They Can be found under HKEY_USERS\
So once again we rely on our ruby openssl implementations to do our decoding for us. First we pack the text from the registry:
Then we set up our AES implementation:
aes = OpenSSL::Cipher::Cipher.new("AES-128-ECB")
aes.padding = 0
aes.key = "hdfzpysvpzimorhk"
password= aes.update(cipher) + aes.final
The import thing to note here is the aes.padding property. This MUST be set to 0 or you will get bad decrypt errors. It took me quite a while to figure that out. The result, as usual, is an easily decrypted password. This once again highlights that static key encryption in a product like this is next to useless. Products that are going to save sensitive passwords should prompt a user to pick a master password, and sue that as an encryption key. This forever separates the encryption key from the software. It's the only real way to keep that data secure.
I submitted this module today, so it should hopefully get committed sometime in next couple of days. Keep your eyes peeled for post/windows/gather/enum_coreftp_passwords.rb