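    def test_decrypt_lsa_key_nt6(self):
        """decrypt_lsa_key_nt6 yields the current key id and a map holding that key.

        The PolEKList blob, the syskey and the expected plaintext key are the
        fixture's constants; the decrypted key must match byte for byte.
        """
        # Local import: the file's import block lies outside this listing.
        # binascii.unhexlify works on both Python 2 and 3, unlike the
        # str.decode("hex") codec, which Python 3 no longer provides.
        import binascii

        lsakey = binascii.unhexlify(
            "00000001ecffe17b2a997440aa939adb"
            "ff26f1fc0300000000000000ee645edd"
            "3156e5d6c69dc2851f3b59701730733b"
            "fe63a748a37165aeb4b402b344848e99"
            "f1442ba42ede3009b35552eb9001e917"
            "22ac479d752432f239c4412cde0d9f24"
            "f181cb75bcdc8aab3740f9d1c2153284"
            "b82651508b4117ea190f4a4bb8fd0100"
            "88857660ffa44d24e7de12d5bc49105c"
            "a74e80a204f5272413237ea2ed9aa743"
            "3743d0674dc4fe828581de36")
        syskey = binascii.unhexlify("9acd05908157e45449e2ee795a9cc87e")
        expected = binascii.unhexlify(
            "c6afbd790aa01079860362face32818b155facf4666a0e061b91597c46c9d1a8")

        current, keys = crypto.decrypt_lsa_key_nt6(lsakey, syskey)
        # assertIn/assertEqual instead of assertTrue(x in y)/assertEquals:
        # clearer failure output, and assertEquals is a deprecated alias.
        self.assertIn(current, keys)
        self.assertEqual(len(keys[current]["key"]), len(expected))
        self.assertEqual(keys[current]["key"], expected)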
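    def test_decrypt_lsa_key_nt6(self):
        """decrypt_lsa_key_nt6 yields the current key id and a map holding that key.

        The PolEKList blob, the syskey and the expected plaintext key are the
        fixture's constants; the decrypted key must match byte for byte.
        """
        # Local import: the file's import block lies outside this listing.
        # binascii.unhexlify works on both Python 2 and 3, unlike the
        # str.decode("hex") codec, which Python 3 no longer provides.
        import binascii

        lsakey = binascii.unhexlify(
            "00000001ecffe17b2a997440aa939adb"
            "ff26f1fc0300000000000000ee645edd"
            "3156e5d6c69dc2851f3b59701730733b"
            "fe63a748a37165aeb4b402b344848e99"
            "f1442ba42ede3009b35552eb9001e917"
            "22ac479d752432f239c4412cde0d9f24"
            "f181cb75bcdc8aab3740f9d1c2153284"
            "b82651508b4117ea190f4a4bb8fd0100"
            "88857660ffa44d24e7de12d5bc49105c"
            "a74e80a204f5272413237ea2ed9aa743"
            "3743d0674dc4fe828581de36")
        syskey = binascii.unhexlify("9acd05908157e45449e2ee795a9cc87e")
        expected = binascii.unhexlify(
            "c6afbd790aa01079860362face32818b155facf4666a0e061b91597c46c9d1a8")

        current, keys = crypto.decrypt_lsa_key_nt6(lsakey, syskey)
        # assertIn/assertEqual instead of assertTrue(x in y)/assertEquals:
        # clearer failure output, and assertEquals is a deprecated alias.
        self.assertIn(current, keys)
        self.assertEqual(len(keys[current]["key"]), len(expected))
        self.assertEqual(keys[current]["key"], expected)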
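    def get_lsa_key(self, security):
        """Read and decrypt the LSA secret key for "CurrentControlSet".

        NT5 hives keep the encrypted key under Policy\\PolSecretEncryptionKey;
        NT6 hives (policy revision above 1.09) keep it under Policy\\PolEKList.
        As side effects the policy revision is recorded in self.policy
        ("major", "minor", "value") and every decrypted key in self.lsakeys.

        Args:
            security: full path to the SECURITY registry hive (usually found
                under the %WINDIR%\\system32\\config\\ directory).

        Returns:
            The decrypted LSA key: the current key for NT6, the NT5 key
            otherwise.

        Raises:
            ValueError: self.syskey is not set; call get_syskey() first.
        """
        if self.syskey is None:
            raise ValueError(
                "Must provide syskey or call get_syskey() method first")
        with open(security, 'rb') as f:
            r = Registry.Registry(f)
            rev = eater.Eater(
                r.open("Policy\\PolRevision").value("(default)").value())
            # The revision blob stores the minor number before the major one.
            self.policy["minor"] = rev.eat("H")
            self.policy["major"] = rev.eat("H")
            self.policy["value"] = float(
                "%d.%02d" % (self.policy["major"], self.policy["minor"]))
            # Branch on the (major, minor) pair rather than the float: the
            # "%d.%02d" rendering misorders minor revisions of 100 and above.
            is_nt6 = (self.policy["major"], self.policy["minor"]) > (1, 9)
            key_path = ("Policy\\PolEKList" if is_nt6
                        else "Policy\\PolSecretEncryptionKey")
            lsakey = r.open(key_path).value("(default)").value()
        # The hive is closed before decryption; only the blob is needed now.
        if is_nt6:
            current_key, self.lsakeys = crypto.decrypt_lsa_key_nt6(
                lsakey, self.syskey)
            return self.lsakeys[current_key]["key"]
        self.lsakeys = crypto.decrypt_lsa_key_nt5(lsakey, self.syskey)
        return self.lsakeys[1]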
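    def get_lsa_key(self, security):
        """Read and decrypt the LSA secret key for "CurrentControlSet".

        NT5 hives keep the encrypted key under Policy\\PolSecretEncryptionKey;
        NT6 hives (policy revision above 1.09) keep it under Policy\\PolEKList.
        As side effects the policy revision is recorded in self.policy
        ("major", "minor", "value") and every decrypted key in self.lsakeys.

        Args:
            security: full path to the SECURITY registry hive (usually found
                under the %WINDIR%\\system32\\config\\ directory).

        Returns:
            The decrypted LSA key: the current key for NT6, the NT5 key
            otherwise.

        Raises:
            ValueError: self.syskey is not set; call get_syskey() first.
        """
        if self.syskey is None:
            raise ValueError("Must provide syskey or call get_syskey() method first")
        with open(security, 'rb') as f:
            r = Registry.Registry(f)
            rev = eater.Eater(r.open("Policy\\PolRevision").value("(default)").value())
            # The revision blob stores the minor number before the major one.
            self.policy["minor"] = rev.eat("H")
            self.policy["major"] = rev.eat("H")
            self.policy["value"] = float("%d.%02d" % (self.policy["major"], self.policy["minor"]))
            # Branch on the (major, minor) pair rather than the float: the
            # "%d.%02d" rendering misorders minor revisions of 100 and above.
            is_nt6 = (self.policy["major"], self.policy["minor"]) > (1, 9)
            key_path = "Policy\\PolEKList" if is_nt6 else "Policy\\PolSecretEncryptionKey"
            lsakey = r.open(key_path).value("(default)").value()
        # The hive is closed before decryption; only the blob is needed now.
        if is_nt6:
            current_key, self.lsakeys = crypto.decrypt_lsa_key_nt6(lsakey, self.syskey)
            return self.lsakeys[current_key]["key"]
        self.lsakeys = crypto.decrypt_lsa_key_nt5(lsakey, self.syskey)
        return self.lsakeys[1]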