Пример #1
	def retrieve_password(self):
		"""Collect Outlook account entries from the current user's registry hive.

		Opens the key named by ``keyPath`` under HKEY_CURRENT_USER, descends two
		levels of subkeys and, for every value whose name contains ``password``
		(case-insensitive), calls ``self.retrieve_info`` on that subkey.
		Non-empty results are passed to ``print_output``. Returns None.
		"""
		Header().title_debug('Outlook')

		accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
		keyPath = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook'

		try:
			profiles_key = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, keyPath, 0, accessRead)
		except:
			# Any failure to open the key is reported as "not installed".
			print_debug('WARNING', 'Outlook not installed.\nAn error occurs retrieving the registry key.\nKey = %s' % keyPath)
			return

		pwdFound = []
		profile_count = win32api.RegQueryInfoKey(profiles_key)[0]
		for profile_idx in range(profile_count):
			profile_name = win32api.RegEnumKey(profiles_key, profile_idx)
			profile_key = win32api.RegOpenKey(profiles_key, profile_name, 0, accessRead)

			# Index 0 of RegQueryInfoKey is the subkey count, index 1 the value count.
			account_count = win32api.RegQueryInfoKey(profile_key)[0]
			for account_idx in range(account_count):
				account_name = win32api.RegEnumKey(profile_key, account_idx)
				account_key = win32api.RegOpenKey(profile_key, account_name, 0, accessRead)
				value_count = win32api.RegQueryInfoKey(account_key)[1]
				for value_idx in range(value_count):
					value_name = win32api.RegEnumValue(account_key, value_idx)[0]
					if 'password' not in value_name.lower():
						continue
					# NOTE(review): runs once per matching value name, so a subkey
					# with several such values is reported several times.
					values = self.retrieve_info(account_key, account_name)
					if len(values) != 0:
						pwdFound.append(values)

		print_output("Outlook", pwdFound)
Пример #2
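    def run(self):
        """
        Report the entries found in Git's "store" credential helper files.

        The candidate paths follow the "git-credential-store" documentation.
        The store helper keeps credentials unencrypted on disk, so any hit
        here is a secret that is protected only by file permissions.

        Duplicate (URL, Username, Password) triples are reported once, in the
        order they were first seen. Returns None.
        """
        title = "GitForWindows"
        Header().title_info(title)

        # Build the list of locations in which git credentials can be stored.
        # A missing USERPROFILE used to raise TypeError (None + str); those
        # two locations are now simply skipped.
        locations = []
        user_profile = os.environ.get("USERPROFILE")
        if user_profile is not None:
            locations.append(user_profile + "\\.git-credentials")
            locations.append(user_profile + "\\.config\\git\\credentials")
        xdg_config_home = os.environ.get("XDG_CONFIG_HOME")
        if xdg_config_home is not None:
            locations.append(xdg_config_home + "\\git\\credentials")

        # Apply the extraction on the defined locations
        pwd_found = []
        for location in locations:
            pwd_found += self.extract_credentials(location)

        # Filter duplicates. A tuple key cannot collide the way a plain string
        # concatenation can ("ab" + "c" == "a" + "bc"), and the set lookup is
        # constant time.
        seen = set()
        final_pwd_found = []
        for pwd in pwd_found:
            pwd_id = (pwd["URL"], pwd["Username"], pwd["Password"])
            if pwd_id in seen:
                continue
            seen.add(pwd_id)
            final_pwd_found.append(pwd)

        print_output(title, final_pwd_found)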
Пример #3
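	def read_file(self, filepath):
		"""Parse an FTP Navigator site list and report the entries it holds.

		Every line of *filepath* is treated as a ';'-separated list of
		``key=value`` fields. ``Name``, ``Server``, ``Port`` and ``User`` are
		copied as-is; a ``Password`` field other than '0' or '1' is passed
		through ``self.decode``. The records are handed to ``print_output``.
		Returns None.
		"""
		copied_keys = ('Name', 'Server', 'Port', 'User')
		pwdFound = []

		# 'with' releases the handle even if decode() raises; the original
		# never closed the file.
		with open(filepath, 'r') as f:
			for line in f:
				values = {}
				for field in line.split(';'):
					parts = field.split('=')
					if len(parts) < 2:
						# No '=' in this field (blank line, trailing newline):
						# nothing to read, and indexing parts[1] would fail.
						continue
					key, value = parts[0], parts[1]
					if key in copied_keys:
						values[key] = value
					elif key == 'Password' and value not in ('0', '1'):
						# NOTE(review): '0'/'1' look like flags rather than
						# stored secrets - confirm against the file format.
						values['Password'] = self.decode(value)

				if not values:
					# Line carried none of the known fields.
					continue

				# Placeholder for anonymous logins that store no password.
				# .get() avoids the KeyError the original raised on lines
				# without a User field.
				if values.get('User') == 'anonymous' and 'Password' not in values:
					values['Password'] = '******'

				pwdFound.append(values)

		print_output('FTP Navigator', pwdFound)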
Пример #4
    def get_key_info(self):
        """Read the CoreFTP site entries stored under HKEY_CURRENT_USER.

        For each subkey of ``Software\\FTPware\\CoreFTP\\Sites`` the ``Host``,
        ``Port`` and ``User`` values are copied and ``PW`` is passed through
        ``self.decrypt``. Results go to ``print_output``.

        Returns False when the Sites key cannot be opened, otherwise None.
        """
        accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
        sites_path = 'Software\\FTPware\\CoreFTP\\Sites'
        try:
            key = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, sites_path, 0, accessRead)
        except:
            return False

        pwdFound = []
        # RegQueryInfoKey: index 0 is the subkey count, index 1 the value count.
        for site_idx in range(win32api.RegQueryInfoKey(key)[0]):
            site_name = win32api.RegEnumKey(key, site_idx)
            site_key = win32api.RegOpenKey(key, site_name, 0, accessRead)

            values = {}
            for value_idx in range(win32api.RegQueryInfoKey(site_key)[1]):
                entry = win32api.RegEnumValue(site_key, value_idx)
                label, data = entry[0], entry[1]
                if label in ('Host', 'Port'):
                    values[label] = data
                elif label == 'User':
                    values['User'] = data
                    # The record is registered as soon as a user name is seen;
                    # the list holds a reference, so fields set afterwards
                    # still show up. A site without 'User' is never reported.
                    pwdFound.append(values)
                elif label == 'PW':
                    try:
                        values['Password'] = self.decrypt(data)
                    except:
                        # Decryption failed: keep the entry with a placeholder.
                        values['Password'] = '******'

        print_output('CoreFTP', pwdFound)
Пример #5
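	def run(self):
		"""Read the shadow file and report the password hashes it contains.

		Nothing is read unless both ``self.root_access()`` and
		``self.check_file_access()`` succeed. Lines whose password field is
		'x', '*' or '!' are skipped; every other line is appended to
		``self.hash`` and its user name and hash are passed to
		``self.attack``. The accumulated hashes are added to ``self.pwdFound``
		and printed. Returns None.
		"""
		Header().title_info('System account (from /etc/shadow)')

		# check root access, then file access (short-circuits like the nested ifs)
		if not (self.root_access() and self.check_file_access()):
			return

		# 'with' closes the handle; the original left it open.
		with open(self.filestr, 'r') as shadowFile:
			for raw_line in shadowFile:
				_hash = raw_line.replace('\n', '')
				fields = _hash.split(':')

				# A line without ':' has no password field; indexing it
				# raised IndexError before.
				if len(fields) < 2:
					continue

				# check if a password is defined
				if fields[1] in ('x', '*', '!'):
					continue

				user = fields[0]
				cryptPwd = fields[1]

				# save each non-empty hash
				self.hash += _hash + '\n'

				self.attack(user, cryptPwd)

		values = {'Category' : 'Hash', 'Hash' : self.hash }
		self.pwdFound.append(values)

		# print the results
		print_output('System account (from /etc/shadow)', self.pwdFound)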
Пример #6
	def retrieve_password(self):
		"""Report the wireless settings saved by NetworkManager.

		Each regular file in ``/etc/NetworkManager/system-connections`` is
		parsed as an INI file; the file name is reported as ``SSID`` and every
		option of every section whose name contains ``wireless`` is copied
		into the record. Returns None.
		"""
		Header().title_debug('Wifi (from Network Manager)')

		directory = '/etc/NetworkManager/system-connections'
		if not os.path.exists(directory):
			print_debug('ERROR', 'the path "%s" does not exist' %(directory))
			return

		# Informational only: the scan continues without root.
		if os.getuid() != 0:
			print_debug('INFO', 'You need more privileges (run it with sudo)\n')

		pwdFound = []
		for entry in os.listdir(directory):
			profile_path = os.path.join(directory, entry)
			if not os.path.isfile(profile_path):
				continue

			cp = RawConfigParser()
			cp.read(profile_path)

			# 'SSID' is always set, so every regular file yields a record even
			# when no wireless section was found in it.
			values = {'SSID': entry}
			for section in cp.sections():
				if 'wireless' in section:
					for option, setting in cp.items(section):
						values[option] = setting
			pwdFound.append(values)

		print_output('Wifi', pwdFound)
Пример #7
	def run(self):
		"""Report Credential Manager entries of the "domain visible password" type.

		Entries returned by ``self.get_creds()`` are filtered on
		``CRED_TYPE_DOMAIN_VISIBLE_PASSWORD``; their blob is passed to
		``self.Win32CryptUnprotectData`` together with ``self.get_entropy()``
		and the result is decoded as UTF-16. Nothing is printed when
		``get_creds()`` returns an empty or false value. Returns None.
		"""
		Header().title_info('Dot Net Passport')

		creds = self.get_creds()
		if not creds:
			return

		pwdFound = []
		for cred in creds:
			if cred['Type'] != win32cred.CRED_TYPE_DOMAIN_VISIBLE_PASSWORD:
				continue

			pwd = self.Win32CryptUnprotectData(cred['CredentialBlob'], self.get_entropy())
			if pwd == 'failed':
				# The helper signals failure with the literal string 'failed'.
				continue

			values = {'TargetName': cred['TargetName']}
			if cred['UserName'] is not None:
				values['Username'] = cred['UserName']
			try:
				values['Password'] = pwd.decode('utf16')
			except Exception as e:
				print_debug('DEBUG', '{0}'.format(e))
				values['INFO'] = 'Error decoding the password'

			pwdFound.append(values)

		print_output('Dot Net Passport', pwdFound)
Пример #8
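	def run(self):
		"""Read the shadow file and report the password hashes it contains.

		Requires ``self.root_access()`` and ``self.check_file_access()`` to
		both succeed. Entries whose password field is 'x', '*' or '!' are
		ignored; the remaining lines are collected in ``self.hash`` and their
		user name and hash are given to ``self.attack``. The collected hashes
		are appended to ``self.pwdFound`` and printed. Returns None.
		"""
		Header().title_info('System account (from /etc/shadow)')

		if not self.root_access():
			return
		if not self.check_file_access():
			return

		# Context manager added: the original never closed the file.
		with open(self.filestr, 'r') as shadowFile:
			for raw_line in shadowFile:
				_hash = raw_line.replace('\n', '')
				fields = _hash.split(':')

				# Guard against lines with no ':' (IndexError in the original).
				if len(fields) < 2:
					continue

				# check if a password is defined
				if fields[1] in ('x', '*', '!'):
					continue

				# save each non-empty hash
				self.hash += _hash + '\n'

				self.attack(fields[0], fields[1])

		values = {'Category' : 'Hash', 'Hash' : self.hash }
		self.pwdFound.append(values)

		# print the results
		print_output('System account (from /etc/shadow)', self.pwdFound)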
Пример #9
	def retrieve_password(self):
		"""Report the wireless settings saved by NetworkManager.

		Parses every regular file of ``/etc/NetworkManager/system-connections``
		as an INI file, reports the file name as ``SSID`` and copies the
		options of all sections whose name contains ``wireless``.
		Returns None.
		"""
		Header().title_debug('Wifi (from Network Manager)')

		directory = '/etc/NetworkManager/system-connections'
		if not os.path.exists(directory):
			print_debug('WARNING', 'the path "%s" does not exist' %(directory))
			return

		# Only a hint: processing goes on even without root.
		if os.getuid() != 0:
			print_debug('INFO', 'You need more privileges (run it with sudo)\n')

		profile_names = [name for name in os.listdir(directory)
			if os.path.isfile(os.path.join(directory, name))]

		pwdFound = []
		for profile_name in profile_names:
			cp = RawConfigParser()
			cp.read(os.path.join(directory, profile_name))

			# The record always contains 'SSID', so it is never empty.
			values = {'SSID': profile_name}
			wireless_sections = [s for s in cp.sections() if 'wireless' in s]
			for section in wireless_sections:
				for option, setting in cp.items(section):
					values[option] = setting
			pwdFound.append(values)

		print_output('Wifi', pwdFound)
Пример #10
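	def decipher_new_version(self, path):
		"""Report the logins saved in the ``Login Data`` database under *path*.

		Reads ``action_url``, ``username_value`` and ``password_value`` from
		the ``logins`` table and passes each password blob to
		``win32crypt.CryptUnprotectData``. Rows whose decrypted password is
		empty are dropped. Does nothing when the database file is absent.
		Returns None.
		"""
		database_path = path + os.sep + 'Login Data'
		if not os.path.exists(database_path):
			return

		# Connect to the database; the finally clause closes the connection,
		# which the original left open on every path.
		conn = sqlite3.connect(database_path)
		try:
			cursor = conn.cursor()
			try:
				cursor.execute('SELECT action_url, username_value, password_value FROM logins')
			except Exception as e:
				# Any query failure is reported as a locked database.
				print_debug('DEBUG', '{0}'.format(e))
				print_debug('ERROR', 'Opera seems to be used, the database is locked. Kill the process and try again !')
				return
			rows = cursor.fetchall()
		finally:
			conn.close()

		pwdFound = []
		for result in rows:
			# Index 1 of the returned tuple is the decrypted data.
			password = win32crypt.CryptUnprotectData(result[2], None, None, None, 0)[1]
			if password:
				pwdFound.append({
					'Site': result[0],
					'Username': result[1],
					'Password': password,
				})

		print_output("Opera", pwdFound)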
Пример #11
	def parse_results(self, passwords):
		"""Group a flat list of strings into credential records and print them.

		A string containing a date-like pattern starts a new record; strings
		starting with ``http`` are counted, and the first one is kept as the
		record's URL once a second one is seen.

		NOTE(review): one statement below is corrupted in this listing (marked
		in place), so the block does not parse as shown. The comments describe
		only the logic that is still readable.
		"""
		
		# cpt counts the 'http' strings seen since the last date-like string
		cpt = 0
		values = {}
		pwdFound = []
		for password in passwords:
			
			# date (begin of the sensitive data)
			match=re.search(r'(\d+-\d+-\d+)', password)
			if match:
				# a new record starts: reset the record and both counters
				values = {}
				cpt = 0
				tmp_cpt = 0
			
			# after finding 2 urls
			# NOTE(review): tmp_cpt is assigned only in the date branch above;
			# if two 'http' strings precede the first date it is unbound here.
			if cpt == 2:
				tmp_cpt += 1
				if tmp_cpt == 2:
					values['User'] = password
					# NOTE(review): the next line is garbled in the source page
					# (text replaced by asterisks); it presumably ended the
					# 'User' branch and began the branch that stores
					# values['Password'] - restore it from the original file.
					print 'User:'******'Password'] = password
				
			# url
			match=re.search(r'^http', password)
			if match:
				cpt +=1
				if cpt == 1:
					# remember the first URL; it is stored when the second one arrives
					tmp_url = password
				elif cpt == 2:
					values['URL'] = tmp_url
			# NOTE(review): runs for every input string, so the same dict object
			# is appended many times (and empty dicts before the first match).
			pwdFound.append(values)
		
		# print the results
		print_output("Opera", pwdFound)
Пример #12
	def get_key_info(self):
		"""Read the CoreFTP site entries stored under HKEY_CURRENT_USER.

		Walks the subkeys of ``Software\\FTPware\\CoreFTP\\Sites``, copying the
		``Host``, ``Port`` and ``User`` values and passing ``PW`` through
		``self.decrypt``. The records are handed to ``print_output``.

		Returns False when the Sites key cannot be opened, otherwise None.
		"""
		accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
		try:
			key = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, 'Software\\FTPware\\CoreFTP\\Sites', 0, accessRead)
		except:
			return False

		pwdFound = []
		site_total = win32api.RegQueryInfoKey(key)[0]
		site_idx = 0
		while site_idx < site_total:
			site_key = win32api.RegOpenKey(key, win32api.RegEnumKey(key, site_idx), 0, accessRead)
			value_total = win32api.RegQueryInfoKey(site_key)[1]

			values = {}
			for value_idx in range(value_total):
				entry = win32api.RegEnumValue(site_key, value_idx)
				label = entry[0]
				if label == 'Host' or label == 'Port':
					values[label] = entry[1]
				elif label == 'User':
					values['User'] = entry[1]
					# Registered on the user name; the list keeps a reference,
					# so a 'PW' value read later is still part of the record.
					pwdFound.append(values)
				elif label == 'PW':
					try:
						values['Password'] = self.decrypt(entry[1])
					except:
						# Placeholder when the stored value cannot be decrypted.
						values['Password'] = '******'
			site_idx += 1

		print_output('CoreFTP', pwdFound)
Пример #13
	def run(self):
		"""Report the account stored in the Kalypso Media Launcher ini file.

		Reads ``login`` and ``password`` from the ``styx user`` section of
		``launcher.ini`` under %APPDATA%. The password is base64-decoded and
		passed to ``self.xorstring`` with a key that is hard-coded here, so
		the stored value is obfuscated rather than protected by a per-user
		secret. Returns None.
		"""
		Header().title_info('Kalypso Media Launcher')
		key = 'lwSDFSG34WE8znDSmvtwGSDF438nvtzVnt4IUv89'

		if 'APPDATA' not in os.environ:
			print_debug('ERROR', 'The APPDATA environment variable is not defined.')
			return
		inifile = os.environ['APPDATA'] + '\\Kalypso Media\\Launcher\\launcher.ini'

		# The actual user details are stored in *.userdata files
		if not os.path.exists(inifile):
			print_debug('INFO', 'The Kalypso Media Launcher doesn\'t appear to be installed.')
			return

		config = ConfigParser.ConfigParser()
		config.read(inifile)

		# NOTE(review): config.get raises if the section or option is missing;
		# that case is not handled here.
		login = config.get('styx user', 'login')
		cookedpw = base64.b64decode(config.get('styx user', 'password'))
		values = {'Login': login, 'Password': self.xorstring(cookedpw, key)}

		print_output("Kalypso Media Launcher", [values])
Пример #14
	def run(self, historic=''):
		"""Match Internet Explorer's stored form entries against known URLs.

		historic: optional path of a text file with one URL per line; its
		lines are passed to ``self.get_hash_table`` together with whatever
		that helper collects itself.

		Every value under the ``IntelliForms\\Storage2`` key of
		HKEY_CURRENT_USER is compared, by the first 40 characters of its
		name, with the hashes returned by ``get_hash_table``; on a match the
		value data is passed to ``self.decipher_password`` with the URL.
		"""
		# print title
		Header().title_debug('Internet Explorer')
		
		# write the binary file
		# NOTE(review): dll_name is not defined in this block - presumably a
		# module-level name. A failure here is only logged; execution continues.
		try:
			self.write_binary_file()
		except:
			print_debug('ERROR', '%s cannot be created, check your file permission' % dll_name)
		
		# NOTE(review): 'list' shadows the builtin for the rest of the method.
		list = []
		if historic:
			if os.path.exists(historic):
				# NOTE(review): the file handle is never closed.
				f = open(historic, 'r')
				for line in f:
					list.append(line.strip())
			else:
				print_debug('WARNING', 'The text file %s does not exist' % historic)
		
		# retrieve the urls from the history
		hash_tables = self.get_hash_table(list)
		
		# open the registry
		accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
		keyPath = 'Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2'
		
		failed = False
		try:
			hkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, keyPath, 0, accessRead)
		except:
			failed = True
		
		# nb_site counts the registry values seen, nb_pass_found the matched ones
		nb_site = 0
		nb_pass_found = 0 
		if failed == False:
			# index 1 of RegQueryInfoKey is the number of values under the key
			num = win32api.RegQueryInfoKey(hkey)[1]
			for x in range(0, num):
				k = win32api.RegEnumValue(hkey, x)
				if k:
					nb_site +=1
					for h in hash_tables:
						# both hash are similar, we can decipher the password
						# (h[1] is compared with the first 40 characters of the
						# value name, lower-cased; h[0] is passed on as the key)
						if h[1] == k[0][:40].lower():
							nb_pass_found += 1
							cipher_text = k[1]
							self.decipher_password(cipher_text, h[0])
							break
			
			# print the results
			# NOTE(review): pwdFound is not assigned anywhere in this method;
			# unless it is a module-level name filled by decipher_password,
			# this line raises NameError - confirm.
			print_output("Internet Explorer", pwdFound)
			
			# manage errors
			if nb_site == 0:
				print_debug('INFO', 'No credentials stored in the IE browser.')
			elif nb_site > nb_pass_found:
				print_debug('ERROR', '%s hashes have not been decrypted, the associate website used to decrypt the passwords has not been found' % str(nb_site - nb_pass_found))
			
		else:
			print_debug('INFO', 'No password stored.\nThe registry key storing the ie password has not been found.\nKey: %s' % keyPath)
Пример #15
	def get_infos(self, path, passphrase, salt):
		"""Report the database connections saved in SQL Developer's connections.xml.

		path: directory searched for an entry starting with
			``o.jdeveloper.db.connection``, which is expected to hold the file.
		passphrase, salt: forwarded unchanged to ``self.decrypt`` for elements
			whose ``addrType`` is ``password``.

		Returns None; an error is logged when connections.xml is not found.
		"""
		for p in os.listdir(path):
			if p.startswith('o.jdeveloper.db.connection'):
				path += os.sep + p
				break

		xml_file = path + os.sep + 'connections.xml'
		if not os.path.exists(xml_file):
			print_debug('ERROR', 'The xml file connections.xml containing the passwords has not been found.')
			return

		# addrType attribute -> key under which the child text is reported
		copied_fields = {
			'sid': 'sid',
			'port': 'port',
			'user': 'user',
			'ConnName': 'Connection Name',
			'customUrl': 'custom Url',
			'SavePassword': 'SavePassword',
			'hostname': 'hostname',
			'driver': 'driver',
		}

		tree = ET.ElementTree(file=xml_file)
		pwdFound = []
		# NOTE(review): a single dict is shared by all connections and appended
		# by reference, so with several connections every list entry shows the
		# values read last.
		values = {}
		for elem in tree.iter():
			if 'addrType' not in elem.attrib:
				continue
			addr_type = elem.attrib['addrType']

			if addr_type == 'password':
				for child in elem.getchildren():
					values['password'] = self.decrypt(salt, child.text, passphrase)
			elif addr_type in copied_fields:
				for child in elem.getchildren():
					values[copied_fields[addr_type]] = child.text
					# 'driver' is treated as the end of a connection record.
					if addr_type == 'driver':
						pwdFound.append(values)

		print_output("SQL Developer", pwdFound)
Пример #16
    def run(self):
        """Report the items held in the GNOME keyrings of the current user.

        Refuses to run as root. For every item that has attributes, the
        display name, a fixed set of attributes and the secret are copied
        into a record; the records are handed to ``print_output``. Any
        exception, including a missing ``gnomekeyring`` module, is logged.
        Returns None.
        """
        Header().title_debug('Gnome keyring')

        if os.getuid() == 0:
            print_debug('INFO', 'Do not run with root privileges)\n')
            return

        # (attribute name, reported label). Order matters: 'user' comes after
        # 'username_value' and overrides it when both are present.
        attribute_labels = (
            ('server', "Server"),
            ('protocol', "Protocol"),
            ('unique', "Unique"),
            ('domain', "Domain"),
            ('origin_url', "Origin_url"),
            ('username_value', "Username"),
            ('user', "Username"),
        )

        try:
            import gnomekeyring
            if len(gnomekeyring.list_keyring_names_sync()) == 0:
                print_debug('WARNING', 'The Gnome Keyring wallet is empty')
                return

            pwdFound = []
            for keyring in gnomekeyring.list_keyring_names_sync():
                for item_id in gnomekeyring.list_item_ids_sync(keyring):
                    item = gnomekeyring.item_get_info_sync(keyring, item_id)
                    attr = gnomekeyring.item_get_attributes_sync(
                        keyring, item_id)
                    if not attr:
                        continue

                    values = {}
                    display_name = item.get_display_name()
                    if display_name:
                        values["Item"] = display_name

                    for attr_name, label in attribute_labels:
                        if attr.has_key(attr_name):
                            values[label] = attr[attr_name]

                    secret = item.get_secret()
                    if secret:
                        values["Password"] = secret

                    if values:
                        pwdFound.append(values)

            print_output('Gnome keyring', pwdFound)
        except Exception as e:
            print_debug(
                'ERROR',
                'An error occurs with the Gnome Keyring wallet: {0}'.format(e))
Пример #17
	def get_infos(self, path, passphrase, salt):
		"""Report the database connections saved in SQL Developer's connections.xml.

		The file is looked up below the first entry of *path* whose name
		starts with ``o.jdeveloper.db.connection``. Elements carrying an
		``addrType`` attribute are copied into the record; the ``password``
		one is passed through ``self.decrypt(salt, text, passphrase)``.

		Returns None; an error is logged when the file does not exist.
		"""
		matching = [p for p in os.listdir(path) if p.startswith('o.jdeveloper.db.connection')]
		if matching:
			path += os.sep + matching[0]

		xml_file = path + os.sep + 'connections.xml'
		if not os.path.exists(xml_file):
			print_debug('ERROR', 'The xml file connections.xml containing the passwords has not been found.')
			return

		# addrType value -> key of the reported record
		plain_keys = (
			('sid', 'sid'),
			('port', 'port'),
			('user', 'user'),
			('ConnName', 'Connection Name'),
			('customUrl', 'custom Url'),
			('SavePassword', 'SavePassword'),
			('hostname', 'hostname'),
			('driver', 'driver'),
		)
		key_for = dict(plain_keys)

		tree = ET.ElementTree(file=xml_file)
		pwdFound = []
		# NOTE(review): one dict is reused for every connection and appended
		# by reference; entries of a multi-connection file alias each other.
		values = {}
		for elem in tree.iter():
			if 'addrType' not in elem.attrib:
				continue
			kind = elem.attrib['addrType']

			if kind == 'password':
				for node in elem.getchildren():
					pwd = self.decrypt(salt, node.text, passphrase)
					values['password'] = pwd
				continue

			if kind not in key_for:
				continue

			for node in elem.getchildren():
				values[key_for[kind]] = node.text
				if kind == 'driver':
					# the driver element closes a connection record
					pwdFound.append(values)

		print_output("SQL Developer", pwdFound)
Пример #18
	def run(self):
		"""Report the items held in the GNOME keyrings of the current user.

		Returns immediately when run as root. Items that have attributes are
		turned into records made of the display name, selected attributes and
		the secret. Any exception (a missing ``gnomekeyring`` module included)
		is logged instead of raised. Returns None.
		"""
		Header().title_info('Gnome keyring')

		if os.getuid() == 0:
			print_debug('WARNING', 'Do not run it with root privileges)\n')
			return

		# Attribute name -> label, in the order the fields are filled in;
		# 'user' is last so that it wins over 'username_value'.
		attribute_labels = [
			('server', "Server"),
			('protocol', "Protocol"),
			('unique', "Unique"),
			('domain', "Domain"),
			('origin_url', "Origin_url"),
			('username_value', "Username"),
			('user', "Username"),
		]

		try:
			import gnomekeyring
			if len(gnomekeyring.list_keyring_names_sync()) == 0:
				print_debug('WARNING', 'The Gnome Keyring wallet is empty')
				return

			pwdFound = []
			for keyring in gnomekeyring.list_keyring_names_sync():
				for item_id in gnomekeyring.list_item_ids_sync(keyring):
					item = gnomekeyring.item_get_info_sync(keyring, item_id)
					attr = gnomekeyring.item_get_attributes_sync(keyring, item_id)
					if not attr:
						continue

					values = {}
					display_name = item.get_display_name()
					if display_name:
						values["Item"] = display_name

					for attr_name, label in attribute_labels:
						if attr.has_key(attr_name):
							values[label] = attr[attr_name]

					secret = item.get_secret()
					if secret:
						values["Password"] = secret

					if values:
						pwdFound.append(values)

			print_output('Gnome keyring', pwdFound)
		except Exception as e:
			print_debug('ERROR', 'An error occurs with the Gnome Keyring wallet: {0}'.format(e))
Пример #19
	def run(self):
		"""Report the Wi-Fi profiles returned by the elevated helper.

		Requires an administrator token and the Wlansvc profile directory
		under %ALLUSERSPROFILE%. ``get_system_priv()`` is then called and its
		results are read back from ``TEMP123A.txt`` in the temp directory,
		which is parsed as an INI file (one section per record) and deleted.
		Returns None.

		The fixed file name means the results sit in the temp directory until
		this method removes them; the creation and deletion of that file is
		an observable artifact of a run.
		"""
		Header().title_info('Wifi')

		if not windll.Shell32.IsUserAnAdmin():
			print_debug('WARNING', '[!] This script should be run as admin!')
			return

		if 'ALLUSERSPROFILE' not in os.environ:
			print_debug('ERROR', 'Environment variable (ALLUSERSPROFILE) has not been found.')
			return
		directory = os.environ['ALLUSERSPROFILE'] + os.sep + 'Microsoft\\Wlansvc\\Profiles\\Interfaces'

		if not os.path.exists(directory):
			print_debug('INFO', 'No credentials found.\nFile containing passwords not found:\n%s' % directory)
			return

		try:
			print_debug('INFO', '[!] Trying to elevate our privilege')
			get_system_priv()
			print_debug('INFO', '[!] Elevation ok - Passwords decryption is in progress')
		except Exception as e:
			# A failed elevation is logged only; the wait below still happens.
			print_debug('DEBUG', '{0}'.format(e))
			print_debug('ERROR', '[!] An error occurs during the privilege elevation process. Wifi passwords have not been decrypted')

		time.sleep(5)

		# temp file written by the helper with everything it found
		pwdFound = []
		filepath = tempfile.gettempdir() + os.sep + 'TEMP123A.txt'

		# the file has not been created yet: wait once more
		if not os.path.exists(filepath):
			time.sleep(5)

		if not os.path.exists(filepath):
			print_debug('INFO', 'No passwords found')
			return

		cp = RawConfigParser()
		cp.read(filepath)
		for section in cp.sections():
			record = {}
			for option, setting in cp.items(section):
				record[str(option)] = str(setting)
			pwdFound.append(record)

		# remove the file from the temporary directory
		os.remove(filepath)

		print_output("Wifi", pwdFound)
Пример #20
    def run(self):
        """
        Report the credentials configured for Maven repositories.

        Three kinds of entry are handled:

        - password wrapped in braces: reported still encrypted, together with
          the master password, because the encryption parameters can change
          between Maven versions and the "LaZagne run initiator" is left to
          pick the ones matching the version in use (or to use both values
          "AS IS" in a Maven distribution);
        - any other password: reported as found (plain text);
        - private-key authentication: the key file content and, if present,
          the passphrase are reported.

        See https://github.com/jelmerk/maven-settings-decoder
        See https://github.com/sonatype/plexus-cipher/blob/master/src/main/java/org/sonatype/plexus/components/cipher/PBECipher.java
        """
        title = "MavenRepositories"
        Header().title_info(title)

        master_password = self.extract_master_password()
        repos_creds = self.extract_repositories_credentials()

        pwd_found = []
        for creds in repos_creds:
            values = {"Id": creds["id"], "Username": creds["username"]}

            if self.use_key_auth(creds):
                # Private key: expand the Maven ${user.home} placeholder.
                # NOTE(review): a missing USERPROFILE makes replace() raise
                # TypeError, and an unreadable key file raises from open().
                pk_file_location = creds["privateKey"].replace(
                    "${user.home}", os.environ.get("USERPROFILE"))
                with open(pk_file_location, "r") as pk_file:
                    values["PrivateKey"] = pk_file.read()
                if "passphrase" in creds:
                    values["Passphrase"] = creds["passphrase"]
            else:
                pwd = creds["password"].strip()
                is_encrypted = pwd.startswith("{") and pwd.endswith("}")
                if is_encrypted:
                    # Protected with the master password: report both parts.
                    values["SymetricEncryptionKey"] = master_password
                    values["PasswordEncrypted"] = pwd
                else:
                    values["Password"] = pwd

            pwd_found.append(values)

        print_output(title, pwd_found)
Пример #21
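	def get_infos(self, path, passphrase, salt):
		"""Report the database connections saved in DbVisualizer's dbvis.xml.

		path: directory that contains ``config70/dbvis.xml``.
		passphrase, salt: forwarded unchanged to ``self.decrypt`` for each
			stored password.

		Every ``Databases/Database`` element yields a record with whichever
		of alias, user id, password, driver, server, port and SID are present.
		An empty result is printed when the file does not exist. Returns None.
		"""
		xml_file = path + os.sep + 'config70/dbvis.xml'

		# The original left 'tree' unbound when the file was missing and then
		# failed with a NameError; a missing file now means "no entries".
		databases = []
		if os.path.exists(xml_file):
			databases = ET.ElementTree(file=xml_file).findall('Databases/Database')

		pwdFound = []
		for e in databases:
			values = {}

			# Explicit None checks replace the bare 'except: pass' blocks,
			# which also hid unrelated errors.
			alias = e.find('Alias')
			if alias is not None:
				values['Connection Name'] = alias.text

			userid = e.find('Userid')
			if userid is not None:
				values['Userid'] = userid.text

			ciphered_password = e.find('Password')
			if ciphered_password is not None:
				try:
					values['Password'] = self.decrypt(salt, ciphered_password.text, passphrase)
				except Exception:
					# decrypt() is defined elsewhere and its failure modes are
					# not visible here; the record is kept without a password.
					pass

			driver = e.find('UrlVariables//Driver')
			if driver is not None and driver.text is not None:
				values['Driver'] = driver.text.strip()

			url_variables = e.find('UrlVariables')
			if url_variables is not None:
				# Iterating the element directly replaces getchildren(), which
				# newer ElementTree versions no longer provide.
				for group in url_variables:
					for variable in group:
						name = variable.attrib.get('UrlVariableName')
						if name in ('Server', 'Port', 'SID'):
							values[name] = str(variable.text)

			if len(values) > 0:
				pwdFound.append(values)

		# print the results
		print_output("DbVisualizer", pwdFound)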
Пример #22
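    def get_infos(self, path, passphrase, salt):
        """Report the database connections saved in DbVisualizer's dbvis.xml.

        path: directory that contains ``config70/dbvis.xml``.
        passphrase, salt: forwarded unchanged to ``self.decrypt`` for each
            stored password.

        Each ``Databases/Database`` element becomes a record holding the
        alias, user id, password, driver, server, port and SID that are
        present. A missing file produces an empty result. Returns None.
        """
        xml_file = path + os.sep + "config70/dbvis.xml"

        # Previously 'tree' was only bound when the file existed, so a missing
        # file ended in a NameError; it is now treated as "no entries".
        databases = []
        if os.path.exists(xml_file):
            tree = ET.ElementTree(file=xml_file)
            databases = tree.findall("Databases/Database")

        pwdFound = []
        for e in databases:
            values = {}

            # Simple text fields: (child tag, reported key). The None check
            # replaces a bare 'except: pass' around each lookup.
            for tag, label in (("Alias", "Connection Name"), ("Userid", "Userid")):
                node = e.find(tag)
                if node is not None:
                    values[label] = node.text

            ciphered_password = e.find("Password")
            if ciphered_password is not None:
                try:
                    values["Password"] = self.decrypt(salt, ciphered_password.text, passphrase)
                except Exception:
                    # decrypt() lives elsewhere; on failure the record is kept
                    # without a password, as before.
                    pass

            driver = e.find("UrlVariables//Driver")
            if driver is not None and driver.text is not None:
                values["Driver"] = driver.text.strip()

            url_variables = e.find("UrlVariables")
            if url_variables is not None:
                # Direct iteration instead of getchildren(), which newer
                # ElementTree versions no longer provide.
                for group in url_variables:
                    for variable in group:
                        name = variable.attrib.get("UrlVariableName")
                        if name in ("Server", "Port", "SID"):
                            values[name] = str(variable.text)

            if len(values) > 0:
                pwdFound.append(values)

        # print the results
        print_output("DbVisualizer", pwdFound)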
Пример #23
	def run(self):
		"""Report the networks parsed from the wpa_supplicant configuration.

		Stops early when ``self.check_file_access()`` returns a true value or
		when the process is not running as root; otherwise the result of
		``self.parse_file()`` is handed to ``print_output``. Returns None.
		"""
		Header().title_info('Wifi (from WPA Supplicant)')

		# NOTE(review): a true result aborts here, so check_file_access()
		# presumably reports "file not usable" in this module - confirm.
		if self.check_file_access():
			return

		# reading the file needs root
		is_root = os.getuid() == 0
		if not is_root:
			print_debug('INFO', 'You need more privileges (run it with sudo)\n')
			return

		print_output("wpa_supplicant", self.parse_file())
Пример #24
    def get_logins_info(self):
        """Report the sessions WinSCP stores under HKEY_CURRENT_USER.

        For every subkey of ``Software\\Martin Prikryl\\WinSCP 2\\Sessions``
        the host name, user name and stored password value are pushed into
        the instance through its setters, then ``self.decrypt_password()`` is
        called. The port defaults to '22' when no ``PortNumber`` is stored.

        Returns False when the Sessions key cannot be opened, otherwise None.
        """
        accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
        sessions_path = 'Software\\Martin Prikryl\\WinSCP 2\\Sessions'
        try:
            key = win32api.RegOpenKey(
                win32con.HKEY_CURRENT_USER, sessions_path, 0, accessRead)
        except:
            return False

        pwdFound = []
        for session_idx in range(win32api.RegQueryInfoKey(key)[0]):
            session_name = win32api.RegEnumKey(key, session_idx)
            session_key = win32api.RegOpenKey(key, session_name, 0, accessRead)
            value_count = win32api.RegQueryInfoKey(session_key)[1]

            port = ''
            # NOTE(review): host, user and hash live on the instance and are
            # not reset per session, so a session lacking one of them reuses
            # the value read for the previous session.
            for value_idx in range(value_count):
                entry = win32api.RegEnumValue(session_key, value_idx)
                label, data = entry[0], entry[1]
                if label == 'HostName':
                    self.set_hostname(data)
                elif label == 'UserName':
                    self.set_username(data)
                elif label == 'Password':
                    self.set_hash(data)
                elif label == 'PortNumber':
                    port = str(data)

            # A session key without any value produces no record.
            if value_count == 0:
                continue

            try:
                password = self.decrypt_password()
            except:
                # Placeholder when the stored value cannot be decrypted.
                password = '******'

            pwdFound.append({
                'Hostname': self.get_hostname(),
                'Port': port or '22',
                'Username': self.get_username(),
                'Password': password,
            })

        print_output("WinSCP", pwdFound)
Пример #25
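	def retrieve_password(self):
		"""Report the logins saved in the default Chrome profile.

		The ``Login Data`` SQLite database is looked up under the user's home
		directory (HOMEDRIVE + HOMEPATH), first in the ``AppData\\Local``
		layout and then in the ``Local Settings\\Application Data`` one. Each
		password blob is passed to ``win32crypt.CryptUnprotectData``; rows
		whose result is empty are dropped. Returns None.
		"""
		Header().title_debug('Chrome')

		if not ('HOMEDRIVE' in os.environ and 'HOMEPATH' in os.environ):
			print_debug('ERROR', 'Environment variables (HOMEDRIVE or HOMEPATH) have not been found')
			return

		home = os.environ.get('HOMEDRIVE') + os.sep + os.environ.get('HOMEPATH')
		profile_tail = '\\Google\\Chrome\\User Data\\Default\\Login Data'

		# The two comments were swapped in the original: "AppData\Local" is
		# the Vista/7 layout, "Local Settings\Application Data" the XP one.
		# The lookup order (AppData\Local first) is unchanged.
		path_Win7 = home + '\\AppData\\Local' + profile_tail
		path_XP = home + '\\Local Settings\\Application Data' + profile_tail

		if os.path.exists(path_Win7):
			database_path = path_Win7
		elif os.path.exists(path_XP):
			database_path = path_XP
		else:
			print_debug('INFO', 'Google Chrome not installed.')
			return

		# Connect to the database; the finally clause closes the connection,
		# which the original never did.
		conn = sqlite3.connect(database_path)
		try:
			cursor = conn.cursor()
			try:
				cursor.execute('SELECT action_url, username_value, password_value FROM logins')
			except Exception:
				# Any query failure is reported as a locked database.
				print_debug('ERROR', 'Google Chrome seems to be used, the database is locked. Kill the process and try again !')
				return
			rows = cursor.fetchall()
		finally:
			conn.close()

		pwdFound = []
		for result in rows:
			# Index 1 of the returned tuple is the decrypted data.
			password = win32crypt.CryptUnprotectData(result[2], None, None, None, 0)[1]
			if password:
				pwdFound.append({
					'Site': result[0],
					'Username': result[1],
					'Password': password,
				})

		# print the results
		print_output("Chrome", pwdFound)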
		
Пример #26
	def get_logins_info(self):
		"""Enumerate the WinSCP sessions stored in the current user's registry hive.

		Opens the 'WinSCP 2' Sessions key under HKEY_CURRENT_USER and, for
		every sub-key that has at least one value, collects HostName,
		UserName, Password and PortNumber (port defaults to '22'), calls
		self.decrypt_password() and passes the collected entries to
		print_output. Returns False when the Sessions key cannot be opened,
		otherwise None.

		Reviewer note (defensive): session passwords saved without a WinSCP
		master password are only obfuscated, so read access to this key is
		enough to recover them. Setting a master password, or not saving
		session passwords, is the mitigation.
		"""
		accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
		try:
			key = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, 'Software\Martin Prikryl\WinSCP 2\Sessions', 0, accessRead)
		except:
			# Any failure to open the key is reported as False, with no message
			return False
		
		# [0] of RegQueryInfoKey is the number of sub-keys (one per saved session)
		num_profiles = win32api.RegQueryInfoKey(key)[0]
		
		pwdFound = []
		for n in range(num_profiles):
			name_skey = win32api.RegEnumKey(key, n)
			
			# NOTE(review): neither key nor skey is closed anywhere in this method
			skey = win32api.RegOpenKey(key, name_skey, 0, accessRead)
			# [1] of RegQueryInfoKey is the number of values under the session key
			num = win32api.RegQueryInfoKey(skey)[1]
			
			port = ''
			values = {}
			
			for nn in range(num):
				# k is (value name, value data, type)
				k = win32api.RegEnumValue(skey, nn)
				
				# NOTE(review): the setters run only when the value exists; presumably a
				# session lacking one keeps the state set by an earlier session - confirm
				if k[0] == 'HostName':
					self.set_hostname(k[1])
				
				if k[0] == 'UserName':
					self.set_username(k[1])
				
				if k[0] == 'Password':
					self.set_hash(k[1])
				
				if k[0] == 'PortNumber':
					port = str(k[1])
			
			if num != 0:
				if port == '':
					port = '22'
				try:
					password = self.decrypt_password()
				except:
					# Bare except: any decoding failure is masked by a placeholder
					password = '******'
				
				values['Hostname'] = self.get_hostname()
				values['Port'] = port
				values['Username'] = self.get_username()
				values['Password'] = password
				pwdFound.append(values)
		
		# print the results
		print_output("WinSCP", pwdFound)
Пример #27
    def get_infos(self, path, passphrase, salt):
        """Parse DbVisualizer's config70/dbvis.xml under *path* and report connections.

        For every 'Databases' element the method walks all descendants and
        records Alias, Userid, the Password passed through
        self.decrypt(salt, ciphered_password, passphrase), and the Driver,
        Server, Port and SID found under UrlVariables. Entries are handed to
        print_output. Returns None; nothing happens when the file is missing.

        Reviewer note (defensive): passphrase and salt are supplied by the
        caller. If they are application constants rather than a user secret,
        the stored password is obfuscated, not protected - confirm at the
        call site. Restricting read access to dbvis.xml is then the only
        control.
        """
        xml_file = path + os.sep + 'config70/dbvis.xml'

        if os.path.exists(xml_file):
            tree = ET.ElementTree(file=xml_file)

            pwdFound = []
            values = {}
            for elem in tree.iter('Databases'):
                # One dict per 'Databases' element, shared by everything found under it
                values = {}
                passwordFound = False

                for e in elem.iter():
                    if 'Alias' == e.tag:
                        values['Connection Name'] = str(e.text)

                    if 'Userid' == e.tag:
                        values['Userid'] = str(e.text)

                    if 'Password' == e.tag:
                        ciphered_password = e.text
                        try:
                            password = self.decrypt(salt, ciphered_password,
                                                    passphrase)
                            values['Password'] = password
                            passwordFound = True
                        except:
                            # Bare except: a failed decrypt is dropped without a message
                            pass

                    if 'UrlVariables' == e.tag:
                        # NOTE(review): Element.getchildren() was removed in Python 3.9
                        for el in e.getchildren():
                            values['Driver'] = str(el.text).strip()

                            for ele in el.getchildren():
                                if 'Server' == ele.attrib['UrlVariableName']:
                                    values['Server'] = str(ele.text)

                                if 'Port' == ele.attrib['UrlVariableName']:
                                    values['Port'] = str(ele.text)

                                if 'SID' == ele.attrib['UrlVariableName']:
                                    values['SID'] = str(ele.text)

                        # The append sits inside the UrlVariables branch, so it runs once
                        # per UrlVariables element seen after a password was decrypted
                        if passwordFound:
                            pwdFound.append(values)

            # print the results
            print_output('DbVisualizer', pwdFound)
Пример #28
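    def run(self):
        """Report the accounts stored by Claws Mail, if a profile path is found.

        Obtains the profile location from self.get_path(), selects the DES
        mode (CFB, or ECB when platform.system() contains 'FreeBSD') and
        passes path, self.get_passcrypt_key() and the mode to
        self.accountrc_decrypt(); the result goes to print_output.
        Returns None.

        Reviewer note (defensive): the account file is read with single DES
        and a key returned by get_passcrypt_key(). If that key is built into
        the client rather than derived from a user secret, the file offers
        obfuscation only - confirm against the helper, which is not shown
        here.
        """
        # print the title
        Header().title_info('ClawsMail')

        path = self.get_path()
        if not path:
            print_debug('INFO', 'ClawsMail not installed.')
            # Stop here: without a path there is nothing to hand to
            # accountrc_decrypt, and falling through would pass it a falsy path.
            return

        mode = DES.MODE_CFB
        if 'FreeBSD' in platform.system():
            mode = DES.MODE_ECB

        pwdFound = self.accountrc_decrypt(path, self.get_passcrypt_key(), mode)

        # print the results
        print_output('ClawsMail', pwdFound)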
Пример #29
	def run(self):
		"""Report the login data kept in Galcon Fusion's Steam cloud config files.

		Reads SteamPath from the Valve Steam key under HKEY_CURRENT_USER,
		then looks in every entry of <SteamPath>/userdata for
		44200/remote/galcon.cfg. From each file found, bytes 4..0x22 are
		reported as 'Login' and bytes 0x24..0x42 as 'Password'. Returns None.

		Reviewer note (defensive): both fields are copied from fixed offsets
		with no decoding step, so this code treats the file as holding them
		unprotected; read access to the Steam userdata tree is the only
		control.
		"""
		# print title
		Header().title_info('Galcon Fusion')
		creds = []
		
		# Find the location of Steam. The bare except reports every failure
		# (missing key, missing value, access denied) as "not installed".
		try:
			with OpenKey(HKEY_CURRENT_USER, 'Software\Valve\Steam') as key:
				results=QueryValueEx(key, 'SteamPath')
		except:
			print_debug('INFO', 'Steam does not appear to be installed.')
			return
		
		if not results:
			print_debug('INFO', 'Steam does not appear to be installed.')
			return
			
		# QueryValueEx returns (value, type); only the value is used
		steampath=results[0]
		userdata = steampath + '\\userdata'
		
		# Check that we have a userdata directory
		if not os.path.exists(userdata):
			print_debug('ERROR', 'Steam doesn\'t have a userdata directory.')
			return
		
		# Now look for Galcon Fusion in every user
		files = os.listdir(userdata)
		
		for file in files:
			filepath = userdata + '\\' + file + '\\44200\\remote\\galcon.cfg'
			if not os.path.exists(filepath):
				continue
			
			# If we're here we should have a Galcon Fusion file
			with open(filepath, mode='rb') as cfgfile: 
				# We've found a config file, now extract the creds.
				# The whole file is read; no length check precedes the slices,
				# so a short file yields short or empty fields.
				data = cfgfile.read()
				values = {}
				
				values['Login'] = data[4:0x23]
				values['Password'] = data[0x24:0x43]
				creds.append(values)
		
		print_output("Galcon Fusion", creds)
					
				
Пример #30
	def get_infos(self, path, passphrase, salt):
		"""Parse DbVisualizer's config70/dbvis.xml under *path* and report connections.

		For every 'Databases' element the method walks all descendants and
		records Alias, Userid, the Password passed through
		self.decrypt(salt, ciphered_password, passphrase), and the Driver,
		Server, Port and SID found under UrlVariables. Entries are handed to
		print_output. Returns None; nothing happens when the file is missing.

		Reviewer note (defensive): passphrase and salt are supplied by the
		caller. If they are application constants rather than a user secret,
		the stored password is obfuscated, not protected - confirm at the
		call site.
		"""
		xml_file = path + os.sep + 'config70/dbvis.xml'
		
		if os.path.exists(xml_file):
			tree = ET.ElementTree(file=xml_file)

			pwdFound = []
			values = {}
			for elem in tree.iter('Databases'):
				# One dict per 'Databases' element, shared by everything found under it
				values = {}
				passwordFound = False

				for e in elem.iter():
					if 'Alias' == e.tag:
						values['Connection Name'] = str(e.text)

					if 'Userid' == e.tag:
						values['Userid'] = str(e.text)

					if 'Password' == e.tag:
						ciphered_password = e.text
						try:
							password = self.decrypt(salt, ciphered_password, passphrase)
							values['Password'] = password
							passwordFound = True
						except:
							# Bare except: a failed decrypt is dropped without a message
							pass

					if 'UrlVariables' == e.tag:
						for el in e.getchildren():
							values['Driver'] = str(el.text).strip()

							for ele in el.getchildren():
								if 'Server' == ele.attrib['UrlVariableName']:
									values['Server'] = str(ele.text)

								if 'Port' == ele.attrib['UrlVariableName']:
									values['Port'] = str(ele.text)

								if 'SID' == ele.attrib['UrlVariableName']:
									values['SID'] = str(ele.text)

						# The append sits inside the UrlVariables branch, so it runs once
						# per UrlVariables element seen after a password was decrypted
						if passwordFound:
							pwdFound.append(values)

			# print the results
			print_output('DbVisualizer', pwdFound)
Пример #31
    def run(self):
        """Report the accounts stored by Claws Mail, if a profile path is found.

        Obtains the profile location from self.get_path() and returns early
        when it is falsy. Otherwise selects the DES mode (CFB, or ECB when
        platform.system() contains 'FreeBSD') and passes path,
        self.get_passcrypt_key() and the mode to self.accountrc_decrypt();
        the result goes to print_output. Returns None.

        Reviewer note (defensive): the account file is read with single DES
        and a key returned by get_passcrypt_key(). If that key is built into
        the client rather than derived from a user secret, the file offers
        obfuscation only - confirm against the helper, which is not shown
        here.
        """
        # print the title
        Header().title_info('ClawsMail')
        
        path = self.get_path()
        if not path:
            print_debug('INFO', 'ClawsMail not installed.')
            return

        # The cipher mode depends on the platform string only
        mode = DES.MODE_CFB
        if 'FreeBSD' in platform.system():
            mode = DES.MODE_ECB
                
        pwdFound = self.accountrc_decrypt(path, self.get_passcrypt_key(), mode)

        # print the results
        print_output('ClawsMail', pwdFound)
Пример #32
    def run(self):
        """Report proxy settings and password-like variables found in os.environ.

        Checks http_proxy / HTTP_Proxy and https_proxy / HTTPS_Proxy, then
        every variable whose upper-cased name contains PASSWD, PWD, PASS or
        PASSWORD, excluding PWD and OLDPWD. Results go to print_output, or an
        INFO message is printed when nothing was recorded. Returns None.

        Reviewer note (defensive): proxy URLs can embed user:password
        credentials, and environment variables are inherited by child
        processes and readable by any code running in the session. Keeping
        secrets out of the environment is the mitigation.
        """
        # NOTE(review): this single dict is mutated by every match below and the
        # same object is appended each time, so all entries of pwdFound alias it
        values = {}
        pwdFound = []

        # print the title
        Header().title_info("Environment variables")

        # --------- http_proxy --------
        tmp = ""
        if "http_proxy" in os.environ:
            tmp = "http_proxy"
        elif "HTTP_Proxy" in os.environ:
            tmp = "HTTP_Proxy"

        if tmp:
            values["Variable"] = tmp
            values["Password"] = os.environ[tmp]
            pwdFound.append(values)

            # --------- https_proxy --------
        tmp = ""
        if "https_proxy" in os.environ:
            tmp = "https_proxy"
        elif "HTTPS_Proxy" in os.environ:
            tmp = "HTTPS_Proxy"

        if tmp:
            values["Variable"] = tmp
            values["Password"] = os.environ[tmp]
            pwdFound.append(values)

        # Substring match on the variable name; PWD and OLDPWD hold directories
        tab = ["passwd", "pwd", "pass", "password"]
        for i in os.environ:
            for t in tab:
                if (t.upper() in i.upper()) and (i.upper() != "PWD") and (i.upper() != "OLDPWD"):
                    values["Variable"] = i
                    values["Password"] = os.environ[i]
        # This append is outside the loop and unconditional, so it also runs
        # when no variable matched
        pwdFound.append(values)

        # The emptiness test is on the shared dict, not on pwdFound
        if len(values) != 0:
            # print the results
            print_output("Environnement variables", pwdFound)

        else:
            print_debug("INFO", "No passwords stored in the environment variables.")
Пример #33
	def retrieve_password(self):
		"""Report proxy settings and password-like variables found in os.environ.

		Checks http_proxy / HTTP_Proxy and https_proxy / HTTPS_Proxy, then
		every variable whose upper-cased name contains PASSWD, PWD, PASS or
		PASSWORD, excluding PWD and OLDPWD. Results go to print_output, or an
		INFO message is printed when nothing was recorded. Returns None.

		Reviewer note (defensive): proxy URLs can embed user:password
		credentials, and environment variables are inherited by child
		processes and readable by any code running in the session. Keeping
		secrets out of the environment is the mitigation.
		"""
		# NOTE(review): this single dict is mutated by every match below and the
		# same object is appended each time, so all entries of pwdFound alias it
		values = {}
		pwdFound = []
		
		# print the title
		Header().title_debug('Environnement variables')
		
		# --------- http_proxy --------
		tmp = ''
		if 'http_proxy' in os.environ:
			tmp = 'http_proxy'
		elif 'HTTP_Proxy' in os.environ:
			tmp = 'HTTP_Proxy'
		
		if tmp:
			values["Variable"] = tmp
			values["Password"] = os.environ[tmp]
			pwdFound.append(values)
			
		# --------- https_proxy --------
		tmp = ''
		if 'https_proxy' in os.environ:
			tmp = 'https_proxy'
		elif 'HTTPS_Proxy' in os.environ:
			tmp = 'HTTPS_Proxy'
		
		if tmp:
			values["Variable"] = tmp
			values["Password"] = os.environ[tmp]
			pwdFound.append(values)
		
		# Substring match on the variable name; PWD and OLDPWD hold directories
		tab = ['passwd', 'pwd', 'pass', 'password']
		for i in os.environ:
			for t in tab:
				if (t.upper() in i.upper()) and (i.upper() != 'PWD') and (i.upper() != 'OLDPWD'):
					values["Variable"] = i
					values["Password"] = os.environ[i]
		# This append is outside the loop and unconditional, so it also runs
		# when no variable matched
		pwdFound.append(values)
		
		# The emptiness test is on the shared dict, not on pwdFound
		if len(values) != 0:
			# print the results
			print_output('Environnement variables', pwdFound)
		
		else:
			print_debug('INFO', 'No passwords stored in the environment variables.')
Пример #34
    def retrieve_password(self):
        """Report the generic credentials returned by self.get_creds().

        Keeps only entries whose Type is win32cred.CRED_TYPE_GENERIC. When
        platform.release() is 'XP' the CredentialBlob is passed through
        self.Win32CryptUnprotectData with self.get_entropy(); otherwise the
        blob is used as returned. Each entry is reported with its TargetName
        (prefix 'Microsoft_WinInet_' removed), its UserName when present and
        the blob decoded as UTF-16. Returns None.

        Reviewer note (defensive): on releases other than XP no unprotect
        step is needed here, i.e. the enumeration already yields the secret
        to code running as the owning user. Generic credentials in the
        Windows credential store should be treated as readable by anything
        in the user's session.
        """
        # print title
        Header().title_debug('Generic Network')

        os_plateform = platform.release()

        a = self.get_creds()
        pwd = ''
        pwdFound = []
        if a:
            for i in a:
                values = {}
                if i['Type'] == win32cred.CRED_TYPE_GENERIC:
                    cipher_text = i['CredentialBlob']

                    if os_plateform == 'XP':
                        pwd = self.Win32CryptUnprotectData(
                            cipher_text, self.get_entropy())
                    else:
                        pwd = cipher_text

                    # 'failed' is compared as a sentinel; presumably the helper
                    # returns it on error - confirm against Win32CryptUnprotectData
                    if pwd != 'failed':
                        targetName = i['TargetName'].replace(
                            'Microsoft_WinInet_', '')
                        values['TargetName'] = targetName

                        # targetName is reassigned here but not read again, so
                        # this branch does not change what is reported
                        if os_plateform == 'XP':
                            t = targetName.split('/')
                            targetName = t[0]

                        if i['UserName'] is not None:
                            values['Username'] = i['UserName']

                        try:
                            values['Password'] = pwd.decode('utf16')
                        except:
                            # Bare except: the entry is still reported, without a password
                            values['INFO'] = 'Error decoding the password'

                        pwdFound.append(values)

            # print the results
            print_output("Generic Network", pwdFound)

        else:
            print_debug('INFO',
                        'No credentials listed with the enum cred function')
Пример #35
	def run(self):
		"""Report the login data kept in Galcon Fusion's Steam cloud config files.

		Reads SteamPath from the Valve Steam key under HKEY_CURRENT_USER,
		then looks in every entry of <SteamPath>/userdata for
		44200/remote/galcon.cfg. From each file found, bytes 4..0x22 are
		reported as 'Login' and bytes 0x24..0x42 as 'Password'. Returns None.

		Reviewer note (defensive): both fields are copied from fixed offsets
		with no decoding step, so this code treats the file as holding them
		unprotected; read access to the Steam userdata tree is the only
		control.
		"""
		# print title
		Header().title_info('Galcon Fusion')
		creds = []
		
		# Find the location of Steam. The bare except reports every failure
		# (missing key, missing value, access denied) as "not installed".
		try:
			with OpenKey(HKEY_CURRENT_USER, 'Software\Valve\Steam') as key:
				results=QueryValueEx(key, 'SteamPath')
		except:
			print_debug('INFO', 'Steam does not appear to be installed.')
			return
		
		if not results:
			print_debug('INFO', 'Steam does not appear to be installed.')
			return
			
		# QueryValueEx returns (value, type); only the value is used
		steampath=results[0]
		userdata = steampath + '\\userdata'
		
		# Check that we have a userdata directory
		if not os.path.exists(userdata):
			print_debug('ERROR', 'Steam doesn\'t have a userdata directory.')
			return
		
		# Now look for Galcon Fusion in every user
		files = os.listdir(userdata)
		
		for file in files:
			filepath = userdata + '\\' + file + '\\44200\\remote\\galcon.cfg'
			if not os.path.exists(filepath):
				continue
			
			# If we're here we should have a Galcon Fusion file
			with open(filepath, mode='rb') as cfgfile: 
				# We've found a config file, now extract the creds.
				# The whole file is read; no length check precedes the slices,
				# so a short file yields short or empty fields.
				data = cfgfile.read()
				values = {}
				
				values['Login'] = data[4:0x23]
				values['Password'] = data[0x24:0x43]
				creds.append(values)
		
		print_output("Galcon Fusion", creds)
Пример #36
	def parse_xml(self, xml_file):
		"""Report the entries of a Cyberduck settings file that look like saved URLs.

		Walks every element of *xml_file*. Where the 'name' attribute starts
		with ftp, sftp or http (the ftps and https tests are already covered
		by ftp and http), the 'value' attribute is base64-decoded and passed
		to win32crypt.CryptUnprotectData; the URL and the result are handed
		to print_output. Returns None.

		Reviewer note (defensive): CryptUnprotectData is the DPAPI unprotect
		call and is used here with no entropy and no prompt structure, so the
		protection holds only against other accounts, not against code
		running as the same user.
		"""
		tree = ET.ElementTree(file=xml_file)
		
		pwdFound = []
		for elem in tree.iter():
			values = {}
			try:
				if elem.attrib['name'].startswith('ftp') or elem.attrib['name'].startswith('ftps') or elem.attrib['name'].startswith('sftp') or elem.attrib['name'].startswith('http') or elem.attrib['name'].startswith('https'):
					values['URL'] = elem.attrib['name']
					encrypted_password = base64.b64decode(elem.attrib['value'])
					# [1] of the returned pair is the unprotected data
					password = win32crypt.CryptUnprotectData(encrypted_password, None, None, None, 0)[1]
					values['Password'] = password
					
					pwdFound.append(values)
			except:
				# Bare except: covers elements without 'name'/'value' attributes, but
				# also hides base64 and unprotect failures without any message
				pass
		# print the results
		print_output("Cyberduck", pwdFound)
Пример #37
	def parse_xml(self, xml_file):
		"""Report the entries of a Cyberduck settings file that look like saved URLs.

		Walks every element of *xml_file*. Where the 'name' attribute starts
		with ftp, sftp or http (the ftps and https tests are already covered
		by ftp and http), the 'value' attribute is base64-decoded and passed
		to win32crypt.CryptUnprotectData; the URL and the result are handed
		to print_output. Returns None.

		Reviewer note (defensive): CryptUnprotectData is the DPAPI unprotect
		call and is used here with no entropy and no prompt structure, so the
		protection holds only against other accounts, not against code
		running as the same user.
		"""
		tree = ET.ElementTree(file=xml_file)
		
		pwdFound = []
		for elem in tree.iter():
			values = {}
			try:
				if elem.attrib['name'].startswith('ftp') or elem.attrib['name'].startswith('ftps') or elem.attrib['name'].startswith('sftp') or elem.attrib['name'].startswith('http') or elem.attrib['name'].startswith('https'):
					values['URL'] = elem.attrib['name']
					encrypted_password = base64.b64decode(elem.attrib['value'])
					# [1] of the returned pair is the unprotected data
					password = win32crypt.CryptUnprotectData(encrypted_password, None, None, None, 0)[1]
					values['Password'] = password
					
					pwdFound.append(values)
			except:
				# Bare except: covers elements without 'name'/'value' attributes, but
				# also hides base64 and unprotect failures without any message
				pass
		# print the results
		print_output("Cyberduck", pwdFound)
Пример #38
	def run(self):
		"""Report the login data kept in Turba's Settings.bin under the Steam tree.

		Reads SteamPath from the Valve Steam key under HKEY_CURRENT_USER and
		opens <SteamPath>/SteamApps/common/Turba/Assets/Settings.bin. The
		content from offset 0x1b onwards is split on the 0x0a byte; the first
		piece is reported as 'Login' and the second as 'Password'.
		Returns None.

		Reviewer note (defensive): the two fields are taken from the file
		with no decoding step, so this code treats them as stored
		unprotected; read access to the game directory is the only control.
		"""
		# print title
		Header().title_info('Turba')
		creds = []
		
		# Find the location of Steam. The bare except reports every failure
		# (missing key, missing value, access denied) as "not installed".
		try:
			with OpenKey(HKEY_CURRENT_USER, 'Software\Valve\Steam') as key:
				results=QueryValueEx(key, 'SteamPath')
		except:
			print_debug('INFO', 'Steam does not appear to be installed.')
			return
		
		if not results:
			print_debug('INFO', 'Steam does not appear to be installed.')
			return
			
		# QueryValueEx returns (value, type); only the value is used
		steampath=results[0]
		steamapps = steampath + '\\SteamApps\common'
		
		# Check that we have a SteamApps directory
		if not os.path.exists(steamapps):
			print_debug('ERROR', 'Steam doesn\'t have a SteamApps directory.')
			return
		
		filepath = steamapps + '\\Turba\\Assets\\Settings.bin'
		
		if not os.path.exists(filepath):
			print_debug('INFO', 'Turba doesn\'t appear to be installed.')
			return
			
		# If we're here we should have a valid config file.
		# The 'as' target rebinds filepath from the path string to the file object.
		with open(filepath, mode='rb') as filepath: 
			# We've found a config file, now extract the creds
			data = filepath.read()
			values = {}
			
			# Splitting 'rb' data on a str separator works only where bytes is str
			# (Python 2); chunk[1] raises IndexError when no 0x0a byte follows 0x1b
			chunk=data[0x1b:].split('\x0a')
			values['Login'] = chunk[0]
			values['Password'] = chunk[1]
			creds.append(values)
		
		print_output("Turba", creds)
Пример #39
    def run(self):
        """Report the login data kept in Turba's Settings.bin under the Steam tree.

        Reads SteamPath from the Valve Steam key under HKEY_CURRENT_USER and
        opens <SteamPath>/SteamApps/common/Turba/Assets/Settings.bin. The
        content from offset 0x1b onwards is split on the 0x0a byte; the first
        piece is reported as 'Login' and the second as 'Password'.
        Returns None.

        Reviewer note (defensive): the two fields are taken from the file
        with no decoding step, so this code treats them as stored
        unprotected; read access to the game directory is the only control.
        """
        # print title
        Header().title_info('Turba')
        creds = []

        # Find the location of Steam. The bare except reports every failure
        # (missing key, missing value, access denied) as "not installed".
        try:
            with OpenKey(HKEY_CURRENT_USER, 'Software\Valve\Steam') as key:
                results = QueryValueEx(key, 'SteamPath')
        except:
            print_debug('INFO', 'Steam does not appear to be installed.')
            return

        if not results:
            print_debug('INFO', 'Steam does not appear to be installed.')
            return

        # QueryValueEx returns (value, type); only the value is used
        steampath = results[0]
        steamapps = steampath + '\\SteamApps\common'

        # Check that we have a SteamApps directory
        if not os.path.exists(steamapps):
            print_debug('ERROR', 'Steam doesn\'t have a SteamApps directory.')
            return

        filepath = steamapps + '\\Turba\\Assets\\Settings.bin'

        if not os.path.exists(filepath):
            print_debug('INFO', 'Turba doesn\'t appear to be installed.')
            return

        # If we're here we should have a valid config file.
        # The 'as' target rebinds filepath from the path string to the file object.
        with open(filepath, mode='rb') as filepath:
            # We've found a config file, now extract the creds
            data = filepath.read()
            values = {}

            # Splitting 'rb' data on a str separator works only where bytes is str
            # (Python 2); chunk[1] raises IndexError when no 0x0a byte follows 0x1b
            chunk = data[0x1b:].split('\x0a')
            values['Login'] = chunk[0]
            values['Password'] = chunk[1]
            creds.append(values)

        print_output("Turba", creds)
Пример #40
	def run(self):
		"""Report the accounts listed in Pidgin's accounts.xml.

		Builds the path to the .purple directory from constant.appdata or,
		failing that, from the APPDATA environment variable, and parses
		accounts.xml there. For each child of the root element the text of
		the 'name' tag is reported as 'Login' and the text of the 'password'
		tag as 'Password'; accounts without a 'password' tag are skipped.
		Returns None.

		Reviewer note (defensive): the password is the tag text used as-is,
		with no decoding step, so the file is treated as holding it in the
		clear. Not saving passwords in the client and restricting access to
		the profile directory are the available controls.
		"""
		# print title
		Header().title_info('Pidgin')
		
		if constant.appdata:
			directory =  '%s\.purple' % constant.appdata
			path = os.path.join(directory, 'accounts.xml')
		
		elif 'APPDATA' in os.environ:
			directory = os.environ['APPDATA'] + '\.purple'
			path = os.path.join(directory, 'accounts.xml')
		else:
			print_debug('ERROR', 'The APPDATA environment variable is not defined.')
			return
		
		if os.path.exists(path):
			tree = ET.ElementTree(file=path)
			
			root = tree.getroot()
			# NOTE(review): Element.getchildren() was removed in Python 3.9
			accounts = root.getchildren()
			pwdFound = []
			for a in accounts:
				values = {}
				aa = a.getchildren()
				noPass = True

				for tag in aa:
					# cpt is assigned here and below but never read
					cpt = 0
					if tag.tag == 'name':
						cpt = 1
						values['Login'] = tag.text
					
					if tag.tag == 'password':
						values['Password'] = tag.text
						noPass = False
					
				# Only accounts that carried a 'password' tag are reported
				if noPass == False:
					pwdFound.append(values)
				
			# print the results
			print_output("Pidgin", pwdFound)
		else:
			print_debug('INFO', 'Pidgin not installed.')
Пример #41
    def run(self):
        """Report, per Skype profile directory, the credential hash kept in config.xml.

        Looks under APPDATA for the Skype directory and obtains a key from
        self.get_regkey(). For every sub-directory that contains a
        config.xml, self.get_hash_credential() returns the stored value,
        self.get_md5_hash() turns it into an MD5 hash with that key, and
        self.dictionary_attack() is tried against it. The collected entries
        go to print_output. Returns None; nothing is printed when APPDATA is
        not set. Python 2 syntax ('except Exception, e').

        Reviewer note (defensive): what is recovered is an MD5 value, a fast
        hash, so resistance to offline guessing rests on the strength of the
        account password alone.
        """
        # print title
        Header().title_info("Skype")

        if "APPDATA" in os.environ:
            directory = os.environ["APPDATA"] + "\Skype"

            if os.path.exists(directory):
                # retrieve the key used to build the salt
                key = self.get_regkey()
                # 'failed' is the error sentinel compared against here
                if key == "failed":
                    print_debug("ERROR", "The salt has not been retrieved")
                else:
                    pwdFound = []
                    for d in os.listdir(directory):
                        if os.path.exists(directory + os.sep + d + os.sep + "config.xml"):
                            values = {}

                            try:
                                # The directory name is reported as the username
                                values["username"] = d

                                # get encrypted hash from the config file
                                enc_hex = self.get_hash_credential(directory + os.sep + d + os.sep + "config.xml")

                                if enc_hex == "failed":
                                    print_debug("WARNING", "No credential stored on the config.xml file.")
                                else:
                                    # decrypt the stored value to obtain the MD5 hash
                                    values["hash_md5"] = self.get_md5_hash(enc_hex, key)
                                    values["shema to bruteforce"] = values["username"] + "\\nskyper\\n<password>"

                                    # Try a dictionary attack on the hash
                                    password = self.dictionary_attack(values["username"], values["hash_md5"])
                                    if password:
                                        values["password"] = password

                                    # Appended whether or not a password was found
                                    pwdFound.append(values)
                            except Exception, e:
                                print_debug("DEBUG", "{0}".format(e))
                                # print the results
                    print_output("Skype", pwdFound)
            else:
                print_debug("INFO", "Skype not installed.")
Пример #42
	def run(self):
		"""Report, per Skype profile directory, the credential hash kept in config.xml.

		Looks under APPDATA for the Skype directory and obtains a key from
		self.get_regkey(). For every sub-directory that contains a
		config.xml, self.get_hash_credential() returns the stored value,
		self.get_md5_hash() turns it into an MD5 hash with that key, and
		self.dictionary_attack() is tried against it. The collected entries
		go to print_output. Returns None; nothing is printed when APPDATA is
		not set. Python 2 syntax ('except Exception,e').

		Reviewer note (defensive): what is recovered is an MD5 value, a fast
		hash, so resistance to offline guessing rests on the strength of the
		account password alone.
		"""
		# print title
		Header().title_info('Skype')
		
		if 'APPDATA' in os.environ:
			directory = os.environ['APPDATA'] + '\Skype'
			
			if os.path.exists(directory):
				# retrieve the key used to build the salt
				key = self.get_regkey()
				# 'failed' is the error sentinel compared against here
				if key == 'failed':
					print_debug('ERROR', 'The salt has not been retrieved')
				else:
					pwdFound = []
					for d in os.listdir(directory):
						if os.path.exists(directory + os.sep + d + os.sep + 'config.xml'):
							values = {}
							
							try:
								# The directory name is reported as the username
								values['username'] = d
								
								# get encrypted hash from the config file
								enc_hex = self.get_hash_credential(directory + os.sep + d + os.sep + 'config.xml')
								
								if enc_hex == 'failed':
									print_debug('WARNING', 'No credential stored on the config.xml file.')
								else:
									# decrypt the stored value to obtain the MD5 hash
									values['hash_md5'] = self.get_md5_hash(enc_hex, key)
									values['shema to bruteforce'] = values['username'] + '\\nskyper\\n<password>'
									
									# Try a dictionary attack on the hash
									password = self.dictionary_attack(values['username'], values['hash_md5'])
									if password:
										values['password'] = password

									# Appended whether or not a password was found
									pwdFound.append(values)
							except Exception,e:
								print_debug('DEBUG', '{0}'.format(e))
					# print the results
					print_output("Skype", pwdFound)
			else:
				print_debug('INFO', 'Skype not installed.')