def decrypt_hash(edata, nlkm, ch):
    """Apply RC4 to *edata* with a key derived as HMAC-MD5(*nlkm*, *ch*).

    Args:
        edata: encrypted bytes to process.
        nlkm: bytes used as the HMAC key (presumably the NL$KM secret,
            judging by the name — confirm against the caller).
        ch: bytes fed to the HMAC as the message (a per-entry salt/challenge).

    Returns:
        The RC4 output for ``edata``. RC4 is symmetric, so calling
        ``encrypt`` on ciphertext yields the plaintext.
    """
    # Key derivation: one HMAC-MD5 over ch keyed with nlkm, no stretching.
    key_material = hmac.new(nlkm, ch, hashlib.md5).digest()
    stream = RC4(key_material)
    return stream.encrypt(edata)
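def get_lsa_key(secaddr, bootkey, vista):
    """Recover the LSA secrets key from the SECURITY hive's Policy key.

    Args:
        secaddr: reader for the SECURITY hive; must be accepted by
            ``get_root`` and expose ``read(offset, length)``.
        bootkey: the boot key (syskey) bytes used to unwrap the stored key.
        vista: truthy selects the Vista+ layout (``PolEKList`` value,
            unwrapped with ``decrypt_aes``); falsy selects the older
            layout (``PolSecretEncryptionKey`` value, MD5/RC4 unwrap).

    Returns:
        The recovered key bytes, or ``None`` when the hive root, the
        expected key, its first value, or the value data cannot be read.
    """
    root = get_root(secaddr)
    if not root:
        return None

    value_name = b"PolEKList" if vista else b"PolSecretEncryptionKey"
    enc_reg_key = open_key(root, [b"Policy", value_name])
    if not enc_reg_key:
        return None

    # The original indexed List[0] unconditionally; an empty value list then
    # raised IndexError instead of returning None like every other check here.
    try:
        enc_reg_value = enc_reg_key.ValueList.List[0]
    except IndexError:
        return None
    if not enc_reg_value:
        return None

    obf_lsa_key = secaddr.read(enc_reg_value.Data.value, enc_reg_value.DataLength.value)
    if not obf_lsa_key:
        return None

    if vista:
        # AES-unwrapped blob; bytes 68..100 of the plaintext are returned.
        return decrypt_aes(obf_lsa_key, bootkey)[68:100]

    # Pre-Vista: RC4 key = MD5(bootkey || 1000 x blob[60:76]); the wrapped
    # key is blob[12:60], and bytes 16..32 of the RC4 output are returned.
    # NOTE(review): slices on a blob shorter than 76 bytes come back short
    # rather than failing — callers see a wrong-length key, not an error.
    md5 = hashlib.md5()
    md5.update(bootkey)
    for _ in range(1000):
        md5.update(obf_lsa_key[60:76])
    rc4 = RC4(md5.digest())
    return rc4.encrypt(obf_lsa_key[12:60])[0x10:0x20]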
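def get_hbootkey(samaddr, bootkey):
    """Derive the SAM hashed boot key from the Domains\\Account ``F`` value.

    Args:
        samaddr: reader for the SAM hive; must be accepted by ``get_root``
            and expose ``read(offset, length)``.
        bootkey: the boot key (syskey) bytes.

    Returns:
        The derived key bytes — the RC4 output for revision 2, the first
        16 bytes of the AES-CBC plaintext for revision 3 — or ``None``
        when the hive root, the Account key or its ``F`` value cannot be
        read, or when the revision byte is neither 2 nor 3 (the original
        fell off the end and returned ``None`` implicitly).
    """
    root = get_root(samaddr)
    if not root:
        return None

    sam_account_key = open_key(root, [b"SAM", b"Domains", b"Account"])
    if not sam_account_key:
        return None

    # Keep the last value named F, exactly as the original loop did.
    F = None
    for v in values(sam_account_key):
        if v.Name == b'F':
            F = samaddr.read(v.Data.value, v.DataLength.value)
    if not F:
        return None

    # ord() on a one-byte slice works for both Python 2 str and Python 3 bytes.
    revision = ord(F[0x00:0x01])

    if revision == 2:
        # RC4 key = MD5(F[0x70:0x80] || aqwerty || bootkey || anum); aqwerty
        # and anum are module-level constants defined outside this block.
        rc4 = RC4(hashlib.md5(F[0x70:0x80] + aqwerty + bootkey + anum).digest())
        return rc4.encrypt(F[0x80:0xA0])

    if revision == 3:
        # AES-CBC keyed with bootkey; the IV precedes the ciphertext in F.
        # Decrypted block by block, as in the original — presumably because
        # the cipher object processes one block per call.
        iv = F[0x78:0x88]
        enc_hbootkey = F[0x88:0xA8]
        cipher = AESModeOfOperationCBC(bootkey, iv=iv)
        blocks = [
            cipher.decrypt(enc_hbootkey[i:i + AES_BLOCK_SIZE])
            for i in range(0, len(enc_hbootkey), AES_BLOCK_SIZE)
        ]
        return b"".join(blocks)[:16]

    # Unknown F layout: make the fallthrough explicit.
    return None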
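def decrypt_lsa_key_nt5(lsakey, syskey):
    """Decrypt the NT5 (pre-Vista) LSA key blob using the syskey.

    Args:
        lsakey: the raw wrapped LSA key blob as read from the registry.
        syskey: the boot key (syskey) bytes.

    Returns:
        A list of three consecutive 16-byte slices of the RC4-decrypted
        material (slices come back short if the blob is truncated).
    """
    # RC4 key = MD5(syskey || 1000 x lsakey[60:76]).
    dg = hashlib.md5()
    dg.update(syskey)
    # range() instead of xrange(): the original was Python 2 only.
    for _ in range(1000):
        dg.update(lsakey[60:76])
    arcfour = RC4(dg.digest())
    deskey = arcfour.encrypt(lsakey[12:60])
    return [deskey[16 * x:16 * (x + 1)] for x in range(3)]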
def decrypt_single_hash(rid, hbootkey, enc_hash, lmntstr):
    """Unwrap one stored hash for the account identified by *rid*.

    Args:
        rid: the account's relative identifier; packed as ``<L`` into the
            RC4 key input and also turned into two DES keys by ``sid_to_key``.
        hbootkey: the hashed boot key; only its first 16 bytes are used.
        enc_hash: the wrapped hash bytes.
        lmntstr: constant bytes appended to the RC4 key input (presumably
            selecting the LM or NT derivation, going by the name).

    Returns:
        The concatenation of two DES-ECB decryptions: the first covers the
        first 8 bytes of the RC4 output, the second the remainder.
    """
    key_a, key_b = sid_to_key(rid)
    # RC4 key = MD5(hbootkey[:16] || rid as little-endian u32 || lmntstr).
    md5 = hashlib.md5(hbootkey[:0x10] + pack("<L", rid) + lmntstr)
    unwrapped = RC4(md5.digest()).encrypt(enc_hash)
    first_half = des(key_a, ECB).decrypt(unwrapped[:8])
    second_half = des(key_b, ECB).decrypt(unwrapped[8:])
    return first_half + second_half
def get_hbootkey(samaddr, bootkey):
    """Derive the SAM hashed boot key from the Domains\\Account ``F`` value.

    Only the MD5/RC4 derivation is implemented here; the revision byte of
    ``F`` is not inspected, so this assumes the layout that derivation
    expects.

    Args:
        samaddr: reader for the SAM hive; must be accepted by ``get_root``
            and expose ``read(offset, length)``.
        bootkey: the boot key (syskey) bytes.

    Returns:
        The RC4 output for ``F[0x80:0xA0]``, or ``None`` when the hive
        root, the Account key or its ``F`` value cannot be read.
    """
    root = get_root(samaddr)
    if not root:
        return None

    account_key = open_key(root, [b"SAM", b"Domains", b"Account"])
    if not account_key:
        return None

    # The last value named F wins, as in the original loop.
    f_blob = None
    for value in values(account_key):
        if value.Name == b'F':
            f_blob = samaddr.read(value.Data.value, value.DataLength.value)
    if not f_blob:
        return None

    # RC4 key = MD5(F[0x70:0x80] || aqwerty || bootkey || anum); aqwerty and
    # anum are module-level constants defined outside this block.
    digest = hashlib.md5(f_blob[0x70:0x80] + aqwerty + bootkey + anum).digest()
    return RC4(digest).encrypt(f_blob[0x80:0xA0])