Fixing password decryption length

NeffIsBack · NeffIsBack · commit 4b4036a5a1a9 · 2024-05-05T12:29:49.000-04:00
diff --git a/nxc/modules/vnc.py b/nxc/modules/vnc.py
@@ -150,7 +150,6 @@ def vnc_from_registry(self, remote_ops):
                 value = self.reg_query_value(remote_ops, path, password).encode().rstrip(b"\x00").decode()
                 value = unhexlify(value)
             except Exception as e:
-                print(e)
                 if "ERROR_FILE_NOT_FOUND" not in str(e):
                     self.context.log.debug(f"Error while RegQueryValue {path}\\{user}: {e}")
                 continue
@@ -169,7 +168,7 @@ def vnc_from_registry(self, remote_ops):
     def split_len(self, seq, length):
         return [seq[i:i + length] for i in range(0, len(seq), length)]
 
-    def recover_vncpassword(self, cipher):
+    def recover_vncpassword(self, cipher: bytes):
         encpasswd = cipher.hex()
         pwd = None
         if encpasswd:
@@ -189,11 +188,13 @@ def recover_vncpassword(self, cipher):
                 pwd = self.decrypt_password(cipher)
         return pwd
 
-    def decrypt_password(self, password):
+    def decrypt_password(self, password: bytes):
+        length = len(password)
         try:
-            password = (password + b"\x00" * 8)[:8]
+            if length <= 16:
+                password += b"\x00" * (16 - length)
             cipher = DES.new(key=self.vnc_decryption_key, mode=DES.MODE_ECB)
-            return cipher.decrypt(password)
+            return cipher.decrypt(password)[:length]
         except Exception as ex:
             self.context.log.debug(f"Error while decrypting VNC password {password}: {ex}")
 
@@ -213,5 +214,5 @@ def vnc_from_filesystem(self, dploot_conn):
                     passwds_encrypted = re.findall(regex, file_content)
                     for passwd_encrypted in passwds_encrypted:
                         passwd_encrypted = passwd_encrypted.split(b"=")[-1]
-                        password = self.decrypt_password(unhexlify(passwd_encrypted))
+                        password = self.recover_vncpassword(unhexlify(passwd_encrypted))[:8]
                         self.context.log.highlight(f"[{vnc_name}] Password: {password.decode('latin-1')}")
