def getBootKey(self): # Local Version whenever we are given the files directly bootKey = '' tmpKey = '' winreg = winregistry.Registry(self.__systemHive, self.__isRemote) # We gotta find out the Current Control Set currentControlSet = winreg.getValue('\\Select\\Current')[1] currentControlSet = "ControlSet%03d" % currentControlSet for key in ['JD', 'Skew1', 'GBG', 'Data']: logging.debug('Retrieving class info for %s' % key) ans = winreg.getClass('\\%s\\Control\\Lsa\\%s' % (currentControlSet, key)) digit = ans[:16].decode('utf-16le') tmpKey = tmpKey + digit transforms = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7] tmpKey = unhexlify(tmpKey) for i in xrange(len(tmpKey)): bootKey += tmpKey[transforms[i]] logging.info('Target system bootKey: 0x%s' % hexlify(bootKey)) return bootKey
def main(): # Init the example's logger theme logger.init() print(version.BANNER) parser = argparse.ArgumentParser(add_help = True, description = "Reads data from registry hives.") parser.add_argument('hive', action='store', help='registry hive to open') subparsers = parser.add_subparsers(help='actions', dest='action') # A enum_key command enumkey_parser = subparsers.add_parser('enum_key', help='enumerates the subkeys of the specified open registry key') enumkey_parser.add_argument('-name', action='store', required=True, help='registry key') enumkey_parser.add_argument('-recursive', dest='recursive', action='store_true', required=False, help='recursive search (default False)') # A enum_values command enumvalues_parser = subparsers.add_parser('enum_values', help='enumerates the values for the specified open registry key') enumvalues_parser.add_argument('-name', action='store', required=True, help='registry key') # A get_value command getvalue_parser = subparsers.add_parser('get_value', help='retrieves the data for the specified registry value') getvalue_parser.add_argument('-name', action='store', required=True, help='registry value') # A get_class command getclass_parser = subparsers.add_parser('get_class', help='retrieves the data for the specified registry class') getclass_parser.add_argument('-name', action='store', required=True, help='registry class name') # A walk command walk_parser = subparsers.add_parser('walk', help='walks the registry from the name node down') walk_parser.add_argument('-name', action='store', required=True, help='registry class name to start walking down from') if len(sys.argv)==1: parser.print_help() sys.exit(1) options = parser.parse_args() reg = winregistry.Registry(options.hive) if options.action.upper() == 'ENUM_KEY': print("[%s]" % options.name) enumKey(reg, options.name, options.recursive) elif options.action.upper() == 'ENUM_VALUES': enumValues(reg, options.name) elif options.action.upper() == 'GET_VALUE': getValue(reg, options.name) elif options.action.upper() == 'GET_CLASS': getClass(reg, options.name) elif options.action.upper() == 'WALK': walk(reg, options.name) reg.close()
def checkNoLMHashPolicy(self): # logging.debug('Checking NoLMHash Policy') winreg = winregistry.Registry(self.__systemHive, self.__isRemote) # We gotta find out the Current Control Set currentControlSet = winreg.getValue('\\Select\\Current')[1] currentControlSet = "ControlSet%03d" % currentControlSet noLmHash = winreg.getValue('\\%s\\Control\\Lsa\\NoLmHash' % currentControlSet) if noLmHash is not None: noLmHash = noLmHash[1] else: noLmHash = 0 if noLmHash != 1: # logging.debug('LMHashes are being stored') return False # logging.debug('LMHashes are NOT being stored') return True
def getBootKey(system): # Local Version whenever we are given the files directly bootKey = b'' tmpKey = b'' winreg = winregistry.Registry(system, False) # We gotta find out the Current Control Set currentControlSet = winreg.getValue('\\Select\\Current')[1] currentControlSet = "ControlSet%03d" % currentControlSet for key in ['JD', 'Skew1', 'GBG', 'Data']: ans = winreg.getClass('\\%s\\Control\\Lsa\\%s' % (currentControlSet, key)) digit = ans[:16].decode('utf-16le') tmpKey = tmpKey + b(digit) transforms = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7] tmpKey = unhexlify(tmpKey) for i in range(len(tmpKey)): bootKey += tmpKey[transforms[i]:transforms[i] + 1] return bootKey
def __init__(self, hiveFile=None): self.__hiveFile = hiveFile if self.__hiveFile is not None: self.__registry_hive = winregistry.Registry(self.__hiveFile, isRemote=True)