').text if name != 'Password' else self.decrypt(ee.find('Contents').text)
                            values[name] = value
                    pwdFound.append(values)
                return pwdFound
def run(self, software_name=None):
    """Parse the Wi-Fi profile XML files under the application path and
    decrypt their key material.

    Every file below each repository directory is parsed; the XML
    namespace is taken from the root tag (its ``{uri}`` prefix) so that
    ``name``, ``MSM/security/authEncryption/authentication`` and
    ``MSM/security/sharedKey/keyMaterial`` can be looked up. The key
    material is handed to ``dpapi.decrypt_wifi_blob``.

    Returns a list of dicts (Wifi / Authentication / Password, whichever
    were present), or None when the application path is missing.
    """
    path = build_path(software_name)
    if path:
        pwdFound = []
        # Reuse the process-wide DPAPI context when one was initialised,
        # otherwise build a fresh one.
        dpapi = constant.user_dpapi if constant.user_dpapi is not None else Decrypt_DPAPI()
        if dpapi:
            for repository in os.listdir(path):
                wifi_dir = os.path.join(path, repository)
                for r, _, xml_files in os.walk(wifi_dir):
                    for xml_file in xml_files:
                        values = {}
                        xml = os.path.join(r, xml_file)
                        # NOTE: every file is parsed as XML; a non-XML file
                        # here raises ParseError out of the loop.
                        tree = ET.ElementTree(file=xml)
                        root = tree.getroot()
                        # ElementTree reports namespaced tags as '{uri}tag';
                        # keep the '{uri}' prefix to build the child paths.
                        xmlschema = ''
                        if '}' in root.tag:
                            i = root.tag.index('}')
                            xmlschema = root.tag[:i+1]
                        name = root.find('{xmlschema}name'.format(xmlschema=xmlschema))
                        if name is not None:
                            values['Wifi'] = name.text
                        authentication = root.find('{xmlschema}MSM/{xmlschema}security/{xmlschema}authEncryption/{xmlschema}authentication'.format(xmlschema=xmlschema))
                        if authentication is not None:
                            values['Authentication'] = authentication.text
                        key_material = root.find('{xmlschema}MSM/{xmlschema}security/{xmlschema}sharedKey/{xmlschema}keyMaterial'.format(xmlschema=xmlschema))
                        if key_material is not None:
                            wifi_pwd = dpapi.decrypt_wifi_blob(key_material.text)
                            values['Password'] = wifi_pwd
                        if values:
                            pwdFound.append(values)
        return pwdFound
def __init__(self, password=None, pwdhash=None):
    """Load the DPAPI master key pools for the current user and for the
    system account.

    User side: under ``<DPAPI>/Roaming[/Microsoft]/Protect`` the first
    ``S-*`` folder gives the user SID; its master key files are loaded into
    ``self.umkp`` together with the CREDHIST file, and the pool is unlocked
    with either ``password`` or ``pwdhash`` (hex string) when one is given.
    System side: when offline SYSTEM and SECURITY hives exist under
    ``Hives``, the ``DPAPI_SYSTEM`` LSA secret is read and used on the
    S-1-5-18 master keys found under ``Dpapi_System`` (``self.smkp``).

    Missing paths are tolerated; the corresponding pool stays None.
    """
    self.sid = None
    self.umkp = None
    self.smkp = None
    adding_missing_path = u''
    # User Information
    path = build_path('DPAPI')
    if constant.dump == 'local':
        # 'local' dumps keep the Microsoft sub-folder in the Roaming path;
        # other dump modes presumably supply a flattened copy -- confirm.
        adding_missing_path = u'/Microsoft'
    if path:
        protect_folder = os.path.join(path, u'Roaming{path}/Protect'.format(path=adding_missing_path))
        credhist_file = os.path.join(path, u'Roaming{path}/Protect/CREDHIST'.format(path=adding_missing_path))
        if os.path.exists(protect_folder):
            # The first S-* folder is taken as the user's SID.
            for folder in os.listdir(protect_folder):
                if folder.startswith('S-'):
                    self.sid = folder
                    break
            if self.sid:
                masterkeydir = os.path.join(protect_folder, self.sid)
                if os.path.exists(masterkeydir):
                    self.umkp = MasterKeyPool()
                    self.umkp.load_directory(masterkeydir)
                    # NOTE: credhist_file is passed without an existence check.
                    self.umkp.add_credhist_file(sid=self.sid, credfile=credhist_file)
                    # A password takes precedence over a hash when both are given.
                    if password:
                        for r in self.umkp.try_credential(sid=self.sid, password=password):
                            print_debug('INFO', r)
                    elif pwdhash:
                        # str.decode('hex') is a Python 2 codec (not available on str in Python 3).
                        for r in self.umkp.try_credential_hash(self.sid, pwdhash=pwdhash.decode('hex')):
                            print_debug('INFO', r)
    # System Information
    path = build_path('Hives')
    if path:
        system = os.path.join(path, 'SYSTEM')
        security = os.path.join(path, 'SECURITY')
        if os.path.exists(system) and os.path.exists(security):
            if os.path.isfile(system) and os.path.isfile(security):
                reg = Regedit()
                secrets = reg.get_lsa_secrets(security, system)
                if secrets:
                    # TypeError if the DPAPI_SYSTEM secret is absent (get() -> None).
                    dpapi_system = secrets.get('DPAPI_SYSTEM')["CurrVal"]
                    path = build_path('Dpapi_System')
                    if path:
                        masterkeydir = os.path.join(path, u'Protect', u'S-1-5-18', u'User')
                        if os.path.exists(masterkeydir):
                            self.smkp = MasterKeyPool()
                            self.smkp.load_directory(masterkeydir)
                            self.smkp.add_system_credential(dpapi_system)
                            for r in self.smkp.try_system_credential():
                                print_debug('INFO', r)
def __init__(self, password=None, pwdhash=None):
    """Build the user and system DPAPI master key pools.

    User side: under ``<DPAPI>/Roaming[/Microsoft]/Protect`` every ``S-*``
    folder is treated as a user SID (there is no ``break``, so the last one
    wins for ``self.sid``); its master key files are loaded into
    ``self.umkp``, the key named in the ``Preferred`` file is additionally
    kept on its own in ``self.preferred_umkp`` / ``self.last_masterkey_file``,
    the CREDHIST file is attached when present, and ``password`` or
    ``pwdhash`` (hex string) is tried against the pool; ``self.dpapi_ok``
    records whether that worked.
    System side: when offline SYSTEM and SECURITY hives exist under
    ``Hives``, the ``DPAPI_SYSTEM`` LSA secret is read and used on the
    S-1-5-18 master keys under ``Dpapi_System`` (``self.smkp``).

    Missing paths are tolerated; the corresponding attributes stay None.
    """
    self.sid = None
    self.preferred_umkp = None
    self.dpapi_ok = False
    self.umkp = None
    self.smkp = None
    self.last_masterkey_file = None
    adding_missing_path = ''
    # -------------------------- User Information --------------------------
    path = build_path('DPAPI')
    if constant.dump == 'local':
        # 'local' dumps keep the Microsoft sub-folder in the Roaming path;
        # other dump modes presumably supply a flattened copy -- confirm.
        adding_missing_path = '/Microsoft'
    if path:
        protect_folder = os.path.join(path, 'Roaming{path}/Protect'.format(path=adding_missing_path))
        if os.path.exists(protect_folder):
            for folder in os.listdir(protect_folder):
                if folder.startswith('S-'):
                    self.sid = folder
                    masterkeydir = os.path.join(protect_folder, self.sid)
                    if os.path.exists(masterkeydir):
                        # user master key pool
                        self.umkp = masterkey.MasterKeyPool()
                        # load all master key files (not only the one contained on preferred)
                        self.umkp.loadDirectory(masterkeydir)
                        preferred_file = os.path.join(masterkeydir, 'Preferred')
                        if os.path.exists(preferred_file):
                            # NOTE: the file objects opened here are never closed explicitly.
                            preferred_mk_guid = display_masterkey(open(preferred_file, 'rb'))
                            # Preferred file contains the GUID of the last masterkey created
                            self.last_masterkey_file = os.path.join(masterkeydir, preferred_mk_guid)
                            if os.path.exists(self.last_masterkey_file):
                                print_debug('DEBUG', 'Last masterkey created: {masterkefile}'.format(masterkefile=self.last_masterkey_file))
                                self.preferred_umkp = masterkey.MasterKeyPool()
                                self.preferred_umkp.addMasterKey(open(self.last_masterkey_file, 'rb').read())
                        credhist_path = os.path.join(path, 'Roaming{path}/Protect/CREDHIST'.format(path=adding_missing_path))
                        credhist = credhist_path if os.path.exists(credhist_path) else None
                        if credhist:
                            self.umkp.addCredhistFile(self.sid, credhist)
                        # A password takes precedence over a hash when both are given.
                        if password:
                            if self.umkp.try_credential(self.sid, password):
                                self.dpapi_ok = True
                            else:
                                # NOTE: the supplied password is echoed to the debug log in clear text.
                                print_debug('DEBUG', 'Password not correct: {password}'.format(password=password))
                        elif pwdhash:
                            # str.decode('hex') is a Python 2 codec (not available on str in Python 3).
                            if self.umkp.try_credential_hash(self.sid, pwdhash.decode('hex')):
                                self.dpapi_ok = True
                            else:
                                print_debug('DEBUG', 'Hash not correct: {pwdhash}'.format(pwdhash=pwdhash))
    # -------------------------- System Information --------------------------
    path = build_path('Hives')
    if path:
        system = os.path.join(path, 'SYSTEM')
        security = os.path.join(path, 'SECURITY')
        if os.path.exists(system) and os.path.exists(security):
            if os.path.isfile(system) and os.path.isfile(security):
                reg = registry.Regedit()
                secrets = None
                try:
                    secrets = reg.get_lsa_secrets(security, system)
                except:
                    # Best effort: an unreadable hive just leaves the system pool unset.
                    print_debug('DEBUG', traceback.format_exc())
                if secrets:
                    # TypeError if the DPAPI_SYSTEM secret is absent (get() -> None).
                    dpapi_system = secrets.get('DPAPI_SYSTEM')["CurrVal"]
                    path = build_path('Dpapi_System')
                    if path:
                        masterkeydir = os.path.join(path, 'Protect', 'S-1-5-18', 'User')
                        if os.path.exists(masterkeydir):
                            self.smkp = masterkey.MasterKeyPool()
                            self.smkp.loadDirectory(masterkeydir)
                            self.smkp.addSystemCredential(dpapi_system)
                            # Unlock attempt with the system credential just added (no SID / hash argument).
                            self.smkp.try_credential_hash(None, None)
def run(self, software_name=None):
    """Look for leftover Windows answer files (unattend.xml variants) under
    the Windows directory and collect the account passwords they carry.

    The candidate paths in ``files`` are checked in order. In each file
    every ``settings/component`` is inspected for an ``AutoLogon`` block
    and for ``UserAccounts/LocalAccounts/LocalAccount`` entries. Entries
    whose password text contains 'deleted' are skipped -- Sysprep replaces
    processed passwords with ``*SENSITIVE*DATA*DELETED*``. Passwords are
    passed through ``self.try_b64_decode``.

    Returns a list of ``{'Login', 'Password'}`` dicts, or None when the
    Windows directory is not found.

    NOTE(review): the entries of ``files`` are non-raw strings holding
    ``\\U`` / ``\\u`` sequences; on Python 3 that is a SyntaxError
    (truncated \\UXXXXXXXX escape). Raw strings or forward slashes would
    be portable.
    """
    windir = build_path(software_name)
    if windir:
        files = [
            'Panther\Unattend.xml',
            'Panther\Unattended.xml',
            'Panther\Unattend\Unattended.xml',
            'Panther\Unattend\Unattend.xml',
            'System32\Sysprep\unattend.xml',
            'System32\Sysprep\Panther\unattend.xml'
        ]
        pwdFound = []
        # Clark-notation namespace prefix used by unattend answer files.
        xmlns = '{urn:schemas-microsoft-com:unattend}'
        for file in files:
            path = os.path.join(windir, unicode(file))
            if os.path.exists(path):
                print_debug('INFO', u'Unattended file found: %s' % path)
                tree = ET.ElementTree(file=path)
                root = tree.getroot()
                for setting in root.findall('%ssettings' % xmlns):
                    component = setting.find('%scomponent' % xmlns)
                    # AutoLogon block: Username / Password pair
                    autoLogon = component.find('%sAutoLogon' % xmlns)
                    if autoLogon != None:
                        username = autoLogon.find('%sUsername' % xmlns)
                        password = autoLogon.find('%sPassword' % xmlns)
                        if username != None and password != None:
                            # Remove false positive (with following message on password => *SENSITIVE*DATA*DELETED*)
                            if not 'deleted' in password.text.lower():
                                pwdFound.append({
                                    'Login': username.text,
                                    'Password': self.try_b64_decode(password.text)
                                })
                    # Local accounts created by the answer file
                    userAccounts = component.find('%sUserAccounts' % xmlns)
                    if userAccounts != None:
                        localAccounts = userAccounts.find('%sLocalAccounts' % xmlns)
                        if localAccounts != None:
                            for localAccount in localAccounts.findall('%sLocalAccount' % xmlns):
                                username = localAccount.find('%sName' % xmlns)
                                password = localAccount.find('%sPassword' % xmlns)
                                if username != None and password != None:
                                    # Same *SENSITIVE*DATA*DELETED* filter as above
                                    if not 'deleted' in password.text.lower():
                                        pwdFound.append({
                                            'Login': username.text,
                                            'Password': self.try_b64_decode(password.text)
                                        })
        return pwdFound