def get_bootkey(cls, syshive: registry.RegistryHive) -> Optional[bytes]:
cs = 1
lsa_base = "ControlSet{0:03}".format(cs) + "\\Control\\Lsa"
lsa_keys = ["JD", "Skew1", "GBG", "Data"]
lsa = syshive.get_key(lsa_base)
if not lsa:
return None
bootkey = ''
for lk in lsa_keys:
key = syshive.get_key(lsa_base + '\\' + lk)
class_data = syshive.read(key.Class + 4, key.ClassLength)
if class_data is None:
return None
bootkey += class_data.decode('utf-16-le')
bootkey_str = binascii.unhexlify(bootkey)
bootkey_scrambled = bytes([
bootkey_str[cls.bootkey_perm_table[i]]
for i in range(len(bootkey_str))
])
return bootkey_scrambled
def get_hbootkey(cls, samhive: registry.RegistryHive, bootkey: bytes) -> Optional[bytes]:
sam_account_path = "SAM\\Domains\\Account"
if not bootkey:
return None
sam_account_key = cls.get_hive_key(samhive, sam_account_path)
if not sam_account_key:
return None
sam_data = None
for v in sam_account_key.get_values():
if v.get_name() == 'F':
sam_data = samhive.read(v.Data + 4, v.DataLength)
if not sam_data:
return None
revision = sam_data[0x00]
if revision == 2:
md5 = hashlib.md5()
md5.update(sam_data[0x70:0x80] + cls.aqwerty + bootkey + cls.anum)
rc4_key = md5.digest()
rc4 = ARC4.new(rc4_key)
hbootkey = rc4.encrypt(sam_data[0x80:0xA0])
return hbootkey
elif revision == 3:
# AES encrypted
iv = sam_data[0x78:0x88]
encryptedHBootKey = sam_data[0x88:0xA8]
cipher = AES.new(bootkey, AES.MODE_CBC, iv)
hbootkey = cipher.decrypt(encryptedHBootKey)
return hbootkey[:16]
return None
def get_hive_key(cls, hive: registry.RegistryHive, key: str):
result = None
try:
result = hive.get_key(key)
except KeyError:
vollog.info(
"Unable to load the required registry key {}\\{} from this memory image".format(hive.get_name(), key))
return result
def get_user_keys(
cls, samhive: registry.RegistryHive
) -> List[interfaces.objects.ObjectInterface]:
user_key_path = "SAM\\Domains\\Account\\Users"
user_key = samhive.get_key(user_key_path)
if not user_key:
return []
return [k for k in user_key.get_subkeys() if k.Name != "Names"]
def get_user_hashes(cls, user: registry.CM_KEY_NODE,
samhive: registry.RegistryHive,
hbootkey: bytes) -> Optional[Tuple[bytes, bytes]]:
## Will sometimes find extra user with rid = NAMES, returns empty strings right now
try:
rid = int(str(user.get_name()), 16)
except ValueError:
return None
sam_data = None
for v in user.get_values():
if v.get_name() == 'V':
sam_data = samhive.read(v.Data + 4, v.DataLength)
if not sam_data:
return None
lm_offset = unpack("<L", sam_data[0x9c:0xa0])[0] + 0xCC
lm_len = unpack("<L", sam_data[0xa0:0xa4])[0]
nt_offset = unpack("<L", sam_data[0xa8:0xac])[0] + 0xCC
nt_len = unpack("<L", sam_data[0xac:0xb0])[0]
lm_revision = sam_data[lm_offset + 2:lm_offset + 3]
lmhash = None
if lm_revision == b'\x01':
if lm_len == 20:
enc_lm_hash = sam_data[lm_offset + 0x04:lm_offset + 0x14]
lmhash = cls.decrypt_single_hash(rid, hbootkey, enc_lm_hash,
cls.almpassword)
elif lm_revision == b'\x02':
if lm_len == 56:
lm_salt = sam_data[lm_offset + 4:lm_offset + 20]
enc_lm_hash = sam_data[lm_offset + 20:lm_offset + 52]
lmhash = cls.decrypt_single_salted_hash(
rid, hbootkey, enc_lm_hash, cls.almpassword, lm_salt)
# NT hash decryption
nthash = None
nt_revision = sam_data[nt_offset + 2:nt_offset + 3]
if nt_revision == b'\x01':
if nt_len == 20:
enc_nt_hash = sam_data[nt_offset + 4:nt_offset + 20]
nthash = cls.decrypt_single_hash(rid, hbootkey, enc_nt_hash,
cls.antpassword)
elif nt_revision == b'\x02':
if nt_len == 56:
nt_salt = sam_data[nt_offset + 8:nt_offset + 24]
enc_nt_hash = sam_data[nt_offset + 24:nt_offset + 56]
nthash = cls.decrypt_single_salted_hash(
rid, hbootkey, enc_nt_hash, cls.antpassword, nt_salt)
return lmhash, nthash
def get_user_name(cls, user: registry.CM_KEY_NODE, samhive: registry.RegistryHive) -> Optional[bytes]:
value = None
for v in user.get_values():
if v.get_name() == 'V':
value = samhive.read(v.Data + 4, v.DataLength)
if not value:
return None
name_offset = unpack("<L", value[0x0c:0x10])[0] + 0xCC
name_length = unpack("<L", value[0x10:0x14])[0]
if name_length > len(value):
return None
username = value[name_offset:name_offset + name_length]
return username
def get_user_name(cls, user: interfaces.objects.ObjectInterface,
samhive: registry.RegistryHive) -> Optional[bytes]:
V = None
for v in user.get_values():
if v.get_name() == 'V':
V = samhive.read(v.Data + 4, v.DataLength)
if not V:
return None
name_offset = unpack("<L", V[0x0c:0x10])[0] + 0xCC
name_length = unpack("<L", V[0x10:0x14])[0]
if name_length > len(V):
return None
username = V[name_offset:name_offset + name_length]
return username