def dump_file_hashes(syshive_fname, sechive_fname):
    """
    Print every entry produced by dump_hashes() for the two hive files.

    Parameters are file names (the names suggest a SYSTEM and a SECURITY
    hive; confirm against dump_hashes). Each 4-tuple yielded by dump_hashes()
    is printed as ``first:hexdigest:third:fourth`` with the three text fields
    lower-cased and the second field hex-encoded. Returns None.
    """
    sysaddr = HiveFileAddressSpace(syshive_fname)
    secaddr = HiveFileAddressSpace(sechive_fname)

    line_fmt = "%s:%s:%s:%s"
    for (user, dom, dom_name, digest) in dump_hashes(sysaddr, secaddr):
        # Field meaning beyond "user" / "digest" is presumed from the caller's
        # naming (d, dn) -- verify against dump_hashes().
        fields = (user.lower(), digest.encode('hex'), dom.lower(),
                  dom_name.lower())
        print line_fmt % fields
def dump_file_hashes(syshive_fname, sechive_fname):
    """
    Return the dump_hashes() entries for the two hive files as formatted lines.

    Parameters are file names (the names suggest a SYSTEM and a SECURITY
    hive; confirm against dump_hashes). Each 4-tuple yielded by dump_hashes()
    becomes one string ``first:hexdigest:third:fourth`` with the three text
    fields lower-cased and the second field hex-encoded. Returns a list in
    the order dump_hashes() produced them (empty when there are none).
    """
    sysaddr = HiveFileAddressSpace(syshive_fname)
    secaddr = HiveFileAddressSpace(sechive_fname)

    line_fmt = "%s:%s:%s:%s"
    # Field meaning beyond "user" / "digest" is presumed from the original's
    # naming (d, dn) -- verify against dump_hashes().
    return [
        line_fmt % (user.lower(), digest.encode('hex'), dom.lower(),
                    dom_name.lower())
        for (user, dom, dom_name, digest) in dump_hashes(sysaddr, secaddr)
    ]
def dump_file_hashes(syshive_fname, samhive_fname):
    """
    Return dump_hashes() for the two hive files, best-effort.

    Both file names are echoed to stdout first. Any exception raised while
    opening either hive or while dumping is printed to stdout and swallowed;
    the empty string is returned in that case, so a caller cannot tell a
    failed dump from a legitimately empty result without inspecting the type
    of the return value.
    """
    for fname in (syshive_fname, samhive_fname):
        print fname

    result = ''
    try:
        spaces = [HiveFileAddressSpace(f) for f in (syshive_fname, samhive_fname)]
        result = dump_hashes(spaces[0], spaces[1])
    except Exception as err:
        # Deliberately best-effort: report and fall through to the '' default.
        print err
    return result
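def dsReadNtdsMachineDNName():
    """
    Return the "Machine DN Name" value of the NTDS service parameters, or None.

    Every keytab entry must include a realm that may be extracted from the user
    principal name attribute of the corresponding principal object. However
    some security principals have blank user principal names, so we need to get
    the realm another way.

    You may notice that user principal name is missing on computer accounts and
    on user accounts that were created on the server before it was promoted to
    Domain Controller. For example, Guest and Administrator accounts do not have
    user principal names. Default realm is the uppercased domain name.

    Domain name is stored in the ATTm1376281 attribute of Dns-Zone objects
    (dsGetTypeIdByTypeName(db, "Dns-Zone")). Unfortunately there are a number
    of Dns-Zone objects and it's unclear how to select the right one.
    Dns-Zone records probably originate from the DNS service hosted on the same
    machine. Active Directory Domain Services Installation Wizard insists on
    installing DNS, but it is not impossible to bump into a Domain Controller
    missing DNS.

    The idea implemented here relies on reading parameters of the NTDS service,
    namely the "Machine DN Name" value. It is the distinguished name of the
    current machine. For example:
    CN=NTDS Settings,CN=WIN2008X64R2S7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=universe3,DC=test
    Components at the end of the value prefixed with "DC=" are parts of the domain.

    You are welcome to propose a better way of detecting the current domain.

    Reads the module-level ``systemHive`` (a SYSTEM hive file name). Returns the
    value decoded from UTF-16 with NUL characters stripped, or None when the
    hive root, the key or the value cannot be found, when the value is not of
    type 1 (REG_SZ), or when the value data is stored inline (not implemented).
    """
    REG_SZ = 1
    # The registry marks value data that is stored inline in the value cell
    # (rather than at the offset in Data) by setting the high bit of DataLength;
    # that case is not handled here.
    INLINE_DATA_FLAG = 1 << 31

    sysaddr = HiveFileAddressSpace(systemHive)
    cs = find_control_set(sysaddr)
    ntdsParams = ["ControlSet%03d" % cs, "services", "NTDS", "Parameters"]
    root = get_root(sysaddr)
    if not root:
        return None
    key = open_key(root, ntdsParams)
    if not key:
        return None

    wanted = "machine dn name"
    for v in key.ValueList.List:
        if v.Name.lower() != wanted:
            continue
        if v.Type.value != REG_SZ:
            return None
        # Bug fix: the original test was `x & (1 << 31) != 0`, which Python
        # parses as `x & ((1 << 31) != 0)`, i.e. `x & 1`. That rejected every
        # odd-length value and never actually detected the inline-data flag.
        if v.DataLength.value & INLINE_DATA_FLAG:
            # not implemented
            return None
        data = v.space.read(v.Data.value, v.DataLength.value)
        # NOTE(review): 'utf-16' without a BOM decodes in host byte order;
        # REG_SZ data is UTF-16LE, so 'utf-16-le' would be the stricter choice
        # on big-endian hosts. Kept as-is to preserve existing behaviour.
        return data.decode('utf-16').strip(u'\x00')
    return None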
def dump_file_hashes(syshive_fname, samhive_fname):
    """
    Open both hive files and return whatever dump_hashes() produces for them.

    The parameter names suggest a SYSTEM hive and a SAM hive; the return value
    is passed through from dump_hashes() unchanged.
    """
    # Build the address spaces in the original order (SYSTEM first).
    spaces = [HiveFileAddressSpace(f) for f in (syshive_fname, samhive_fname)]
    return dump_hashes(*spaces)
def get_syskey(syshive_fname):
    """
    Return get_bootkey() for the hive file named by ``syshive_fname``.

    The result of get_bootkey() is returned as-is.
    """
    return get_bootkey(HiveFileAddressSpace(syshive_fname))
def get_file_secrets(Key, secfile):
    """
    Return get_secrets() for ``Key`` and the hive file named by ``secfile``.

    ``Key`` is forwarded untouched; ``secfile`` is opened as a
    HiveFileAddressSpace first.
    """
    return get_secrets(Key, HiveFileAddressSpace(secfile))
def dump_file_hashes(Key, samhive_fname):
    """
    Return dump_hashes() for ``Key`` and the hive file named by ``samhive_fname``.

    ``Key`` is forwarded untouched; the file is opened as a
    HiveFileAddressSpace first. The dump_hashes() result is returned as-is.
    """
    return dump_hashes(Key, HiveFileAddressSpace(samhive_fname))
def get_file_secrets(sysfile, secfile, vista):
    """
    Open both hive files and return get_secrets() for them.

    ``sysfile`` and ``secfile`` are file names opened as HiveFileAddressSpace
    objects (in that order); ``vista`` is forwarded to get_secrets() untouched.
    """
    spaces = [HiveFileAddressSpace(f) for f in (sysfile, secfile)]
    return get_secrets(spaces[0], spaces[1], vista)
def dump_file_hashes(syshive_fname, sechive_fname, vista):
    """
    Print every entry produced by dump_hashes() for the two hive files.

    Parameters are file names (the names suggest a SYSTEM and a SECURITY
    hive; confirm against dump_hashes) plus a ``vista`` flag forwarded to
    dump_hashes(). Each 4-tuple yielded is printed as
    ``first:hexdigest:third:fourth`` with the three text fields lower-cased
    and the second field rendered with bytes.hex(). Returns None.
    """
    sysaddr = HiveFileAddressSpace(syshive_fname)
    secaddr = HiveFileAddressSpace(sechive_fname)

    line_fmt = "%s:%s:%s:%s"
    for user, dom, dom_name, digest in dump_hashes(sysaddr, secaddr, vista):
        # Field meaning beyond "user" / "digest" is presumed from the original's
        # naming (d, dn) -- verify against dump_hashes().
        fields = (user.lower(), digest.hex(), dom.lower(), dom_name.lower())
        print(line_fmt % fields)