public IActionResult Create([FromBody] string content) { if (content == null) { return(BadRequest()); } byte[] cipherText = Convert.FromBase64String(content); string plaintext; // AES encrypt the password { sCrypt.setConfig(this.Configuration); sCrypt.SetKey("AES"); plaintext = sCrypt.Decrypt(content); } // Read XML and parse RegParser parser = new RegParser(plaintext, Configuration, sCrypt, aGuid); parser.Parse(); // does order already exist ? _context.Auser.Add(parser.auser); _context.Sources.Add(parser.source); foreach (AOrder _order in parser.itemorders) { _context.AOrder.Add(_order); } _context.SaveChanges(); return(Ok(true)); }
/// <summary> /// /// </summary> /// <returns></returns> private List <ProfilePath> ExtractProfilePaths() { RegParser regParser = new RegParser(_softwareFile); RegKey rootKey = regParser.RootKey; RegKey regKey = rootKey.Key("Microsoft\\Windows NT\\CurrentVersion\\ProfileList"); if (regKey == null) { Console.WriteLine("Unable to locate the following registry key: Microsoft\\Windows NT\\CurrentVersion\\ProfileList"); return(null); } List <ProfilePath> profilePaths = new List <ProfilePath>(); List <RegKey> subKeys = regKey.SubKeys; for (int index = 0; index < subKeys.Count; index++) { RegValue regValue = subKeys[index].Value("ProfileImagePath"); if (regValue == null) { continue; } ProfilePath profilePath = new ProfilePath(); string temp = regValue.Data.ToString().Replace("\0", string.Empty); profilePath.Path = temp; profilePath.Rid = woanware.Helper.RemoveHivePrefix(subKeys[index].Name).Replace("Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\", string.Empty); profilePaths.Add(profilePath); } return(profilePaths); }
/// <summary> /// /// </summary> /// <param name="bootKey"></param> /// <returns></returns> private byte[] GenerateHashedBootKey(List <byte> bootKey) { try { RegParser regParser = new RegParser(_samFile); RegKey rootKey = regParser.RootKey; RegKey regKey = rootKey.Key(@"SAM\Domains\Account"); if (regKey == null) { this.OnError("Unable to locate the following registry key: SAM\\SAM\\Domains\\Account"); return(null); } RegValue regValue = regKey.Value("F"); if (regValue == null) { this.OnError("Unable to locate the following registry key: SAM\\SAM\\Domains\\Account\\F"); return(null); } byte[] hashedBootKey = new byte[16]; Buffer.BlockCopy((byte[])regValue.Data, 112, hashedBootKey, 0, 16); //this.PrintHex("Hashed bootkey", hashedBootKey.ToArray()); List <byte> data = new List <byte>(); data.AddRange(hashedBootKey.ToArray()); data.AddRange(Encoding.ASCII.GetBytes(_aqwerty)); data.AddRange(bootKey.ToArray()); data.AddRange(Encoding.ASCII.GetBytes(_anum)); byte[] md5 = MD5.Create().ComputeHash(data.ToArray()); byte[] encData = new byte[32]; byte[] encOutput = new byte[32]; Buffer.BlockCopy((byte[])regValue.Data, 128, encData, 0, 32); RC4Engine rc4Engine = new RC4Engine(); rc4Engine.Init(true, new KeyParameter(md5)); rc4Engine.ProcessBytes(encData, 0, 32, encOutput, 0); return(encOutput); } catch (Exception ex) { this.OnError("An error occured whilst generating the hashed boot key"); Misc.WriteToEventLog(Application.ProductName, ex.Message, EventLogEntryType.Error); return(null); } }
private void RunParser() { try { var inputStream = new AntlrInputStream(Pattern); var lexer = new RegLexer(inputStream); var tokenStream = new CommonTokenStream(lexer); var parser = new RegParser(tokenStream); var headContext = parser.pattern(); var visitor = new RegVisitor(); visitor.Alphabet = Alphabet; Line = (PatternLine)visitor.Visit(headContext); } catch (Exception ex) { Console.WriteLine("Error: " + ex); } }
public IActionResult Post([FromBody] string value) { if (value == null) { return(BadRequest()); } // Read XML and parse RegParser parser = new RegParser(value, this.Configuration, sCrypt, aGuid); parser.Parse(); _context.Auser.Add(parser.auser); _context.Sources.Add(parser.source); foreach (AOrder _order in parser.itemorders) { _context.AOrder.Add(_order); } _context.SaveChanges(); return(Ok(true)); }
/// <summary> /// /// </summary> /// <param name="path"></param> /// <returns></returns> private List <UserGroup> ExtractGroups() { RegParser regParser = new RegParser(_samFile); RegKey rootKey = regParser.RootKey; RegKey regKey = rootKey.Key("SAM\\Domains\\Builtin\\Aliases"); if (regKey == null) { Console.WriteLine("Unable to locate the following registry key: SAM\\Domains\\Builtin\\Aliases"); return(null); } List <UserGroup> userGroups = new List <UserGroup>(); List <RegKey> regKeys = regKey.SubKeys; for (int indexKeys = 0; indexKeys < regKeys.Count; indexKeys++) { //Console.WriteLine(regKeys[indexKeys].Name); RegValue regValue = regKeys[indexKeys].Value("C"); if (regValue == null) { continue; } byte[] data = (byte[])regValue.Data; int offset = BitConverter.ToInt32((byte[])data, 16); int length = BitConverter.ToInt32((byte[])data, 20); offset += 52; byte[] extract = new byte[length]; Buffer.BlockCopy(data, offset, extract, 0, length); // Group Name //Console.WriteLine("Group Name: " + Functions.ConvertUnicodeToAscii(Functions.ByteArray2String(extract, false, false))); string groupName = Text.ConvertUnicodeToAscii(Text.ByteArray2String(extract, false, false)); offset = BitConverter.ToInt32((byte[])data, 28); length = BitConverter.ToInt32((byte[])data, 32); offset += 52; extract = new byte[length]; Buffer.BlockCopy(data, offset, extract, 0, length); // Comment //Console.WriteLine("Comment: " + Functions.ConvertUnicodeToAscii(Functions.ByteArray2String(extract, false, false))); int users = BitConverter.ToInt32((byte[])data, 48); // No. Users //Console.WriteLine("No. Users: " + users); offset = BitConverter.ToInt32((byte[])data, 40); length = BitConverter.ToInt32((byte[])data, 44); if (users > 0) { int count = 0; for (int indexUsers = 1; indexUsers <= users; indexUsers++) { int dataOffset = offset + 52 + count; int sidType = BitConverter.ToInt32((byte[])data, dataOffset); UserGroup userGroup = new UserGroup(); if (sidType == 257) { extract = new byte[12]; Buffer.BlockCopy(data, dataOffset, extract, 0, 12); int rev = extract[0]; int dashes = BitConverter.ToInt32((byte[])extract, 1); byte[] ntauthData = new byte[8]; Buffer.BlockCopy(extract, 2, ntauthData, 2, 6); string ntauth = Text.ConvertByteArrayToHexString(ntauthData); ntauth = Regex.Replace(ntauth, "^0+", string.Empty); byte[] ntnonunique = new byte[4]; Buffer.BlockCopy(extract, 8, ntnonunique, 0, 4); uint intntnonunique = BitConverter.ToUInt32((byte[])ntnonunique, 0); //Console.WriteLine("S-" + rev + "-" + ntauth + "-" + intntnonunique); userGroup.Group = groupName; userGroup.Rid = "S-" + rev + "-" + ntauth + "-" + intntnonunique; userGroups.Add(userGroup); count += 12; } else if (sidType == 1281) { extract = new byte[26]; Buffer.BlockCopy(data, dataOffset, extract, 0, 26); int rev = extract[0]; int dashes = BitConverter.ToInt32((byte[])extract, 1); byte[] ntauthData = new byte[8]; Buffer.BlockCopy(extract, 2, ntauthData, 2, 6); string ntauth = Text.ConvertByteArrayToHexString(ntauthData); ntauth = Regex.Replace(ntauth, "^0+", string.Empty); byte[] ntnonunique = new byte[4]; Buffer.BlockCopy(extract, 8, ntnonunique, 0, 4); uint intntnonunique = BitConverter.ToUInt32((byte[])ntnonunique, 0); byte[] part1 = new byte[4]; Buffer.BlockCopy(extract, 12, part1, 0, 4); uint intpart1 = BitConverter.ToUInt32((byte[])part1, 0); byte[] part2 = new byte[4]; Buffer.BlockCopy(extract, 16, part2, 0, 4); uint intpart2 = BitConverter.ToUInt32((byte[])part2, 0); byte[] part3 = new byte[4]; Buffer.BlockCopy(extract, 20, part3, 0, 4); uint intpart3 = BitConverter.ToUInt32((byte[])part3, 0); byte[] rid = new byte[4]; Buffer.BlockCopy(extract, 24, rid, 0, 2); int intrid = BitConverter.ToInt32((byte[])rid, 0); //Console.WriteLine("S-" + rev + "-" + ntauth + "-" + intntnonunique + "-" + intpart1 + "-" + intpart2 + "-" + intpart3 + "-" + intrid); userGroup.Group = groupName; userGroup.Rid = "S-" + rev + "-" + ntauth + "-" + intntnonunique + "-" + intpart1 + "-" + intpart2 + "-" + intpart3 + "-" + intrid; userGroups.Add(userGroup); count += 28; } } } } return(userGroups); }
/// <summary> /// /// </summary> /// <param name="hashedBootKey"></param> /// <returns></returns> private bool EnumerateUsers(byte[] hashedBootKey) { try { RegParser regParser = new RegParser(_samFile); RegKey rootKey = regParser.RootKey; RegKey regkey = rootKey.Key("SAM\\Domains\\Account\\Users"); if (regkey == null) { this.OnError("Unable to locate the following registry key: SAM\\Domains\\Account\\Users"); return(false); } List <RegKey> regKeys = regkey.SubKeys; for (int indexKeys = 0; indexKeys < regKeys.Count; indexKeys++) { RegValue regValue = regKeys[indexKeys].Value("V"); if (regValue == null) { continue; } UserAccount userAccount = new UserAccount(); string hexRid = Helper.RemoveHivePrefix(regKeys[indexKeys].Name).Replace("SAM\\Domains\\Account\\Users\\", string.Empty); hexRid = Helper.RemoveHivePrefix(hexRid).Replace("SAM\\", string.Empty); hexRid = Helper.RemoveHivePrefix(hexRid).Replace("ROOT\\", string.Empty); byte[] data = (byte[])regValue.Data; int offset = BitConverter.ToInt32((byte[])data, 12); int length = BitConverter.ToInt32((byte[])data, 16); offset += 204; byte[] extract = new byte[length]; Buffer.BlockCopy(data, offset, extract, 0, length); userAccount.LoginName = Helper.ReplaceNulls(Text.ConvertUnicodeToAscii(Text.ByteArray2String(extract, false, false))); offset = BitConverter.ToInt32((byte[])data, 24); length = BitConverter.ToInt32((byte[])data, 28); offset += 204; extract = new byte[length]; Buffer.BlockCopy(data, offset, extract, 0, length); // Name userAccount.Name = Helper.ReplaceNulls(Text.ConvertUnicodeToAscii(Text.ByteArray2String(extract, false, false))); offset = BitConverter.ToInt32((byte[])data, 36); length = BitConverter.ToInt32((byte[])data, 40); offset += 204; extract = new byte[length]; Buffer.BlockCopy(data, offset, extract, 0, length); // Description if (length > 0) { userAccount.Description = Helper.ReplaceNulls(Text.ConvertUnicodeToAscii(Text.ByteArray2String(extract, false, false))); } offset = BitConverter.ToInt32((byte[])data, 48); length = BitConverter.ToInt32((byte[])data, 52); offset += 204; extract = new byte[length]; Buffer.BlockCopy(data, offset, extract, 0, length); // User Comment if (length > 0) { userAccount.UserComment = Helper.ReplaceNulls(Text.ConvertUnicodeToAscii(Text.ByteArray2String(extract, false, false))); } // LM Hash offset = BitConverter.ToInt32((byte[])data, 156); length = BitConverter.ToInt32((byte[])data, 160); offset += 204; userAccount.EncLmHash = new byte[length]; Buffer.BlockCopy(data, offset, userAccount.EncLmHash, 0, length); // NT Hash offset = BitConverter.ToInt32((byte[])data, 168); length = BitConverter.ToInt32((byte[])data, 172); offset += 204; userAccount.EncNtHash = new byte[length]; Buffer.BlockCopy(data, offset, userAccount.EncNtHash, 0, length); if (userAccount.EncLmHash.Length == 20) { byte[] tempLmHash = new byte[16]; Buffer.BlockCopy(userAccount.EncLmHash, 4, tempLmHash, 0, 16); userAccount.EncLmHash = tempLmHash; this.DecryptHash(hexRid, hashedBootKey, _lmpassword, true, userAccount); } else { userAccount.Rid = Int32.Parse(hexRid, System.Globalization.NumberStyles.HexNumber); Debug.WriteLine("**LMLEN**: " + userAccount.EncLmHash.Length); } if (userAccount.EncNtHash.Length == 20) { byte[] tempNtHash = new byte[16]; Buffer.BlockCopy(userAccount.EncNtHash, 4, tempNtHash, 0, 16); userAccount.EncNtHash = tempNtHash; this.DecryptHash(hexRid, hashedBootKey, _ntpassword, false, userAccount); } else { userAccount.Rid = Int32.Parse(hexRid, System.Globalization.NumberStyles.HexNumber); Debug.WriteLine("**NTLEN**: " + userAccount.EncNtHash.Length); } // F regValue = regKeys[indexKeys].Value("F"); data = (byte[])regValue.Data; extract = new byte[8]; Buffer.BlockCopy(data, 8, extract, 0, 8); long i = BitConverter.ToInt64((byte[])extract, 0); DateTime dateTime = DateTime.FromFileTimeUtc(i); userAccount.LastLoginDate = dateTime.ToShortTimeString() + " " + dateTime.ToShortDateString(); extract = new byte[8]; Buffer.BlockCopy(data, 24, extract, 0, 8); i = BitConverter.ToInt64((byte[])extract, 0); dateTime = DateTime.FromFileTimeUtc(i); userAccount.PasswordResetDate = dateTime.ToShortTimeString() + " " + dateTime.ToShortDateString(); extract = new byte[8]; Buffer.BlockCopy(data, 32, extract, 0, 8); i = BitConverter.ToInt64((byte[])extract, 0); if (i == 0 | i == 9223372036854775807) { userAccount.AccountExpiryDate = string.Empty; } else { dateTime = DateTime.FromFileTimeUtc(i); userAccount.AccountExpiryDate = dateTime.ToShortTimeString() + " " + dateTime.ToShortDateString(); } extract = new byte[8]; Buffer.BlockCopy(data, 40, extract, 0, 8); i = BitConverter.ToInt64((byte[])extract, 0); dateTime = DateTime.FromFileTimeUtc(i); userAccount.LoginFailedDate = dateTime.ToShortTimeString() + " " + dateTime.ToShortDateString(); //extract = new byte[4]; //Buffer.BlockCopy(data, 48, extract, 0, 4); //i = BitConverter.ToInt32((byte[])extract, 0); //output.AppendLine("RID: " + i); extract = new byte[2]; Buffer.BlockCopy(data, 56, extract, 0, 2); i = BitConverter.ToInt16((byte[])extract, 0); if ((i & (int)0x0001) == 0x0001) { userAccount.IsDisabled = true; } //foreach (DictionaryEntry de in _acbs) //{ // if ((i & (int)de.Key) == (int)de.Key) // { // output.AppendLine(de.Value.ToString()); // } //} extract = new byte[2]; Buffer.BlockCopy(data, 64, extract, 0, 2); i = BitConverter.ToInt16((byte[])extract, 0); userAccount.FailedLogins = i; extract = new byte[2]; Buffer.BlockCopy(data, 66, extract, 0, 2); i = BitConverter.ToInt16((byte[])extract, 0); userAccount.LoginCount = i; _userAccounts.Add(userAccount); } return(true); } catch (Exception ex) { this.OnError("An error occured whilst enumerating users"); Misc.WriteToEventLog(Application.ProductName, "An error occured whilst enumerating users: " + ex.Message, EventLogEntryType.Error); return(false); } }
/// <summary> /// /// </summary> /// <returns></returns> private List <byte> ExtractBootKey() { try { RegParser regParser = new RegParser(_systemFile); RegKey rootKey = regParser.RootKey; StringBuilder output = new StringBuilder(); RegKey regKey = rootKey.Key(@"Select"); if (regKey == null) { this.OnError("Unable to locate the following registry key: Select"); return(null); } List <byte> bootKeyTemp = new List <byte>(); RegValue regValueCcs = regKey.Value("Current"); if (regValueCcs == null) { this.OnError("Unable to locate the following registry key: Current"); return(null); } regKey = rootKey.Key(@"ControlSet00" + regValueCcs.Data + "\\Control\\LSA\\JD"); if (regKey == null) { this.OnError("Unable to locate the following registry key: ControlSet00" + regValueCcs.Data + "\\Control\\LSA\\JD"); return(null); } string temp = regKey.ClassName; for (int i = 0; i < temp.Length / 2; i++) { bootKeyTemp.Add(Convert.ToByte(temp.Substring(i * 2, 2), 16)); } regKey = rootKey.Key(@"ControlSet00" + regValueCcs.Data + "\\Control\\LSA\\Skew1"); if (regKey == null) { this.OnError("Unable to locate the following registry key: ControlSet00" + regValueCcs.Data + "\\Control\\LSA\\Skew1"); return(null); } temp = regKey.ClassName; for (int i = 0; i < temp.Length / 2; i++) { bootKeyTemp.Add(Convert.ToByte(temp.Substring(i * 2, 2), 16)); } regKey = rootKey.Key(@"ControlSet00" + regValueCcs.Data + "\\Control\\LSA\\GBG"); if (regKey == null) { this.OnError("Unable to locate the following registry key: ControlSet00" + regValueCcs.Data + "\\Control\\LSA\\GBG"); return(null); } temp = regKey.ClassName; for (int i = 0; i < temp.Length / 2; i++) { bootKeyTemp.Add(Convert.ToByte(temp.Substring(i * 2, 2), 16)); } regKey = rootKey.Key(@"ControlSet00" + regValueCcs.Data + "\\Control\\LSA\\Data"); if (regKey == null) { this.OnError("Unable to locate the following registry key: ControlSet00" + regValueCcs.Data + "\\Control\\LSA\\Data"); return(null); } temp = regKey.ClassName; for (int i = 0; i < temp.Length / 2; i++) { bootKeyTemp.Add(Convert.ToByte(temp.Substring(i * 2, 2), 16)); } List <byte> bootKey = new List <byte>(); for (int index = 0; index < bootKeyTemp.Count; index++) { bootKey.Add(bootKeyTemp[_permutationMatrix[index]]); } //this.PrintHex("Bootkey", bootKey.ToArray()); return(bootKey); } catch (Exception ex) { this.OnError("An error occured whilst extracting the boot key"); Misc.WriteToEventLog(Application.ProductName, ex.Message, EventLogEntryType.Error); return(null); } }