![]() ![]() ![]() String plainText = JsonConvert.SerializeObject(value) Moving forward it will serialize the object into JSON format and that's the first part of exporting the session credentials files. Well it'll check your filename to output to and prompt a window where you can choose the path to save your exported credential to and if the directory doesn't exist in the path, it'll create it. It first starts with a try condition where it sets the variable value with the value from the function **GeneralExportList()** which is a function that carries the format of how the export shall be in plain text as shown below is the source code of the mentioned function: Let's break down how this code works, so first this function takes two arguments and these are **fileName** and **password** which by default is set to null. If (!RegistryHelper.GetPuttyImported() || !File.Exists(text))", arg)) The codes above actually create something like this as an output : `C:\Users\tahaafarooq\AppData\Roaming\SolarWinds\FreeTools\Solar-PuTTY\data.dat` String text = Path.Combine(this.ExportedDirectoryPath, "data.dat") This.ExportedDirectoryPath = Path.Combine(Environment.GetFolderPath(), "SolarWinds\\FreeTools\\Solar-PuTTY\\") Generally the path of the sessions file **data.dat** is `C:\Users\\AppData\Roaming\SolarWinds\FreeTools\Solar-PuTTY\data.dat`įirst it defines the path of the session file, and checks whether the file exists or not, as well as it's Registry. And from that I was able to find the function that exports the credentials files and the function that imports the credentials files.Ībove are the code of the function **AutoImportSessions()**, this function generally auto imports the sessions files that holds the credentials and host names of where the user logs in to. ![]() In the class **SolarWindsSSH.ViewModel** we have a clear view of what every button of the solar-putty application does when opened. I start reviewing each one of these classes looking for my main goal, and that's "how the passwords are exported and how it decodes them when imported" Taking a closer look on **Solar-PuTTY.exe** it has some interesting classes: That's how it should look after uploading the files in **dnSpy.exe**. NET Debugging and Assembly Editing, and i'll upload all the extracted files in there for analysis ![]() Now that I have them in my windows, I'll proceed by running **dnSpy.exe** which is a very nice tool for. Let's move all these extracted files to my windows lab and I can work up smoothly on reversing the. It's a **.NET Assembly** Windows executables, which makes it even fun for me :) Solar-Test.exe: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections Solar-PuTTY.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections In the `` there is some interesting information:īut notice that it also pulled up Solar-PuTTY.exe from the archive, I try to see if it's the same compared to the first file that I replaced with the name "Solar-Test.exe" I proceed by extracting the files inside **Solar-PuTTY.exe**:Īfter extracting all of the files, it's time I review what's juicy inside these files Solar-PuTTY.exe: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sectionsīut more details, it's also a Nullsoft self extracting Archive!, which makes this even more interesting! It's a PE32 executable, for Microsoft Windows: There was nothing important I found from this, So first to understand how this file is made and how it contains the sessions with the credentials to each host I need to reverse engineer the software Solar-PuTTY. It asks for a password that will be used to protect the exported data, and then it'll export the data, Regardless of the export feature the sessions are actually saved to a file in the path : `C:\Users\tahaafarooq\AppData\Roaming\SolarWinds\FreeTools\Solar-PuTTY\data.dat`Ĭhecking the content of the `data.dat` it's actually base64:ĭecoding the base64 would provide with some gibberish contents: Imagine you are a red team operator and you just got access to a user's computer in the network you are assessing, and the user uses Solar-PuTTY, in solar putty you have the feature that exports the sessions that can be reused in another device when imported. I have been using solar-putty for a while now, below is a preview of how solar-putty actually looks likeīasically it can hold sessions of the servers that you have access to and you don't need to re-enter the passwords! Solar-PuTTY is a standalone free terminal emulator and network file transfer tool based on the well-known PuTTY for Windows. ![]()
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |