Sophos Deobfuscator
---------------------------------------------------------------------------------------------------------------------------------
| Sophos Enterprise Console username/password deobfuscator 03/12/18 |
| |
| Author: Joshua Coleman |
| Usage: ruby sophos_deobfuscate.rb |
| |
| ObfuscationUtil.exe is a tool provided by Sophos to obfuscate administrator account credentials: |
| ObfuscationUtil.exe --obfuscate -w |
| ObfuscationUtil.exe --obfuscate -w |
| |
| "Where and are the username and password that are needed to obfuscate. |
| These credentials should have administrator privileges to access the files in the CID." |
| - https://community.sophos.com/kb/en-us/13094 |
| |
| Sidenote: The -w flag is optional and outputs the obfuscated data as a wstring. |
| Each character is of type wchar_t - its size is compiler-dependent. |
| 8, 16, or 32 bits - signed or unsigned. |
| |
| This tool is able to deobfuscate obfuscated strings (standard or wide) generated by SEC's ObfuscationUtil.exe. |
| |
| Usage example: |
| -------------------------------------------------------------------------------------------------------------------- |
| | [josh@poseidon]> awk 'NF > 1 {print $4}' obfuscated_password.txt | |
| | Bwg09ImSa/lhAgB3NzKRnrBY1aU5eQFHQTursgQOjutmYw== | |
| | | |
| | [josh@poseidon]> ruby sophos_deobfuscate.rb 'Bwg09ImSa/lhAgB3NzKRnrBY1aU5eQFHQTursgQOjutmYw==' | |
| | Data: 00773732919eb058d5a539790147413babb2040e8eeb6663 | |
| | Password (KDF): 5644b2629112c5facfd15923e8f097493b73455eae613454485bc61f785f0008b340fc34e05ad98b71aed70dab3e97c9 | |
| | Salt: 34f489926bf96102 | |
| | Key: 2d56cd87125373fab364c2df196cf29a05e4c8f1a1c99ada | |
| | IV: 3e4f6d9aa6069a61 | |
| | | |
| | Deobfuscated: ReallyGoodPassword | |
| -------------------------------------------------------------------------------------------------------------------- |
---------------------------------------------------------------------------------------------------------------------------------
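
The layout of an obfuscated string can be read off the sample run above: after base64 decoding, the Salt and Data values the tool prints are contiguous fields of the input itself. The following Ruby code is an added example, not taken from sophos_deobfuscate.rb; the meaning of the two header bytes (type marker, salt length), the 8-byte block check, and the names parse_obfuscated and SAMPLE_BLOB are assumptions inferred from that single sample.

```ruby
require 'base64'

# Obfuscated string copied from the usage example above.
SAMPLE_BLOB = 'Bwg09ImSa/lhAgB3NzKRnrBY1aU5eQFHQTursgQOjutmYw=='

# Assumed layout (inferred from the sample, not a documented format):
#   byte 0        type marker (0x07 in the sample)
#   byte 1        salt length in bytes (0x08 in the sample)
#   next N bytes  salt
#   remainder     encrypted data
BLOCK_SIZE = 8 # assumption: matches the 8-byte IV in the sample output

def to_hex(bytes)
  bytes.unpack1('H*')
end

# Split an obfuscated string into its fields.
# Raises ArgumentError on invalid base64 or a layout that does not fit.
def parse_obfuscated(b64)
  raw = Base64.strict_decode64(b64.strip) # raises ArgumentError if invalid
  raise ArgumentError, 'too short for a header' if raw.bytesize < 2

  type, salt_len = raw.unpack('CC')
  raise ArgumentError, 'truncated salt' if raw.bytesize < 2 + salt_len

  salt = raw.byteslice(2, salt_len)
  data = raw.byteslice(2 + salt_len, raw.bytesize)
  if data.empty? || data.bytesize % BLOCK_SIZE != 0
    raise ArgumentError, 'data is not a whole number of blocks'
  end

  { type: type, salt: to_hex(salt), data: to_hex(data) }
end

# Stand-alone run: print the fields of the sample string.
puts parse_obfuscated(SAMPLE_BLOB) if __FILE__ == $PROGRAM_NAME
```

The salt and the encrypted data both travel inside the string, so nothing supplied by the administrator is needed to recover the other values shown in the tool's output.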