def get_secrets():
    """Read each LSA secret stored under HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets
    and return them decrypted, keyed by the secret's (service) name.

    Returns:
        A dict mapping the last path component of each subkey name to whatever
        decrypt_secret / decrypt_lsa2 return for its CurrVal blob. Subkeys whose
        CurrVal default value is empty are skipped. Returns None on the
        "key not accessible" path (but see the note on that guard below).

    Depends on module-level helpers (get_bootkey, get_lsa_key, regkey,
    decrypt_secret, decrypt_lsa2, unpack) and reads the module-global `xp`
    flag to choose the decryption routine.
    """
    global xp
    # NOTE(review): unlike dump_hashes, neither bootkey nor lsakey is checked
    # for a falsy result before being used.
    bootkey = get_bootkey()
    lsakey = get_lsa_key(bootkey)
    r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets")
    # NOTE(review): is_present is referenced, not called, so this tests the
    # bound method object (always truthy) and the error branch can never run;
    # dump_hashes on this page calls r.is_present() instead.
    if not r.is_present:
        print "[E] Secrets key not accessible: HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets"
        return None
    secrets = {}
    for service_key in r.get_subkeys():
        # The dict key is the last backslash-separated component of the subkey path.
        service_name = service_key.get_name().split("\\")[-1]
        skey = regkey(service_key.get_name() + "\\CurrVal")
        # Default ("") value of the CurrVal subkey holds the encrypted blob.
        enc_secret = skey.get_value("")
        if not enc_secret:
            continue
        if xp:
            # When the xp flag is set: the first 4 bytes are a little-endian
            # uint32 giving the encrypted payload size; the payload is taken
            # from the tail of the blob (len - size) and passed to decrypt_secret.
            encryptedSecretSize = unpack("<I", enc_secret[:4])[0]
            offset = len(enc_secret) - encryptedSecretSize
            secret = decrypt_secret(enc_secret[offset:], lsakey)
        else:
            # Otherwise the whole blob goes to decrypt_lsa2.
            secret = decrypt_lsa2(enc_secret, lsakey)
        secrets[service_name] = secret
    return secrets
def get_secrets():
    """Read each LSA secret stored under HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets
    and return them decrypted, keyed by the secret's (service) name.

    Returns:
        A dict mapping the last path component of each subkey name to whatever
        decrypt_secret / decrypt_lsa2 return for its CurrVal blob. Subkeys whose
        CurrVal default value is empty are skipped. Returns None on the
        "key not accessible" path (but see the note on that guard below).

    Depends on module-level helpers (get_bootkey, get_lsa_key, regkey,
    decrypt_secret, decrypt_lsa2, unpack) and reads the module-global `xp`
    flag to choose the decryption routine.
    """
    global xp
    # NOTE(review): unlike dump_hashes, neither bootkey nor lsakey is checked
    # for a falsy result before being used.
    bootkey = get_bootkey()
    lsakey = get_lsa_key(bootkey)
    r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets")
    # NOTE(review): is_present is referenced, not called, so this tests the
    # bound method object (always truthy) and the error branch can never run;
    # dump_hashes on this page calls r.is_present() instead.
    if not r.is_present:
        print(
            "[E] Secrets key not accessible: HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets"
        )
        return None
    secrets = {}
    for service_key in r.get_subkeys():
        # The dict key is the last backslash-separated component of the subkey path.
        service_name = service_key.get_name().split("\\")[-1]
        skey = regkey(service_key.get_name() + "\\CurrVal")
        # Default ("") value of the CurrVal subkey holds the encrypted blob.
        enc_secret = skey.get_value("")
        if not enc_secret:
            continue
        if xp:
            # When the xp flag is set: the first 4 bytes are a little-endian
            # uint32 giving the encrypted payload size; the payload is taken
            # from the tail of the blob (len - size) and passed to decrypt_secret.
            encryptedSecretSize = unpack('<I', enc_secret[:4])[0]
            offset = len(enc_secret) - encryptedSecretSize
            secret = decrypt_secret(enc_secret[offset:], lsakey)
        else:
            # Otherwise the whole blob goes to decrypt_lsa2.
            secret = decrypt_lsa2(enc_secret, lsakey)
        secrets[service_name] = secret
    return secrets
def dump_hashes():
    """Decrypt the cached-logon entries stored under HKEY_LOCAL_MACHINE\\SECURITY\\Cache.

    Returns:
        A list of (username, domain, domain_name, hash) tuples, exactly as
        returned by parse_decrypted_cache for each non-empty cache value.
        Returns an empty list as soon as the bootkey, the LSA key, the NLKM
        key, or the Cache registry key cannot be obtained.

    Depends on module-level helpers (get_bootkey, get_lsa_key, get_nlkm,
    regkey, parse_cache_entry, isXp, decrypt_hash, decrypt_hash_vista,
    parse_decrypted_cache) and writes the module-global `xp`.
    """
    # Each key in the chain is derived from the previous one; bail out early
    # with an empty result when any step fails.
    bootkey = get_bootkey()
    if not bootkey:
        return []
    lsakey = get_lsa_key(bootkey)
    # import binascii
    # print "lsakey : %s"%(binascii.hexlify(lsakey))
    if not lsakey:
        return []
    nlkm = get_nlkm(lsakey)
    # print "nlkm : %s"%(binascii.hexlify(nlkm))
    if not nlkm:
        return []
    r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Cache")
    if not r.is_present():
        return []
    hashes = []
    for v in r.get_values():
        # The NL$Control value is not treated as a cache entry.
        if v == "NL$Control":
            continue
        data = r.get_value(v)
        (uname_len, domain_len, domain_name_len, enc_data, ch) = parse_cache_entry(data)
        # print "cache entry encodeddata: %s"%(binascii.hexlify(enc_data))
        # Skip if nothing in this cache entry
        if uname_len == 0:
            continue
        # NOTE(review): the module-global xp is recomputed on every iteration;
        # calling isXp() once before the loop would be equivalent if isXp()
        # is stable across calls -- confirm before changing.
        global xp
        xp = isXp()
        if xp:
            dec_data = decrypt_hash(enc_data, nlkm, ch)
        else:
            dec_data = decrypt_hash_vista(enc_data, nlkm, ch)
        # `hash` shadows the builtin of the same name; retained as written.
        (username, domain, domain_name, hash) = parse_decrypted_cache(dec_data, uname_len, domain_len, domain_name_len)
        hashes.append((username, domain, domain_name, hash))
    return hashes
def dump_hashes():
    """Decrypt the cached-logon entries stored under HKEY_LOCAL_MACHINE\\SECURITY\\Cache.

    Returns:
        A list of (username, domain, domain_name, hash) tuples, exactly as
        returned by parse_decrypted_cache for each non-empty cache value.
        Returns an empty list as soon as the bootkey, the LSA key, the NLKM
        key, or the Cache registry key cannot be obtained.

    Depends on module-level helpers (get_bootkey, get_lsa_key, get_nlkm,
    regkey, parse_cache_entry, decrypt_hash, parse_decrypted_cache).
    """
    # Each key in the chain is derived from the previous one; bail out early
    # with an empty result when any step fails.
    bootkey = get_bootkey()
    if not bootkey:
        return []
    lsakey = get_lsa_key(bootkey)
    if not lsakey:
        return []
    nlkm = get_nlkm(lsakey)
    if not nlkm:
        return []
    r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Cache")
    if not r.is_present():
        return []
    hashes = []
    for v in r.get_values():
        # The NL$Control value is not treated as a cache entry.
        if v == "NL$Control":
            continue
        data = r.get_value(v)
        (uname_len, domain_len, domain_name_len, enc_data, ch) = parse_cache_entry(data)
        # Skip if nothing in this cache entry
        if uname_len == 0:
            continue
        # NOTE(review): this variant always calls decrypt_hash; the other
        # dump_hashes on this page selects decrypt_hash vs decrypt_hash_vista
        # via isXp(). Whether decrypt_hash handles both formats here cannot be
        # told from this block -- confirm against its definition.
        dec_data = decrypt_hash(enc_data, nlkm, ch)
        # `hash` shadows the builtin of the same name; retained as written.
        (username, domain, domain_name, hash) = parse_decrypted_cache(dec_data, uname_len, domain_len, domain_name_len)
        hashes.append((username, domain, domain_name, hash))
    return hashes
if package[k]: print "%s:" % k sys.stdout.write(dump(package[k], 16)) else: print "%s: %s" % (k, "<empty / cannot decrypt>") else: print "%s: %s" % (k, package[k]) print "" options = parseOptions() # bootkey if options.do_all or options.do_bootkey: section("Dumping Bootkey") print "Bootkey: %s" % hexlify(get_bootkey()) # cachedump if options.do_all or options.do_cacheddomcreds: section("Dumping Cached Domain Credentials") got_a_hash = 0 for hash in cachedump_reg_hashes(): got_a_hash = 1 print hash if not got_a_hash: print "[E] No cached hashes. Are you running as SYSTEM? Or machine not a domain member?" # pwdump if options.do_all or options.do_samhashes: section("Dumping Password Hashes From SAM")
if package[k]: print("%s:" % k) sys.stdout.write(dump(package[k], 16)) else: print("%s: %s" % (k, "<empty / cannot decrypt>")) else: print("%s: %s" % (k, package[k])) print() options = parseOptions() # bootkey if options.do_all or options.do_bootkey: section("Dumping Bootkey") bootkey = get_bootkey() print(f"Bootkey: {hexlify(bootkey).decode()}") # cachedump if options.do_all or options.do_cacheddomcreds: section("Dumping Cached Domain Credentials") got_a_hash = 0 for hash in cachedump_reg_hashes(): got_a_hash = 1 print(hash) if not got_a_hash: print( "[E] No cached hashes. Are you running as SYSTEM? Or machine not a domain member?" )
if k == "CredentialBlob": if package[k]: print "%s:" % k sys.stdout.write(dump(package[k], 16)) else: print "%s: %s" % (k, "<empty / cannot decrypt>") else: print "%s: %s" % (k, package[k]) print "" options = parseOptions() # bootkey if options.do_all or options.do_bootkey: section("Dumping Bootkey") print "Bootkey: %s" % hexlify(get_bootkey()) # cachedump if options.do_all or options.do_cacheddomcreds: section("Dumping Cached Domain Credentials") got_a_hash = 0 for hash in cachedump_reg_hashes(): got_a_hash = 1 print hash if not got_a_hash: print "[E] No cached hashes. Are you running as SYSTEM? Or machine not a domain member?" # pwdump if options.do_all or options.do_samhashes: section("Dumping Password Hashes From SAM")