VMware vCenter Operations Manager password de/encrypter

vcops-passwords.py

#!/usr/bin/env python2
# VMware vCenter Operations Manager password de/encrypter
# author: takeshix@adversec.com
from sys import argv,exit
from base64 import b64encode,b64decode
from Crypto.Cipher import AES

class vCopsCrypt:
    # AES128 wrapper class with PKCS5 padding 
    BLOCK_SIZE = 16
    def encrypt(self):
        cipher = AES.new(KEY,AES.MODE_CBC,IV)
        return cipher.encrypt(self.pkcs5_pad(STRING))

    def decrypt(self):
        cipher = AES.new(KEY,AES.MODE_CBC,IV)
        return self.pkcs5_unpad(cipher.decrypt(STRING))

    def pkcs5_pad(self,s):
        return s + (self.BLOCK_SIZE - len(s) % self.BLOCK_SIZE) * chr(self.BLOCK_SIZE - len(s) % self.BLOCK_SIZE)

    def pkcs5_unpad(self,s):
        return s[0:-ord(s[-1])]

if __name__ == "__main__":
    if len(argv) is not 4:
        print '{} [enc|dec] [key] [plaintext|ciphertext]'.format(argv[0])
        print ''
        print 'Default location of key: /usr/lib/vmware-vcops/user/conf/key.txt'
        exit(1)

    MODE = argv[1]
    KEY = argv[2]
    STRING = argv[3]
    # The 16 byte key is used as IV for CBC operations
    IV = KEY

    # vCops generates 16 bytes keys on first boot
    if len(KEY) is not 16:
        print 'Invalid key length'
        exit(1)

    # Remove trailing @ from encrypted passwords
    if STRING.endswith('@'):
        STRING = STRING[:-1]

    c = vCopsCrypt()

    if MODE == 'enc':
        ciphertext = c.encrypt()
        print b64encode(ciphertext)
    elif MODE == 'dec':
        try:
            STRING = b64decode(STRING)
        except TypeError:
            print 'Not a valid base64 string'
            exit(1)
        plaintext = c.decrypt()
        print plaintext
    else:
        print 'Invalid mode: {}'.format(MODE)