From cbe5fe631710590eb8aff9182294c19c4965c713 Mon Sep 17 00:00:00 2001 From: Pierre-Alexandre Vandewoestyne Date: Sun, 30 Jan 2022 16:57:30 +0100 Subject: [PATCH] exporting raw credz and cookies --- DonPAPI.py | 2 ++ database.py | 60 ++++++++++++++++++++++++++++++++++++++++++++++------- 2 files changed, 54 insertions(+), 8 deletions(-) diff --git a/DonPAPI.py b/DonPAPI.py index bddefb0..3653722 100644 --- a/DonPAPI.py +++ b/DonPAPI.py @@ -185,6 +185,8 @@ def main(): #print("ENDING MAIN") my_report = reporting(sqlite3.connect(options.db_path), logging, options, targets) my_report.generate_report() + my_report.export_credz() + my_report.export_cookies() if options.GetHashes: my_report.export_MKF_hashes() my_report.export_dcc2_hashes() diff --git a/database.py b/database.py index 9df50f5..beb54e1 100644 --- a/database.py +++ b/database.py @@ -164,7 +164,7 @@ class reporting: cred_id, file_path, username, password, target, type, pillaged_from_computerid, pillaged_from_userid = cred if type != current_type: current_type=type - current_type_count=self.get_credz_count(current_type)[0][0] + current_type_count=self.get_credz_count(current_type,'AND username NOT IN ("NL$KM_history") AND target NOT IN ("WindowsLive:target=virtualapp/didlogical","Adobe App Info","Adobe App Prefetched Info","Adobe User Info","Adobe User OS Info","MicrosoftOffice16_Data:ADAL","LegacyGeneric:target=msteams_adalsso/adal_contex")')[0][0] data += f"""{current_type} ({current_type_count})""" @@ -251,6 +251,8 @@ class reporting: data += """
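Review bot: `my_report.export_credz()` and `my_report.export_cookies()` are called unconditionally, unlike the hash exports immediately below which stay gated on `options.GetHashes`, so every run now drops plaintext passwords and live session cookies into `raw_credz`/`raw_cookies` in the output directory whether or not the operator asked for them. Consider gating the two calls behind an explicit flag in the same style, e.g. `if options.ExportRaw:` (the option name is a project decision), or at minimum log the two paths at INFO so the operator knows what to wipe at the end of the engagement. main() continues outside the hunk.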
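Review bot: The exclusion list handed to `get_credz_count` as `extra_conditions` is a hand-written SQL fragment embedded in an f-string in the middle of HTML generation; if the rendering loop below skips the same usernames/targets (the hunk does not show it), the two lists can drift apart and the count in the heading will no longer match the rows shown. Hoist the names into a module-level constant such as `IGNORED_CRED_USERS = ('NL$KM_history',)` / `IGNORED_CRED_TARGETS = (...)` and have `get_credz_count` build the `NOT IN (?, ?, ...)` clause with bound parameters from them, so the count and the row filter share one source of truth and no raw SQL text travels through a call argument. The loop this sits in starts and ends outside the hunk.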
""" self.add_to_resultpage(data) ### + + ##### List cookies results = self.get_cookies() @@ -259,12 +261,13 @@ class reporting: Value Until Target + Type Pillaged_from_computerid Pillaged_from_userid\n""" # current_type = 'cookies' - data += f"""Cookies ({len(results)})""" + data += f"""Cookies ({len(results)})""" for index, cred in enumerate(results): name,value,expires_utc,target,type,pillaged_from_computerid,pillaged_from_userid = cred # Skip infos of @@ -291,8 +294,11 @@ class reporting: ###Print block for info in [name,value]: data += f""" {str(info)[:48]} """ - for info in [expires_utc]: - data += f""" {(datetime(1601, 1, 1) + timedelta(microseconds=info)).strftime('%b %d %Y %H:%M:%S')} """ + for info in [expires_utc]: #Formule a change si on intègre des cookies venant d'autre chose que chrome + if type == "browser-chrome" : + data += f""" {(datetime(1601, 1, 1) + timedelta(microseconds=info)).strftime('%b %d %Y %H:%M:%S')} """ + else: + data += f""" {(datetime.fromtimestamp(info)).strftime('%b %d %Y %H:%M:%S')} """ # check if info contains a URL if 'http:' in target or 'https:' in target: 
@@ -529,14 +535,48 @@ class reporting: self.logging.debug(ex) self.logging.debug(f"Export Done!") - def get_credz_count(self,current_type): + def export_credz(self,distinct=True): + user_credz=self.get_credz(distinct=True) + filename = os.path.join(self.options.output_directory, 'raw_credz') + self.logging.info(f"Exporting {len(user_credz)} credz to {self.options.output_directory}") + if os.path.exists(filename): + os.remove(filename) + for index, cred in enumerate(user_credz): + username, password = cred + try: + f=open(filename,'ab') + f.write(f"{username}:{password}\n".encode('utf-8')) + f.close() + except Exception as ex: + self.logging.error(f"Exception in export raw credz to (unknown)") + self.logging.debug(ex) + self.logging.debug(f"Export Done!") + + def export_cookies(self): + user_credz=self.get_cookies() + filename = os.path.join(self.options.output_directory, 'raw_cookies') + self.logging.info(f"Exporting {len(user_credz)} cookies to {self.options.output_directory}") + if os.path.exists(filename): + os.remove(filename) + for index, cred in enumerate(user_credz): + name, value, expires_utc, target, type, pillaged_from_computerid, pillaged_from_userid = cred + try: + f=open(filename,'ab') + f.write(f"{target}:{name}:{value}\n".encode('utf-8')) + f.close() + except Exception as ex: + self.logging.error(f"Exception in export raw credz to (unknown)") + self.logging.debug(ex) + self.logging.debug(f"Export Done!") + + def get_credz_count(self,current_type,extra_conditions=''): with self.conn: cur = self.conn.cursor() - cur.execute(f"SELECT count(id) FROM credz WHERE LOWER(type)=LOWER('{current_type}')") + cur.execute(f"SELECT count(id) FROM credz WHERE LOWER(type)=LOWER('{current_type}') {extra_conditions}") results = cur.fetchall() return results - def get_credz(self, filterTerm=None, credz_type=None): + def get_credz(self, filterTerm=None, credz_type=None,distinct=False): """ Return credentials from the database. """ 
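Review bot: `export_credz` and `export_cookies` write plaintext passwords and session cookies through `open(filename,'ab')`, so the files are created with the process umask's default mode (commonly world-readable) and the handle is reopened for every row; create the file once with `os.open(..., os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` under a `with`, which also makes the preceding `os.remove` unnecessary (the mode bits are enforced on POSIX only; on Windows they are largely ignored). Two smaller points in the same hunk: `export_credz` ignores its `distinct` parameter because it calls `self.get_credz(distinct=True)`, and both error messages say `to (unknown)` where `{filename}` would be the useful information. `get_credz_count` now splices `extra_conditions` verbatim into the SQL on top of the existing `LOWER('{current_type}')` interpolation; the only caller passes a literal today, but a comment such as `# extra_conditions is appended raw to the WHERE clause; never pass caller-supplied text` would make that contract explicit.
```python
    def export_credz(self,distinct=True):
        user_credz=self.get_credz(distinct=distinct)
        filename = os.path.join(self.options.output_directory, 'raw_credz')
        self.logging.info(f"Exporting {len(user_credz)} credz to {self.options.output_directory}")
        try:
            # plaintext secrets: owner-only mode (POSIX), single handle, truncate on create
            fd = os.open(filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, 'wb') as f:
                for username, password in user_credz:
                    f.write(f"{username}:{password}\n".encode('utf-8'))
        except OSError as ex:
            self.logging.error(f"Exception in export raw credz to {filename}")
            self.logging.debug(ex)
        self.logging.debug(f"Export Done!")
        # … unchanged: export_cookies gets the same shape with 'raw_cookies' and f"{target}:{name}:{value}\n" …
```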
@@ -550,7 +590,10 @@ class reporting: with self.conn: cur = self.conn.cursor() cur.execute("SELECT * FROM users WHERE LOWER(username) LIKE LOWER(?)", ['%{}%'.format(filterTerm)]) - + elif distinct : + with self.conn: + cur = self.conn.cursor() + cur.execute("SELECT DISTINCT username,password FROM credz WHERE LOWER(type) NOT IN ('sam','lsa','dcc2') AND password NOT IN ('')") # otherwise return all credentials else: with self.conn: @@ -640,6 +683,7 @@ class reporting: cur.execute(f"SELECT name,value,expires_utc,target,type,pillaged_from_computerid,pillaged_from_userid FROM cookies ORDER BY pillaged_from_computerid ASC, expires_utc DESC ") results = cur.fetchall() return results + class database: def __init__(self, conn,logger):
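Review bot: The new `elif distinct :` branch is only reached when `filterTerm` is falsy (and presumably after the `credz_type` branch that precedes this hunk), so `get_credz(filterTerm='x', distinct=True)` silently ignores `distinct`; its rows also have two columns `(username, password)` where the other branches return whole rows, and a caller unpacking the result has to know which shape it got. State both in the docstring changed in the previous hunk, e.g. `distinct=True returns DISTINCT (username, password) pairs, excluding sam/lsa/dcc2 types and empty passwords; it is ignored when filterTerm is given.` Note that `password NOT IN ('')` also drops rows whose password is NULL, which is probably intended but worth a word there. get_credz starts and ends outside the hunk.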