コード例 #1
 def get_creds(self):
     """Return the Credential Manager entries visible to the caller, or None.

     Thin wrapper around ``win32cred.CredEnumerate(None, 0)`` (no target
     filter, no flags).  Any ``Exception`` raised by the call is suppressed
     and surfaces to the caller only as a ``None`` result.
     """
     try:
         return win32cred.CredEnumerate(None, 0)
     except Exception:
         # The failure reason is discarded: from the return value alone a
         # caller cannot tell an API error from any other exception.
         return None
コード例 #2
 def get_creds(self):
     """Return the Credential Manager entries visible to the caller, or None.

     Wraps ``win32cred.CredEnumerate(None, 0)``.  If the call raises, the
     exception text is passed to ``print_debug`` at 'DEBUG' level and the
     method returns ``None`` instead of propagating the error.
     """
     try:
         return win32cred.CredEnumerate(None, 0)
     except Exception as err:
         # Only the formatted message is logged; the exception type and
         # traceback are not preserved.
         print_debug('DEBUG', '{0}'.format(err))
     return None
コード例 #3
ファイル: pysecdump.py プロジェクト: yuhisern7/pysecdump
def get_credman_creds(quiet=0):
    """Enumerate Credential Manager entries and explain known failures.

    Calls ``win32cred.CredEnumerate(None, 0)`` and returns its result.  When
    the call raises ``pywintypes.error`` the function returns ``None``.
    Unless ``quiet`` is truthy, it first prints a diagnostic selected by the
    error code in ``e[0]``.

    The three handled codes match the Win32 errors ERROR_INVALID_FLAGS
    (1004), ERROR_NOT_FOUND (1168) and ERROR_NO_SUCH_LOGON_SESSION (1312).
    Any other code prints the message text taken from ``e[2]``.
    """
    try:
        return win32cred.CredEnumerate(None, 0)
    except pywintypes.error as e:
        if quiet:
            return None
        explained = {
            1004: "[E] Call to CredEnumerate failed: Invalid flags.  This doesn't work on XP/2003.",
            1168: "[E] Call to CredEnumerate failed: Element not found.  No credentials stored for this user.  Run as normal user, not SYSTEM.",
            1312: "[E] Call to CredEnumerate failed: No such login session.  Only works for proper login session - not network logons.",
        }
        code = e[0]
        if code in explained:
            print(explained[code])
        else:
            # e[2] is read only on this fallback path, as in the if/elif form.
            print("[E] Call to CredEnumerate failed: %s" % e[2])
        return None
コード例 #4
ファイル: credman.py プロジェクト: ManKiam/winsecs
    def run(self):
        """Return selected Credential Manager entries as a list of dicts.

        Iterates over ``win32cred.CredEnumerate(None, 0)`` and keeps entries
        whose ``Type`` is GENERIC, DOMAIN_CERTIFICATE or
        DOMAIN_VISIBLE_PASSWORD.  Each kept entry becomes a dict with the
        keys ``URL``, ``Login``, ``Password`` and ``LastWritten``.

        ``Password`` is the entry's ``CredentialBlob`` as returned by the
        API, i.e. the stored secret itself, not a decoded string.  If the
        blob ends with three NUL bytes, every NUL byte in it is removed.
        Exceptions from ``CredEnumerate`` are not caught here.
        """
        # FOR XP (reference notes from the original source, not executed):
        # - passwords are encrypted with a specific salt depending on the Type
        # entropy = 'abe2869f-9b47-4cd9-a358-c22904dba7f7\\0' # FOR CRED_TYPE_GENERIC
        # entropy = '82BD0E67-9FEA-4748-8672-D5EFE5B779B0\\0' # FOR CRED_TYPE_DOMAIN_VISIBLE_PASSWORD
        # CryptUnprotectData(byref(blobIn),None,byref(blobEntropy),None,None,CRYPTPROTECT_UI_FORBIDDEN,byref(blobOut))
        #
        # An earlier ctypes draft called CredEnumerate/CredFree directly, kept
        # only GENERIC and DOMAIN_VISIBLE_PASSWORD entries and skipped blobs
        # of 200 bytes or more; the pywin32 loop below replaced it.
        wanted_types = (
            win32cred.CRED_TYPE_GENERIC,
            win32cred.CRED_TYPE_DOMAIN_CERTIFICATE,
            win32cred.CRED_TYPE_DOMAIN_VISIBLE_PASSWORD,
        )
        pwd_found = []
        for entry in win32cred.CredEnumerate(None, 0):
            if entry["Type"] not in wanted_types:
                continue

            blob = entry['CredentialBlob']
            # Three trailing NULs are treated as a sign of NUL padding;
            # in that case every NUL byte in the blob is removed.
            if blob.endswith(b"\x00\x00\x00"):
                blob = blob.replace(b'\x00', b'')

            record = {
                'URL': entry['TargetName'],
                'Login': entry['UserName'],
                'Password': blob,
                'LastWritten': str(entry['LastWritten'])
            }
            pwd_found.append(record)

        return pwd_found
コード例 #5
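 def get_creds(self):
     """Return the Credential Manager entries visible to the caller, or None.

     Wraps ``win32cred.CredEnumerate(None, 0)``.  Any ordinary exception
     raised by the call is reported to the caller as ``None``.
     """
     try:
         return win32cred.CredEnumerate(None, 0)
     except Exception:
         # A bare ``except:`` would also trap KeyboardInterrupt and
         # SystemExit; catching Exception lets interpreter-level signals
         # propagate while keeping the "None on failure" contract.
         return None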
コード例 #6
import win32process
import win32event
import pywintypes
import win32security
import win32api
import win32con
import ntsecuritycon
import win32cred
from binascii import hexlify
import sys

# hashing the URL of the stored creds in REGISTRY. URLs are in Internet history
#Open Internet History   - C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files
#hash each URL
#Check to see if any creds have been stored

#Windows Credential Manager:

# Enumerate the current Credential Manager entries and print the raw result.
# NOTE(review): the printed value is whatever CredEnumerate returns, so stdout
# presumably receives the stored secret blobs along with the target names.
try:
    creds = win32cred.CredEnumerate(None, 0)
    print(creds)
except pywintypes.error as e:
    # 1004 / 1168 / 1312 are the Win32 codes ERROR_INVALID_FLAGS,
    # ERROR_NOT_FOUND and ERROR_NO_SUCH_LOGON_SESSION; any other code falls
    # through to the message text in e[2].
    print(
        "[E] Call to CredEnumerate failed: Invalid flags. This doesn't work on XP/2003."
        if e[0] == 1004 else
        "[E] Call to CredEnumerate failed: Element not found. No credentials stored for this user. Run as normal user, not SYSTEM."
        if e[0] == 1168 else
        "[E] Call to CredEnumerate failed: No such login session. Only works for proper login session - not network logons."
        if e[0] == 1312 else
        "[E] Call to CredEnumerate failed: %s" % e[2]
    )
コード例 #7
    def ie_decrypt(self):
        """Print credentials read from the Windows vault and Credential Manager.

        Two independent reads happen inside one catch-all ``try``:

        1. An inline PowerShell script instantiates
           ``Windows.Security.Credentials.PasswordVault``, calls
           ``RetrieveAll()`` / ``RetrievePassword()`` and prints user name,
           password and resource for each item; the output is parsed into a
           list of dicts and printed.
        2. ``win32cred.CredEnumerate`` lists entries, each is re-read with
           ``CredRead(..., CRED_TYPE_GENERIC)``, and the fields of the result
           are printed.

        Nothing is returned.  Any exception anywhere in the method is
        swallowed by the outer ``except``, so a failure produces no output.
        Both ``print`` statements write recovered secrets to stdout in clear.
        """
        try:
            # PowerShell payload: loads the WinRT PasswordVault type, then
            # emits each stored item as marker-delimited text
            # ("......" between key and value, "######" between fields,
            # "_________" between records).  The script itself throws if the
            # type cannot be loaded (message refers to Windows 8 / 2012+).
            cmdline = '''
                    try
                    {
                        #Load the WinRT projection for the PasswordVault
                        $Script:vaultType = [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
                        $Script:vault	  = new-object Windows.Security.Credentials.PasswordVault -ErrorAction silentlycontinue
                    }
                    catch
                    {
                        throw "This module relies on functionality provided in Windows 8 or Windows 2012 and above."
                    }
                    #endregion
    
                    function Get-VaultCredential
                    {
                        process
                        {
                            try
                            {
                                &{
                                    $Script:vault.RetrieveAll()
                                } | foreach-Object {  $_.RetrievePassword() ; "Username......";$_.UserName;"######";"Password......";$_.Password;"######";"Website......";$_.Resource;"_________" }
                            }
                            catch
                            {
                                Write-Error -ErrorRecord $_ -RecommendedAction "Check your search input - user: $UserName resource: $Resource"
                            }
                        }
                        end
                        {
                            Write-Debug "[$cmdName] Exiting function"
                        }
                    }
                    Get-VaultCredential
                    '''

            # Detection note: the whole script travels as a powershell.exe
            # command-line argument, so process-creation auditing with command
            # lines (e.g. Security event 4688) and PowerShell script block
            # logging (event 4104) both record the PasswordVault reference.
            command = ['powershell.exe', '/c', cmdline]

            # The child is started with its window hidden (SW_HIDE).
            # NOTE(review): `sub` is not bound anywhere in this method, while
            # the surrounding lines use `subprocess`; unless the module defines
            # `sub` elsewhere (not visible here), the next line raises
            # NameError, which the outer except silently discards.
            info = subprocess.STARTUPINFO()
            info.dwFlags = sub.STARTF_USESHOWWINDOW | sub.CREATE_NEW_PROCESS_GROUP
            info.wShowWindow = sub.SW_HIDE
            # stderr is merged into stdout, so PowerShell error text is fed to
            # the same parser as the credential output.
            p = subprocess.Popen(command,
                                 startupinfo=info,
                                 stderr=subprocess.STDOUT,
                                 stdout=subprocess.PIPE,
                                 universal_newlines=True)
            results, _ = p.communicate()
            passwords = []
            # Newlines are dropped first, then records/fields/pairs are split
            # on the markers emitted by the script.  A field without "......"
            # makes the [1] index raise IndexError, which aborts the method
            # through the outer except.
            for result in results.replace('\n', '').split('_________'):
                values = {}
                if result:
                    for res in result.split('######'):
                        values[res.split('......')[0]] = res.split('......')[1]
                    passwords.append(values)
            # Writes the parsed records, passwords included, to stdout.
            print "Get common credentials for windows vault :" + "\n" + str(
                passwords)
            CRED_TYPE_GENERIC = win32cred.CRED_TYPE_GENERIC
            CredRead = win32cred.CredRead
            creds = win32cred.CredEnumerate(None, 0)  # Enumerate credentials
            credentials = []
            for package in creds:
                try:
                    target = package['TargetName']
                    # Every target is re-read as a GENERIC credential; reads
                    # that raise are skipped without any record of the failure.
                    # `creds` is rebound here, but the loop keeps iterating
                    # the object it started with.
                    creds = CredRead(target, CRED_TYPE_GENERIC)
                    credentials.append(creds)
                except Exception:
                    pass
            # A single dict is reused for every entry, so after the loop it
            # holds only the fields of the last credential in the list.
            values_ = {}
            for cred in credentials:
                values_['service'] = cred['TargetName']
                values_['UserName'] = cred['UserName']
                # The blob is decoded as UTF-16; a blob that is not valid
                # UTF-16 raises and ends the method via the outer except.
                values_['pwd'] = cred['CredentialBlob'].decode('utf16')
            # Writes the decoded secret to stdout.
            print "Get windows vault web credentials :" + "\n" + str(values_)
        except Exception:
            # Catch-all: every error above (missing names, parse failures,
            # API errors) is discarded with no logging.
            pass