def test_unpickle_pickle(self):
    """Round-trip an undecrypted MasterKeyPool through pickle()/unpickle().

    Checks that the key set stored under self.mk.guid is non-empty on both
    sides and identical in length and repr() after the round trip.

    NOTE(review): unpickle() presumably wraps pickle.loads; a pickled pool
    must therefore only ever be loaded from a trusted source, since
    unpickling attacker-controlled bytes executes arbitrary code.  Here the
    data never leaves the process, so the round trip is safe.
    """
    self.maxDiff = None
    pool = masterkey.MasterKeyPool()
    pool.addMasterKey(self.mkeyblob)
    restored = masterkey.MasterKeyPool.unpickle(data=pool.pickle())

    original_keys = pool.getMasterKeys(self.mk.guid)
    restored_keys = restored.getMasterKeys(self.mk.guid)
    self.assertNotEqual(len(original_keys), 0)
    self.assertNotEqual(len(restored_keys), 0)
    self.assertEqual(len(original_keys), len(restored_keys))
    self.assertEqual(repr(original_keys), repr(restored_keys))
def test_unpickle_pickle_decrypted(self):
    """Round-trip a pool whose master key has already been decrypted.

    try_credential() must unlock exactly one key with self.sid/self.password
    before pickling; afterwards the key set for self.mk.guid must be
    non-empty on both sides and identical in length and repr().

    NOTE(review): as in test_unpickle_pickle, unpickle() presumably uses
    pickle.loads -- never feed it data from an untrusted source.  A pickled
    decrypted pool also carries the cleartext key material, so treat such
    dumps as secrets.
    """
    self.maxDiff = None
    pool = masterkey.MasterKeyPool()
    pool.addMasterKey(self.mkeyblob)
    unlocked = pool.try_credential(self.sid, self.password)
    restored = masterkey.MasterKeyPool.unpickle(data=pool.pickle())

    self.assertEqual(unlocked, 1)
    original_keys = pool.getMasterKeys(self.mk.guid)
    restored_keys = restored.getMasterKeys(self.mk.guid)
    self.assertNotEqual(len(original_keys), 0)
    self.assertNotEqual(len(restored_keys), 0)
    self.assertEqual(len(original_keys), len(restored_keys))
    self.assertEqual(repr(original_keys), repr(restored_keys))
def main(self, myPath, mkpDir, sid, password):
    """Collect Chrome saved passwords from an offline copy of a user profile.

    Args:
        myPath: root of the collected data; the Chrome login database is
            expected at ``myPath + "/chrome/" + chromeLoginFile``.
        mkpDir: directory holding the user's DPAPI master key files.
        sid: the user's SID string.
        password: the user's cleartext Windows password.  Only its SHA-1
            over the UTF-16LE encoding is handed on -- presumably the raw
            hash form a try_credential_hash-style call expects; confirm
            against getChromePass.

    Returns:
        Whatever self.getChromePass returns, or None if anything raised.
        Failures are printed rather than propagated (best-effort collector
        by design), so a None result hides the cause from the caller.
    """
    print "-- Getting chrome passwords"
    try:
        login_db_paths = [myPath + "/chrome/" + chromeLoginFile]
        pool = masterkey.MasterKeyPool()
        pool.loadDirectory(mkpDir)
        # .digest() yields the same raw bytes as hexdigest().decode('hex').
        pwd_hash = hashlib.sha1(password.encode("UTF-16LE")).digest()
        return self.getChromePass(login_db_paths, pool, sid, pwd_hash)
    except Exception as err:
        print err
        return None
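def getwifipassword(self, systemhive, securityhive, masterkeydir, profiledirectory):
    """Decrypt every saved Wi-Fi key found under a Wlansvc profile tree.

    Each profile XML (normally X:/ProgramData/Microsoft/Wlansvc/...) carries
    its key as a hex-encoded DPAPI blob inside <keyMaterial>.  Those blobs
    are unlocked with the machine's master keys, which in turn are unlocked
    with the DPAPI_SYSTEM LSA secret read from the SECURITY/SYSTEM hives.

    Args:
        systemhive: path to the offline SYSTEM hive.
        securityhive: path to the offline SECURITY hive.
        masterkeydir: directory holding the machine's master key files.
        profiledirectory: root that is walked recursively for profile XMLs.

    Returns:
        dict mapping each profile <name> to its cleartext key, or to the
        literal string '<not decrypted>' when no loaded master key could
        decrypt the blob.  Every entry is also printed as it is found.

    Raises:
        ValueError: the DPAPI_SYSTEM secret is missing from the hives (the
            original failed here with an opaque TypeError on None).
    """
    reg = registry.Regedit()
    secrets = reg.get_lsa_secrets(securityhive, systemhive)
    dpapi_secret = secrets.get('DPAPI_SYSTEM')
    if not dpapi_secret:
        raise ValueError("DPAPI_SYSTEM secret not found in %s" % securityhive)
    dpapi_system = dpapi_secret['CurrVal']

    mkp = masterkey.MasterKeyPool()
    mkp.loadDirectory(masterkeydir)
    mkp.addSystemCredential(dpapi_system)
    # No SID and no hash: presumably this only applies the system credential
    # registered above to every loaded key -- confirm against MasterKeyPool.
    mkp.try_credential_hash(None, None)

    name_re = re.compile(r'<name>([^<]+)</name>')
    key_material_re = re.compile(r'<keyMaterial>([0-9A-F]+)</keyMaterial>')

    finalpass = dict()
    for root, _, files in os.walk(profiledirectory):
        for filename in files:
            filepath = os.path.join(root, filename)
            with open(filepath, 'rb') as f:
                # Flatten line breaks so a tag split across lines still matches.
                file_data = f.read().replace('\x0a', '').replace('\x0d', '')
            key_match = key_material_re.search(file_data)
            if not key_match:
                continue
            name_match = name_re.search(file_data)
            if not name_match:
                # A profile with key material but no <name> used to blow up
                # on .group(1) of None; there is nothing to key the result
                # on, so skip it instead of aborting the whole walk.
                continue
            wifi_name = name_match.group(1)
            wblob = blob.DPAPIBlob(key_match.group(1).decode('hex'))
            wifi_pwd = '<not decrypted>'
            for mk in mkp.getMasterKeys(wblob.mkguid):
                if not mk.decrypted:
                    continue
                wblob.decrypt(mk.get_key())
                if wblob.decrypted:
                    wifi_pwd = wblob.cleartext
                    break
            print 'Wifi:{} Password:{}'.format(wifi_name, wifi_pwd)
            finalpass[wifi_name] = wifi_pwd
    print finalpass
    return finalpass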
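def getOutlookPassword(self, mkpDir, sid, credHist, ntUser, userPassword):
    """Recover the Outlook (Office 15.0) IMAP or POP3 mailbox password.

    The account settings are read from the user's NTUSER.DAT hive under the
    Outlook profile key.  The stored password value is a DPAPI blob with one
    leading byte that is not part of the blob; it is decrypted with the
    user's master keys, which are unlocked from the cleartext Windows
    password plus the CREDHIST file.

    Args:
        mkpDir: directory holding the user's DPAPI master key files.
        sid: the user's SID string.
        credHist: path to the user's CREDHIST file.
        ntUser: path to the user's NTUSER.DAT hive.
        userPassword: the user's cleartext Windows password.

    Returns:
        {class name: dic}.  dic holds 'user' (the Email value with its
        UTF-16 NUL padding stripped) and, only when some master key
        decrypted the blob, 'password' (cleartext, NUL padding stripped).
        dic is empty when no account under the profile key stores an
        "IMAP Password" or "POP3 Password" value; the original raised
        NameError in that case and also when the blob was not decrypted.

    Why the rewrite: the original wrote the blob to a file literally named
    "blob" in the current directory (secret material on disk, text mode,
    predictable name anyone sharing the directory could pre-create, and a
    handle leaked if anything raised before close) only to read it back.
    The blob is now handed to DPAPIBlob directly from memory.
    """
    dic = {}
    mkp = masterkey.MasterKeyPool()
    mkp.loadDirectory(mkpDir)
    mkp.addCredhistFile(sid, credHist)
    mkp.try_credential(sid, userPassword)  # unlock with the user's password

    # Pick the first account that stores an IMAP or POP3 password (IMAP is
    # checked first within an account, as before).
    username = None
    stored_password = None
    with open(ntUser, 'rb') as f:
        r = registry.Registry.Registry(f)
        # Only the Office 15.0 profile key is searched; other Office versions
        # keep their profiles under a different version number.
        directory = r.open(
            'Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676'
        )
        for account in directory.subkeys():
            value_names = [v.name() for v in account.values()]
            for pwd_value in ("IMAP Password", "POP3 Password"):
                if pwd_value in value_names:
                    username = account.value('Email').value()
                    stored_password = account.value(pwd_value).value()
                    break
            if stored_password is not None:
                break

    if stored_password is None:
        return {self.__class__.__name__: dic}

    # The Email value is UTF-16LE; dropping the NUL padding leaves the text.
    dic['user'] = username.replace('\x00', '')

    # The first byte of the registry value is not part of the DPAPI blob.
    blob1 = blob.DPAPIBlob(stored_password[1:])
    for mk in mkp.getMasterKeys(blob1.mkguid):
        if not mk.decrypted:
            continue
        blob1.decrypt(mk.get_key())
        if blob1.decrypted:
            dic['password'] = blob1.cleartext.replace('\x00', '')
            break
    return {self.__class__.__name__: dic}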
parser.add_option('--sid', metavar='SID', dest='sid') parser.add_option('--masterkey', metavar='DIRECTORY', dest='masterkeydir') parser.add_option('--credhist', metavar='FILE', dest='credhist') parser.add_option('--password', metavar='PASSWORD', dest='password') parser.add_option('--pwdhash', metavar='HASH', dest='pwdhash') parser.add_option('--sysmkdir', metavar='DIRECTORY', dest='sysmkdir') parser.add_option('--system', metavar='HIVE', dest='system') parser.add_option('--security', metavar='HIVE', dest='security') (options, args) = parser.parse_args() check_parameters(options, args) umkp = None if options.masterkeydir: umkp = masterkey.MasterKeyPool() umkp.loadDirectory(options.masterkeydir) if options.credhist: umkp.addCredhistFile(options.sid, options.credhist) if options.password: umkp.try_credential(options.sid, options.password) elif options.pwdhash: umkp.try_credential_hash( options.sid, options.pwdhash.decode('hex')) smkp = None if options.sysmkdir and options.system and options.security: reg = registry.Regedit() secrets = reg.get_lsa_secrets(options.security, options.system) dpapi_system = secrets.get('DPAPI_SYSTEM')['CurrVal'] smkp = masterkey.MasterKeyPool()