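def main():
    """Dump Windows account password hashes from a memory image via Volatility.

    Command line (argparse):
        -mf  path to the memory image (.vmem)          -- required
        -p   path to a Volatility checkout; appended to sys.path -- required
        -pr  Volatility profile name, default "WinXPSP2x86" (the value this
             script previously hard-coded)

    With either required option missing, usage is printed and the process
    exits 0.  Otherwise the SAM and SYSTEM hives are located with RegistryApi
    and their offsets handed to lsadump's HashDump, whose results are printed
    one per line.
    """
    parser = argparse.ArgumentParser(description="Hashed password grabber")
    parser.add_argument("-mf", action="store", dest="file",
                        help="memory file(.vmem)")
    # A filesystem path, so it must stay a string: declaring it type=int
    # made argparse reject every real path before the script even started.
    parser.add_argument("-p", action="store", dest="path",
                        help="path to volatility")
    parser.add_argument("-pr", "--profile", action="store", dest="profile",
                        default="WinXPSP2x86",
                        help="volatility profile (default: WinXPSP2x86)")
    results = parser.parse_args()

    if results.file is None or results.path is None:
        parser.print_help()
        sys.exit(0)

    memory_file = results.file  # .vmem

    # Everything under this directory becomes importable from here, so only
    # ever point -p at a Volatility checkout you trust.
    sys.path.append(results.path)
    registry.PluginImporter()
    config = conf.ConfObject()
    config.parse_options()
    config.PROFILE = results.profile
    # NOTE(review): the path is neither made absolute nor URL-escaped before
    # being wrapped in a file:// URL; paths with spaces or odd characters may
    # need that -- confirm against how Volatility's own -f option builds it.
    config.LOCATION = "file://{0}".format(memory_file)

    registry.register_global_options(config, commands.Command)
    registry.register_global_options(config, addrspace.BaseAddressSpace)

    # Deliberately NOT called `registry`: an assignment to that name anywhere
    # in this function makes it a local for the whole function, so the
    # registry.PluginImporter() call above would raise UnboundLocalError.
    reg_api = RegistryApi(config)
    reg_api.populate_offsets()  # programmatic equivalent of `hivelist`

    sam_offset = None
    sys_offset = None

    # Walk every discovered hive looking for SAM and SYSTEM.  The test is a
    # case-sensitive suffix match; NOTE(review): confirm the casing matches
    # the hive names your profile/image actually reports.
    for offset in reg_api.all_offsets:
        hive_name = reg_api.all_offsets[offset]
        if hive_name.endswith("\\SAM"):
            sam_offset = offset
            print("[*]SAM: 0x%08x" % offset)
        if hive_name.endswith("\\system"):
            sys_offset = offset
            print("[*]System: 0x%08x" % offset)
        if sam_offset is not None and sys_offset is not None:
            break

    # Only meaningful once the whole hive list has been scanned.
    if sam_offset is None or sys_offset is None:
        print("[*]Failed to find the system or SAM offset.")
        return

    # HashDump reads both hive offsets from the shared config object.
    config.sys_offset = sys_offset
    config.sam_offset = sam_offset
    hashdump = HashDump(config)

    # Every entry is credential material (account hash records): treat the
    # output as sensitive and keep it out of shared logs or tickets.
    for entry in hashdump.calculate():
        print(entry)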
from volatility.plugins.registry.lsadump import HashDump

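# Locate the SAM and SYSTEM hives in the image and hand their offsets to
# lsadump's HashDump.  Named `reg_api` rather than `registry` so the
# volatility.registry module (if it is imported above) is not clobbered.
reg_api = RegistryApi(config)
reg_api.populate_offsets()  # programmatic equivalent of the hivelist command

sam_offset = None
sys_offset = None

for offset in reg_api.all_offsets:
    hive_name = reg_api.all_offsets[offset]

    # Case-sensitive suffix match; NOTE(review): confirm the casing matches
    # the hive names your profile/image actually reports.
    if hive_name.endswith("\\SAM"):
        sam_offset = offset
        print("[*] SAM: 0x%08x" % offset)

    if hive_name.endswith("\\system"):
        sys_offset = offset
        print("[*] System: 0x%08x" % offset)

    if sam_offset is not None and sys_offset is not None:
        # HashDump reads both hive offsets from the shared config object.
        config.sys_offset = sys_offset
        config.sam_offset = sam_offset

        hashdump = HashDump(config)

        # Each entry is credential material (account hash records); treat
        # the output as sensitive rather than logging it casually.
        for entry in hashdump.calculate():
            print(entry)

        break

if sam_offset is None or sys_offset is None:
    print("[*] Failed to find the system or SAM offsets.")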
    )  # https://github.com/volatilityfoundation/volatility
    config.LOCATION = memory_file
    registry.register_global_options(config, commands.Command)
    registry.register_global_options(config, addrspace.BaseAddressSpace)
    registry = RegistryApi(config)
    registry.populate_offsets(
    )  # populate_offsets 함수는 hivelist 명령을 실행하는 작업을 수행한다.
    sam_offset = None
    sys_offset = None
    for offset in registry.all_offsets:  # 발견된 하이브를 모두 확인
        if registry.all_offsets[offset].endswith("\\SAM"):  # SAM 하이브를 찾는다.
            sam_offset = offset
            print "[+] SAM : 0x%08x" % offset
        if registry.all_offsets[offset].endswith(
                "\\system"):  # SYSTEM 하이브를 찾는다.
            sys_offset = offset
            print "[+] System : 0x%08x" % offset
        if sam_offset is not None and sys_offset is not None:  # 두 하이브를 찾았을 경우
            config.sys_offset = sys_offset  # config 객체에 오프셋 저장
            config.sam_offset = sam_offset
            hashdump = HashDump(config)  # HashDump 객체 생성
            for hash in hashdump.calculate():  # 결과 출력
                print hash
            break
    if sam_offset is None or sys_offset is None:
        print "[-] Failed to find the system or SAM offsets."
    time.sleep(30)
except Exception, e:
    print "[-] ", e
    time.sleep(30)
    exit(0)
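# Find the SAM and SYSTEM hives and dump the account hashes they hold.
# `reg_api` instead of `registry` so the volatility.registry module (if it
# is imported above) stays reachable.
reg_api = RegistryApi(config)
reg_api.populate_offsets()  # programmatic equivalent of the hivelist command

sam_offset = None
sys_offset = None

for offset in reg_api.all_offsets:
    hive_name = reg_api.all_offsets[offset]

    # Case-sensitive suffix match; NOTE(review): confirm the casing matches
    # the hive names your profile/image actually reports.
    if hive_name.endswith("\\SAM"):
        sam_offset = offset
        print("[*] SAM: 0x%08x" % offset)

    if hive_name.endswith("\\system"):
        sys_offset = offset
        print("[*] System: 0x%08x" % offset)

    if sam_offset is not None and sys_offset is not None:
        # HashDump reads both hive offsets from the shared config object.
        config.sys_offset = sys_offset
        config.sam_offset = sam_offset

        hashdump = HashDump(config)

        # Output is credential material (account hash records) -- handle it
        # as sensitive data, not as ordinary tool output.
        for entry in hashdump.calculate():
            print(entry)

        break

if sam_offset is None or sys_offset is None:
    print("[*] Failed to find the system or SAM offsets.")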
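# This call performs the equivalent of the hivelist command covered earlier.
registry.populate_offsets()

sam_offset = None
sys_offset = None

# Walk each discovered hive looking for the SAM and SYSTEM locations.
for offset in registry.all_offsets:
    hive_name = registry.all_offsets[offset]

    # Case-sensitive suffix match; NOTE(review): confirm the casing matches
    # the hive names your profile/image actually reports.
    if hive_name.endswith("\\SAM"):
        sam_offset = offset
        print("[*] SAM: 0x%08x" % offset)

    if hive_name.endswith("\\system"):
        sys_offset = offset
        print("[*] System: 0x%08x" % offset)

    if sam_offset is not None and sys_offset is not None:
        # Once both are found, update the current config object with the
        # relevant offsets; HashDump reads them from there.
        config.sys_offset = sys_offset
        config.sam_offset = sam_offset

        # Build a HashDump object from the current configuration ...
        hashdump = HashDump(config)

        # ... and iterate the results of calculate(), which yields the user
        # names and their associated hashes.  This is credential material:
        # treat the output as sensitive.
        for entry in hashdump.calculate():
            print(entry)
        break

if sam_offset is None or sys_offset is None:
    print("[*] Failed to find the system or SAM offsets.")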