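def run(self):
    """Collect Windows auto-logon credentials from the Winlogon registry key.

    Reads ``HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon``
    and, only when ``AutoAdminLogon`` is ``1``, gathers whichever of the
    ``Default*`` / ``AltDefault*`` domain, user name and password values are
    present. Values left behind after auto-logon was disabled are therefore
    ignored on purpose.

    Returns:
        A list holding at most one dict of the values found (as ``str``),
        or an empty list when auto-logon is off or the key is unreadable.

    NOTE(review): a ``DefaultPassword`` configured through tools that keep it
    as an LSA secret rather than a plain registry value will not appear here;
    this module only reads the registry value - confirm against the caller's
    expectations.
    """
    pwd_found = []
    value_names = (
        'DefaultDomainName', 'DefaultUserName', 'DefaultPassword',
        'AltDefaultDomainName', 'AltDefaultUserName', 'AltDefaultPassword',
    )
    try:
        # The context manager guarantees the key handle is closed on every
        # path; the original left it open.
        with OpenKey(winreg.HKEY_LOCAL_MACHINE,
                     'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon') as hkey:
            # AutoAdminLogon is usually a REG_SZ "0"/"1"; int() also accepts a DWORD.
            if int(winreg.QueryValueEx(hkey, 'AutoAdminLogon')[0]) == 1:
                log.debug('Autologin enabled')
                keys = {}
                for name in value_names:
                    try:
                        keys[name] = str(winreg.QueryValueEx(hkey, name)[0])
                    except Exception:
                        # Value not set for this machine - skip it, keep the rest.
                        continue
                if keys:
                    pwd_found.append(keys)
    except Exception as e:
        log.debug(str(e))
    return pwd_found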
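def run(self):
    """Return EyeCON credentials, each annotated with the configured DB hosts.

    Reads the ``DB1``..``DB3`` values of the eyevis ``eyeDB`` key (32-bit
    WOW6432Node view first, then the native view) and attaches the non-empty
    ones, comma-joined, under ``host(s)`` to every credential returned by
    ``credentials_from_registry``.

    The join now copes with ``str`` hosts (what REG_SZ values come back as):
    the original ``b', '.join(hosts)`` raised ``TypeError`` on ``str`` items.
    When every host is ``bytes`` the result is still ``bytes``, as before.
    """
    eye_db_keys = (
        'SOFTWARE\\WOW6432Node\\eyevis\\eyeDB',
        'SOFTWARE\\eyevis\\eyeDB',
    )
    db_values = ('DB1', 'DB2', 'DB3')

    hosts = []
    for reg_path in eye_db_keys:
        for value_name in db_values:
            try:
                with OpenKey(winreg.HKEY_LOCAL_MACHINE, reg_path) as hkey:
                    host = winreg.QueryValueEx(hkey, value_name)[0]
            except Exception:
                # Key or value absent: EyeCON not installed or DB slot unused.
                log.debug(u'Problems with key:: {reg_key}'.format(reg_key=reg_path))
                continue
            if host:
                hosts.append(host)

    if all(isinstance(h, bytes) for h in hosts):
        # Includes the empty case, which yields b'' exactly as the original did.
        host_list = b', '.join(hosts)
    else:
        host_list = ', '.join(
            h.decode('utf-8', 'replace') if isinstance(h, bytes) else str(h)
            for h in hosts
        )

    credentials = self.credentials_from_registry()
    for cred in credentials:
        cred['host(s)'] = host_list
    return credentials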
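def check_masterPassword(self, key):
    """Return True unless the open key's ``UseMasterPassword`` value is "0".

    Args:
        key: an open ``winreg`` handle. It is always closed before this
            method returns - including when ``UseMasterPassword`` is absent,
            in which case the ``OSError`` from ``QueryValueEx`` still
            propagates as it did before (the original leaked the handle on
            that path).

    Returns:
        False when the value, converted to ``str``, is exactly "0";
        True for any other value.
    """
    try:
        use_master = winreg.QueryValueEx(key, 'UseMasterPassword')[0]
    finally:
        winreg.CloseKey(key)
    return str(use_master) != '0'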
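def get_default_database(self):
    """Return PuTTY Connection Manager's ``DefaultDatabase`` registry value.

    Reads ``HKCU\\Software\\ACS\\PuTTY Connection Manager\\DefaultDatabase``.
    Returns the raw value, or ``None`` when the key or value is missing
    (application not installed / never configured) or cannot be read.
    The handle is closed on every path; the original leaked it whenever
    ``QueryValueEx`` raised.
    """
    try:
        with OpenKey(winreg.HKEY_CURRENT_USER, 'Software\\ACS\\PuTTY Connection Manager') as key:
            return winreg.QueryValueEx(key, 'DefaultDatabase')[0]
    except Exception:
        # Best-effort lookup: a missing key/value is the normal "not set" case.
        return None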
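def credentials_from_registry(self):
    """Recover the EyeCON eyetool user/password pair stored under HKLM.

    Both the WOW6432Node (32-bit) and native ``eyevis\\eyetool\\Default``
    keys are tried. The ``registered`` (user) and ``connection`` (password)
    values are passed through ``self.deobfuscate``; any failure for a key is
    logged and that key is skipped.

    Returns:
        A list of ``{'username': ..., 'password': ...}`` dicts, possibly empty.

    Bug fixed: the original logged ``reg_root + reg_path`` in the
    key-missing handler; ``reg_root`` is an int (HKEY constant), so that
    raised ``TypeError`` inside the handler, which the surrounding
    ``except Exception: pass`` swallowed - the debug message never appeared.
    """
    found_passwords = []
    targets = (
        {
            'app': 'EyeCON',
            'reg_root': winreg.HKEY_LOCAL_MACHINE,
            'reg_path': 'SOFTWARE\\WOW6432Node\\eyevis\\eyetool\\Default',
            'user_key': 'registered',
            'password_key': 'connection',
        },
        {
            'app': 'EyeCON',
            'reg_root': winreg.HKEY_LOCAL_MACHINE,
            'reg_path': 'SOFTWARE\\eyevis\\eyetool\\Default',
            'user_key': 'registered',
            'password_key': 'connection',
        },
    )

    for target in targets:
        try:
            # Context manager closes the handle; the original left it open.
            with OpenKey(target['reg_root'], target['reg_path']) as hkey:
                raw_user = winreg.QueryValueEx(hkey, target['user_key'])[0]
                raw_password = winreg.QueryValueEx(hkey, target['password_key'])[0]
        except Exception:
            log.debug(u'Problems with key:: {reg_key}'.format(reg_key=target['reg_path']))
            continue

        try:
            user = self.deobfuscate(raw_user)
        except Exception:
            log.info(u'Problems with deobfuscate user : {reg_key}'.format(reg_key=target['reg_path']))
            continue

        try:
            password = self.deobfuscate(raw_password)
        except Exception:
            log.info(u'Problems with deobfuscate password : {reg_key}'.format(reg_key=target['reg_path']))
            continue

        found_passwords.append({'username': user, 'password': password})

    return found_passwords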
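def get_registry_key(self, reg_key, parameter):
    """Read value ``parameter`` from the registry path ``reg_key``.

    Args:
        reg_key: full path starting with a hive name, e.g.
            ``HKEY_LOCAL_MACHINE\\SOFTWARE\\Vendor\\App``.
        parameter: name of the value to read under that key.

    Returns:
        The raw value as ``winreg`` returns it (``str`` for REG_SZ, ``bytes``
        for REG_BINARY, ``int`` for REG_DWORD), or ``''`` when the hive is
        not recognised or the key/value cannot be read (logged at debug).

    Originally only ``HKEY_LOCAL_MACHINE`` was recognised and every other
    hive silently produced ``''``; HKCU, HKU and HKCR are now resolved the
    same way. HKLM behaviour is unchanged, and the handle is now closed.
    """
    hives = {
        'HKEY_LOCAL_MACHINE': winreg.HKEY_LOCAL_MACHINE,
        'HKEY_CURRENT_USER': winreg.HKEY_CURRENT_USER,
        'HKEY_USERS': winreg.HKEY_USERS,
        'HKEY_CLASSES_ROOT': winreg.HKEY_CLASSES_ROOT,
    }
    data = ''
    try:
        hive_name, _, sub_key = reg_key.partition('\\')
        root = hives.get(hive_name)
        if root is not None:
            with winreg.OpenKey(root, sub_key) as hkey:
                data = winreg.QueryValueEx(hkey, parameter)[0]
    except Exception as e:
        log.debug(e)
    return data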
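def run(self, profile):
    """Recover saved OpenVPN profile passwords from the registry.

    Every sub-key of the key returned by ``check_openvpn_installed`` is one
    profile. Its ``auth-data`` blob is handed to ``CryptUnprotectData``
    together with ``profile`` and the profile's ``entropy`` value minus its
    last byte (presumably a terminating NUL - TODO confirm), and the result
    is decoded as UTF-16. Profiles whose password cannot be read or
    unprotected are still listed, just without a ``Password`` entry.

    Args:
        profile: passed through unchanged to ``CryptUnprotectData``.

    Returns:
        A list of ``{'Profile': name[, 'Password': str]}`` dicts, or ``None``
        when OpenVPN is not installed.

    The parent key is now closed via ``finally`` even if enumerating or
    opening a sub-key raises; the original leaked it on that path.
    """
    key = self.check_openvpn_installed()
    if not key:
        return

    pwd_found = []
    try:
        num_profiles = winreg.QueryInfoKey(key)[0]
        for index in range(num_profiles):
            profile_name = winreg.EnumKey(key, index)
            entry = {'Profile': profile_name}
            with OpenKey(key, profile_name) as skey:
                try:
                    blob = winreg.QueryValueEx(skey, "auth-data")[0]
                    entropy = winreg.QueryValueEx(skey, "entropy")[0][:-1]
                    clear = CryptUnprotectData(blob, profile, entropy)
                    entry['Password'] = clear.decode('utf16')
                except Exception as e:
                    # Missing values or a DPAPI failure: report the profile anyway.
                    log.debug(str(e))
            pwd_found.append(entry)
    finally:
        winreg.CloseKey(key)
    return pwd_found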
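def vnc_from_registry(self):
    """Recover VNC server passwords stored in the registry.

    Walks a fixed table of (product label, full key path, value name) for
    RealVNC, TightVNC and TigerVNC under HKLM and HKCU. Each value is
    expected to be a REG_BINARY blob (presumably the classic obfuscated VNC
    password format); it is hex-encoded and handed to
    ``self.reverse_vncpassword``. Missing keys, non-bytes values and
    reversal failures are logged and skipped.

    Returns:
        A list of ``{'Server': label, 'Password': cleartext}`` dicts
        (``Password`` omitted when the reversal returns a falsy value).

    NOTE(review): view-only and control passwords are stored under the same
    ``Password`` key; only the label distinguishes them, and the two
    ``PasswordViewOnly`` rows share the plain "TightVNC" label, so a
    consumer cannot tell a view-only password from the full one.

    Handles are now closed via the context manager; the original leaked
    every opened key.
    """
    hives = {
        'HKEY_LOCAL_MACHINE': winreg.HKEY_LOCAL_MACHINE,
        'HKEY_CURRENT_USER': winreg.HKEY_CURRENT_USER,
    }
    targets = (
        ('RealVNC 4.x', 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\RealVNC\\WinVNC4', 'Password'),
        ('RealVNC 3.x', 'HKEY_LOCAL_MACHINE\\SOFTWARE\\RealVNC\\vncserver', 'Password'),
        ('RealVNC 4.x', 'HKEY_LOCAL_MACHINE\\SOFTWARE\\RealVNC\\WinVNC4', 'Password'),
        ('RealVNC 4.x', 'HKEY_CURRENT_USER\\SOFTWARE\\RealVNC\\WinVNC4', 'Password'),
        ('RealVNC 3.x', 'HKEY_CURRENT_USER\\Software\\ORL\\WinVNC3', 'Password'),
        ('TightVNC', 'HKEY_CURRENT_USER\\Software\\TightVNC\\Server', 'Password'),
        ('TightVNC', 'HKEY_CURRENT_USER\\Software\\TightVNC\\Server', 'PasswordViewOnly'),
        ('TightVNC', 'HKEY_LOCAL_MACHINE\\Software\\TightVNC\\Server', 'Password'),
        ('TightVNC ControlPassword', 'HKEY_LOCAL_MACHINE\\Software\\TightVNC\\Server', 'ControlPassword'),
        ('TightVNC', 'HKEY_LOCAL_MACHINE\\Software\\TightVNC\\Server', 'PasswordViewOnly'),
        ('TigerVNC', 'HKEY_LOCAL_MACHINE\\Software\\TigerVNC\\Server', 'Password'),
        ('TigerVNC', 'HKEY_CURRENT_USER\\Software\\TigerVNC\\Server', 'Password'),
    )

    pfound = []
    for label, full_path, value_name in targets:
        hive_name, _, sub_key = full_path.partition('\\')
        try:
            # An unknown hive prefix raises KeyError here and is skipped like
            # a missing key, matching the original's behaviour.
            with OpenKey(hives[hive_name], sub_key) as hkey:
                raw = winreg.QueryValueEx(hkey, value_name)[0]
        except Exception:
            log.debug('Problems with key:: {reg_key}'.format(reg_key=full_path))
            continue

        try:
            enc_pwd = binascii.hexlify(raw).decode()
        except Exception:
            # Not a bytes value (e.g. REG_SZ) - nothing we can reverse.
            log.debug('Problems with decoding: {reg_key}'.format(reg_key=raw))
            continue

        values = {}
        try:
            password = self.reverse_vncpassword(enc_pwd)
            if password:
                values['Password'] = password
        except Exception:
            log.info('Problems with reverse_vncpassword: {reg_key}'.format(reg_key=raw))
            continue

        values['Server'] = label
        pfound.append(values)
    return pfound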
def run(self):
    """Recover Galcon Fusion credentials from each Steam user's cloud folder.

    Locates Steam via ``HKCU\\Software\\Valve\\Steam\\SteamPath``, then reads
    ``userdata/<id>/44200/remote/galcon.cfg`` for every entry under
    ``userdata`` and slices the login and password out of the raw bytes at
    fixed offsets.

    Returns:
        A list of ``{'Login': bytes, 'Password': bytes}`` dicts (possibly
        empty), or ``None`` when Steam is not installed or has no
        ``userdata`` directory.
    """
    steam_value = None
    try:
        with OpenKey(winreg.HKEY_CURRENT_USER, 'Software\\Valve\\Steam') as key:
            steam_value = winreg.QueryValueEx(key, 'SteamPath')
    except Exception:
        # No Steam installation for this user.
        pass
    if not steam_value:
        return

    userdata = os.path.join(steam_value[0], 'userdata')
    if not os.path.exists(userdata):
        log.error('Steam doesn\'t have a userdata directory.')
        return

    creds = []
    for user_dir in os.listdir(userdata):
        cfg_path = os.path.join(userdata, user_dir, '44200\\remote\\galcon.cfg')
        if not os.path.exists(cfg_path):
            continue
        with open(cfg_path, mode='rb') as cfg:
            raw = cfg.read()
        # Fixed-offset fields: login at 0x04..0x22, password at 0x24..0x42.
        # The layout is taken from the original slicing; the file format
        # itself is undocumented here - TODO confirm.
        creds.append({
            'Login': raw[4:0x23],
            'Password': raw[0x24:0x43],
        })
    return creds
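def run(self):
    """Recover Turba credentials from the game's ``Settings.bin``.

    Locates Steam via ``HKCU\\Software\\Valve\\Steam\\SteamPath``, opens
    ``SteamApps\\common\\Turba\\Assets\\Settings.bin`` and takes the first
    two newline-separated fields after byte 0x1b as login and password
    (offset and separator taken from the original code; the file format is
    otherwise undocumented here - TODO confirm).

    Returns:
        A one-element list ``[{'Login': bytes, 'Password': bytes}]``, or
        ``None`` when Steam / Turba is not installed or the file does not
        contain a second field (the original raised ``IndexError`` there).

    Fixes: the registry and SteamApps paths used un-escaped backslashes
    (``'Software\\Valve\\Steam'`` written as ``\\V``/``\\S``, and ``\\c``),
    which Python treats as invalid escape sequences and warns about; the
    resulting strings are byte-identical. The file handle no longer shadows
    the ``filepath`` variable.
    """
    steam_value = None
    try:
        with OpenKey(winreg.HKEY_CURRENT_USER, 'Software\\Valve\\Steam') as key:
            steam_value = winreg.QueryValueEx(key, 'SteamPath')
    except Exception:
        # No Steam installation for this user.
        pass
    if not steam_value:
        return

    steamapps = os.path.join(steam_value[0], 'SteamApps\\common')
    if not os.path.exists(steamapps):
        log.error('Steam doesn\'t have a SteamApps directory.')
        return

    settings_path = os.path.join(steamapps, 'Turba\\Assets\\Settings.bin')
    if not os.path.exists(settings_path):
        log.debug('Turba doesn\'t appear to be installed.')
        return

    with open(settings_path, mode='rb') as settings_file:
        data = settings_file.read()

    fields = data[0x1b:].split(b'\x0a')
    if len(fields) < 2:
        # Truncated or unexpected layout: no password field to report.
        log.debug('Turba Settings.bin has an unexpected layout.')
        return

    return [{'Login': fields[0], 'Password': fields[1]}]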