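def dump_hashes(addr_space, sysaddr, secaddr):
    """Recover the cached logon entries stored under the ``Cache`` registry key.

    Key material is derived in a chain: the boot key from ``sysaddr``, the LSA
    key from ``secaddr`` plus the boot key, then the NL$KM secret from the LSA
    key. Every value under ``Cache`` except ``NL$Control`` is then parsed,
    decrypted and split into its fields.

    Args:
        addr_space: Address space of the image; its profile metadata supplies
            the OS major version.
        sysaddr: Hive the boot key is read from (presumably SYSTEM -- confirm
            against the caller).
        secaddr: Hive holding the LSA key, NL$KM and the ``Cache`` key
            (presumably SECURITY -- confirm against the caller).

    Returns:
        A list of ``(username, domain, domain_name, hash)`` tuples holding
        credential material recovered from the image. The list is empty when
        any key in the chain or the ``Cache`` key cannot be obtained, or when
        no populated entry is found.
    """
    bootkey = hashdump.get_bootkey(sysaddr)
    if not bootkey:
        return []

    lsakey = lsasecrets.get_lsa_key(addr_space, secaddr, bootkey)
    if not lsakey:
        return []

    nlkm = get_nlkm(addr_space, secaddr, lsakey)
    if not nlkm:
        return []

    root = rawreg.get_root(secaddr)
    if not root:
        return []

    cache = rawreg.open_key(root, ["Cache"])
    if not cache:
        return []

    # Major version 5 is forwarded to decrypt_hash as a flag; presumably it
    # selects the older decryption scheme -- confirm in decrypt_hash.
    xp = addr_space.profile.metadata.get('major', 0) == 5

    hashes = []
    for v in rawreg.values(cache):
        # NL$Control lives beside the entries but is not parsed as one.
        if v.Name == "NL$Control":
            continue

        data = v.obj_vm.read(v.Data, v.DataLength)
        # Identity test: read() signals "no data" with None, and `== None`
        # would defer to whatever __eq__ the returned object defines.
        if data is None:
            continue

        (uname_len, domain_len, domain_name_len,
         enc_data, ch) = parse_cache_entry(data)

        # Skip if nothing in this cache entry
        if uname_len == 0:
            continue

        dec_data = decrypt_hash(enc_data, nlkm, ch, xp)

        (username, domain, domain_name, hashh) = parse_decrypted_cache(
            dec_data, uname_len, domain_len, domain_name_len)

        hashes.append((username, domain, domain_name, hashh))

    return hashes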
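def dump_hashes(addr_space, sysaddr, secaddr):
    """Decrypt and return every populated entry of the ``Cache`` registry key.

    The decryption key (NL$KM) is reached through the boot key taken from
    ``sysaddr`` and the LSA key taken from ``secaddr``. If any step of that
    chain fails, or the ``Cache`` key cannot be opened, nothing is returned.

    Args:
        addr_space: Address space of the image; ``profile.metadata`` is
            consulted for the OS major version.
        sysaddr: Hive passed to ``hashdump.get_bootkey`` (presumably the
            SYSTEM hive -- confirm against the caller).
        secaddr: Hive used for the LSA key, NL$KM and the ``Cache`` key
            (presumably the SECURITY hive -- confirm against the caller).

    Returns:
        list: ``(username, domain, domain_name, hash)`` tuples, one per
        populated cache entry; ``[]`` on any lookup failure. The tuples
        contain credential material recovered from the image.
    """
    bootkey = hashdump.get_bootkey(sysaddr)
    if not bootkey:
        return []

    lsakey = lsasecrets.get_lsa_key(addr_space, secaddr, bootkey)
    if not lsakey:
        return []

    nlkm = get_nlkm(addr_space, secaddr, lsakey)
    if not nlkm:
        return []

    root = rawreg.get_root(secaddr)
    if not root:
        return []

    cache = rawreg.open_key(root, ["Cache"])
    if not cache:
        return []

    # True only for major version 5; decrypt_hash receives it as a flag
    # (presumably to pick the older decryption path -- confirm there).
    xp = addr_space.profile.metadata.get('major', 0) == 5

    results = []
    for value in rawreg.values(cache):
        # The NL$Control value is not handed to the entry parser.
        if value.Name == "NL$Control":
            continue

        data = value.obj_vm.read(value.Data, value.DataLength)
        # `is None` instead of `== None`: an identity test cannot be
        # affected by a custom __eq__ on the object read() returns.
        if data is None:
            continue

        uname_len, domain_len, domain_name_len, enc_data, ch = \
            parse_cache_entry(data)

        # Skip if nothing in this cache entry
        if uname_len == 0:
            continue

        dec_data = decrypt_hash(enc_data, nlkm, ch, xp)
        username, domain, domain_name, hashh = parse_decrypted_cache(
            dec_data, uname_len, domain_len, domain_name_len)
        results.append((username, domain, domain_name, hashh))

    return results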
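def dump_hashes(sysaddr, secaddr):
    """Decrypt the entries stored under the ``Cache`` registry key.

    The boot key is taken from ``sysaddr``, the LSA key from ``secaddr`` plus
    the boot key, and NL$KM from ``secaddr`` plus the LSA key. Every value
    under ``Cache`` other than ``NL$Control`` is then parsed and decrypted.

    Args:
        sysaddr: Hive passed to ``hashdump.get_bootkey`` (presumably the
            SYSTEM hive -- confirm against the caller).
        secaddr: Hive used for the LSA key, NL$KM and the ``Cache`` key
            (presumably the SECURITY hive -- confirm against the caller).

    Returns:
        A list of ``(username, domain, domain_name, hash)`` tuples holding
        credential material recovered from the image, or ``None`` (not an
        empty list) when the boot key, LSA key, NL$KM, hive root or ``Cache``
        key cannot be obtained. Callers must test for ``None`` before
        iterating.
    """
    bootkey = hashdump.get_bootkey(sysaddr)
    if not bootkey:
        return None

    lsakey = lsasecrets.get_lsa_key(secaddr, bootkey)
    if not lsakey:
        return None

    nlkm = get_nlkm(secaddr, lsakey)
    if not nlkm:
        return None

    root = rawreg.get_root(secaddr)
    if not root:
        return None

    cache = rawreg.open_key(root, ["Cache"])
    if not cache:
        return None

    hashes = []
    for v in rawreg.values(cache):
        # NL$Control lives beside the entries but is not parsed as one.
        if v.Name == "NL$Control":
            continue

        data = v.obj_vm.read(v.Data, v.DataLength)
        # If read() yields None, skip the value instead of handing None to
        # the parser; one unreadable value should not abort the whole listing.
        if data is None:
            continue

        (uname_len, domain_len, domain_name_len,
         enc_data, ch) = parse_cache_entry(data)

        # Skip if nothing in this cache entry
        if uname_len == 0:
            continue

        dec_data = decrypt_hash(enc_data, nlkm, ch)

        (username, domain, domain_name, hashh) = parse_decrypted_cache(
            dec_data, uname_len, domain_len, domain_name_len)

        hashes.append((username, domain, domain_name, hashh))

    return hashes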