A post-exploitation/forensics tool to decrypt SolarPuTTY's session files
In September 2019 I found some bad design choices (vulnerability?) in SolarWinds' SolarPuTTY software. They allow an attacker to recover SolarPuTTY's stored sessions from a compromised system.
This vulnerability applies to all SolarPuTTY versions <= 22.214.171.124.
I've written a detailed blog post explaining the "vulnerability".
By default, when run without arguments, the tool attempts to dump the local SolarPuTTY sessions file (%appdata%\SolarWinds\FreeTools\Solar-PuTTY\data.dat).
Otherwise, the tool can be pointed at an arbitrary exported sessions file as follows (use "" for an empty password):
SolarPuttyDecrypt.exe C:\Users\test\session.dat Pwd123!
Sessions are printed on screen and saved to the user's Desktop (%userprofile%\desktop\SolarPutty_sessions_decrypted.txt).
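The two paths named above are also what an incident responder would look for when checking whether a host is exposed or whether the decryptor has already been run on it. The following PowerShell hunt script is an added example and is not part of the SolarPuttyDecrypt project; it assumes the default profile root `C:\Users` and takes the sessions-store and output-file locations from this README. It reports each profile that holds a `data.dat` (the host stores SolarPuTTY credentials, so the file's integrity and access rights matter) and each profile whose Desktop holds the decrypted dump (a strong indicator that the tool was executed locally).

```powershell
# Added example (not project code): hunt for the artifacts named in this README.
# Assumption: user profiles live under C:\Users (the Windows default).

$findings = @()

foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    # %appdata% resolves to <profile>\AppData\Roaming for each user.
    $dataDat = Join-Path $profile.FullName 'AppData\Roaming\SolarWinds\FreeTools\Solar-PuTTY\data.dat'
    # %userprofile%\desktop is where the tool writes its decrypted output.
    $dump    = Join-Path $profile.FullName 'Desktop\SolarPutty_sessions_decrypted.txt'

    if (Test-Path -LiteralPath $dataDat) {
        $item = Get-Item -LiteralPath $dataDat
        $findings += [pscustomobject]@{
            User     = $profile.Name
            Artifact = 'SolarPuTTY sessions store'
            Path     = $dataDat
            Modified = $item.LastWriteTime
            SHA256   = (Get-FileHash -LiteralPath $dataDat -Algorithm SHA256).Hash
            Severity = 'Info'   # expected wherever SolarPuTTY is installed; records exposure
        }
    }

    if (Test-Path -LiteralPath $dump) {
        $item = Get-Item -LiteralPath $dump
        $findings += [pscustomobject]@{
            User     = $profile.Name
            Artifact = 'Decrypted sessions dump (decryptor output)'
            Path     = $dump
            Modified = $item.LastWriteTime
            SHA256   = (Get-FileHash -LiteralPath $dump -Algorithm SHA256).Hash
            Severity = 'High'   # the decryptor was run on this host; treat stored credentials as compromised
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No SolarPuTTY sessions store or decryptor output found under C:\Users.'
} else {
    $findings | Sort-Object Severity, User | Format-Table -AutoSize
}
```

Run it from an elevated prompt so every profile directory is readable. A `High` finding means the credentials in that user's sessions store should be rotated and the timestamp of the dump file used as the earliest known time of access; the SHA256 column is there so the artifacts can be preserved and cross-referenced in an incident record.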
Looking for someone interested in porting this project to a Metasploit post-exploitation module.