mirror of
https://github.com/NetSPI/PowerHuntShares.git
synced 2025-05-04 19:28:42 +02:00
149 lines
5.1 KiB
PowerShell
149 lines
5.1 KiB
PowerShell
|
|
# Author: Scott Sutherland, NetSPI (@_nullbind / nullbind)
|
|
# Intended input: dbvis.xml files
|
|
|
|
function Get-PwDbvisxml{
|
|
param (
|
|
[string]$ComputerName = $null, # Optional
|
|
[string]$ShareName = $null, # Optional
|
|
[string]$UncFilePath = $null, # Optional
|
|
[string]$FileName = $null, # Optional
|
|
[string]$FilePath # Required
|
|
)
|
|
|
|
# Parameters for password decryption
|
|
$password = "qinda" # hard-coded key
|
|
$iterations = 10
|
|
$salt = [byte[]]@(142, 18, 57, 156, 7, 114, 111, 90)
|
|
|
|
# Create the key and cipher for PBEWithMD5AndDES
|
|
$spec = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($password, $salt, $iterations)
|
|
$key = $spec.GetBytes(8) # DES key size is 8 bytes
|
|
$des = New-Object System.Security.Cryptography.DESCryptoServiceProvider
|
|
$des.Key = $key
|
|
$des.IV = $salt[0..7]
|
|
$des.Padding = 'PKCS7'
|
|
|
|
# Decrypt Function
|
|
function Decrypt-Pw ($encryptedText) {
|
|
$encryptedBytes = [Convert]::FromBase64String($encryptedText)
|
|
$decryptor = $des.CreateDecryptor()
|
|
$decryptedBytes = $decryptor.TransformFinalBlock($encryptedBytes, 0, $encryptedBytes.Length)
|
|
return [System.Text.Encoding]::UTF8.GetString($decryptedBytes)
|
|
}
|
|
|
|
# Load and parse dbvis.xml
|
|
[xml]$xml = Get-Content -Path $FilePath
|
|
|
|
# Extract connection details
|
|
$connectionNode = $xml.dbvis.connections.connection
|
|
|
|
# Extract required fields
|
|
$targetServer = $connectionNode.url -replace 'jdbc:mysql://([^:/]+).*','$1'
|
|
$targetPort = $connectionNode.url -replace '.*:(\d+)/.*','$1'
|
|
$username = $connectionNode.user
|
|
$passwordEnc = $connectionNode.password
|
|
$decryptedPassword = Decrypt-Pw -encryptedText $passwordEnc
|
|
|
|
# Return result object
|
|
return [PSCustomObject]@{
|
|
ComputerName = $ComputerName
|
|
ShareName = $ShareName
|
|
UncFilePath = $UncFilePath
|
|
FileName = $FileName
|
|
Section = "NA"
|
|
ObjectName = "NA"
|
|
TargetURL = "NA"
|
|
TargetServer = $targetServer
|
|
TargetPort = $targetPort
|
|
Database = "NA"
|
|
Domain = "NA"
|
|
Username = $username
|
|
Password = $decryptedPassword
|
|
PasswordEnc = $passwordEnc
|
|
KeyFilePath = "NA"
|
|
}
|
|
}
|
|
|
|
# Example command
|
|
# Get-PwDbvisxml -ComputerName "MyComputer" -ShareName "MyShare" -UncFilePath "\\MyComputer\MyShare\dbvis.xml" -FileName "dbvis.xml" -FilePath "C:\temp\dbvis.xml"
|
|
|
|
<# Sample dbvis.xml
|
|
|
|
<dbvis>
|
|
<connections>
|
|
<connection>
|
|
<name>MyDatabaseConnection</name>
|
|
<url>jdbc:mysql://localhost:3306/mydatabase</url>
|
|
<user>db_user</user>
|
|
<password>+mQwYxIFaEjZ/MWJDkm1SCWhHw7xPXWd</password> <!-- Encrypted using DES with default key or a master password -->
|
|
<driver>com.mysql.jdbc.Driver</driver>
|
|
</connection>
|
|
</connections>
|
|
</dbvis>
|
|
|
|
#>
|
|
|
|
<# Bonus encryption and decryption functions
|
|
|
|
# Parameters
|
|
$password = "qinda"
|
|
$iterations = 10
|
|
$salt = [byte[]]@(142, 18, 57, 156, 7, 114, 111, 90)
|
|
|
|
# Create the key and cipher for PBEWithMD5AndDES
|
|
$keyBytes = [System.Text.Encoding]::UTF8.GetBytes($password)
|
|
$spec = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($password, $salt, $iterations)
|
|
$key = $spec.GetBytes(8) # DES key size is 8 bytes
|
|
|
|
# Initialize DES encryption with PKCS7 padding
|
|
$des = New-Object System.Security.Cryptography.DESCryptoServiceProvider
|
|
$des.Key = $key
|
|
$des.IV = $salt[0..7] # DES requires an 8-byte IV, derived from salt
|
|
$des.Padding = 'PKCS7' # Set padding mode to PKCS7
|
|
|
|
# Encrypt Function
|
|
function Encrypt-Pw ($plainText) {
|
|
$plainBytes = [System.Text.Encoding]::UTF8.GetBytes($plainText)
|
|
$encryptor = $des.CreateEncryptor()
|
|
$encryptedBytes = $encryptor.TransformFinalBlock($plainBytes, 0, $plainBytes.Length)
|
|
return [Convert]::ToBase64String($encryptedBytes)
|
|
}
|
|
that
|
|
# Example usage
|
|
$plaintextPassword = "mydbvispasswordinclr"
|
|
$encryptedPassword = Encrypt-Pw -plainText $plaintextPassword
|
|
Write-Output "Encrypted Password: $encryptedPassword"
|
|
|
|
# -----------
|
|
|
|
# Parameters
|
|
$password = "qinda"
|
|
$iterations = 10
|
|
$salt = [byte[]]@(142, 18, 57, 156, 7, 114, 111, 90)
|
|
|
|
# Create the key and cipher for PBEWithMD5AndDES
|
|
$keyBytes = [System.Text.Encoding]::UTF8.GetBytes($password)
|
|
$spec = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($password, $salt, $iterations)
|
|
$key = $spec.GetBytes(8) # DES key size is 8 bytes
|
|
|
|
# Initialize DES encryption with PKCS7 padding
|
|
$des = New-Object System.Security.Cryptography.DESCryptoServiceProvider
|
|
$des.Key = $key
|
|
$des.IV = $salt[0..7] # DES requires an 8-byte IV, derived from salt
|
|
$des.Padding = 'PKCS7' # Set padding mode to PKCS7
|
|
|
|
# Decrypt Function
|
|
function Decrypt-Pw ($encryptedText) {
|
|
$encryptedBytes = [Convert]::FromBase64String($encryptedText)
|
|
$decryptor = $des.CreateDecryptor()
|
|
$decryptedBytes = $decryptor.TransformFinalBlock($encryptedBytes, 0, $encryptedBytes.Length)
|
|
return [System.Text.Encoding]::UTF8.GetString($decryptedBytes)
|
|
}
|
|
|
|
# Example usage
|
|
$decryptedPassword = Decrypt-Pw -encryptedText $encryptedPassword
|
|
Write-Output "Decrypted Password: $decryptedPassword"
|
|
|
|
#>
|