WinSCP stores ssh session passwords in an encoded format in either the registry or a config file called WinSCP.ini.
This python script searches in the WinSCP default locations to extract stored credentials for the current user, when executed locally on the target. If a WinSCP.ini config file is already present the script can decode stored credentials as seen below. To gather WinSCP credentials from a remote target or a range of targets there is a module present for the pentesting Tool NetExec called "winscp".
These default locations are:
- registry
- %APPDATA%\WinSCP.ini
- %USER%\Documents\WinSCP.ini
Alternatively, a registry hive can be decrypted locally if it has been exported from the target (NTUSER.DAT file from the user home folder).
WinSCPPasswdExtractor is available on pypi.org. Therefore it is recommended to install this tool with pipx:
pipx install WinSCPPasswdExtractorAlternatively you could install it with pip or simply download the file and run it.
You can either specify a file path if you know the exact path to an existing WinSCP.ini file or you let the tool itself look if any credentials are stored in the default locations. If the provided file is a recovered registry hive, pass the -r or --registry flag.
With pipx:
WinSCPPasswdExtractor
WinSCPPasswdExtractor --path <path-to-winscp-file>
WinSCPPasswdExtractor --path <path-to-ntuser-hive-file> --registryManually downloaded:
python WinSCPPasswdExtractor.py
python WinSCPPasswdExtractor.py --path <path-to-winscp-file>
python WinSCPPasswdExtractor.py --path <path-to-ntuser-hive-file> --registryThis Tool is based on the work of winscppasswd, the ruby winscp parser from Metasploit-Framework and the awesome work from winscppassword.
They did the hard stuff