def get_lsa_secrets(self, security, system):
    """Retrieve and decrypt the LSA secrets stored in a SECURITY hive.

    ``security`` and ``system`` are paths to the corresponding on-disk
    registry hive files.  ``self.get_syskey(system)`` and
    ``self.get_lsa_key(security)`` are called first so the key material
    needed for decryption is in place.

    Every subkey of ``Policy\\Secrets`` becomes an entry of the returned
    dict, keyed by secret name; the entry is a dict of that secret's own
    subkeys (``CurrVal``, ``OldVal``, ``OupdTime``, ``CupdTime``, ...)
    mapped to their ``(default)`` values.  Non-empty ``CurrVal``/``OldVal``
    blobs are replaced by their decrypted form and the two update
    timestamps are converted from FILETIME ticks to Unix epoch seconds.

    The decrypted material is kept on ``self.lsa_secrets`` as well as
    being returned.
    """
    self.get_syskey(system)
    legacy_key = self.get_lsa_key(security)

    self.lsa_secrets = {}
    with open(security, 'rb') as hive:
        secrets_key = Registry.Registry(hive).open("Policy\\Secrets")
        for secret in secrets_key.subkeys():
            fields = {}
            for sub in secret.subkeys():
                fields[sub.name()] = sub.value('(default)').value()
            self.lsa_secrets[secret.name()] = fields

    for _name, fields in self.lsa_secrets.iteritems():
        for value_field in ("CurrVal", "OldVal"):
            blob = fields[value_field]
            if blob == "":
                continue
            # Policy version above 1.09 (NT6 and later) is decrypted with
            # the per-GUID key table in self.lsakeys; older hives go
            # through SystemFunction005 with the single LSA key.
            if self.policy["value"] > 1.09:  # NT6
                fields[value_field] = crypto.decrypt_lsa_secret(blob, self.lsakeys)
            else:
                # The first 0xc bytes of the legacy blob are skipped before
                # decryption; their layout is not shown here.
                fields[value_field] = crypto.SystemFunction005(blob[0xc:], legacy_key)
        for time_field in ("OupdTime", "CupdTime"):
            # NOTE(review): under Python 2 a str compares greater than any
            # int, so this guard does not skip empty string values — confirm
            # Eater tolerates that.
            if fields[time_field] > 0:
                ticks = eater.Eater(fields[time_field]).eat("Q")
                # FILETIME -> Unix epoch: 10^7 ticks per second, minus the
                # 1601-01-01 to 1970-01-01 offset in seconds.
                fields[time_field] = (ticks / 10000000) - 11644473600
    return self.lsa_secrets
def test_decrypt_lsa_secret(self):
    """Decrypt a fixed NT6-style LSA secret blob and compare to the known plaintext.

    The ciphertext, the 32-byte LSA key and the expected output are
    static test vectors.  The key table handed to
    ``crypto.decrypt_lsa_secret`` maps the GUID carried in the blob
    header (bytes 4..19, little-endian fields) to its key material.
    """
    ciphertext_hex = (
        "00000001b31b971b40ab9c1ba577d333"
        "685b2f430300000000000000f725e552"
        "7ebd98a928a9e903ddd243a7baa9761b"
        "43237f66ce9a0061652b429269c06e25"
        "d84e8e52195265497843fa95ce3b5472"
        "42c0dea92ab8e7ff0cf266e7e59b7583"
        "3a8a6c92d125cc866198db59e77f66c4"
        "fe1f4f92d276aff94e29a685"
    )
    ciphertext = ciphertext_hex.decode("hex")

    lsa_key_hex = "c6afbd790aa01079860362face32818b155facf4666a0e061b91597c46c9d1a8"
    lsa_key = lsa_key_hex.decode("hex")

    expected_hex = (
        "01 00 00 00 EB F6 82 84 52 F6 CA 25 BA 36 2F CD"
        "6C 76 36 88 70 70 87 CD 1C 14 65 17 23 BF EB 3A"
        "0E 96 25 31 36 8A DF 95 44 DE D9 78"
    )
    expected = expected_hex.replace(" ", "").decode("hex")

    key_table = {"1b971bb3-ab40-1b9c-a577-d333685b2f43": {"key": lsa_key}}
    plaintext = crypto.decrypt_lsa_secret(ciphertext, key_table)
    self.assertEqual(plaintext, expected)
def get_lsa_secrets(self, security, system):
    """Retrieve and decrypt the LSA secrets held in a SECURITY hive file.

    ``security`` and ``system`` are paths to the on-disk registry hives.
    ``self.get_syskey(system)`` and ``self.get_lsa_key(security)`` run
    first so the decryption keys are available.

    Returns a dict keyed by the subkey names under ``Policy\\Secrets``;
    each value is a dict of that secret's subkeys (``CurrVal``,
    ``OldVal``, ``OupdTime``, ``CupdTime``, ...) to their ``(default)``
    data, with non-empty ``CurrVal``/``OldVal`` decrypted in place and the
    two timestamps converted from FILETIME ticks to Unix epoch seconds.
    The same dict is retained on ``self.lsa_secrets``.
    """
    self.get_syskey(system)
    legacy_key = self.get_lsa_key(security)

    def filetime_to_epoch(raw):
        # 100-ns ticks since 1601-01-01 -> seconds since 1970-01-01.
        return (eater.Eater(raw).eat("Q") / 10000000) - 11644473600

    self.lsa_secrets = {}
    with open(security, 'rb') as hive:
        reg = Registry.Registry(hive)
        for secret_key in reg.open("Policy\\Secrets").subkeys():
            self.lsa_secrets[secret_key.name()] = dict(
                (sub.name(), sub.value('(default)').value())
                for sub in secret_key.subkeys()
            )

    for name in self.lsa_secrets:
        fields = self.lsa_secrets[name]
        for value_field in ("CurrVal", "OldVal"):
            if fields[value_field] == "":
                continue
            # Policy version > 1.09 (NT6 and later) uses the per-GUID key
            # table in self.lsakeys; earlier hives use SystemFunction005
            # with the single LSA key, skipping a 0xc-byte header.
            if self.policy["value"] > 1.09:  # NT6
                fields[value_field] = crypto.decrypt_lsa_secret(
                    fields[value_field], self.lsakeys)
            else:
                fields[value_field] = crypto.SystemFunction005(
                    fields[value_field][0xc:], legacy_key)
        for time_field in ("OupdTime", "CupdTime"):
            # NOTE(review): in Python 2 any str is > any int, so an empty
            # string is not filtered out here — confirm Eater handles it.
            if fields[time_field] > 0:
                fields[time_field] = filetime_to_epoch(fields[time_field])
    return self.lsa_secrets