jjc224/Sophos-Deobfuscator

Sophos Deobfuscator

 ---------------------------------------------------------------------------------------------------------------------------------  
| Sophos Enterprise Console username/password deobfuscator                                                               03/12/18 | 
|                                                                                                                                 | 
| Author: Joshua Coleman                                                                                                          | 
| Usage:  ruby sophos_deobfuscate.rb                                                                                              | 
|                                                                                                                                 | 
| ObfuscationUtil.exe is a tool provided by Sophos to obfuscate administrator account credentials:                                | 
|   ObfuscationUtil.exe --obfuscate <username> -w                                                                                           | 
|   ObfuscationUtil.exe --obfuscate <password> -w                                                                                           | 
|                                                                                                                                 | 
|   "Where <username> and <password> are the username and password that are needed to obfuscate.                                                      | 
|   These credentials should have administrator privileges to access the files in the CID."                                       | 
|     - https://community.sophos.com/kb/en-us/13094                                                                               | 
|                                                                                                                                 | 
|   Sidenote: The -w flag is optional and outputs the obfuscated data as a wstring.                                               | 
|             Each character is of type wchar_t - its size is compiler-dependent.                                                 | 
|             8, 16, or 32 bits - signed or unsigned.                                                                             | 
|                                                                                                                                 | 
| This tool is able to deobfuscate obfuscated strings (standard or wide) generated by SEC's ObfuscationUtil.exe.                  | 
|                                                                                                                                 | 
| Usage example:                                                                                                                  | 
|  --------------------------------------------------------------------------------------------------------------------           | 
| | [josh@poseidon]> awk 'NF > 1 {print $4}' obfuscated_password.txt                                                   |          | 
| |   Bwg09ImSa/lhAgB3NzKRnrBY1aU5eQFHQTursgQOjutmYw==                                                                 |          | 
| |                                                                                                                    |          | 
| | [josh@poseidon]> ruby sophos_deobfuscate.rb 'Bwg09ImSa/lhAgB3NzKRnrBY1aU5eQFHQTursgQOjutmYw=='                     |          | 
| |   Data:           00773732919eb058d5a539790147413babb2040e8eeb6663                                                 |          | 
| |   Password (KDF): 5644b2629112c5facfd15923e8f097493b73455eae613454485bc61f785f0008b340fc34e05ad98b71aed70dab3e97c9 |          | 
| |   Salt:           34f489926bf96102                                                                                 |          | 
| |   Key:            2d56cd87125373fab364c2df196cf29a05e4c8f1a1c99ada                                                 |          | 
| |   IV:             3e4f6d9aa6069a61                                                                                 |          | 
| |                                                                                                                    |          | 
| |   Deobfuscated:   ReallyGoodPassword                                                                               |          | 
|  --------------------------------------------------------------------------------------------------------------------           | 
 ---------------------------------------------------------------------------------------------------------------------------------  
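
The sample blob in the usage example decodes to two leading bytes followed by exactly the Salt and Data values the tool prints. The block below is an added example, not code from this repository: it splits a blob on that layout and flags matching values in a configuration file so they can be treated as recoverable credentials. Reading byte 0 as a marker, byte 1 as the salt length, and the 8-byte block size are assumptions inferred from the sample output; `CONSTRUCTED_CONFIG` is constructed sample input.

```ruby
require 'base64'

# Layout inferred from the README's sample output (assumption, not Sophos documentation):
#   byte 0     marker (0x07 in the sample)
#   byte 1     salt length (0x08 in the sample)
#   next N     salt
#   remainder  ciphertext ("Data" in the tool's output)
SAMPLE_BLOB = 'Bwg09ImSa/lhAgB3NzKRnrBY1aU5eQFHQTursgQOjutmYw==' # from the README
SAMPLE_MARKER = 0x07 # assumption: other marker values may exist
BLOCK_SIZE = 8       # assumption: the 8-byte IV in the output implies a 64-bit block

# Constructed sample input: one obfuscated credential and one unrelated base64 value.
CONSTRUCTED_CONFIG = <<~CFG
  Username = svc-update
  Password = Bwg09ImSa/lhAgB3NzKRnrBY1aU5eQFHQTursgQOjutmYw==
  Checksum = QUJDREVGR0hJSktMTU5PUFFSU1Q=
CFG

# Split a blob into marker, salt and ciphertext; nil if it does not fit the layout.
def split_blob(b64)
  raw = Base64.strict_decode64(b64)
  raise ArgumentError, 'too short' if raw.bytesize < 2
  marker, salt_len = raw.unpack('CC')
  salt = raw.byteslice(2, salt_len)
  data = raw.byteslice(2 + salt_len, raw.bytesize)
  raise ArgumentError, 'truncated salt' if salt.nil? || salt.bytesize != salt_len
  raise ArgumentError, 'no ciphertext' if data.nil? || data.empty?
  { marker: marker, salt: salt.unpack1('H*'), data: data.unpack1('H*') }
rescue ArgumentError
  nil # invalid base64 or wrong shape
end

# True when a token has the sample's marker and block-aligned ciphertext.
def reversible_credential?(token)
  parts = split_blob(token)
  return false unless parts
  parts[:marker] == SAMPLE_MARKER && ((parts[:data].length / 2) % BLOCK_SIZE).zero?
end

# Return every base64-looking token in the text that fits the obfuscated layout.
def audit(text)
  text.scan(%r{[A-Za-z0-9+/]{16,}={0,2}}).select { |t| reversible_credential?(t) }
end

puts audit(CONSTRUCTED_CONFIG) if __FILE__ == $PROGRAM_NAME
```

Any value `audit` returns is obfuscated rather than protected, so the account behind it should be scoped and rotated as if the password were stored in clear text.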

About

Sophos Enterprise Console username/password (ObfuscationUtil.exe) deobfuscator
