def decrypt_lsa_key_nt6(lsakey, syskey):
    """
    Recover the LSA key table from the `lsakey` blob using `syskey`.

    The AES key is the SHA-256 digest of `syskey` followed by bytes 28..59 of
    `lsakey` fed in 1000 times. Everything from byte 60 onward is then run
    through the ECB cipher one AES_BLOCK_SIZE chunk at a time.

    Returns a `(current_key_id, keys)` tuple in which `keys` maps each key id
    string to `{"type": <int>, "key": <raw key bytes>}`.
    """
    # The "0" flag carries no width, so no field is zero padded: the result is
    # not a canonical GUID string and distinct byte sequences can render to
    # the same text. Any lookup has to use this exact format string.
    guid_fmt = "%0x-%0x-%0x-%0x%0x-%0x%0x%0x%0x%0x%0x"

    digest = hashlib.sha256(syskey)
    salt = lsakey[28:60]
    for _ in range(1000):
        digest.update(salt)

    # NOTE(review): encrypt() is called on data this function is documented as
    # decrypting - confirm what AESModeOfOperationECB.encrypt does here.
    cipher = AESModeOfOperationECB(digest.digest())
    payload = lsakey[60:]
    chunks = []
    for start in range(0, len(payload), AES_BLOCK_SIZE):
        chunks.append(cipher.encrypt(payload[start:start + AES_BLOCK_SIZE]))
    plain = b"".join(chunks)

    # The first dword is the body length; the body itself starts at byte 16.
    body_len = struct.unpack_from("<L", plain)[0]
    body = plain[16:16 + body_len]

    current_id = guid_fmt % struct.unpack("<L2H8B", body[4:20])
    entry_count = struct.unpack("<L", body[24:28])[0]

    # Each entry: 16-byte id, dword type, dword length, then `length` key bytes.
    # Both count and lengths come from the decoded blob and are not bounds
    # checked; slices past the end simply come back short.
    table = {}
    cursor = 28
    for _ in range(entry_count):
        entry_id = guid_fmt % struct.unpack("<L2H8B", body[cursor:cursor + 16])
        key_type, key_len = struct.unpack_from("<2L", body[cursor + 16:])
        key_start = cursor + 24
        table[entry_id] = {"type": key_type, "key": body[key_start:key_start + key_len]}
        cursor = key_start + key_len

    return (current_id, table)
def decrypt_lsa_key_nt6(lsakey, syskey):
    """
    Decode the LSA key list held in `lsakey`, keyed from `syskey`.

    Key derivation: SHA-256 over `syskey`, then `lsakey[28:60]` appended 1000
    times. The digest keys an ECB cipher that is applied to `lsakey[60:]` in
    AES_BLOCK_SIZE pieces.

    Returns `(current_key_id, keys)`; `keys` is a dict from key id string to
    `{"type": <int>, "key": <raw key bytes>}`.
    """
    def format_key_id(raw):
        # Fields are printed without zero padding ("%0x" has no width), so the
        # text is not a canonical GUID and is only comparable with ids
        # produced by the same format string.
        return "%0x-%0x-%0x-%0x%0x-%0x%0x%0x%0x%0x%0x" % struct.unpack("<L2H8B", raw)

    hasher = hashlib.sha256()
    hasher.update(syskey)
    rounds_left = 1000
    while rounds_left:
        hasher.update(lsakey[28:60])
        rounds_left -= 1

    # NOTE(review): the docstring says "decrypt" but the cipher's encrypt() is
    # what gets called - verify against the AESModeOfOperationECB in use.
    aes = AESModeOfOperationECB(hasher.digest())
    encrypted = lsakey[60:]
    decoded = b"".join(
        aes.encrypt(encrypted[pos:pos + AES_BLOCK_SIZE])
        for pos in range(0, len(encrypted), AES_BLOCK_SIZE)
    )

    # Leading dword = length of the record that starts at byte 16.
    record_len = struct.unpack_from("<L", decoded)[0]
    record = decoded[16:16 + record_len]

    currentkey = format_key_id(record[4:20])
    remaining = struct.unpack("<L", record[24:28])[0]

    # Walk the variable-length entries: id (16 bytes), type and length
    # (two dwords), then the key bytes. Lengths are taken from the decoded
    # data as-is, with no bounds check.
    entries = {}
    pos = 28
    while remaining > 0:
        entry_id = format_key_id(record[pos:pos + 16])
        entry_type, entry_len = struct.unpack_from("<2L", record[pos + 16:])
        entries[entry_id] = {
            "type": entry_type,
            "key": record[pos + 24:pos + 24 + entry_len],
        }
        pos += 24 + entry_len
        remaining -= 1

    return (currentkey, entries)
def transform_key(key, seed, rounds):
    """Apply AES-ECB keyed by `seed` to `key` `rounds` times, then hash it.

    Every round passes the whole of `key` to the cipher's `encrypt` in one
    call and feeds the output into the next round. When `rounds` is 0 nothing
    is encrypted and the result is simply `sha256(key)`, so the round count is
    the only work factor this function contributes.
    """
    # NOTE(review): the full key goes to encrypt() in a single call; confirm
    # the cipher accepts input longer than one AES block.
    aes = AESModeOfOperationECB(seed)

    state = key
    for _ in range(rounds):
        state = aes.encrypt(state)

    return sha256(state)
def transform_key(key, seed, rounds):
    """Apply AES-ECB keyed by `seed` to `key` `rounds` times, then hash it.

    In each round `key` is cut into AES_BLOCK_SIZE pieces, every piece is
    encrypted on its own, and the outputs are concatenated to form the input
    of the next round. Blocks never influence one another (ECB). A trailing
    piece shorter than AES_BLOCK_SIZE is handed to the cipher unpadded.

    When `rounds` is 0 the result is simply `sha256(key)`; the round count is
    the only work factor this function contributes.
    """
    aes = AESModeOfOperationECB(seed)

    for _ in range(rounds):
        pieces = []
        for start in range(0, len(key), AES_BLOCK_SIZE):
            pieces.append(aes.encrypt(key[start:start + AES_BLOCK_SIZE]))
        key = b"".join(pieces)

    # Hash the final state so the caller gets a digest, not cipher output.
    return sha256(key)
def transform_key(key, seed, rounds):
    """Run `key` through `rounds` passes of AES-ECB keyed by `seed`; hash the result.

    A pass encrypts `key` one AES_BLOCK_SIZE slice at a time and joins the
    outputs. The slices are processed independently of each other, and a
    final slice shorter than AES_BLOCK_SIZE reaches the cipher unpadded.

    `rounds` is the sole cost parameter here: with 0 rounds the function
    returns `sha256(key)` without touching the cipher's `encrypt`.
    """
    aes = AESModeOfOperationECB(seed)

    def one_pass(data):
        # Block-by-block ECB over the whole buffer.
        return b"".join(
            aes.encrypt(data[at:at + AES_BLOCK_SIZE])
            for at in range(0, len(data), AES_BLOCK_SIZE)
        )

    for _ in range(rounds):
        key = one_pass(key)

    return sha256(key)
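def decrypt_lsa_secret(secret, lsa_keys):
    """
    Decode one LSA secret blob with the matching entry of `lsa_keys`.

    This function replaces SystemFunction005 for newer Windows.

    `secret` carries a 16-byte key id at offset 4, an algorithm dword at
    offset 20, 32 bytes of per-secret data at offset 28 and the payload from
    offset 60. `lsa_keys` maps key id strings to dicts with a "key" entry.

    Returns the decoded payload bytes, or None when the key id found in
    `secret` is not present in `lsa_keys`.
    """
    # No field is zero padded ("%0x" has no width), so this only matches ids
    # that were rendered with the same format string.
    keyid = "%0x-%0x-%0x-%0x%0x-%0x%0x%0x%0x%0x%0x" % struct.unpack("<L2H8B", secret[4:20])
    if keyid not in lsa_keys:
        return None

    # Parsed but never consulted: the AES path below runs whatever this holds.
    algo = struct.unpack("<L", secret[20:24])[0]

    dg = hashlib.sha256()
    dg.update(lsa_keys[keyid]["key"])
    salt = secret[28:60]
    # range() instead of xrange(): xrange is undefined on Python 3 and raised
    # NameError for every secret whose key id was known.
    for _ in range(1000):
        dg.update(salt)

    # NOTE(review): encrypt() is called on data being decoded - confirm what
    # AESModeOfOperationECB.encrypt does in this project.
    c = AESModeOfOperationECB(dg.digest())
    payload = secret[60:]
    clear = b"".join([
        c.encrypt(payload[i:i + AES_BLOCK_SIZE])
        for i in range(0, len(payload), AES_BLOCK_SIZE)
    ])

    # Leading dword is the length of the data that starts at byte 16; it is
    # taken from the decoded blob without a bounds check.
    size = struct.unpack_from("<L", clear)[0]
    return clear[16:16 + size]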