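    def test_decrypt_lsa_key_nt5(self):
        """Check decrypt_lsa_key_nt5 against a sample NT5-format LSA key blob.

        The fixture is an encrypted LSA key value plus the matching syskey;
        the helper must yield three keys, and the second one must equal
        the expected plaintext ``r`` byte for byte.
        """
        # Function-scope import: binascii.unhexlify works on both Python 2
        # and 3, whereas str.decode("hex") only exists on Python 2.
        import binascii

        lsakey = binascii.unhexlify(
            "010000000100000000000000060677c4"
            "63ced8d548dc2c528f2a64a5a4427907"
            "5941537344cb7231c657f294ee4c5df0"
            "e57268683de207cba0338cf0ea6b8e51"
            "54a2ac6b219e2099ece22650")
        syskey = binascii.unhexlify("35bc7242385ed971867e722369bd8db4")
        r = binascii.unhexlify("b150b4b4d14976cb9709fd3c8e001eab")

        keys = crypto.decrypt_lsa_key_nt5(lsakey, syskey)
        # assertEqual, not the deprecated assertEquals alias (dropped in 3.12).
        self.assertEqual(len(keys), 3)
        self.assertEqual(len(keys[1]), len(r))
        self.assertEqual(keys[1], r)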
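    def test_decrypt_lsa_key_nt5(self):
        """Check decrypt_lsa_key_nt5 against a sample NT5-format LSA key blob.

        The fixture is an encrypted LSA key value plus the matching syskey;
        the helper must yield three keys, and the second one must equal
        the expected plaintext ``r`` byte for byte.
        """
        # Function-scope import: binascii.unhexlify works on both Python 2
        # and 3, whereas str.decode("hex") only exists on Python 2.
        import binascii

        lsakey = binascii.unhexlify(
            "010000000100000000000000060677c4"
            "63ced8d548dc2c528f2a64a5a4427907"
            "5941537344cb7231c657f294ee4c5df0"
            "e57268683de207cba0338cf0ea6b8e51"
            "54a2ac6b219e2099ece22650")
        syskey = binascii.unhexlify("35bc7242385ed971867e722369bd8db4")
        r = binascii.unhexlify("b150b4b4d14976cb9709fd3c8e001eab")

        keys = crypto.decrypt_lsa_key_nt5(lsakey, syskey)
        # assertEqual, not the deprecated assertEquals alias (dropped in 3.12).
        self.assertEqual(len(keys), 3)
        self.assertEqual(len(keys[1]), len(r))
        self.assertEqual(keys[1], r)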
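    def get_lsa_key(self, security):
        """Read and decrypt the LSA secret key for "CurrentControlSet".

        The policy revision is read from Policy\\PolRevision. For revisions
        above 1.09 (NT6-style hives) the encrypted key is taken from
        Policy\\PolEKList; otherwise (NT5-style hives) from
        Policy\\PolSecretEncryptionKey.

        security is the full path to the SECURITY registry hive (usually
        located under the %WINDIR%\\system32\\config\\ directory).

        Decrypting the LSA key requires the syskey, so self.get_syskey()
        must have been called first unless self.syskey was set directly.

        Side effects: fills self.policy["minor"], ["major"] and ["value"]
        (the float major.minor, kept for callers that compare it) and sets
        self.lsakeys to the decrypted key material.

        Returns the current LSA key as produced by the crypto helpers.
        Raises ValueError if self.syskey is not set.
        """
        if self.syskey is None:
            raise ValueError(
                "Must provide syskey or call get_syskey() method first")
        with open(security, 'rb') as f:
            r = Registry.Registry(f)
            rev = eater.Eater(
                r.open("Policy\\PolRevision").value("(default)").value())
            minor = rev.eat("H")
            major = rev.eat("H")
            self.policy["minor"] = minor
            self.policy["major"] = major
            # Kept as a float for existing callers. The version test below
            # uses the integer pair instead, so a minor revision of 100 or
            # more (the field is presumably 16-bit) cannot garble the
            # "%d.%02d" formatting and misclassify the hive.
            self.policy["value"] = float("%d.%02d" % (major, minor))
            # Equivalent to value > 1.09 for two-digit minors.
            is_nt6 = (major, minor) > (1, 9)
            if is_nt6:
                # NT6
                key_path = "Policy\\PolEKList"
            else:
                # NT5
                key_path = "Policy\\PolSecretEncryptionKey"
            lsakey = r.open(key_path).value("(default)").value()
        if is_nt6:
            currentKey, self.lsakeys = crypto.decrypt_lsa_key_nt6(
                lsakey, self.syskey)
            return self.lsakeys[currentKey]["key"]
        self.lsakeys = crypto.decrypt_lsa_key_nt5(lsakey, self.syskey)
        return self.lsakeys[1]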
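    def get_lsa_key(self, security):
        """Read and decrypt the LSA secret key for "CurrentControlSet".

        The policy revision is read from Policy\\PolRevision. For revisions
        above 1.09 (NT6-style hives) the encrypted key is taken from
        Policy\\PolEKList; otherwise (NT5-style hives) from
        Policy\\PolSecretEncryptionKey.

        security is the full path to the SECURITY registry hive (usually
        located under the %WINDIR%\\system32\\config\\ directory).

        Decrypting the LSA key requires the syskey, so self.get_syskey()
        must have been called first unless self.syskey was set directly.

        Side effects: fills self.policy["minor"], ["major"] and ["value"]
        (the float major.minor, kept for callers that compare it) and sets
        self.lsakeys to the decrypted key material.

        Returns the current LSA key as produced by the crypto helpers.
        Raises ValueError if self.syskey is not set.
        """
        if self.syskey is None:
            raise ValueError("Must provide syskey or call get_syskey() method first")
        with open(security, 'rb') as f:
            r = Registry.Registry(f)
            rev = eater.Eater(r.open("Policy\\PolRevision").value("(default)").value())
            minor = rev.eat("H")
            major = rev.eat("H")
            self.policy["minor"] = minor
            self.policy["major"] = major
            # Kept as a float for existing callers. The version test below
            # uses the integer pair instead, so a minor revision of 100 or
            # more (the field is presumably 16-bit) cannot garble the
            # "%d.%02d" formatting and misclassify the hive.
            self.policy["value"] = float("%d.%02d" % (major, minor))
            # Equivalent to value > 1.09 for two-digit minors.
            is_nt6 = (major, minor) > (1, 9)
            if is_nt6:
                # NT6
                key_path = "Policy\\PolEKList"
            else:
                # NT5
                key_path = "Policy\\PolSecretEncryptionKey"
            lsakey = r.open(key_path).value("(default)").value()
        if is_nt6:
            currentKey, self.lsakeys = crypto.decrypt_lsa_key_nt6(lsakey, self.syskey)
            return self.lsakeys[currentKey]["key"]
        self.lsakeys = crypto.decrypt_lsa_key_nt5(lsakey, self.syskey)
        return self.lsakeys[1]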