WinSCP stores ssh session passwords in an encoded format in either the registry or a config file called WinSCP.ini.
This python script searches in the WinSCP default locations to extract stored credentials for the current user, when executed locally on the target. If a WinSCP.ini config file is already present the script can decode stored credentials as seen below. To gather WinSCP credentials from a remote target or a range of targets there is a module present for the pentesting Tool CrackMapExec called "winscp_dump".
These default locations are:
- registry
- %APPDATA%\WinSCP.ini
- %USER%\Documents\WinSCP.ini
WinSCPPasswdExtractor is available on pypi.org. Therefore it is recommended to install this tool with pipx:
pipx install WinSCPPasswdExtractorAlternatively you could install it with pip or simply download the file and run it.
You can either specify a file path if you know the exact path to an existing WinSCP.ini file or you let the tool itself look if any credentials are stored in the default locations.
With pipx:
WinSCPPasswdExtractor
WinSCPPasswdExtractor <path-to-winscp-file>Manually downloaded:
python WinSCPPasswdExtractor.py
python WinSCPPasswdExtractor.py <path-to-winscp-file>This Tool is based on the work of winscppasswd, the ruby winscp parser from Metasploit-Framework and the awesome work from winscppassword.
They did the hard stuff