Pentest-Story: Empirum password decryption
During our internal pentests we often came across the client management software Empirum from Matrix42. On closer inspection of various configuration files, some .ini files under the Configurator share were particularly noticeable. They contain several encrypted strings; their length and character set indicate that different algorithms are in use. After some research on the Internet it was clear that EmpCrypt.exe encrypts passwords reversibly.
USER_2=DOMAIN\user
PASSWORD_2_SETUP=****************
PASSWORD_2_EIS=********************************
PASSWORD_2_SYNC=*****************************************************************************
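As an added example (not from the original post and not Matrix42 code), a small Python audit script an administrator can run over a copy of the Configurator share to inventory PASSWORD* entries by ciphertext length and character class, so the affected credentials can be located and rotated without the ciphertexts themselves being logged. The sample .ini content, its values and the `scan_share` helper are constructed for this example, not real Empirum data.

```python
import os
import re
from collections import Counter

# Constructed sample in the style of the .ini entries shown above; the values
# are made-up placeholders, not real Empirum ciphertext.
SAMPLE_INI = """\
[Setup]
USER_2=DOMAIN\\user
PASSWORD_2_SETUP=0123456789ABCDEF
PASSWORD_2_EIS=0123456789abcdef0123456789abcdef
PASSWORD_2_SYNC=AbCd+EfGh/IjKlMnOpQrStUvWxYz0123456789==
"""
# PASSWORD... keys; the value is everything after '=' up to whitespace.
CRED_KEY = re.compile(r"^\s*(PASSWORD[^=\s]*)\s*=\s*(\S+)\s*$", re.IGNORECASE)

def charset_class(value):
    """Coarse character class to group ciphertexts; does not name the cipher."""
    if re.fullmatch(r"[0-9A-Fa-f]+", value):
        return "hex"
    if re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return "base64-like"
    return "other"

def find_credential_entries(ini_text):
    """Return (key, ciphertext length, class) per PASSWORD* line; the
    ciphertext itself is deliberately not returned or logged."""
    entries = []
    for line in ini_text.splitlines():
        m = CRED_KEY.match(line)
        if m:
            entries.append((m.group(1), len(m.group(2)), charset_class(m.group(2))))
    return entries

def summarize(entries):
    """Count entries per (length, class) so distinct encodings stand out."""
    return Counter((length, cls) for _, length, cls in entries)

def scan_share(root):
    """Walk a copy of the Configurator share; return {ini path: entries}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".ini"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = find_credential_entries(fh.read())
                if found:
                    report[path] = found
    return report
```

Run `scan_share` against an offline copy of the share and feed the combined entries to `summarize` to see how many distinct (length, class) groups exist before planning the credential rotation.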
Sources
- https://www.syss.de/fileadmin/dokumente/Publikationen/2015/Privilege_Escalation_via_Client_Management_Software__Part_II.pdf
- https://seclists.org/fulldisclosure/2013/Feb/71
Since EmpCrypt.exe can be modified to decrypt the passwords, it is likely that the hidden functionality was built in by the manufacturer.
Calling the exe file without parameters
The software was analyzed with Ghidra, and a hidden command line parameter was discovered that does not appear in the official help.
The encrypted strings from the .ini file could now be decrypted using the /D parameter.
Thanks for reading, cheers.
evait security GmbH | https://www.evait.de