When no master password is set, it is trivial to reverse the 'encryption' applied to the stored passwords. It is a simple series of bitwise operations that uses the username concatenated with the host name as a sort of pseudo-key, so nothing secret is needed to undo it. To simplify the process of stealing these passwords I have created a Metasploit Post module, /modules/post/windows/gather/enum-winscp_pwds.rb, which was committed in the latest revision.
Once again, I am pleased to be contributing to the Metasploit project. I want to take a moment to especially thank egyp7, hdm, and jduck for their help and support. They put up with a lot of dumb questions while I was working on this module. It is only the third one I have created and the second to get committed. The Metasploit team is an amazing group of people to work with. They freely share their knowledge and experience and make Metasploit truly a community-driven project, instead of just another piece of OSS. I look forward to continuing to contribute to the Metasploit project.
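As an added example (not code from this post or from the Metasploit module it describes), here is a defender-side audit in Python that reads a WinSCP.ini export and reports which saved sessions carry a stored password that no master password protects, along with the usernames and ports every saved session exposes. It assumes WinSCP's INI layout of one [Sessions\<name>] section per session with HostName, UserName, PortNumber and Password keys, plus UseMasterPassword under [Configuration\Security], and that an omitted PortNumber means the default port 22; the INI content is constructed sample data.

```python
import configparser
# Constructed sample of a WinSCP.ini export; the Password value is a dummy hex blob.
SAMPLE_INI = """\
[Configuration\\Security]
UseMasterPassword=0

[Sessions\\prod-sftp]
HostName=sftp.example.internal
UserName=deploy
PortNumber=2222
Password=DEADBEEF00

[Sessions\\jump-host]
HostName=jump.example.internal
UserName=alice
"""

def audit_winscp_ini(text):
    """Return (master_password_set, sessions); each session dict lists what a
    reader of the file learns about it. Key names are the assumed WinSCP layout."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names exactly as WinSCP writes them
    cp.read_string(text)
    sec = "Configuration\\Security"
    master = cp.has_section(sec) and cp[sec].get("UseMasterPassword", "0") == "1"
    sessions = []
    for name in cp.sections():
        if not name.startswith("Sessions\\"):
            continue
        s = cp[name]
        sessions.append({
            "name": name.split("\\", 1)[1],
            "host": s.get("HostName", ""),
            "user": s.get("UserName", ""),
            "port": s.get("PortNumber", "22"),  # assumption: the default port is omitted
            "password_saved": "Password" in s,
        })
    return master, sessions

def at_risk_sessions(text):
    """Sessions whose stored password is recoverable: a password is saved and no
    master password is set (the exact condition the post describes)."""
    master, sessions = audit_winscp_ini(text)
    return [] if master else [s["name"] for s in sessions if s["password_saved"]]

if __name__ == "__main__":
    for s in audit_winscp_ini(SAMPLE_INI)[1]:
        print(f"{s['name']}: {s['user']}@{s['host']}:{s['port']}", "password saved" if s["password_saved"] else "no password saved")
    print("recoverable without master password:", at_risk_sessions(SAMPLE_INI))
```

Even the sessions flagged "no password saved" still hand over a valid username, host and port, which is the point made in the comments below.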
If we only save the session and not the password, does this behavior still occur?
Mikey, the session information will be saved, but not the password. The Metasploit module I wrote will only harvest the sessions if the password is there. However, even without the password, the saved sessions are a wealth of information as they give us valid usernames and ports for a specific host. This could aid with any brute-force attempts.
Yikes! Any way to protect that information?