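def get_secrets(sysaddr, secaddr):
    """Collect the LSA secrets stored under Policy\\Secrets in the SECURITY hive.

    Args:
        sysaddr: address space of the SYSTEM hive, used to derive the boot key.
        secaddr: address space of the SECURITY hive.

    Returns:
        A dict mapping each secret's key name to the value returned by
        ``decrypt_secret``, or None when the hive root, the boot key, the LSA
        key or the Policy\\Secrets key cannot be obtained.
    """
    root = rawreg.get_root(secaddr)
    if not root:
        return None

    # The LSA key is derived from the boot key, so a missing boot key is
    # checked first instead of being handed to get_lsa_key.
    bootkey = hashdump.get_bootkey(sysaddr)
    if not bootkey:
        return None
    lsakey = get_lsa_key(secaddr, bootkey)
    if not lsakey:
        return None

    secrets_key = rawreg.open_key(root, ["Policy", "Secrets"])
    if not secrets_key:
        return None

    secrets = {}
    for key in rawreg.subkeys(secrets_key):
        # Each secret lives in a subkey; CurrVal holds its current value.
        sec_val_key = rawreg.open_key(key, ["CurrVal"])
        if not sec_val_key:
            continue
        enc_secret_value = sec_val_key.ValueList.List.dereference()[0]
        if not enc_secret_value:
            continue
        enc_secret = secaddr.read(enc_secret_value.Data, enc_secret_value.DataLength)
        if not enc_secret:
            continue
        # The leading 0xC bytes are not part of the ciphertext passed to
        # decrypt_secret. A value shorter than that yields an empty slice;
        # decrypt_secret is left to decide what to do with it.
        secret = decrypt_secret(enc_secret[0xC:], lsakey)
        secrets[key.Name] = secret
    return secrets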
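def dump_hashes(addr_space, sysaddr, secaddr):
    """Recover domain cached credentials from the SECURITY hive's Cache key.

    Args:
        addr_space: address space whose profile metadata selects the
            XP-era (major version 5) decryption variant.
        sysaddr: address space of the SYSTEM hive, used to derive the boot key.
        secaddr: address space of the SECURITY hive.

    Returns:
        A list of ``(username, domain, domain_name, hash)`` tuples. An empty
        list is returned when the boot key, LSA key, NL$KM key, hive root or
        Cache key is unavailable.
    """
    bootkey = hashdump.get_bootkey(sysaddr)
    if not bootkey:
        return []
    lsakey = lsasecrets.get_lsa_key(addr_space, secaddr, bootkey)
    if not lsakey:
        return []
    # NL$KM is the key material the cache entries are encrypted under.
    nlkm = get_nlkm(addr_space, secaddr, lsakey)
    if not nlkm:
        return []

    root = rawreg.get_root(secaddr)
    if not root:
        return []
    cache = rawreg.open_key(root, ["Cache"])
    if not cache:
        return []

    # Profiles with major version 5 take a different decrypt_hash path.
    xp = addr_space.profile.metadata.get('major', 0) == 5

    hashes = []
    for v in rawreg.values(cache):
        # NL$Control is bookkeeping, not a cache entry.
        if v.Name == "NL$Control":
            continue
        data = v.obj_vm.read(v.Data, v.DataLength)
        # Identity check: a failed read returns None, which must not reach
        # parse_cache_entry.
        if data is None:
            continue
        (
            uname_len,
            domain_len,
            domain_name_len,
            enc_data,
            ch,
        ) = parse_cache_entry(data)
        # Skip if nothing in this cache entry
        if uname_len == 0:
            continue
        dec_data = decrypt_hash(enc_data, nlkm, ch, xp)
        (username, domain, domain_name, hashh) = parse_decrypted_cache(
            dec_data, uname_len, domain_len, domain_name_len
        )
        hashes.append((username, domain, domain_name, hashh))
    return hashes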
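def dump_hashes(addr_space, sysaddr, secaddr):
    """Recover domain cached credentials from the SECURITY hive's Cache key.

    Args:
        addr_space: address space whose profile metadata selects the
            XP-era (major version 5) decryption variant.
        sysaddr: address space of the SYSTEM hive, used to derive the boot key.
        secaddr: address space of the SECURITY hive.

    Returns:
        A list of ``(username, domain, domain_name, hash)`` tuples; empty when
        the boot key, LSA key, NL$KM key, hive root or Cache key cannot be
        obtained.
    """
    bootkey = hashdump.get_bootkey(sysaddr)
    if not bootkey:
        return []
    lsakey = lsasecrets.get_lsa_key(addr_space, secaddr, bootkey)
    if not lsakey:
        return []
    # The cache entries are encrypted under NL$KM, which itself needs the LSA key.
    nlkm = get_nlkm(addr_space, secaddr, lsakey)
    if not nlkm:
        return []

    root = rawreg.get_root(secaddr)
    if not root:
        return []
    cache = rawreg.open_key(root, ["Cache"])
    if not cache:
        return []

    # Major version 5 profiles use the older decrypt_hash variant.
    xp = addr_space.profile.metadata.get('major', 0) == 5

    hashes = []
    for v in rawreg.values(cache):
        if v.Name == "NL$Control":
            # Control value, not a credential entry.
            continue
        data = v.obj_vm.read(v.Data, v.DataLength)
        # Use an identity test for the failed-read sentinel rather than ==.
        if data is None:
            continue
        uname_len, domain_len, domain_name_len, enc_data, ch = parse_cache_entry(data)
        # Skip if nothing in this cache entry
        if uname_len == 0:
            continue
        dec_data = decrypt_hash(enc_data, nlkm, ch, xp)
        username, domain, domain_name, hashh = parse_decrypted_cache(
            dec_data, uname_len, domain_len, domain_name_len
        )
        hashes.append((username, domain, domain_name, hashh))
    return hashes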
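def dump_hashes(sysaddr, secaddr):
    """Recover domain cached credentials from the SECURITY hive's Cache key.

    Args:
        sysaddr: address space of the SYSTEM hive, used to derive the boot key.
        secaddr: address space of the SECURITY hive.

    Returns:
        A list of ``(username, domain, domain_name, hash)`` tuples, or None
        when the boot key, LSA key, NL$KM key, hive root or Cache key cannot
        be obtained.
    """
    bootkey = hashdump.get_bootkey(sysaddr)
    if not bootkey:
        return None
    lsakey = lsasecrets.get_lsa_key(secaddr, bootkey)
    if not lsakey:
        return None
    # NL$KM is the key material the cache entries are encrypted under.
    nlkm = get_nlkm(secaddr, lsakey)
    if not nlkm:
        return None

    root = rawreg.get_root(secaddr)
    if not root:
        return None
    cache = rawreg.open_key(root, ["Cache"])
    if not cache:
        return None

    hashes = []
    for v in rawreg.values(cache):
        # NL$Control is bookkeeping, not a cache entry.
        if v.Name == "NL$Control":
            continue
        data = v.obj_vm.read(v.Data, v.DataLength)
        # A read that fails returns None; it must not be handed to
        # parse_cache_entry.
        if data is None:
            continue
        (uname_len, domain_len, domain_name_len, enc_data, ch) = parse_cache_entry(data)
        # Skip if nothing in this cache entry
        if uname_len == 0:
            continue
        dec_data = decrypt_hash(enc_data, nlkm, ch)
        (username, domain, domain_name, hashh) = parse_decrypted_cache(
            dec_data, uname_len, domain_len, domain_name_len
        )
        hashes.append((username, domain, domain_name, hashh))
    return hashes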
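def get_secrets(addr_space, sysaddr, secaddr):
    """Collect the values stored under Policy\\Secrets in the SECURITY hive.

    No decryption is applied here: each stored value is the raw bytes read
    from the hive, with the leading 0xC bytes dropped on profiles whose
    major version is 5.

    Args:
        addr_space: address space whose profile metadata decides whether the
            0xC-byte prefix is stripped.
        sysaddr: address space of the SYSTEM hive, used to derive the boot key.
        secaddr: address space of the SECURITY hive.

    Returns:
        A dict mapping each secret's key name to its stored value, or None
        when the hive root, the boot key, the LSA key or the Policy\\Secrets
        key cannot be obtained.
    """
    root = rawreg.get_root(secaddr)
    if not root:
        return None

    # The LSA key derivation needs the boot key, so check it before calling
    # get_lsa_key rather than passing a missing key through.
    bootkey = hashdump.get_bootkey(sysaddr)
    if not bootkey:
        return None
    # lsakey is only used as a gate here; the values below are not decrypted
    # in this function.
    lsakey = get_lsa_key(addr_space, secaddr, bootkey)
    if not lsakey:
        return None

    secrets_key = rawreg.open_key(root, ["Policy", "Secrets"])
    if not secrets_key:
        return None

    strip_prefix = addr_space.profile.metadata.get('major', 0) == 5

    secrets = {}
    for key in rawreg.subkeys(secrets_key):
        # Each secret is a subkey whose CurrVal holds the current value.
        sec_val_key = rawreg.open_key(key, ["CurrVal"])
        if not sec_val_key:
            continue
        enc_secret_value = sec_val_key.ValueList.List.dereference()[0]
        if not enc_secret_value:
            continue
        enc_secret = secaddr.read(enc_secret_value.Data, enc_secret_value.DataLength)
        if not enc_secret:
            continue
        if strip_prefix:
            secret = enc_secret[0xC:]
        else:
            secret = enc_secret
        secrets[key.Name] = secret
    return secrets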