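def get_secrets(sysaddr, secaddr, vista):
    """Return the LSA secrets stored under Policy\\Secrets in the SECURITY hive.

    Args:
        sysaddr: address space of the SYSTEM hive; the boot key is read from it.
        secaddr: address space of the SECURITY hive holding Policy\\Secrets.
        vista: truthy selects ``decrypt_aes`` on the raw value data; otherwise
            ``decrypt_secret`` is applied to the data after its first 0xC bytes.

    Returns:
        dict mapping each secret's key name to its decrypted value, or None
        when the hive root, the boot key, the LSA key or the Secrets key
        cannot be obtained. Entries whose CurrVal cannot be read are skipped.
    """
    root = get_root(secaddr)
    if not root:
        return None

    bootkey = get_bootkey(sysaddr)
    if not bootkey:
        # get_bootkey can yield a falsy value (dump_hashes guards the same
        # call); return None instead of handing it on to get_lsa_key.
        return None
    lsakey = get_lsa_key(secaddr, bootkey, vista)
    if not lsakey:
        return None

    secrets_key = open_key(root, ["Policy", "Secrets"])
    if not secrets_key:
        return None

    secrets = {}
    for key in subkeys(secrets_key):
        sec_val_key = open_key(key, ["CurrVal"])
        if not sec_val_key:
            continue

        # NOTE(review): assumes the value list has at least one entry —
        # confirm what ValueList.List[0] yields on an empty list.
        enc_secret_value = sec_val_key.ValueList.List[0]
        if not enc_secret_value:
            continue

        enc_secret = secaddr.read(enc_secret_value.Data.value,
                                  enc_secret_value.DataLength.value)
        if not enc_secret:
            continue

        if vista:
            secret = decrypt_aes(enc_secret, lsakey)
        else:
            # The first 0xC bytes of the stored value are not ciphertext
            # on this path and are skipped before decryption.
            secret = decrypt_secret(enc_secret[0xC:], lsakey)

        secrets[key.Name] = secret

    return secrets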
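def get_secrets(sysaddr, secaddr):
    """Return the LSA secrets stored under Policy\\Secrets in the SECURITY hive.

    Every CurrVal entry is decrypted with ``decrypt_secret``; the plaintext
    begins with a little-endian 32-bit length and the secret itself starts
    at offset 16 and runs for that many bytes.

    Args:
        sysaddr: address space of the SYSTEM hive; the boot key is read from it.
        secaddr: address space of the SECURITY hive holding Policy\\Secrets.

    Returns:
        dict mapping each secret's key name to its trimmed decrypted value,
        or None when the hive root, the boot key, the LSA key or the Secrets
        key cannot be obtained. Entries whose CurrVal cannot be read, or
        whose plaintext is too short to carry a length prefix, are skipped.
    """
    root = get_root(secaddr)
    if not root:
        return None

    bootkey = get_bootkey(sysaddr)
    if not bootkey:
        # get_bootkey can yield a falsy value (dump_hashes guards the same
        # call); return None instead of handing it on to get_lsa_key.
        return None
    lsakey = get_lsa_key(secaddr, bootkey)
    if not lsakey:
        return None

    secrets_key = open_key(root, ["Policy", "Secrets"])
    if not secrets_key:
        return None

    secrets = {}
    for key in subkeys(secrets_key):
        sec_val_key = open_key(key, ["CurrVal"])
        if not sec_val_key:
            continue

        # NOTE(review): assumes the value list has at least one entry —
        # confirm what ValueList.List[0] yields on an empty list.
        enc_secret_value = sec_val_key.ValueList.List[0]
        if not enc_secret_value:
            continue

        enc_secret = secaddr.read(enc_secret_value.Data.value,
                                  enc_secret_value.DataLength.value)
        if not enc_secret:
            continue

        secret = decrypt_secret(enc_secret, lsakey)
        if not secret or len(secret) < 4:
            # unpack("<L") needs four bytes; a shorter result would raise
            # struct.error and abort the whole dump for one bad entry.
            continue

        (secret_len,) = unpack("<L", secret[:4])
        secrets[key.Name] = secret[16:16 + secret_len]

    return secrets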
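def dump_hashes(sysaddr, secaddr, vista):
    """Return the decrypted cached logon entries stored under the Cache key.

    Args:
        sysaddr: address space of the SYSTEM hive; the boot key is read from it.
        secaddr: address space of the SECURITY hive; the LSA key, the NL$KM
            key and the Cache key are all taken from it.
        vista: truthy selects ``decrypt_hash_vista`` for each entry;
            otherwise ``decrypt_hash`` is used. It is also passed through
            to ``get_lsa_key`` and ``get_nlkm``.

    Returns:
        list of ``(value_name, username, domain, domain_name, hash)`` tuples,
        one per populated Cache value other than NL$Control. An empty list is
        returned when the boot key, LSA key, NL$KM key, hive root or Cache
        key is unavailable.
    """
    bootkey = get_bootkey(sysaddr)
    if not bootkey:
        return []
    lsakey = get_lsa_key(secaddr, bootkey, vista)
    if not lsakey:
        return []
    nlkm = get_nlkm(secaddr, lsakey, vista)
    if not nlkm:
        return []

    root = get_root(secaddr)
    if not root:
        return []
    cache = open_key(root, ["Cache"])
    if not cache:
        return []

    hashes = []
    for v in values(cache):
        # NL$Control is not a cache entry and is never parsed.
        if v.Name == "NL$Control":
            continue

        data = v.space.read(v.Data.value, v.DataLength.value)
        if not data:
            # read() appears to return a falsy value when the bytes are
            # unavailable (get_secrets guards the same call); skip the
            # entry rather than let parse_cache_entry fail on it.
            continue

        (uname_len, domain_len, domain_name_len,
         enc_data, ch) = parse_cache_entry(data)

        # Skip if nothing in this cache entry
        if uname_len == 0:
            continue

        if vista:
            dec_data = decrypt_hash_vista(enc_data, nlkm, ch)
        else:
            dec_data = decrypt_hash(enc_data, nlkm, ch)

        # Local renamed from `hash` so the builtin is not shadowed.
        (username, domain, domain_name,
         hash_value) = parse_decrypted_cache(dec_data, uname_len,
                                             domain_len, domain_name_len)
        hashes.append((v.Name, username, domain, domain_name, hash_value))

    return hashes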
def get_syskey(syshive_fname):
    """Return the boot key (SysKey) derived from the SYSTEM hive file *syshive_fname*.

    The file is wrapped in a ``HiveFileAddressSpace`` and handed to
    ``get_bootkey``; whatever that returns is passed back unchanged.
    """
    return get_bootkey(HiveFileAddressSpace(syshive_fname))