{"id":13511116,"url":"https://github.com/Phaeilo/vol-openvpn","last_synced_at":"2025-03-30T19:30:45.071Z","repository":{"id":14646833,"uuid":"17364753","full_name":"Phaeilo/vol-openvpn","owner":"Phaeilo","description":"A Volatility plugin to extract credentials from the memory of a OpenVPN client.","archived":false,"fork":false,"pushed_at":"2014-09-26T12:42:18.000Z","size":121,"stargazers_count":28,"open_issues_count":0,"forks_count":4,"subscribers_count":9,"default_branch":"master","last_synced_at":"2024-11-20T05:30:42.888Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Phaeilo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-03-03T11:59:59.000Z","updated_at":"2024-10-15T19:44:33.000Z","dependencies_parsed_at":"2022-07-30T07:37:59.899Z","dependency_job_id":null,"html_url":"https://github.com/Phaeilo/vol-openvpn","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Phaeilo%2Fvol-openvpn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Phaeilo%2Fvol-openvpn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Phaeilo%2Fvol-openvpn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Phaeilo%2Fvol-openvpn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Phaeilo","download_url":"https://codeload.github.com/Phaeilo/vol-openvpn/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind
":"github","repositories_count":246368641,"owners_count":20766055,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T03:00:34.776Z","updated_at":"2025-03-30T19:30:44.818Z","avatar_url":"https://github.com/Phaeilo.png","language":"Python","funding_links":[],"categories":["Volatility 2"],"sub_categories":["Plugins"],"readme":"# OpenVPN credentials extractor\n\nThis repository contains a plugin for [Volatility](https://code.google.com/p/volatility/) that can extract credentials\nfrom the memory of an [OpenVPN](http://openvpn.net/index.php/open-source/) process. The username and password entered\nby the user, as well as passwords entered to unlock a private key can be recovered. OpenVPN's `--auth-nocache` flag\nmust not be set. The plugin supports OpenVPN 2.X.X on Windows. It was successfully tested with OpenVPN 2.2.2, 2.3.2 and\n2.3.4 on Windows XP (x86) and Windows 7 (x86 \u0026 x64).\n\nThis repository also contains a small plugin to extract base64/PEM encoded RSA private keys from memory.\n\n### Motivation\n\nThis plugin was developed as a part of a university assignment about virtual machine introspection. The Volatility\nframework was chosen, because it offers a wide variety of plugins and can interface with hypervisors through\n[libvmi](https://code.google.com/p/vmitools/) to perform introspection. OpenVPN was chosen as a target, because it is\nwidely deployed at the university to facilitate network access control. 
This allowed us to evaluate the security of the\nOpenVPN deployment and demonstrate the plugin on an application that students are familiar with in everyday use.\n\nIn a real-world scenario, the plugin may be handy for extracting credentials during an investigation or pentest engagement.\nYou can also use it to validate that OpenVPN's `--auth-nocache` flag works as intended.\n\n### Installation\n\nEither place the plugins into Volatility's `plugins/` directory, or use the `--plugins=` option to point Volatility\nto the directory containing `openvpn.py`.\n\n### Usage\n\nThe plugins expect no further arguments; just load a memory image and specify a profile for Volatility.\nA memory sample can be downloaded from https://mega.co.nz/#!Wx5kiZZS!77NiMTl8B_imwhl4JSg0lmRm90LZ9wgvFhQYxmmOioo.\nAfter downloading the memory dump, decompress it and run Volatility to extract the credentials:\n\n    unxz \"OpenVPN-2.3.4 XP 32.elf.xz\"\n    volatility -f \"OpenVPN-2.3.4 XP 32.elf\" --profile=WinXPSP3x86 openvpn\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPhaeilo%2Fvol-openvpn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FPhaeilo%2Fvol-openvpn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPhaeilo%2Fvol-openvpn/lists"}