VSS Repository... really?... REALLY?!
Several months ago I was approached by a project manager asking for help with some truly legacy code; stuff that was so old it existed only in an ancient source safe database that hadn'tseen the light of day in years. Unfortunately no one had (or remembered) credentials to get in and this project update wasn't going away any time soon. We needed a solution to crack the database and get access to our client's code. Needless to say, this was one of the last projects I wanted to work on.
VSS is known to have a crappy security implementation, so I took it as a challenge to write my own password cracker based on some sparse interwebs info, and my own penetration testing. Needless to say, the rumors of the lax security model implemented in VSS are true. This started out with a client need, and ended up turning into a fun little security project.
The goals that I set for myself were pretty simple:
- Leverage a simple command line interface
- Crack the passwords for one or more users
- Exploit VSS custom hash functionality
- Export the cracked passwords to a text file
You. Poor. Bastard.
The now aptly named You Poor Bastard is pretty straight-forward. The following command via CMD/Powershell
.\YouPoorBastard.exe -p "C:\SomeDataFolder\YourVSSDirectory" -e "C:\SomeDataFolder\Export.txt"
Will iterate all the users in the database and export the resulting passwords to a tab separated file.
You can also generate passwords for a single user and print them to the screen rather than a file. It's not the fanciest thing I've ever written, but when you need a tool like this, you really need it.