def get_application_path(self):
directory = os.path.join(constant.profile['APPDATA'], u'Cyberduck')
if os.path.exists(directory):
for dr in os.listdir(directory):
if dr.startswith(u'Cyberduck'):
for d in os.listdir(os.path.join(directory, string_to_unicode(dr))):
path = os.path.join(directory, string_to_unicode(dr), string_to_unicode(d), u'user.config')
return path
def run(self):
windir = os.path.join(constant.profile['HOMEDRIVE'],
string_to_unicode(os.sep), u'Windows')
files = [
'Panther\\Unattend.xml', 'Panther\\Unattended.xml',
'Panther\\Unattend\\Unattended.xml',
'Panther\\Unattend\\Unattend.xml',
'System32\\Sysprep\\unattend.xml',
'System32\\Sysprep\\Panther\\unattend.xml'
]
pwd_found = []
xmlns = '{urn:schemas-microsoft-com:unattend}'
for file in files:
path = os.path.join(windir, string_to_unicode(file))
if os.path.exists(path):
self.debug(u'Unattended file found: %s' % path)
tree = ElementTree(file=path)
root = tree.getroot()
for setting in root.findall('%ssettings' % xmlns):
component = setting.find('%scomponent' % xmlns)
auto_logon = component.find('%sauto_logon' % xmlns)
if auto_logon:
username = auto_logon.find('%sUsername' % xmlns)
password = auto_logon.find('%sPassword' % xmlns)
if all((username, password)):
# Remove false positive (with following message on password => *SENSITIVE*DATA*DELETED*)
if 'deleted' not in password.text.lower():
pwd_found.append({
'Login':
username.text,
'Password':
self.try_b64_decode(password.text)
})
user_accounts = component.find('%suser_accounts' % xmlns)
if user_accounts:
local_accounts = user_accounts.find(
'%slocal_accounts' % xmlns)
if local_accounts:
for local_account in local_accounts.findall(
'%slocal_account' % xmlns):
username = local_account.find('%sName' % xmlns)
password = local_account.find('%sPassword' %
xmlns)
if all((username, password)):
if 'deleted' not in password.text.lower():
pwd_found.append({
'Login':
username.text,
'Password':
self.try_b64_decode(password.text)
})
return pwd_found
def run(self):
creds = []
results = None
# Find the location of steam - to make it easier we're going to use a try block
# 'cos I'm lazy
try:
with win.OpenKey(win.HKEY_CURRENT_USER,
'Software\Valve\Steam') as key:
results = winreg.QueryValueEx(key, 'SteamPath')
except Exception:
pass
if results:
steampath = string_to_unicode(results[0])
steamapps = os.path.join(steampath, u'SteamApps\common')
# Check that we have a SteamApps directory
if not os.path.exists(steamapps):
self.error(u'Steam doesn\'t have a SteamApps directory.')
return
filepath = os.path.join(steamapps, u'Turba\\Assets\\Settings.bin')
if not os.path.exists(filepath):
self.debug(u'Turba doesn\'t appear to be installed.')
return
# If we're here we should have a valid config file file
with open(filepath, mode='rb') as filepath:
# We've found a config file, now extract the creds
data = filepath.read()
chunk = data[0x1b:].split('\x0a')
creds.append({'Login': chunk[0], 'Password': chunk[1]})
return creds
def run(self):
"""
Main function
"""
# According to the "git-credential-store" documentation:
# Build a list of locations in which git credentials can be stored
locations = [
os.path.join(constant.profile["USERPROFILE"], u'.git-credentials'),
os.path.join(constant.profile["USERPROFILE"],
u'.config\\git\\credentials'),
]
if "XDG_CONFIG_HOME" in os.environ:
locations.append(
os.path.join(
string_to_unicode(os.environ.get('XDG_CONFIG_HOME')),
u'git\\credentials'))
# Apply the password extraction on the defined locations
pwd_found = []
for location in locations:
pwd_found += self.extract_credentials(location)
# Filter duplicates
return [{
'URL': url,
'Login': login,
'Password': password
} for url, login, password in set(pwd_found)]
def get_info(self, key, username, path):
if os.path.exists(os.path.join(path, u'config.xml')):
values = {}
try:
values['Login'] = username
# get encrypted hash from the config file
enc_hex = self.get_hash_credential(
os.path.join(path, u'config.xml'))
if not enc_hex:
self.warning(
u'No credential stored on the config.xml file.')
else:
# decrypt the hash to get the md5 to brue force
values['Hash'] = self.get_md5_hash(enc_hex, key)
values[
'Pattern to bruteforce using md5'] = win.string_to_unicode(
values['Login']) + u'\\nskyper\\n<password>'
# Try a dictionary attack on the hash
password = self.dictionary_attack(values['Login'],
values['Hash'])
if password:
values['Password'] = password
self.pwd_found.append(values)
except Exception as e:
self.debug(str(e))
def get_default_database(self):
try:
key = OpenKey(HKEY_CURRENT_USER,
'Software\\ACS\\PuTTY Connection Manager')
db = string_to_unicode(
winreg.QueryValueEx(key, 'DefaultDatabase')[0])
winreg.CloseKey(key)
return db
except Exception:
return False
def get_username(self, path):
xml_file = os.path.join(path, u'shared.xml')
if os.path.exists(xml_file):
tree = ElementTree(file=xml_file)
username = tree.find('Lib/Account/Default')
try:
return win.string_to_unicode(username.text)
except Exception:
pass
return False
def run(self):
creds = []
results = None
# Find the location of steam - to make it easier we're going to use a try block
# 'cos I'm lazy
try:
with win.OpenKey(win.HKEY_CURRENT_USER,
'Software\\Valve\\Steam') as key:
results = winreg.QueryValueEx(key, 'SteamPath')
except Exception:
pass
if results:
steampath = string_to_unicode(results[0])
userdata = os.path.join(steampath, u'userdata')
# Check that we have a userdata directory
if not os.path.exists(userdata):
self.error(u'Steam doesn\'t have a userdata directory.')
return
# Now look for Galcon Fusion in every user
for f in os.listdir(userdata):
filepath = os.path.join(userdata, string_to_unicode(f),
u'44200\\remote\\galcon.cfg')
if not os.path.exists(filepath):
continue
# If we're here we should have a Galcon Fusion file
with open(filepath, mode='rb') as cfgfile:
# We've found a config file, now extract the creds
data = cfgfile.read()
creds.append({
'Login': data[4:0x23],
'Password': data[0x24:0x43]
})
return creds
def print_output(self, software_name, pwd_found):
if pwd_found:
# if the debug logging level is not apply => print the title
if not logging.getLogger().isEnabledFor(logging.INFO):
# print the username only if password have been found
user = constant.finalResults.get('User', '')
global tmp_user
if user != tmp_user:
tmp_user = user
self.print_user(user, force_print=True)
# if not title1:
self.print_title(software_name)
# Particular passwords representation
to_write = []
if software_name in ('Hashdump', 'Lsa_secrets', 'Mscache'):
pwds = pwd_found[1]
for pwd in pwds:
self.do_print(pwd)
if software_name == 'Lsa_secrets':
hex_value = self.print_hex(pwds[pwd], length=16)
to_write.append([pwd.decode(), hex_value.decode()])
self.do_print(hex_value)
else:
to_write.append(pwd)
self.do_print()
# Other passwords
else:
# Remove duplicated password
pwd_found = [
dict(t) for t in set([tuple(d.items()) for d in pwd_found])
]
# Loop through all passwords found
for pwd in pwd_found:
# Detect which kinds of password has been found
lower_list = [s.lower() for s in pwd]
for p in ('password', 'key', 'hash'):
pwd_category = [s for s in lower_list if p in s]
if pwd_category:
pwd_category = pwd_category[0]
break
write_it = False
passwd = None
try:
# Do not print empty passwords
if not pwd[pwd_category.capitalize()]:
continue
passwd = string_to_unicode(
pwd[pwd_category.capitalize()])
except Exception:
pass
# No password found
if not passwd:
print_debug("FAILED", u'Password not found.')
else:
constant.nb_password_found += 1
write_it = True
print_debug(
"OK", u'{pwd_category} found!'.format(
pwd_category=pwd_category.title()))
# Store all passwords found on a table => for dictionary attack if master password set
if passwd not in constant.password_found:
constant.password_found.append(passwd)
pwd_info = []
for p in pwd:
try:
pwd_line = '%s: %s' % (
p, pwd[p].decode()
) # Manage bytes output (py 3)
except Exception:
pwd_line = '%s: %s' % (p, pwd[p])
pwd_info.append(pwd_line)
self.do_print(pwd_line)
self.do_print()
if write_it:
to_write.append(pwd_info)
# write credentials into a text file
self.checks_write(to_write, software_name)
else:
print_debug("INFO", "No passwords found.\n")