예제 #1
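    def run(self):
        """Collect the Winlogon auto-logon values from HKLM.

        The Winlogon key is opened and, only when ``AutoAdminLogon`` converts
        to the integer 1, the default and alternate domain, user name and
        password values are read. Each value is returned as ``str()`` of what
        the registry holds; no decoding step is applied, so a populated
        ``DefaultPassword`` is exposed to every account that can read this
        key. Auto-logon configured through an LSA secret (for example with
        Sysinternals Autologon) leaves ``DefaultPassword`` absent.

        Returns:
            A list that is empty, or holds one dict mapping each value name
            that could be read to its string form.
        """
        pwd_found = []
        value_names = (
            'DefaultDomainName',
            'DefaultUserName',
            'DefaultPassword',
            'AltDefaultDomainName',
            'AltDefaultUserName',
            'AltDefaultPassword',
        )
        hkey = None
        try:
            hkey = OpenKey(
                winreg.HKEY_LOCAL_MACHINE,
                'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon')
            if int(winreg.QueryValueEx(hkey, 'AutoAdminLogon')[0]) == 1:
                log.debug('Autologin enabled')

                keys = {}
                for name in value_names:
                    try:
                        keys[name] = str(winreg.QueryValueEx(hkey, name)[0])
                    except Exception:
                        # Value missing or unreadable: leave it out of the result.
                        continue

                if keys:
                    pwd_found.append(keys)

        except Exception as e:
            # Best effort: a missing key or value only produces a debug line.
            log.debug(str(e))
        finally:
            # Release the registry handle on every path, including query failures.
            if hkey is not None:
                winreg.CloseKey(hkey)

        return pwd_found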
예제 #2
파일: eyecon.py 프로젝트: ManKiam/winsecs
    def run(self):
        """Attach the configured EyeCON database hosts to each stored credential.

        Reads the ``DB1``..``DB3`` values from the eyeDB key in both the
        WOW6432Node and the native HKLM software view, keeps the non-empty
        ones, then stores their joined form under ``'host(s)'`` on every
        entry returned by ``self.credentials_from_registry()``.

        Returns:
            The list returned by ``credentials_from_registry()``, with the
            ``'host(s)'`` entry added to each dict.
        """
        paths = (
            ('EyeCON DB Host', winreg.HKEY_LOCAL_MACHINE, 'SOFTWARE\\WOW6432Node\\eyevis\\eyeDB', 'DB1'),
            ('EyeCON DB Host', winreg.HKEY_LOCAL_MACHINE, 'SOFTWARE\\WOW6432Node\\eyevis\\eyeDB', 'DB2'),
            ('EyeCON DB Host', winreg.HKEY_LOCAL_MACHINE, 'SOFTWARE\\WOW6432Node\\eyevis\\eyeDB', 'DB3'),
            ('EyeCON DB Host', winreg.HKEY_LOCAL_MACHINE, 'SOFTWARE\\eyevis\\eyeDB', 'DB1'),
            ('EyeCON DB Host', winreg.HKEY_LOCAL_MACHINE, 'SOFTWARE\\eyevis\\eyeDB', 'DB2'),
            ('EyeCON DB Host', winreg.HKEY_LOCAL_MACHINE, 'SOFTWARE\\eyevis\\eyeDB', 'DB3'),
        )
        db_hosts = []
        for _label, hive, subkey, value_name in paths:
            try:
                # NOTE(review): the handle opened here is never closed.
                hkey = OpenKey(hive, subkey)
                host_value = winreg.QueryValueEx(hkey, value_name)[0]
                if host_value:
                    db_hosts.append(host_value)
            except Exception:
                # A key or value that does not exist is simply skipped.
                continue

        found = self.credentials_from_registry()
        for entry in found:
            # NOTE(review): the separator is bytes, so this join raises
            # TypeError if any collected host value is a str - confirm the
            # registry value type.
            entry['host(s)'] = b', '.join(db_hosts)
        return found
예제 #3
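 def check_masterPassword(self, key):
     """Report whether ``UseMasterPassword`` under *key* is anything but 0.

     Args:
         key: An open registry handle; it is closed before this method
             returns, also when the query raises.

     Returns:
         False when the string form of the value is ``'0'``, True otherwise.

     Raises:
         Whatever ``winreg.QueryValueEx`` raises, e.g. when the value is
         missing.
     """
     try:
         is_master_pwd_used = winreg.QueryValueEx(key, 'UseMasterPassword')[0]
     finally:
         # Close the handle even when the value cannot be read.
         winreg.CloseKey(key)
     return str(is_master_pwd_used) != '0'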
예제 #4
파일: puttycm.py 프로젝트: ManKiam/winsecs
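 def get_default_database(self):
     """Return the ``DefaultDatabase`` value of PuTTY Connection Manager.

     The value is read from the current user's
     ``Software\\ACS\\PuTTY Connection Manager`` key.

     Returns:
         The registry value, or None when the key or value cannot be read.
     """
     try:
         # The context manager closes the handle even when the query raises.
         with OpenKey(winreg.HKEY_CURRENT_USER,
                      'Software\\ACS\\PuTTY Connection Manager') as key:
             return winreg.QueryValueEx(key, 'DefaultDatabase')[0]
     except Exception:
         # Best effort: a missing key or value means "not configured".
         return None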
예제 #5
파일: eyecon.py 프로젝트: ManKiam/winsecs
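    def credentials_from_registry(self):
        """Read and deobfuscate the EyeCON account stored under HKLM.

        For each of the two eyetool ``Default`` keys (WOW6432Node and native
        view) the ``registered`` and ``connection`` values are read and passed
        to ``self.deobfuscate``. The calls hand over only the stored value, so
        nothing outside the registry is supplied here to recover it.

        Returns:
            A list of ``{'username': ..., 'password': ...}`` dicts, one per
            key where both values were read and deobfuscated.
        """
        found_passwords = []
        password_path = (
            {
                'app': 'EyeCON', 'reg_root': winreg.HKEY_LOCAL_MACHINE,
                'reg_path': 'SOFTWARE\\WOW6432Node\\eyevis\\eyetool\\Default',
                'user_key': 'registered', 'password_key': 'connection'
            },
            {
                'app': 'EyeCON', 'reg_root': winreg.HKEY_LOCAL_MACHINE,
                'reg_path': 'SOFTWARE\\eyevis\\eyetool\\Default',
                'user_key': 'registered', 'password_key': 'connection'
            },
        )

        for path in password_path:
            try:
                # The context manager closes the handle once both values are read.
                with OpenKey(path['reg_root'], path['reg_path']) as hkey:
                    reg_user_key = winreg.QueryValueEx(hkey, path['user_key'])[0]
                    reg_password_key = winreg.QueryValueEx(hkey, path['password_key'])[0]
            except Exception:
                # Log the path only: 'reg_root' is the hive constant, and adding
                # it to a str raised inside this handler, so the message was
                # never emitted.
                log.debug(u'Problems with key:: {reg_key}'.format(reg_key=path['reg_path']))
                continue

            try:
                user = self.deobfuscate(reg_user_key)
            except Exception:
                log.info(u'Problems with deobfuscate user : {reg_key}'.format(reg_key=path['reg_path']))
                continue

            try:
                password = self.deobfuscate(reg_password_key)
            except Exception:
                log.info(u'Problems with deobfuscate password : {reg_key}'.format(reg_key=path['reg_path']))
                continue

            found_passwords.append({'username': user, 'password': password})
        return found_passwords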
예제 #6
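    def get_registry_key(self, reg_key, parameter):
        """Read one value from a key given as a full ``HKEY_LOCAL_MACHINE\\...`` path.

        Args:
            reg_key: Key path including the hive name. Only paths that start
                with ``HKEY_LOCAL_MACHINE`` are supported.
            parameter: Name of the value to read.

        Returns:
            The value data, or ``''`` when the hive is unsupported or the key
            or value cannot be read.
        """
        data = ''
        try:
            if not reg_key.startswith('HKEY_LOCAL_MACHINE'):
                # Previously this path reached the query with no handle bound
                # and relied on the resulting exception being swallowed.
                log.debug('Unsupported registry hive: {reg_key}'.format(reg_key=reg_key))
                return data
            # Strip the hive prefix once; the context manager closes the handle.
            with winreg.OpenKey(
                    winreg.HKEY_LOCAL_MACHINE,
                    reg_key.replace('HKEY_LOCAL_MACHINE\\', '', 1)) as hkey:
                data = winreg.QueryValueEx(hkey, parameter)[0]
        except Exception as e:
            log.debug(e)

        return data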
예제 #7
파일: openvpn.py 프로젝트: ManKiam/winsecs
    def run(self, profile):
        """List OpenVPN profiles and the saved password of each, where readable.

        Every subkey of the key returned by ``self.check_openvpn_installed()``
        is treated as one profile. Its ``auth-data`` blob is handed to
        ``CryptUnprotectData`` together with *profile* and the ``entropy``
        value minus its last byte; the result is decoded as UTF-16. The
        entropy is read from the same subkey as the blob.

        Args:
            profile: Passed through unchanged to ``CryptUnprotectData``.
                # NOTE(review): meaning of this argument is defined by that
                # helper - confirm against its definition.

        Returns:
            None when ``check_openvpn_installed()`` returns a falsy value,
            otherwise a list with one dict per subkey: always ``'Profile'``,
            plus ``'Password'`` when the blob could be unprotected.
        """
        root = self.check_openvpn_installed()
        if not root:
            return

        results = []
        subkey_count = winreg.QueryInfoKey(root)[0]
        for index in range(subkey_count):
            profile_name = winreg.EnumKey(root, index)
            subkey = OpenKey(root, profile_name)
            entry = {'Profile': profile_name}
            try:
                blob = winreg.QueryValueEx(subkey, "auth-data")[0]
                # The last byte of the stored entropy is dropped before use.
                entropy = winreg.QueryValueEx(subkey, "entropy")[0][:-1]
                clear = CryptUnprotectData(blob, profile, entropy)
                entry['Password'] = clear.decode('utf16')
            except Exception as e:
                # The profile is still reported, just without a password.
                log.debug(str(e))
            results.append(entry)
            winreg.CloseKey(subkey)
        winreg.CloseKey(root)

        return results
예제 #8
파일: vnc.py 프로젝트: ManKiam/winsecs
    def vnc_from_registry(self):
        """Read the stored VNC server passwords from the registry.

        Walks a fixed table of RealVNC, TightVNC and TigerVNC keys in HKLM
        and HKCU, hex-encodes each password value found and passes it to
        ``self.reverse_vncpassword``. That helper receives only the hex of
        the stored value.

        Returns:
            A list of dicts, each with ``'Server'`` and, when the helper
            returned a non-empty result, ``'Password'``.
        """
        targets = (
            ('RealVNC 4.x', 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\RealVNC\\WinVNC4', 'Password'),
            ('RealVNC 3.x', 'HKEY_LOCAL_MACHINE\\SOFTWARE\\RealVNC\\vncserver', 'Password'),
            ('RealVNC 4.x', 'HKEY_LOCAL_MACHINE\\SOFTWARE\\RealVNC\\WinVNC4', 'Password'),
            ('RealVNC 4.x', 'HKEY_CURRENT_USER\\SOFTWARE\\RealVNC\\WinVNC4', 'Password'),
            ('RealVNC 3.x', 'HKEY_CURRENT_USER\\Software\\ORL\\WinVNC3', 'Password'),
            ('TightVNC', 'HKEY_CURRENT_USER\\Software\\TightVNC\\Server', 'Password'),
            ('TightVNC', 'HKEY_CURRENT_USER\\Software\\TightVNC\\Server', 'PasswordViewOnly'),
            ('TightVNC', 'HKEY_LOCAL_MACHINE\\Software\\TightVNC\\Server', 'Password'),
            ('TightVNC ControlPassword', 'HKEY_LOCAL_MACHINE\\Software\\TightVNC\\Server', 'ControlPassword'),
            ('TightVNC', 'HKEY_LOCAL_MACHINE\\Software\\TightVNC\\Server', 'PasswordViewOnly'),
            ('TigerVNC', 'HKEY_LOCAL_MACHINE\\Software\\TigerVNC\\Server', 'Password'),
            ('TigerVNC', 'HKEY_CURRENT_USER\\Software\\TigerVNC\\Server', 'Password'),
        )
        recovered = []

        for server, full_path, value_name in targets:
            try:
                # The table spells out the hive name; map it to the winreg constant.
                # NOTE(review): handles opened here are never closed.
                if full_path.startswith('HKEY_LOCAL_MACHINE'):
                    hkey = OpenKey(winreg.HKEY_LOCAL_MACHINE, full_path.replace('HKEY_LOCAL_MACHINE\\', ''))

                elif full_path.startswith('HKEY_CURRENT_USER'):
                    hkey = OpenKey(winreg.HKEY_CURRENT_USER, full_path.replace('HKEY_CURRENT_USER\\', ''))

                reg_key = winreg.QueryValueEx(hkey, value_name)[0]
            except Exception:
                log.debug('Problems with key:: {reg_key}'.format(reg_key=full_path))
                continue

            try:
                enc_pwd = binascii.hexlify(reg_key).decode()
            except Exception:
                # Note that this message includes the stored value itself.
                log.debug('Problems with decoding: {reg_key}'.format(reg_key=reg_key))
                continue

            entry = {}
            try:
                password = self.reverse_vncpassword(enc_pwd)
                if password:
                    entry['Password'] = password
            except Exception:
                log.info('Problems with reverse_vncpassword: {reg_key}'.format(reg_key=reg_key))
                continue

            # An entry is recorded even when no password came back.
            entry['Server'] = server
            recovered.append(entry)

        return recovered
예제 #9
    def run(self):
        """Read the Galcon Fusion login stored in each Steam user's config file.

        The Steam install path comes from ``SteamPath`` under the current
        user's ``Software\\Valve\\Steam`` key. For every entry in its
        ``userdata`` directory, ``44200\\remote\\galcon.cfg`` is read if it
        exists and two fixed byte ranges are returned as found: bytes
        4..0x22 as the login and 0x24..0x42 as the password. No length check
        is made, so a short file yields short or empty slices.

        Returns:
            None when Steam or its ``userdata`` directory is not found,
            otherwise a list of ``{'Login': bytes, 'Password': bytes}``.
        """
        steam_value = None

        # Any failure to open or query the key is treated as "Steam not installed".
        try:
            with OpenKey(winreg.HKEY_CURRENT_USER,
                         'Software\\Valve\\Steam') as key:
                steam_value = winreg.QueryValueEx(key, 'SteamPath')
        except Exception:
            pass

        if not steam_value:
            return

        userdata = os.path.join(steam_value[0], 'userdata')
        if not os.path.exists(userdata):
            log.error("Steam doesn't have a userdata directory.")
            return

        creds = []
        # One subdirectory per Steam user; only those with a Galcon config matter.
        for user_dir in os.listdir(userdata):
            cfg_path = os.path.join(userdata, user_dir, '44200\\remote\\galcon.cfg')
            if os.path.exists(cfg_path):
                with open(cfg_path, mode='rb') as cfgfile:
                    raw = cfgfile.read()
                    creds.append({
                        'Login': raw[4:0x23],
                        'Password': raw[0x24:0x43]
                    })

        return creds
예제 #10
파일: turba.py 프로젝트: ManKiam/winsecs
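    def run(self):
        """Read the Turba login stored in the game's ``Settings.bin``.

        The Steam install path comes from ``SteamPath`` under the current
        user's ``Software\\Valve\\Steam`` key. The file
        ``SteamApps\\common\\Turba\\Assets\\Settings.bin`` is read, the first
        0x1b bytes are skipped and the rest is split on newline bytes; the
        first two fields are returned as found, as login and password.

        Returns:
            None when Steam, its SteamApps directory or the settings file is
            not found; otherwise a list that holds one
            ``{'Login': bytes, 'Password': bytes}`` dict, or is empty when the
            file does not contain two newline-separated fields.
        """
        creds = []
        results = None

        # Any failure to open or query the key is treated as "Steam not installed".
        try:
            # Backslashes are escaped: '\V', '\S' and '\c' are invalid escape
            # sequences and only yielded the intended text by accident.
            with OpenKey(winreg.HKEY_CURRENT_USER,
                         'Software\\Valve\\Steam') as key:
                results = winreg.QueryValueEx(key, 'SteamPath')
        except Exception:
            pass

        if not results:
            return

        steampath = results[0]
        steamapps = os.path.join(steampath, 'SteamApps\\common')

        # Check that we have a SteamApps directory
        if not os.path.exists(steamapps):
            log.error('Steam doesn\'t have a SteamApps directory.')
            return

        filepath = os.path.join(steamapps, 'Turba\\Assets\\Settings.bin')

        if not os.path.exists(filepath):
            log.debug('Turba doesn\'t appear to be installed.')
            return

        # If we're here we should have a valid config file
        with open(filepath, mode='rb') as cfgfile:
            data = cfgfile.read()

        chunk = data[0x1b:].split(b'\x0a')
        if len(chunk) < 2:
            # Truncated or differently laid out file: nothing to report.
            log.debug('Turba settings file has an unexpected layout.')
            return creds

        creds.append({'Login': chunk[0], 'Password': chunk[1]})
        return creds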