PowerShell script that decrypts password entries from a Passwordstate server.

NorthwaveSecurity/passwordstate-decryptor

Passwordstate decryptor

Passwordstate decryptor is a PowerShell script for decrypting Passwordstate entries.
Usage • Examples • Issues • Information
Built with ❤ by the Northwave Red Team


Info

This script decrypts Passwordstate entries. In Passwordstate 8.9 - Build 8903 (released April 6th 2020), Click Studios changed the way encryption keys are derived; the folks at modzero discovered that, with this update, Click Studios decided to reverse the encryption key. In Passwordstate 9.7 - Build 9700 (released 7th February 2023), Click Studios changed the key derivation again; the folks at Division 5 discovered that encryption keys are now derived via HMAC-SHA256. The script therefore includes a build number flag (-BuildNo), which selects the correct key derivation algorithm for the given build number.

Usage

  1. Import the PasswordStateDecryptor module.
    • Import-Module .\PasswordStateDecryptor.ps1
  2. Point the script towards the web.config file.
    • Invoke-PasswordStateDecryptor -WebConfig 'C:\inetpub\PasswordState\web.config'
  3. Watch the script get and decrypt all password entries!

All options

NAME
    Invoke-PasswordStateDecryptor

SYNOPSIS
    Connects to a PasswordState database and extracts all passwords from
    a non-FIPS installation of PasswordState. Optionally allows offline
    decryption by giving in the secrets. For more information read the
    accompanied blog or the source code.

    Author: Robert Diepeveen (robert.diepeveen@northwave.nl)
    License: BSD 3-Clause
    Required Dependencies: None
    Optional Dependencies: None


SYNTAX
    Invoke-PasswordStateDecryptor [[-WebConfig] <String>] [[-SecretSplitterDLL] <String>] [[-FIPSMode] <Boolean>]
    [[-ConnectionString] <String>] [[-Secret1] <String>] [[-Secret2] <String>] [[-Secret3] <String>] [[-Secret4] <String>]
    [[-CSVPath] <String>] [[-EncryptionKey] <String>] [[-BuildNo] <Int32>] [<CommonParameters>]


DESCRIPTION
    Invoke-PasswordStateDecryptor will connect to the database, extract all of
    the information necessary to derive the encryption key, decrypt and return the
    plaintext passwords for all entries in the database.
    This script is intended to be run on a host that has all of the following:
        * SQLServer database server with PasswordState database
        * web.config from the original compromised PasswordState server
        * Moserware.SecretSplitter.dll somewhere (shipped in the repo or on the disk)
    An example of such a host is the PasswordState server itself.

    Alternatively, if you are able to compromise the database, export all entries to CSV, the build number
    and the secret1, secret2, secret3 and secret4 values or the encryption key, you can use the script offline. The
    CSV should contain (at least) the following fields: UserName, Password, Description and Title


RELATED LINKS

REMARKS
    To see the examples, type: "get-help Invoke-PasswordStateDecryptor -examples".
    For more information, type: "get-help Invoke-PasswordStateDecryptor -detailed".
    For technical information, type: "get-help Invoke-PasswordStateDecryptor -full".

Examples

[Image: PoC]

[Image: PoC2]

Issues

Issues or new features can be reported via the GitHub issue tracker. Please make sure your issue or feature has not yet been reported by anyone else before submitting a new one.

Information

The full decryption process is explained on the More info page.
