Install PuTTY on your local Windows or Linux system. If you wish to deploy a new server, follow the Creating a Compute Instance guide to create a Linode. Most Linux distributions have an SSH server preinstalled. Before You BeginĮnsure you have a Linux server with an SSH server (like OpenSSH) installed. It can be downloaded from GitHub or used via the Metasploit post-exploitation module: /post/windows/gather/credentials/solar_putty.While PuTTY is compatible with Windows 10, you may want to review the Connecting to a Remote Server Over SSH on Windows guide for alternatives to PuTTY that may better suit your needs and preferences. SolarPuttyDecrypt is a post-exploitation/forensics tool to decrypt SolarPuTTY’s sessions files and retrieve plain-text credentials. Backtracking the `DoExport` function I found the `Crypto.Encrypt` and `Crypto.Decrypt` functions.Īt this point was a matter of couple of minutes understanding how the `Crypto.Encrypt` function works and writing down a simple script to batch retrieve locally stored sessions and/or exported session.I’ve searched for the string “Export Session” as a “Constant” and in the `OnExportModel` I discovered the `DoExport` function.I’ve started off identifing the “export” functionality: Then, I’ve loaded it into ILSpy and started the reverse engineering process. The next step was to reverse engineering Solar-Putty in order to understand how it was storing the sessions and how to reverse the encryption.įirst step, I tried identifying the language it was written in and if it was packed/crypted in any way.Ī simple C#. Now, despite being a pretty straightforward and easy method I wanted something able to retrieve plaintext password in batch since I had hundred of saved sessions. tsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)Īnd here the results: Auth attempt for user root with password: mysup3rsecretPassword1!! Sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) Print('Auth attempt for user %s with key: %s' % (username, key.get_base64()))ĭef check_channel_exec_request(self, channel, command): Print('Auth attempt for user %s with password: %s ' % (username, password))ĭef check_auth_publickey(self, username, key): Host_key = paramiko.RSAKey(filename=sys.argv)ĭef check_channel_request(self, kind, chanid):ĭef check_auth_password(self, username, password): Print "Need private RSA key as argument." I wrote this simple script (already used in the past to solve a CTF) in order to log SSH credentials: #!/usr/bin/env python The first idea that I had was to generate a “fake” SSH server that logs credentials provided by the user (as per previous point 2 and 3: I was able to export the sessions and Solar-Putty won’t complain if the server fingerprint is changed). Retrieve the Plain-Text Stored Sessions Quick and dirty method Solar-Putty won’t alert if the server fingerprint differs from the stored one as the exported sessions does not contains the server fingerprint information.Since sessions are not protected by a master password they can be freely used and moreover, exported from Solar-PuTTY (they can also be exported with an empty password).Their location can be found in: %appdata%\SolarWinds\FreeTools\Solar-PuTTY\data.dat The first thing that I would like to point out is that saved sessions are locally stored in a (not really) encrypted format as they are not protected by a master password choosen by the user. I exported all the saved sessions from one of the machines and decided to work offline trying to recover them all in plain-text. Unfortunately, there was no easy way to directly see the stored password but the “Export Sessions” functionality caught my attention. Solar PuTTY, allows its users to store sessions and credentials or private keys for an easy login. Solar-PuTTY is a solarwinds version (with improved GUI and couple more functionalities) of the already well known PuTTY, an SSH (and telnet) client for the Windows platform. It can be downloaded as a standalone executable from GitHub ( Source Code) or used via the Metasploit post-exploitation module: /post/windows/gather/credentials/solar_putty.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |