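def get_user_list_on_filesystem(impersonated_user=None):
    """
    Get user list to retrieve their passwords.

    Lists the profile directories under ``<drive>:\\Users`` (or
    ``<drive>:\\Documents and Settings`` when the OS version is below 6,
    i.e. pre-Vista), then drops the well-known default/system entries and
    every name given in ``impersonated_user``.

    :param impersonated_user: iterable of profile names that were already
        impersonated and must be excluded; ``None`` (the default) excludes
        nobody. A mutable ``[]`` default was used before; ``None`` avoids a
        list shared across calls while keeping the same call signature.
    :return: list of remaining profile directory names (empty when the
        profiles folder does not exist).
    """
    if impersonated_user is None:
        impersonated_user = []

    # Check users existing on the system (get only directories)
    user_path = u'{drive}:\\Users'.format(drive=constant.drive)
    if float(get_os_version()) < 6:
        user_path = u'{drive}:\\Documents and Settings'.format(drive=constant.drive)

    all_users = []
    if os.path.exists(user_path):
        all_users = [
            filename for filename in os.listdir(user_path)
            if os.path.isdir(os.path.join(user_path, filename))
        ]

    # Default users are never real accounts; impersonated ones were handled
    # already. A list (not a set) keeps the original ``==`` membership
    # semantics without assuming the caller's entries are hashable.
    excluded = ['All Users', 'Default User', 'Default', 'Public', 'desktop.ini']
    excluded.extend(impersonated_user)
    return [user for user in all_users if user not in excluded]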
def run(self):
    """
    Dump the cached domain logon entries (MSCache) from the offline hive copies.

    Passes the SYSTEM and SECURITY hive paths held in ``constant.hives`` to
    ``dump_file_hashes`` together with a flag telling whether the host is
    NT 6.0 (Vista) or newer; the parsing itself lives in that helper (the
    reason the flag matters is presumably an on-disk format difference —
    confirm in dump_file_hashes).

    :return: ``['__MSCache__', <dump_file_hashes result>]`` when the helper
        returned something truthy, otherwise ``None``.
    """
    vista_or_newer = float(get_os_version()) >= 6.0
    mscache = dump_file_hashes(constant.hives['system'],
                               constant.hives['security'],
                               vista_or_newer)
    return ['__MSCache__', mscache] if mscache else None
def run(self):
    """
    Recover the current Windows account password, or fall back to a DPAPI hash.

    - Try to decrypt wdigest password using mimikatz method (only work on Win7 and Vista)
    - Try to check if an already passwords is also used as windows password
    - Windows password not found, return the DPAPI hash (not admin priv needed) to bruteforce using John or Hashcat

    The first step needs both an elevated token (IsUserAnAdmin) and the debug
    privilege (get_debug_privilege); what the ``Mimikatz`` helper actually
    reads is not visible here. The last two steps only rely on
    ``constant.dpapi`` (a project object populated elsewhere).

    :return: list of dicts, each either ``{'Login': ..., 'Password': ...}``
        or ``{'Dpapi_hash_<context>': ...}``; empty when nothing was found.
    """
    pwd_found = []

    # Check if Admin
    if ctypes.windll.shell32.IsUserAnAdmin() != 0:
        # https://msdn.microsoft.com/en-us/library/windows/desktop/ms724832(v=vs.85).aspx
        supported_os = {
            '6.0': 'Vista',
            '6.1': 'Win7',
        }
        os_version = get_os_version()
        if os_version in supported_os:
            # NOTE(review): this local shadows the ``os`` module name for the
            # rest of the method; a rename (e.g. ``os_name``) would be safer.
            os = supported_os[os_version]
            arch = 'x86'
            if isx64machine():
                arch = 'x64'

            if get_debug_privilege():
                # Ready to found passwords
                self.info('Using mimikatz method')
                m = Mimikatz(os=os, arch=arch)
                pwd_found = m.find_wdigest_password()

    if not pwd_found:
        if constant.dpapi:
            # Check if a password already found is a windows password
            password = constant.dpapi.get_cleartext_password()
            if password:
                pwd_found.append({
                    'Login': constant.username,
                    'Password': password
                })

            else:
                # Retrieve dpapi hash used to bruteforce (hash can be retrieved without needed admin privilege)
                # Method taken from Jean-Christophe Delaunay - @Fist0urs
                # https://www.synacktiv.com/ressources/univershell_2017_dpapi.pdf
                self.info(u'Windows passwords not found.\nTry to bruteforce this hash (using john or hashcat) '
                          u'depending on your context (domain environment or not)')
                # NOTE(review): ``constant.dpapi`` was already checked above;
                # this inner test is redundant.
                if constant.dpapi:
                    context = 'local'
                    if self.is_in_domain():
                        context = 'domain'

                    h = constant.dpapi.get_dpapi_hash(context=context)
                    if h:
                        # NOTE(review): get_dpapi_hash() is computed a second
                        # time here although ``h`` already holds the result;
                        # the dict value should simply be ``h``.
                        pwd_found.append({
                            'Dpapi_hash_{context}'.format(context=context): constant.dpapi.get_dpapi_hash(
                                context=context)
                        })

    return pwd_found
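def run(self, historic=''):
    """
    Recover Internet Explorer autocomplete credentials from the registry.

    On anything newer than Windows 7 (version > 6.1) the entries live in the
    Windows Vault instead, so only an INFO message is printed and ``None`` is
    returned. Otherwise the per-user
    ``Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2`` key is
    opened, every value name is compared with the hash table built by
    ``self.get_hash_table(lists)`` and each match is decrypted with
    ``self.decipher_password``.

    :param historic: optional path to a text file with one URL per line,
        added to the URL list handed to ``get_hash_table``; a missing file
        only produces a WARNING.
    :return: list of decrypted entries (empty when the key cannot be opened
        or nothing matched), or ``None`` on Windows 8 and later.
    """
    if float(win.get_os_version()) > 6.1:
        print_debug('INFO', u'Internet Explorer passwords are stored in Vault (check vault module)')
        return

    pwd_found = []
    try:
        hkey = win.OpenKey(win.HKEY_CURRENT_USER,
                           'Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2')
    except Exception:
        print_debug('DEBUG', traceback.format_exc())
    else:
        nb_site = 0
        nb_pass_found = 0
        lists = []
        if historic:
            if os.path.exists(historic):
                # ``with`` closes the handle; the previous ``open()`` never did.
                with open(historic, 'r') as f:
                    lists = [line.strip() for line in f]
            else:
                print_debug('WARNING', u'The text file %s does not exist' % historic)

        # retrieve the urls from the history
        hash_tables = self.get_hash_table(lists)

        # QueryInfoKey -> (subkeys, values, last_write); index 1 is the value count.
        # The key is released in ``finally`` so an exception while decrypting
        # no longer leaks the handle.
        try:
            num = _winreg.QueryInfoKey(hkey)[1]
            for x in range(num):
                k = _winreg.EnumValue(hkey, x)
                if not k:
                    continue
                nb_site += 1
                for h in hash_tables:
                    # both hash are similar, we can decipher the password
                    if h[1] == k[0][:40].lower():
                        nb_pass_found += 1
                        pwd_found += self.decipher_password(k[1], h[0])
                        break
        finally:
            _winreg.CloseKey(hkey)

        # manage errors
        if nb_site > nb_pass_found:
            print_debug('ERROR',
                        u'%s hashes have not been decrypted, the associate website used to decrypt the '
                        u'passwords has not been found' % str(nb_site - nb_pass_found))

    return pwd_found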
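def run(self):
    """
    Recover Internet Explorer autocomplete credentials from the registry.

    On anything newer than Windows 7 (version > 6.1) the entries live in the
    Windows Vault instead, so only a debug message is logged and ``None`` is
    returned. Otherwise the per-user
    ``Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2`` key is
    opened, every value name is compared with the hash table built by
    ``self.get_hash_table()`` and each match is decrypted with
    ``self.decipher_password``.

    :return: list of decrypted entries (empty when the key cannot be opened
        or nothing matched), or ``None`` on Windows 8 and later.
    """
    if float(win.get_os_version()) > 6.1:
        self.debug(u'Internet Explorer passwords are stored in Vault (check vault module)')
        return

    pwd_found = []
    try:
        hkey = win.OpenKey(win.HKEY_CURRENT_USER,
                           'Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2')
    except Exception:
        self.debug(traceback.format_exc())
    else:
        nb_site = 0
        nb_pass_found = 0

        # retrieve the urls from the history
        hash_tables = self.get_hash_table()

        # QueryInfoKey -> (subkeys, values, last_write); index 1 is the value count.
        # The key is released in ``finally`` so an exception while decrypting
        # no longer leaks the handle (it was only closed on the happy path).
        try:
            num = winreg.QueryInfoKey(hkey)[1]
            for x in range(num):
                k = winreg.EnumValue(hkey, x)
                if not k:
                    continue
                nb_site += 1
                for h in hash_tables:
                    # both hash are similar, we can decipher the password
                    if h[1] == k[0][:40].lower():
                        nb_pass_found += 1
                        pwd_found += self.decipher_password(k[1], h[0])
                        break
        finally:
            winreg.CloseKey(hkey)

        # manage errors
        if nb_site > nb_pass_found:
            self.error(u'%s hashes have not been decrypted, the associate website used to decrypt the '
                       u'passwords has not been found' % str(nb_site - nb_pass_found))

    return pwd_found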
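def run(self):
    """
    Dump the LSA secrets from the offline SYSTEM/SECURITY hive copies.

    Returns the cached result from ``constant.lsa_secrets`` when another
    module (the DPAPI one, per the comment below) already computed it;
    otherwise calls ``get_file_secrets`` with the hive paths from
    ``constant.hives`` and a flag telling whether the host is NT 6.0 or newer,
    trims the ``DPAPI_SYSTEM`` entry and caches the result for other modules.

    :return: ``['__LSASecrets__', <secrets mapping>]`` or ``None`` when the
        helper returned nothing.
    """
    # DPAPI structure could compute lsa secrets as well, so do not do it again
    if constant.lsa_secrets:
        return ['__LSASecrets__', constant.lsa_secrets]

    is_vista_or_higher = float(get_os_version()) >= 6.0

    # Get LSA Secrets
    secrets = get_file_secrets(constant.hives['system'],
                               constant.hives['security'],
                               is_vista_or_higher)
    if secrets:
        # Clear DPAPI master key: keep the 44 bytes at offset 16 of the raw
        # DPAPI_SYSTEM secret (offsets taken from the original slice — the
        # blob layout is not visible here, confirm against get_file_secrets).
        # Guarded so a hive without that entry no longer raises KeyError; the
        # previous unused 4-byte length read (struct.unpack_from) is dropped.
        if 'DPAPI_SYSTEM' in secrets:
            clear = secrets['DPAPI_SYSTEM']
            secrets['DPAPI_SYSTEM'] = clear[16:16 + 44]

        # Keep value to be reused in other module (e.g wifi)
        constant.lsa_secrets = secrets
        return ['__LSASecrets__', secrets]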
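def run(self):
    """
    Recover Internet Explorer autocomplete credentials from the registry.

    On anything newer than Windows 7 (version > 6.1) the entries live in the
    Windows Vault instead, so only a debug message is logged and ``None`` is
    returned. Otherwise the per-user
    ``Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2`` key is
    opened, every value name is compared with the hash table built by
    ``self.get_hash_table()`` and each match is decrypted with
    ``self.decipher_password``.

    :return: list of decrypted entries (empty when the key cannot be opened
        or nothing matched), or ``None`` on Windows 8 and later.
    """
    if float(win.get_os_version()) > 6.1:
        self.debug(u'Internet Explorer passwords are stored in Vault (check vault module)')
        return

    pwd_found = []
    try:
        hkey = win.OpenKey(win.HKEY_CURRENT_USER,
                           'Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2')
    except Exception:
        self.debug(traceback.format_exc())
    else:
        nb_site = 0
        nb_pass_found = 0

        # retrieve the urls from the history
        hash_tables = self.get_hash_table()

        # QueryInfoKey -> (subkeys, values, last_write); index 1 is the value count.
        # The key is released in ``finally`` so an exception while decrypting
        # no longer leaks the handle (it was only closed on the happy path).
        try:
            num = winreg.QueryInfoKey(hkey)[1]
            for x in range(num):
                k = winreg.EnumValue(hkey, x)
                if not k:
                    continue
                nb_site += 1
                for h in hash_tables:
                    # both hash are similar, we can decipher the password
                    if h[1] == k[0][:40].lower():
                        nb_pass_found += 1
                        pwd_found += self.decipher_password(k[1], h[0])
                        break
        finally:
            winreg.CloseKey(hkey)

        # manage errors
        if nb_site > nb_pass_found:
            self.error(u'%s hashes have not been decrypted, the associate website used to decrypt the '
                       u'passwords has not been found' % str(nb_site - nb_pass_found))

    return pwd_found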
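def get_user_list_on_filesystem(impersonated_user=None):
    """
    Get user list to retrieve their passwords.

    Lists the profile directories under ``<drive>:\\Users`` (or
    ``<drive>:\\Documents and Settings`` when the OS version is below 6,
    i.e. pre-Vista), then drops the well-known default/system entries and
    every name given in ``impersonated_user``.

    :param impersonated_user: iterable of profile names that were already
        impersonated and must be excluded; ``None`` (the default) excludes
        nobody. A mutable ``[]`` default was used before; ``None`` avoids a
        list shared across calls while keeping the same call signature.
    :return: list of remaining profile directory names (empty when the
        profiles folder does not exist).
    """
    if impersonated_user is None:
        impersonated_user = []

    # Check users existing on the system (get only directories)
    user_path = u'{drive}:\\Users'.format(drive=constant.drive)
    if float(get_os_version()) < 6:
        user_path = u'{drive}:\\Documents and Settings'.format(drive=constant.drive)

    all_users = []
    if os.path.exists(user_path):
        all_users = [
            filename for filename in os.listdir(user_path)
            if os.path.isdir(os.path.join(user_path, filename))
        ]

    # Default users are never real accounts; impersonated ones were handled
    # already. A list (not a set) keeps the original ``==`` membership
    # semantics without assuming the caller's entries are hashable.
    excluded = ['All Users', 'Default User', 'Default', 'Public', 'desktop.ini']
    excluded.extend(impersonated_user)
    return [user for user in all_users if user not in excluded]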