Go to your windows vm and do this.
RunAudit.bat shows that CascAudit.exe is run with the db file as an argument:
Itโs a .NET binary:
Iโll jump over to a Windows VM and use DNSpy to take a look. In the MailModule, thereโs this code:
It is opening an SQLite connection to the database passed as an arg, reading from the LDAP table, and decrypting the password.
Last updated
root@kali# cat RunAudit.bat
CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db"root@kali# file CascAudit.exe
CascAudit.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windowsnamespace CascAudiot
{
// Token: 0x02000008 RID: 8
[StandardModule]
internal sealed class MainModule
{
// Token: 0x0600000F RID: 15 RVA: 0x00002128 File Offset: 0x00000328
[STAThread]
public static void Main()
{
if (MyProject.Application.CommandLineArgs.Count != 1)
{
Console.WriteLine("Invalid number of command line args specified. Must specify database path only");
return;
}
checked
{
using (SQLiteConnection sqliteConnection = new SQLiteConnection("Data Source=" + MyProject.Application.CommandLineArgs[0] + ";Version=3;"))
{
string str = string.Empty;
string password = string.Empty;
string str2 = string.Empty;
try
{
sqliteConnection.Open();
using (SQLiteCommand sqliteCommand = new SQLiteCommand("SELECT * FROM LDAP", sqliteConnection))
{
using (SQLiteDataReader sqliteDataReader = sqliteCommand.ExecuteReader())
{
sqliteDataReader.Read();
str = Conversions.ToString(sqliteDataReader["Uname"]);
str2 = Conversions.ToString(sqliteDataReader["Domain"]);
string encryptedString = Conversions.ToString(sqliteDataReader["Pwd"]);
try
{
password = Crypto.DecryptString(encryptedString, "c4scadek3y654321");
}
catch (Exception ex)
{
Console.WriteLine("Error decrypting password: " + ex.Message);
return;
}
}
}
sqliteConnection.Close();
}
catch (Exception ex2)
{
Console.WriteLine("Error getting LDAP connection data From database: " + ex2.Message);
return;
}
...[snip]...