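def test_decrypt_lsa_key_nt6(self):
    """Decrypt a captured NT6 PolEKList blob with a known syskey and check the current key.

    The blob, the syskey and the expected key are fixed test vectors.
    ``binascii.unhexlify`` replaces ``str.decode("hex")`` (Python 2 only) so the
    test runs unchanged on Python 2 and 3; ``assertEqual`` replaces the
    deprecated ``assertEquals`` alias.
    """
    import binascii

    # Raw Policy\\PolEKList "(default)" value captured from a SECURITY hive.
    lsakey = binascii.unhexlify(
        "00000001ecffe17b2a997440aa939adb"
        "ff26f1fc0300000000000000ee645edd"
        "3156e5d6c69dc2851f3b59701730733b"
        "fe63a748a37165aeb4b402b344848e99"
        "f1442ba42ede3009b35552eb9001e917"
        "22ac479d752432f239c4412cde0d9f24"
        "f181cb75bcdc8aab3740f9d1c2153284"
        "b82651508b4117ea190f4a4bb8fd0100"
        "88857660ffa44d24e7de12d5bc49105c"
        "a74e80a204f5272413237ea2ed9aa743"
        "3743d0674dc4fe828581de36")
    syskey = binascii.unhexlify("9acd05908157e45449e2ee795a9cc87e")
    expected = binascii.unhexlify(
        "c6afbd790aa01079860362face32818b155facf4666a0e061b91597c46c9d1a8")

    current, keys = crypto.decrypt_lsa_key_nt6(lsakey, syskey)

    # The returned id must select one of the decrypted entries, and that
    # entry's "key" must match the known-good value byte for byte.
    self.assertIn(current, keys)
    self.assertEqual(len(keys[current]["key"]), len(expected))
    self.assertEqual(keys[current]["key"], expected)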
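def get_lsa_key(self, security):
    """Returns and decrypts the LSA secret key for "CurrentControlSet".

    The encrypted key is stored under Policy\\PolSecretEncryptionKey (policy
    revision <= 1.09, "NT5") or Policy\\PolEKList (revision > 1.09, "NT6").
    The revision is read from Policy\\PolRevision and recorded in
    self.policy["minor"], self.policy["major"] and self.policy["value"].

    security is the full path to the SECURITY registry file (usually located
    under the %WINDIR%\\system32\\config\\ directory).

    To decrypt the LSA key, syskey is required. Thus you must first call
    self.get_syskey() if it has not been previously done. The complete set of
    decrypted keys is retained on self.lsakeys; it is secret material and
    should be treated as such by the caller.

    Returns the current LSA key as raw bytes.
    Raises ValueError if self.syskey is not set.
    """
    if self.syskey is None:
        raise ValueError(
            "Must provide syskey or call get_syskey() method first")

    with open(security, 'rb') as f:
        r = Registry.Registry(f)
        rev = eater.Eater(
            r.open("Policy\\PolRevision").value("(default)").value())
        # PolRevision is two "H" fields: minor first, then major.
        self.policy["minor"] = rev.eat("H")
        self.policy["major"] = rev.eat("H")
        self.policy["value"] = float(
            "%d.%02d" % (self.policy["major"], self.policy["minor"]))
        # Select the layout from the (major, minor) pair rather than from the
        # float kept in self.policy["value"]: identical result while minor is
        # below 100, and it does not depend on float formatting.
        is_nt6 = (self.policy["major"], self.policy["minor"]) > (1, 9)
        key_path = ("Policy\\PolEKList" if is_nt6
                    else "Policy\\PolSecretEncryptionKey")
        lsakey = r.open(key_path).value("(default)").value()

    if is_nt6:
        current_key, self.lsakeys = crypto.decrypt_lsa_key_nt6(
            lsakey, self.syskey)
        return self.lsakeys[current_key]["key"]
    # NT5: decrypt_lsa_key_nt5 returns a sequence whose index 1 is the key.
    self.lsakeys = crypto.decrypt_lsa_key_nt5(lsakey, self.syskey)
    return self.lsakeys[1]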
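def get_lsa_key(self, security):
    """Returns and decrypts the LSA secret key for "CurrentControlSet".

    The encrypted key is stored under Policy\\PolSecretEncryptionKey for
    policy revisions up to 1.09 ("NT5") and under Policy\\PolEKList for
    later revisions ("NT6"). The revision is read from Policy\\PolRevision
    and stored in self.policy["minor"], ["major"] and ["value"].

    security is the full path to the SECURITY registry file (usually located
    under the %WINDIR%\\system32\\config\\ directory).

    To decrypt the LSA key, syskey is required. Thus you must first call
    self.get_syskey() if it has not been previously done. All decrypted keys
    are kept on self.lsakeys and are secret material.

    Returns the current LSA key as raw bytes.
    Raises ValueError if self.syskey is not set.
    """
    if self.syskey is None:
        raise ValueError("Must provide syskey or call get_syskey() method first")

    with open(security, 'rb') as f:
        r = Registry.Registry(f)
        rev = eater.Eater(r.open("Policy\\PolRevision").value("(default)").value())
        # Two "H" fields: minor, then major.
        self.policy["minor"] = rev.eat("H")
        self.policy["major"] = rev.eat("H")
        self.policy["value"] = float("%d.%02d" % (self.policy["major"], self.policy["minor"]))
        # Branch on the integer pair instead of the float in self.policy["value"];
        # same outcome for minor < 100, and independent of float formatting.
        if (self.policy["major"], self.policy["minor"]) > (1, 9):
            is_nt6 = True
            key_path = "Policy\\PolEKList"
        else:
            is_nt6 = False
            key_path = "Policy\\PolSecretEncryptionKey"
        lsakey = r.open(key_path).value("(default)").value()

    if is_nt6:
        current_key, self.lsakeys = crypto.decrypt_lsa_key_nt6(lsakey, self.syskey)
        return self.lsakeys[current_key]["key"]
    # NT5 decryption yields a sequence; element 1 is the key.
    self.lsakeys = crypto.decrypt_lsa_key_nt5(lsakey, self.syskey)
    return self.lsakeys[1]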