Jump to content
Welcome, Guest
Existing user? Sign In

Sign In



Sign Up
Sign in to follow this  
24Ghz.

[C/C++]Extract password from TeamViewer

Recommended Posts

Extract password from TeamViewer memory using Frida

  Hi there, in this article we want to tell about our little research about password security in TeamViewer. The method can help during the pentest time for post exploitation to get access to another machine using TeamViewer.
TeamViewer automatically authentication

  A few days ago I worked on my windows cloud VPS with TeamViewer (where I set a custom password). After work I disconnected, at the next time when I wanted to connect, I saw that TeamViewer had auto-filled the password.tw_interface 

I think “Interesting, how can i get access to the password? How is the password stored in my computer?”
Password location

I dumped the memory of the TeamViewer and grepped password. 
dump

Ooo yeees, ? password in the memory is stored in Unicode format. It turns out that if you finish work with TeamViewer and don’t kill the process (or exit from TeamViewer the password will be stored in memory)menu

  

After analyzing we understood that the first red area is a start magic data, in the second one – end magic data (from time to time, end magic data has this value = 00 00 00 20 00 00).
Script for getting password

To extract passwords from memory we wrote two mini programs, in Python and C++ language.
Thx Frida team for a wonderful tool! Our python script attaches to the TeamViewer.exe process, gets the base address and memory size of each library in this process. After that, it dumps one by one memory area, searches parts with [00 88] bytes at the start and [00 00 00] bytes in the end and copies them in the array. The next and the last step is choosing end decoding raws according to the regexp and password policy.

 

python_work_example

cpp_poc

For the future

The programs can extract well remote ID and passwords, but he also gets some false positive dates. If we will have free time, we will try to reduce false positive rates.
Optimize C++ code from https://github.com/vah13/extractTVpasswords
examples

c++ example

cppex

 

python examplepyex 

 

 

Sursa: https://github.com/vah13/extractTVpasswords

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

About Us

Fioriginal.Ro Gaming community

© FiOriginal.ro

Important Links

Rules

Important Links

Making a comeback
×
×
  • Create New...