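def test_decrypt_lsa_key_nt5(self):
    """Check NT5-style LSA key decryption against a fixed test vector.

    ``lsakey`` is the encrypted blob as read from the hive (presumably the
    ``Policy\\PolSecretEncryptionKey`` value), ``syskey`` the boot key it
    was encrypted with, and ``expected`` the value entry 1 of the decrypted
    key list must hold.  The vector is pinned, so any change to
    ``crypto.decrypt_lsa_key_nt5`` that alters its output breaks this test.
    """
    # Function-scope import: unhexlify works on both Python 2 and 3,
    # unlike the str.decode("hex") codec this test used to rely on.
    import binascii

    lsakey = binascii.unhexlify(
        "010000000100000000000000060677c4"
        "63ced8d548dc2c528f2a64a5a4427907"
        "5941537344cb7231c657f294ee4c5df0"
        "e57268683de207cba0338cf0ea6b8e51"
        "54a2ac6b219e2099ece22650")
    syskey = binascii.unhexlify("35bc7242385ed971867e722369bd8db4")
    expected = binascii.unhexlify("b150b4b4d14976cb9709fd3c8e001eab")

    keys = crypto.decrypt_lsa_key_nt5(lsakey, syskey)

    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(len(keys), 3)
    self.assertEqual(len(keys[1]), len(expected))
    self.assertEqual(keys[1], expected)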
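def get_lsa_key(self, security):
    """Return the decrypted LSA secret key for "CurrentControlSet".

    The encrypted key blob is read from the SECURITY hive at ``security``
    (usually found under ``%WINDIR%\\system32\\config\\``).  Which value
    holds it depends on the hive's policy revision (``Policy\\PolRevision``):
    ``Policy\\PolEKList`` for revision 1.10 and later (NT6 format),
    ``Policy\\PolSecretEncryptionKey`` for older hives (NT5 format).

    Decryption needs the syskey, so ``self.get_syskey()`` must have been
    called first.  Side effects: ``self.policy`` receives the revision
    ("major", "minor" and the combined float "value") and ``self.lsakeys``
    every key recovered from the blob.  Errors raised by the registry
    parser (for example a missing ``Policy`` key) propagate unchanged.

    Args:
        security: path to the SECURITY registry hive file.

    Returns:
        The key material: the current key from the NT6 key list, or entry
        1 of the NT5 key list.

    Raises:
        ValueError: if ``self.syskey`` has not been set.
    """
    if self.syskey is None:
        raise ValueError(
            "Must provide syskey or call get_syskey() method first")

    with open(security, 'rb') as f:
        r = Registry.Registry(f)
        rev = eater.Eater(
            r.open("Policy\\PolRevision").value("(default)").value())
        # The revision value stores minor before major.
        self.policy["minor"] = rev.eat("H")
        self.policy["major"] = rev.eat("H")
        # Kept as a float because other code may read self.policy["value"];
        # "> 1.09" means revision 1.10 or later, i.e. the NT6 layout.
        self.policy["value"] = float(
            "%d.%02d" % (self.policy["major"], self.policy["minor"]))
        is_nt6 = self.policy["value"] > 1.09
        if is_nt6:
            keyname = "Policy\\PolEKList"
        else:
            keyname = "Policy\\PolSecretEncryptionKey"
        lsakey = r.open(keyname).value("(default)").value()

    # The hive is closed before any decryption happens; only the blob is kept.
    if is_nt6:
        current_key, self.lsakeys = crypto.decrypt_lsa_key_nt6(
            lsakey, self.syskey)
        return self.lsakeys[current_key]["key"]
    self.lsakeys = crypto.decrypt_lsa_key_nt5(lsakey, self.syskey)
    return self.lsakeys[1]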
def get_lsa_key(self, security):
    """Decrypt and return the LSA secret key for "CurrentControlSet".

    Reads the encrypted key blob from the SECURITY hive at ``security``
    (normally under ``%WINDIR%\\system32\\config\\``).  The hive's policy
    revision decides where the blob lives: ``Policy\\PolEKList`` for
    revision 1.10 and later (NT6), ``Policy\\PolSecretEncryptionKey``
    otherwise (NT5).

    ``self.syskey`` must already be set (see ``get_syskey()``), or
    ``ValueError`` is raised.  ``self.policy`` is updated with the revision
    ("minor", "major", "value") and ``self.lsakeys`` with all keys recovered
    from the blob.

    Args:
        security: path to the SECURITY registry hive file.

    Returns:
        The current key for an NT6 hive, or entry 1 of the key list for an
        NT5 hive.

    Raises:
        ValueError: if ``self.syskey`` is ``None``.
    """
    if self.syskey is None:
        raise ValueError("Must provide syskey or call get_syskey() method first")

    with open(security, 'rb') as hive:
        reg = Registry.Registry(hive)
        revision = eater.Eater(reg.open("Policy\\PolRevision").value("(default)").value())
        minor = revision.eat("H")
        major = revision.eat("H")
        self.policy["minor"] = minor
        self.policy["major"] = major
        self.policy["value"] = float("%d.%02d" % (major, minor))
        # Revision 1.10 and later use the NT6 layout.
        nt6 = self.policy["value"] > 1.09
        if nt6:
            blob = reg.open("Policy\\PolEKList").value("(default)").value()
        else:
            blob = reg.open("Policy\\PolSecretEncryptionKey").value("(default)").value()

    if not nt6:
        self.lsakeys = crypto.decrypt_lsa_key_nt5(blob, self.syskey)
        return self.lsakeys[1]
    current, self.lsakeys = crypto.decrypt_lsa_key_nt6(blob, self.syskey)
    return self.lsakeys[current]["key"]