예제 #1
파일: outlook.py 프로젝트: ManKiam/winsecs
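    def trySingleKey(self, profile, keyPath):
        """Collect account entries stored two levels below ``keyPath`` in HKCU.

        Walks every subkey of ``keyPath`` and every sub-subkey beneath it. A
        sub-subkey that holds at least one value whose name contains
        "password" is handed to ``self.retrieve_info`` once, and the dict it
        returns is kept when non-empty.

        Review notes:
          * The original never closed the innermost handle and leaked the
            outer ones whenever an enumeration call raised; every handle is
            now released in a ``finally``.
          * The original called ``retrieve_info`` once per matching value
            name, so a key with several password values yielded the same
            dict several times. It is now collected once per key.
          * For defenders: this routine only needs read access to the
            current user's hive, so registry auditing or EDR registry
            telemetry on the profile key is where such reads become visible.

        Args:
            profile: passed through unchanged to ``self.retrieve_info``.
            keyPath: registry path, relative to HKEY_CURRENT_USER.

        Returns:
            A list of dicts, or ``None`` when ``keyPath`` cannot be opened.
        """
        try:
            hkey = OpenKey(winreg.HKEY_CURRENT_USER, keyPath)
        except Exception as e:
            log.debug(e)
            return

        pwd_found = []
        try:
            for x in range(winreg.QueryInfoKey(hkey)[0]):
                name = winreg.EnumKey(hkey, x)
                # NOTE(review): the standard-library winreg module exposes
                # KEY_READ, not ACCESS_READ; confirm which `winreg` this
                # file binds before relying on this attribute.
                skey = OpenKey(hkey, name, 0, winreg.ACCESS_READ)
                try:
                    for y in range(winreg.QueryInfoKey(skey)[0]):
                        name_skey = winreg.EnumKey(skey, y)
                        sskey = OpenKey(skey, name_skey)
                        try:
                            num_sskey = winreg.QueryInfoKey(sskey)[1]
                            has_password = any(
                                'password' in winreg.EnumValue(sskey, z)[0].lower()
                                for z in range(num_sskey))
                            if has_password:
                                values = self.retrieve_info(
                                    profile, sskey, name_skey)
                                if values:
                                    pwd_found.append(values)
                        finally:
                            winreg.CloseKey(sskey)
                finally:
                    winreg.CloseKey(skey)
        finally:
            winreg.CloseKey(hkey)
        return pwd_found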
예제 #2
    def get_credentials(self):
        """Read the saved WinSCP sessions of the current user from the registry.

        Opens the WinSCP ``Sessions`` key under HKEY_CURRENT_USER, walks each
        session subkey and builds one dict per session from the value names
        listed in ``elements``.

        Review notes:
          * ``decrypt_password`` is given only a username, a hostname and the
            stored value, all taken from ``values`` or from this same
            registry key; no user-supplied secret is passed here. Sessions
            saved this way should be treated as recoverable by any code
            running as the user (WinSCP's master-password option is the
            relevant hardening setting - confirm against the deployed
            version).
          * Handles are closed only on the success path; an exception raised
            by an enumeration call leaves ``skey``/``key`` open.

        Returns:
            ``False`` when the Sessions key cannot be opened, otherwise a
            list of dicts (one per session subkey that has at least one
            value).
        """
        try:
            key = OpenKey(winreg.HKEY_CURRENT_USER,
                          'Software\\Martin Prikryl\\WinSCP 2\\Sessions')
        except Exception as e:
            log.debug(str(e))
            return False

        pwd_found = []
        num_profiles = winreg.QueryInfoKey(key)[0]
        for n in range(num_profiles):
            name_skey = winreg.EnumKey(key, n)
            skey = OpenKey(key, name_skey)
            num = winreg.QueryInfoKey(skey)[1]

            values = {}
            # Maps registry value names to the keys used in the result dict.
            # NOTE(review): two targets read '******' on this page, which
            # looks like masking applied by the listing rather than the
            # project's real strings. As written, 'UserName' is stored under
            # '******', so the 'Login' entry looked up below is never set and
            # the username argument is always ''. Verify against the
            # project's own copy of this file.
            elements = {
                'HostName': 'URL',
                'UserName': '******',
                'PortNumber': 'Port',
                'Password': '******'
            }
            for nn in range(num):
                # k is indexed as k[0] = value name, k[1] = value data.
                k = winreg.EnumValue(skey, nn)

                for e in elements:
                    if k[0] == e:
                        if e == 'Password':
                            # The result key is the literal 'Password';
                            # elements['Password'] is not consulted here.
                            # The username/hostname arguments depend on those
                            # values having been enumerated before 'Password'.
                            try:
                                values['Password'] = self.decrypt_password(
                                    username=values.get('Login', ''),
                                    hostname=values.get('URL', ''),
                                    _hash=k[1])
                            # `as e` rebinds the loop variable and Python
                            # unbinds it after the handler; the next loop
                            # iteration assigns it again.
                            except Exception as e:
                                log.debug(str(e))
                        else:
                            values[elements[k[0]]] = str(k[1])

            # Subkeys without any value are skipped entirely.
            if num != 0:
                # No PortNumber value stored: fall back to '22'.
                if 'Port' not in values:
                    values['Port'] = '22'

                pwd_found.append(values)

            winreg.CloseKey(skey)
        winreg.CloseKey(key)

        return pwd_found
예제 #3
파일: coreftp.py 프로젝트: ManKiam/winsecs
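    def run(self):
        """Read the saved CoreFTP site entries of the current user.

        Opens the CoreFTP ``Sites`` key under HKEY_CURRENT_USER and builds
        one dict per site subkey from the values named Host, Port, User and
        PW.

        Review notes:
          * The original appended ``values`` inside the value loop, so the
            same dict object was added once per matching value; it is now
            added once per site.
          * The original ``else`` was attached to the ``'PW'`` test only, so
            a ``User`` value was stored under both 'Login' and 'User'; the
            branches are now a single if/elif/else chain.
          * The original returned ``None`` when the key was missing; an
            empty list is returned instead, which is equally falsy.
          * Handles are released in ``finally`` blocks.
          * For defenders: the PW value is decrypted with a constant key in
            ECB mode, i.e. without any per-user or per-machine secret.
            Saved site passwords are therefore plaintext-equivalent to any
            code that can read the user's hive; not saving passwords in the
            client is the effective mitigation.

        Returns:
            A list of dicts, empty when the key is absent. 'Password' holds
            the decrypted bytes up to the first NUL and is left undecoded.
        """
        pwd_found = []
        try:
            key = OpenKey(winreg.HKEY_CURRENT_USER,
                          'Software\\FTPware\\CoreFTP\\Sites')
        except Exception as e:
            log.debug(str(e))
            return pwd_found

        if not key:
            return pwd_found

        try:
            for n in range(winreg.QueryInfoKey(key)[0]):
                name_skey = winreg.EnumKey(key, n)
                skey = OpenKey(key, name_skey)
                try:
                    values = {}
                    for nn in range(winreg.QueryInfoKey(skey)[1]):
                        k = winreg.EnumValue(skey, nn)
                        if k[0] == 'User':
                            values['Login'] = k[1]
                        elif k[0] == 'PW':
                            try:
                                values['Password'] = AES.new(
                                    b"hdfzpysvpzimorhk", AES.MODE_ECB).decrypt(
                                        binascii.unhexlify(
                                            k[1])).split(b'\x00')[0]
                            except Exception as e:
                                log.debug(str(e))
                        elif k[0] in ('Host', 'Port'):
                            values[k[0]] = k[1]
                    if values:
                        pwd_found.append(values)
                finally:
                    winreg.CloseKey(skey)
        finally:
            winreg.CloseKey(key)

        return pwd_found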
예제 #4
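    def history_from_regedit(self):
        """Return the data of every value under the IE ``TypedURLs`` key.

        The key is opened under HKEY_CURRENT_USER. The original closed the
        handle only on the success path; it is now released in a ``finally``
        so an error during enumeration cannot leak it.

        Returns:
            A list with the data (``k[1]``) of each enumerated value, or an
            empty list when the key cannot be opened.
        """
        try:
            hkey = OpenKey(
                winreg.HKEY_CURRENT_USER,
                'Software\\Microsoft\\Internet Explorer\\TypedURLs')
        except Exception:
            log.debug(traceback.format_exc())
            return []

        try:
            entries = (winreg.EnumValue(hkey, x)
                       for x in range(winreg.QueryInfoKey(hkey)[1]))
            # Falsy entries are skipped, as in the original.
            return [k[1] for k in entries if k]
        finally:
            winreg.CloseKey(hkey)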
예제 #5
    def run(self, profile):
        """Match IE ``Storage2`` entries against known hashes and decipher them.

        When the first two dotted components of ``platform.version()`` are
        greater than 6.1, a debug message pointing at the vault module is
        logged and ``None`` is returned. Otherwise every value under the
        IntelliForms ``Storage2`` key of the current user is enumerated. The
        first 40 characters of its name, lower-cased, are compared with
        ``h[1]`` of each entry from ``self.get_hash_table()``. On the first
        match the value data and ``h[0]`` go to ``self.decipher_password``.

        Args:
            profile: passed through unchanged to ``self.decipher_password``.

        Returns:
            ``None`` on the early exit, otherwise a list of the collected
            results (empty when the key cannot be opened).
        """
        os_version = '.'.join(platform.version().split('.')[:2])
        if float(os_version) > 6.1:
            log.debug(
                'Internet Explorer passwords are stored in Vault (check vault module)'
            )
            return

        recovered = set()
        try:
            hkey = OpenKey(
                winreg.HKEY_CURRENT_USER,
                'Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2'
            )
        except Exception:
            log.debug(traceback.format_exc())
            return list(recovered)

        # Candidate entries built from the browsing history.
        hash_tables = self.get_hash_table()

        seen = 0
        matched = 0
        for index in range(winreg.QueryInfoKey(hkey)[1]):
            entry = winreg.EnumValue(hkey, index)
            if not entry:
                continue
            seen += 1
            for candidate in hash_tables:
                # Only the first candidate with an equal hash is used.
                if candidate[1] != entry[0][:40].lower():
                    continue
                matched += 1
                recovered |= self.decipher_password(
                    profile, entry[1], candidate[0])
                break

        winreg.CloseKey(hkey)

        # Report entries for which no candidate matched.
        if seen > matched:
            log.error(
                '%s hashes have not been decrypted, the associate website used to decrypt the '
                'passwords has not been found' %
                str(seen - matched))

        return list(recovered)
예제 #6
파일: openvpn.py 프로젝트: ManKiam/winsecs
    def run(self, profile):
        """Return one dict per OpenVPN profile subkey, with its password if readable.

        ``self.check_openvpn_installed()`` supplies the opened key; a falsy
        result ends the call with ``None``. For each subkey the "auth-data"
        value and the "entropy" value (minus its last element) are passed to
        ``CryptUnprotectData`` together with ``profile``, and the result is
        decoded as UTF-16. A failure in that step is only logged, so the
        entry is still returned with just its 'Profile' name.

        Review note: handles are closed on the success path only; an
        exception from ``EnumKey``/``OpenKey`` leaves them open.

        Args:
            profile: passed through unchanged to ``CryptUnprotectData``.

        Returns:
            ``None`` when no key is available, otherwise a list of dicts.
        """
        key = self.check_openvpn_installed()
        if not key:
            return

        results = []
        subkey_count = winreg.QueryInfoKey(key)[0]
        for index in range(subkey_count):
            profile_name = winreg.EnumKey(key, index)
            skey = OpenKey(key, profile_name)
            entry = {'Profile': profile_name}
            try:
                blob = winreg.QueryValueEx(skey, "auth-data")[0]
                # The trailing element of the stored entropy is dropped.
                entropy = winreg.QueryValueEx(skey, "entropy")[0][:-1]
                clear = CryptUnprotectData(blob, profile, entropy)
                entry['Password'] = clear.decode('utf16')
            except Exception as e:
                log.debug(str(e))
            results.append(entry)
            winreg.CloseKey(skey)
        winreg.CloseKey(key)

        return results
예제 #7
파일: outlook.py 프로젝트: ManKiam/winsecs
    def retrieve_info(self, profile, hkey, name_key):
        """Turn every value of an opened registry key into a dict entry.

        Values whose name contains "password" (case-insensitive) have their
        data, minus the first element, passed to ``CryptUnprotectData``
        together with ``profile``. A trailing two-byte NUL terminator is
        removed and the rest decoded as UTF-16; any failure is logged and
        the entry becomes 'N/A'. All other values are decoded as UTF-16,
        falling back to ``str()`` of the raw data.

        Args:
            profile: passed through unchanged to ``CryptUnprotectData``.
            hkey: opened registry key whose values are enumerated.
            name_key: not used by this method.

        Returns:
            A dict mapping each value name to its decoded data.
        """
        values = {}
        for index in range(winreg.QueryInfoKey(hkey)[1]):
            entry = winreg.EnumValue(hkey, index)

            if 'password' not in entry[0].lower():
                try:
                    values[entry[0]] = entry[1].decode('utf-16')
                except Exception:
                    values[entry[0]] = str(entry[1])
                continue

            try:
                clear = CryptUnprotectData(entry[1][1:], profile)
                # The decrypted buffer is UTF-16 text plus b'\x00\x00'.
                if clear.endswith(b'\x00\x00'):
                    clear = clear[:-2]
                values[entry[0]] = clear.decode("utf-16")
            except Exception as e:
                log.debug(str(e))
                values[entry[0]] = 'N/A'
        return values