コード例 #1
ファイル: registry.py プロジェクト: lowleveldesign/dpapick
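    def get_lsa_secrets(self, security, system):
        """Retrieve and decrypt the LSA secrets stored in a SECURITY hive.

        ``security`` and ``system`` are the full paths to the corresponding
        registry hive files. ``self.get_syskey(system)`` and
        ``self.get_lsa_key(security)`` are called first, so the caller does
        not have to prepare any key material beforehand.

        Returns the dictionary that is also stored on ``self.lsa_secrets``.
        It has one entry per subkey of ``Policy\\Secrets``, and each entry
        maps the names of that subkey's children to their ``(default)``
        value. Non-empty ``CurrVal``/``OldVal`` values are replaced by the
        decrypted data, ``OupdTime``/``CupdTime`` by a Unix timestamp.

        A secret that lacks one of those four children is returned without
        that entry instead of aborting the whole retrieval with ``KeyError``.

        The result holds decrypted secret material and stays referenced by
        the instance after the call; keep it out of logs and of reports that
        leave the analysis host.
        """
        self.get_syskey(system)
        currentKey = self.get_lsa_key(security)
        self.lsa_secrets = {}
        with open(security, 'rb') as f:
            secrets_root = Registry.Registry(f).open("Policy\\Secrets")
            for secret in secrets_root.subkeys():
                fields = self.lsa_secrets[secret.name()] = {}
                for child in secret.subkeys():
                    fields[child.name()] = child.value('(default)').value()

        for name, fields in self.lsa_secrets.iteritems():
            for s in ("CurrVal", "OldVal"):
                # .get(): a hive that misses this child must not abort the run.
                blob = fields.get(s, "")
                if blob != "":
                    if self.policy["value"] > 1.09:
                        # NT6
                        fields[s] = crypto.decrypt_lsa_secret(blob, self.lsakeys)
                    else:
                        # The first 0xc bytes are skipped before decryption;
                        # presumably a length/version header - confirm.
                        fields[s] = crypto.SystemFunction005(blob[0xc:], currentKey)
            for s in ("OupdTime", "CupdTime"):
                stamp = fields.get(s)
                # NOTE(review): if the stored value is a raw byte string,
                # Python 2 orders any str above any int, so "> 0" is always
                # true here - confirm the value type.
                if stamp is not None and stamp > 0:
                    t = eater.Eater(stamp)
                    # 100 ns ticks since 1601-01-01 -> seconds since 1970-01-01
                    # (eat("Q") presumably reads one unsigned 64-bit integer).
                    fields[s] = (t.eat("Q") / 10000000) - 11644473600

        return self.lsa_secrets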
コード例 #2
ファイル: crypto.py プロジェクト: lowleveldesign/dpapick
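    def test_decrypt_lsa_secret(self):
        """decrypt_lsa_secret() must recover the known plaintext of a fixed blob.

        The keyring handed to the function maps a key GUID to
        ``{"key": <32 raw bytes>}``; the result has to equal the expected
        byte string exactly.
        """
        # Encrypted input. Bytes 4-19 (b31b971b 40ab 9c1b a577 d333685b2f43)
        # are the mixed-endian form of the GUID used as keyring index below,
        # which is presumably how decrypt_lsa_secret() selects the key.
        # NOTE(review): hard-coded key material - presumably a fixed test
        # vector; confirm it does not originate from a production host.
        secret=("00000001b31b971b40ab9c1ba577d333"
                "685b2f430300000000000000f725e552"
                "7ebd98a928a9e903ddd243a7baa9761b"
                "43237f66ce9a0061652b429269c06e25"
                "d84e8e52195265497843fa95ce3b5472"
                "42c0dea92ab8e7ff0cf266e7e59b7583"
                "3a8a6c92d125cc866198db59e77f66c4"
                "fe1f4f92d276aff94e29a685").decode("hex")
        # 64 hex digits, i.e. a 32-byte key.
        key = "c6afbd790aa01079860362face32818b155facf4666a0e061b91597c46c9d1a8".decode("hex")
        # Expected plaintext, 44 bytes once the separating spaces are removed.
        r = ("01 00 00 00 EB F6 82 84 52 F6 CA 25 BA 36 2F CD"
             "6C 76 36 88 70 70 87 CD 1C 14 65 17 23 BF EB 3A"
             "0E 96 25 31 36 8A DF 95 44 DE D9 78").replace(" ", "").decode("hex")
        d = {"1b971bb3-ab40-1b9c-a577-d333685b2f43": {"key": key}}

        # assertEqual: assertEquals is a deprecated alias that newer unittest
        # versions no longer provide.
        self.assertEqual(crypto.decrypt_lsa_secret(secret, d), r)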
コード例 #3
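    def test_decrypt_lsa_secret(self):
        """Check decrypt_lsa_secret() against one fixed blob/key/plaintext triple.

        The function receives the encrypted blob and a keyring of the form
        ``{<key GUID>: {"key": <raw key bytes>}}`` and must return exactly
        the expected plaintext bytes.
        """
        # NOTE(review): the blob and key are hard-coded; presumably a fixed
        # test vector - confirm it was not taken from a production host.
        secret=("00000001b31b971b40ab9c1ba577d333"
                "685b2f430300000000000000f725e552"
                "7ebd98a928a9e903ddd243a7baa9761b"
                "43237f66ce9a0061652b429269c06e25"
                "d84e8e52195265497843fa95ce3b5472"
                "42c0dea92ab8e7ff0cf266e7e59b7583"
                "3a8a6c92d125cc866198db59e77f66c4"
                "fe1f4f92d276aff94e29a685").decode("hex")
        # 32-byte key (64 hex digits).
        key = "c6afbd790aa01079860362face32818b155facf4666a0e061b91597c46c9d1a8".decode("hex")
        # Expected result; the spaces only group the bytes for readability.
        r = ("01 00 00 00 EB F6 82 84 52 F6 CA 25 BA 36 2F CD"
             "6C 76 36 88 70 70 87 CD 1C 14 65 17 23 BF EB 3A"
             "0E 96 25 31 36 8A DF 95 44 DE D9 78").replace(" ", "").decode("hex")
        # The GUID is bytes 4-19 of the blob (b31b971b 40ab 9c1b a577
        # d333685b2f43) in mixed-endian notation; presumably the function
        # uses it to look the key up.
        d = {"1b971bb3-ab40-1b9c-a577-d333685b2f43": {"key": key}}

        # assertEquals is a deprecated alias of assertEqual and is absent
        # from newer unittest versions.
        self.assertEqual(crypto.decrypt_lsa_secret(secret, d), r)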
コード例 #4
ファイル: registry.py プロジェクト: yoyosh/dpapick
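    def get_lsa_secrets(self, security, system):
        """Read the LSA secrets from a SECURITY hive and decrypt them.

        ``security`` and ``system`` are the full paths to the corresponding
        registry hive files. The method calls ``self.get_syskey(system)``
        and ``self.get_lsa_key(security)`` itself before reading any secret.

        Returns ``self.lsa_secrets``: a dictionary keyed by the name of each
        subkey of ``Policy\\Secrets``, whose values map child-key names to
        the child's ``(default)`` value. Non-empty ``CurrVal`` and ``OldVal``
        entries are replaced by their decrypted form, ``OupdTime`` and
        ``CupdTime`` by a Unix timestamp.

        Children that a secret does not have are skipped rather than raising
        ``KeyError``, so one incomplete secret does not lose all the others.

        The returned dictionary contains decrypted secret material and
        remains attached to the instance; treat it as sensitive when logging
        or exporting results.
        """
        self.get_syskey(system)
        currentKey = self.get_lsa_key(security)
        self.lsa_secrets = {}
        with open(security, 'rb') as f:
            r = Registry.Registry(f)
            for secret_key in r.open("Policy\\Secrets").subkeys():
                entry = {}
                self.lsa_secrets[secret_key.name()] = entry
                for value_key in secret_key.subkeys():
                    entry[value_key.name()] = value_key.value(
                        '(default)').value()

        for k, entry in self.lsa_secrets.iteritems():
            for s in ["CurrVal", "OldVal"]:
                # A missing child is treated like an empty value.
                encrypted = entry.get(s, "")
                if encrypted == "":
                    continue
                if self.policy["value"] > 1.09:
                    # NT6
                    entry[s] = crypto.decrypt_lsa_secret(
                        encrypted, self.lsakeys)
                else:
                    # Decryption starts at offset 0xc; the skipped bytes are
                    # presumably a header - confirm.
                    entry[s] = crypto.SystemFunction005(
                        encrypted[0xc:], currentKey)
            for s in ["OupdTime", "CupdTime"]:
                raw_time = entry.get(s)
                if raw_time is None:
                    continue
                # NOTE(review): Python 2 orders any str above any int, so
                # this test is always true if the value is a raw byte
                # string - confirm the value type.
                if raw_time > 0:
                    t = eater.Eater(raw_time)
                    # 100 ns ticks counted from 1601-01-01, converted to
                    # seconds since 1970-01-01; eat("Q") presumably reads
                    # one unsigned 64-bit integer.
                    entry[s] = (t.eat("Q") /
                                10000000) - 11644473600

        return self.lsa_secrets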