h0ny/MobaXtermDecryptor

## MobaXtermDecryptor [](https://github.com/h0ny "作者") [](https://github.com/h0ny/MobaXtermDecryptor "访客") [](https://github.com/h0ny/MobaXtermDecryptor "Stars")  [](https://github.com/h0ny/MobaXtermDecryptor/releases)  ### 介绍 一个简单的 MobaXterm 密码转储工具。 用户凭据存储的位置： | 注册表路径 | 注册表项 | MobaXterm.ini | 描述 | | --------------------------------- | ---------------------- | ------------- | ------------------------ | | HKCU\Software\Mobatek\MobaXterm | SessionP | [Misc] | Entropy (DPAPI) | | HKCU\Software\Mobatek\MobaXterm\M | UserName@MachineName | [Sesspass] | MasterPassword (base64) | | HKCU\Software\Mobatek\MobaXterm\P | [All Registry Entries] | [Passwords] | Passwords (ciphertext) | | HKCU\Software\Mobatek\MobaXterm\C | [All Registry Entries] | [Credentials] | Credentials (ciphertext) | 部分 MobaXterm.ini 内容示例： ``` [Misc] SessionP=656078197542 MPSetAccount=Administrator MPSetComputer=WIN-KC7O8UA7U4Q [Credentials] dev-user=root:hDkUY2nK [Passwords] mobauser@mobaserver=hnp+7YZCxO75h1e/w1tST2IvKHtWIIIRuKQ= [Sesspass] Administrator@WIN-Demo=AQAAALK+kjnRao9Fp9ljPL2GpQIAAAAAAgAAAAAAEGYAAAABAAAgAAAA8eEio3ElndSDHvad+IUTeuDcxECIp6BRTcnl4WUO0hQAAAAADoAAAAACAAAgAAAApYkVRexqVUB0W2aggCLirnpVr7XXvG4zkThBB5Cc34RgAAAAtuRBDfbxi9Ws5Fp7D2DAV12a/7+ZAC4Y8s6LryB0AmG6eByh2+ScguKs0nKsXupoHtQrq1esdbOF+KA5ObYKv7e9Cmb3X86HX90sRyaqRoi0faQ4BwL2EVFP3CAqNfVCQAAAAOIiPQ/546VgLw5vn2ptgn/ELHzOiGWwA7v9ov3Z0/POZrPXW+1jtb2PeGCkWyH82PDjx5c0UyO4j7xw/UzrDYE= ``` ### 使用方法 对于 MobaXterm 安装版本直接运行即可： ``` PS C:\> .\MobaXtermDecryptor.exe --debug [14:48:54 INF] [+] Logger initialized with level: Debug [14:48:54 INF] [+] Automatic mode [14:48:55 DBG] [+] Searching for MobaXterm process: [14:48:55 DBG] [+] Process Name: MobaXterm, Version: 24.2 [14:48:55 DBG] [+] Process ID: 2448, Path: C:\Program Files (x86)\Mobatek\MobaXterm\MobaXterm.exe [14:48:55 DBG] [-] MobaXterm.ini configuration file does not exist: C:\Program Files (x86)\Mobatek\MobaXterm\MobaXterm.ini [14:48:55 DBG] [+] Read information from the registry: HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\ [14:48:55 INF] [+] MobaXterm Installer Edition [14:48:55 INF] [+] MobaXterm Credentials: [14:48:55 INF] [*] Name: dev-user [14:48:55 INF] [*] Username: root [14:48:55 INF] [*] Password: Admin123 [14:48:55 INF] [*] [14:48:55 INF] [+] MobaXterm Passwords: [14:48:55 INF] [*] ConnName: mobauser@mobaserver [14:48:55 INF] [*] Password: 39214moba204877pass6472 [14:48:55 INF] [*] ``` 对于 MobaXterm 便携版本需要指定 MobaXterm.ini 文件： ``` PS C:\> .\MobaXtermDecryptor.exe mobaxterm --debug c:\Users\Administrator\Documents\MobaXterm\MobaXterm.ini [14:38:32 INF] [+] Logger initialized with level: Debug [14:38:32 INF] [+] Execute mobaxterm command [14:38:33 INF] [+] MobaXterm.ini configuration file path: c:\Users\hony\Documents\MobaXterm\MobaXterm.ini [14:38:33 INF] [+] MobaXterm Portable Edition [14:38:33 INF] [+] MobaXterm Credentials: [14:38:33 INF] [*] Name: dev-user [14:38:33 INF] [*] Username: root [14:38:33 INF] [*] Password: Admin123 [14:38:33 INF] [*] [14:38:33 INF] [+] MobaXterm Passwords: [14:38:33 INF] [*] ConnName: mobauser@mobaserver [14:38:33 INF] [*] Password: 100374moba240717pass345585 [14:38:33 INF] [*] ``` ### 参考项目 - https://github.com/qwqdanchun/Pillager - https://github.com/XMCyber/XMCredentialsDecryptor - https://github.com/HyperSine/how-does-MobaXterm-encrypt-password

标签：C#/.NET编程, Docker 部署, DPAPI, meg, MobaXterm, Windows注册表, 信息安全, 凭据窃取, 凭据转储, 哈希解密, 多人体追踪, 密码提取, 密码解密, 网络安全, 网络运维, 蓝军武器, 逆向分析, 隐私保护