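def dump_file_hashes(syshive_fname, sechive_fname):
    """Print one output line per entry that dump_hashes yields for two hive files.

    Args:
        syshive_fname: path to the system hive file (per the parameter name).
        sechive_fname: path to the security hive file (per the parameter name).

    Each line has the form ``user:hexhash:domain:domainname``: the three
    text fields lower-cased and the hash field hex-encoded, written to
    stdout. The hash field is raw credential material as returned by
    dump_hashes; nothing is filtered or masked here.
    """
    sysaddr = HiveFileAddressSpace(syshive_fname)
    secaddr = HiveFileAddressSpace(sechive_fname)
    # Call the hash field ``digest`` so the ``hash`` builtin is not shadowed
    # inside the loop.
    for user, domain, domain_name, digest in dump_hashes(sysaddr, secaddr):
        print "%s:%s:%s:%s" % (user.lower(), digest.encode('hex'),
                               domain.lower(), domain_name.lower())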
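def dump_file_hashes(syshive_fname, sechive_fname):
    """Return the formatted hash lines for two hive files instead of printing them.

    Args:
        syshive_fname: path to the system hive file (per the parameter name).
        sechive_fname: path to the security hive file (per the parameter name).

    Returns:
        list of str, one ``user:hexhash:domain:domainname`` line per entry
        from dump_hashes (text fields lower-cased, hash hex-encoded). Empty
        list when dump_hashes yields nothing. The hash field is raw
        credential material.
    """
    sysaddr = HiveFileAddressSpace(syshive_fname)
    secaddr = HiveFileAddressSpace(sechive_fname)
    # Single-pass comprehension replaces the append loop; ``digest`` avoids
    # shadowing the ``hash`` builtin.
    return [
        "%s:%s:%s:%s" % (user.lower(), digest.encode('hex'),
                         domain.lower(), domain_name.lower())
        for user, domain, domain_name, digest in dump_hashes(sysaddr, secaddr)
    ]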
def dump_file_hashes(syshive_fname, samhive_fname):
    """Open the system and SAM hive files and return whatever dump_hashes gives.

    Both file names are echoed to stdout first. Any exception raised while
    opening the hives or dumping is printed and swallowed; in that case the
    return value is the empty string rather than the dump_hashes result, so
    callers cannot distinguish "no entries" from "failed" by truthiness
    alone (the traceback is also lost, only ``str(exception)`` is shown).
    """
    print syshive_fname
    print samhive_fname
    result = ''
    try:
        # Arguments are evaluated left to right: system hive opens first,
        # then the SAM hive, then the dump runs.
        result = dump_hashes(HiveFileAddressSpace(syshive_fname),
                             HiveFileAddressSpace(samhive_fname))
    except Exception as err:
        print err
    return result
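def dsReadNtdsMachineDNName():
    """Read the "Machine DN Name" parameter of the NTDS service from the system hive.

    Every keytab entry must include a realm that may be extracted from the
    user principal name attribute of the corresponding principal object.
    However some security principals have blank user principal names, so we
    need to get the realm another way. You may notice that the user
    principal name is missing on computer accounts and on user accounts that
    were created on the server before it was promoted to Domain Controller.
    For example, the Guest and Administrator accounts do not have user
    principal names.

    The default realm is the upper-cased domain name. The domain name is
    stored in the ATTm1376281 attribute of the Dns-Zone object
    (dsGetTypeIdByTypeName(db, "Dns-Zone")). Unfortunately there are a
    number of Dns-Zone objects and it is unclear how to select the right
    one. Dns-Zone records probably originate from the DNS service hosted on
    the same machine. The Active Directory Domain Services Installation
    Wizard insists on installing DNS, but it is not impossible to bump into
    a Domain Controller missing DNS.

    The idea implemented here relies on reading the parameters of the NTDS
    service, namely the "Machine DN Name" value. It is the distinguished
    name of the current machine. For example:

        CN=NTDS Settings,CN=WIN2008X64R2S7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=universe3,DC=test

    Components at the end of the value prefixed with "DC=" are the parts of
    the domain. You are welcome to propose a better way of detecting the
    current domain.

    Reads the module-level ``systemHive`` path and the helpers
    find_control_set, get_root and open_key.

    Returns:
        The value as a unicode string with NUL padding stripped, or None
        when the hive root or the Parameters key cannot be opened, the
        value is absent, its type is not 1 (REG_SZ), or its data is stored
        inline (high bit of DataLength set, which is not implemented here).
    """
    sysaddr = HiveFileAddressSpace(systemHive)
    cs = find_control_set(sysaddr)
    ntdsParams = ["ControlSet%03d" % cs, "services", "NTDS", "Parameters"]
    root = get_root(sysaddr)
    if not root:
        return None
    key = open_key(root, ntdsParams)
    if not key:
        return None
    # Registry value names are case-insensitive; compare lower-cased once.
    wanted = "machine dn name"
    for v in key.ValueList.List:
        if v.Name.lower() != wanted:
            continue
        if v.Type.value != 1:
            # Only REG_SZ (type 1) is handled.
            return None
        if v.DataLength.value & (1 << 31) != 0:
            # High bit of DataLength set: data lives inline in the Data
            # field instead of a separate cell. Not implemented.
            return None
        data = v.space.read(v.Data.value, v.DataLength.value)
        # REG_SZ payload is UTF-16LE without a BOM. Decode with the explicit
        # little-endian codec: plain 'utf-16' falls back to the host's
        # native byte order when no BOM is present, which would mis-decode
        # on a big-endian host.
        return data.decode('utf-16-le').strip(u'\x00')
    return None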
def dump_file_hashes(syshive_fname, samhive_fname):
    """Open both hive files as address spaces and hand them to dump_hashes.

    Args:
        syshive_fname: path to the system hive file.
        samhive_fname: path to the SAM hive file.

    Returns whatever dump_hashes returns; any exception propagates to the
    caller (no handling here).
    """
    # Left-to-right evaluation keeps the original order: system hive first.
    return dump_hashes(HiveFileAddressSpace(syshive_fname),
                       HiveFileAddressSpace(samhive_fname))
def get_syskey(syshive_fname):
    """Return the boot key that get_bootkey derives from a system hive file.

    Args:
        syshive_fname: path to the system hive file.

    Thin wrapper: the hive is opened as a HiveFileAddressSpace and the
    result of get_bootkey is returned unchanged. The boot key is the
    material other hive parsers use to decrypt stored secrets.
    """
    return get_bootkey(HiveFileAddressSpace(syshive_fname))
def get_file_secrets(Key, secfile):
    """Return get_secrets(Key, space) where space is secfile opened as a hive.

    Args:
        Key: key object passed straight through to get_secrets
             (presumably the boot key; not inspected here).
        secfile: path to the security hive file.
    """
    return get_secrets(Key, HiveFileAddressSpace(secfile))
def dump_file_hashes(Key, samhive_fname):
    """Open the SAM hive file and return dump_hashes(Key, <hive space>).

    Args:
        Key: key object forwarded unchanged to dump_hashes
             (presumably the boot key; not inspected here).
        samhive_fname: path to the SAM hive file.
    """
    return dump_hashes(Key, HiveFileAddressSpace(samhive_fname))
def get_file_secrets(sysfile, secfile, vista):
    """Open the system and security hive files and call get_secrets on them.

    Args:
        sysfile: path to the system hive file.
        secfile: path to the security hive file.
        vista: flag forwarded unchanged to get_secrets
               (presumably selects the Vista-and-later format; not used here).

    Returns whatever get_secrets returns; exceptions propagate.
    """
    # Evaluation order matches the original: system hive opened first.
    return get_secrets(HiveFileAddressSpace(sysfile),
                       HiveFileAddressSpace(secfile),
                       vista)
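def dump_file_hashes(syshive_fname, sechive_fname, vista):
    """Print one output line per entry that dump_hashes yields for two hive files.

    Args:
        syshive_fname: path to the system hive file (per the parameter name).
        sechive_fname: path to the security hive file (per the parameter name).
        vista: flag forwarded unchanged to dump_hashes
               (presumably selects the Vista-and-later format; not used here).

    Each line has the form ``user:hexhash:domain:domainname``: the three
    text fields lower-cased and the hash field hex-encoded via bytes.hex(),
    written to stdout. The hash field is raw credential material as
    returned by dump_hashes; nothing is filtered or masked here.
    """
    sysaddr = HiveFileAddressSpace(syshive_fname)
    secaddr = HiveFileAddressSpace(sechive_fname)
    # Call the hash field ``digest`` so the ``hash`` builtin is not shadowed
    # inside the loop.
    for user, domain, domain_name, digest in dump_hashes(sysaddr, secaddr, vista):
        print("%s:%s:%s:%s" % (user.lower(), digest.hex(),
                               domain.lower(), domain_name.lower()))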