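def get_secrets(sysaddr, secaddr, profile):
    """Collect the decrypted values stored under the hive's Policy\\Secrets key.

    Args:
        sysaddr: Address space handed to get_bootkey (presumably the SYSTEM
            hive; confirm against the caller).
        secaddr: Address space the secrets are read from; must expose
            read(offset, length) and is handed to get_root/get_lsa_key.
        profile: Profile object passed through to every hive helper.

    Returns:
        A dict mapping each subkey name under Policy\\Secrets to the bytes
        returned by decrypt_secret, or None when the hive root, the bootkey,
        the LSA key or the Policy\\Secrets key cannot be obtained. Subkeys
        without a CurrVal key, without a first value, or whose raw data cannot
        be read are skipped rather than aborting the whole walk.
    """
    root = get_root(secaddr, profile)
    if not root:
        return None

    # Bail out on a missing bootkey before it is handed to get_lsa_key,
    # mirroring the ordering used by dump_hashes.
    bootkey = get_bootkey(sysaddr, profile)
    if not bootkey:
        return None
    lsakey = get_lsa_key(secaddr, bootkey, profile)
    if not lsakey:
        return None

    secrets_key = open_key(root, ["Policy", "Secrets"])
    if not secrets_key:
        return None

    secrets = {}
    for key in subkeys(secrets_key):
        sec_val_key = open_key(key, ["CurrVal"])
        if not sec_val_key:
            continue

        enc_secret_value = sec_val_key.ValueList.List[0]
        if not enc_secret_value:
            continue

        enc_secret = secaddr.read(enc_secret_value.Data, enc_secret_value.DataLength)
        if not enc_secret:
            continue

        # The first 0xC bytes of the raw value are dropped before decryption;
        # only the remainder is passed to decrypt_secret.
        secrets[key.Name] = decrypt_secret(enc_secret[0xC:], lsakey)

    return secrets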
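def dump_hashes(sysaddr, secaddr, profile):
    """Collect the decrypted entries of the hive's Cache key.

    Args:
        sysaddr: Address space handed to get_bootkey (presumably the SYSTEM
            hive; confirm against the caller).
        secaddr: Address space holding the Cache key; handed to get_lsa_key,
            get_nlkm and get_root.
        profile: Profile object passed through to every hive helper.

    Returns:
        A list of (username, domain, domain_name, hash) tuples as produced by
        parse_decrypted_cache, or None when the bootkey, the LSA key, the key
        returned by get_nlkm, the hive root or the Cache key cannot be
        obtained. The NL$Control value, entries whose raw data cannot be read
        and entries with a zero username length are skipped.
    """
    bootkey = get_bootkey(sysaddr, profile)
    if not bootkey:
        return None
    lsakey = get_lsa_key(secaddr, bootkey, profile)
    if not lsakey:
        return None
    nlkm = get_nlkm(secaddr, lsakey, profile)
    if not nlkm:
        return None
    root = get_root(secaddr, profile)
    if not root:
        return None
    cache = open_key(root, ["Cache"])
    if not cache:
        return None

    hashes = []
    for v in values(cache):
        # NL$Control is not treated as a cache entry.
        if v.Name == "NL$Control":
            continue

        data = v.vm.read(v.Data, v.DataLength)
        # An unreadable value would otherwise be passed to parse_cache_entry;
        # skip it the same way get_secrets skips unreadable secret data.
        if not data:
            continue

        (uname_len, domain_len, domain_name_len, enc_data, ch) = parse_cache_entry(data)
        # Skip if nothing in this cache entry
        if uname_len == 0:
            continue

        dec_data = decrypt_hash(enc_data, nlkm, ch)
        # hash_value rather than hash: avoid shadowing the builtin.
        (username, domain, domain_name, hash_value) = parse_decrypted_cache(
            dec_data, uname_len, domain_len, domain_name_len
        )
        hashes.append((username, domain, domain_name, hash_value))

    return hashes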