Ejemplo n.º 1
0
        private static byte[] DumpSecret(NodeKey secret, byte[] lsaKey)
        {
            NodeKey secretCurrVal = secret.ChildNodes.Find(x => x.Name.Contains("CurrVal"));

            byte[]    value  = secretCurrVal.getChildValues("Default");
            LsaSecret record = new LsaSecret(value);

            byte[] tempKey   = Crypto.ComputeSha256(lsaKey, record.data.Take(32).ToArray());
            byte[] dataVal2  = record.data.Skip(32).Take(record.data.Length - 32).ToArray();
            byte[] plaintext = Crypto.DecryptAES_ECB(dataVal2, tempKey);

            return(plaintext);
        }
Ejemplo n.º 2
0
        public static List <string> ParseLsa(RegistryHive security, byte[] bootKey, RegistryHive system)
        {
            List <string> retVal = new List <string>();

            try
            {
                byte[]    fVal            = GetValueKey(security, @"Policy\PolEKList\Default").Data;
                LsaSecret record          = new LsaSecret(fVal);
                byte[]    dataVal         = record.data.Take(32).ToArray();
                byte[]    tempKey         = Crypto.ComputeSha256(bootKey, dataVal);
                byte[]    dataVal2        = record.data.Skip(32).Take(record.data.Length - 32).ToArray();
                byte[]    decryptedLsaKey = Crypto.DecryptAES_ECB(dataVal2, tempKey).Skip(68).Take(32).ToArray();

                //get NLKM Secret
                byte[]  nlkmKey = null;
                NodeKey nlkm    = GetNodeKey(security, @"Policy\Secrets\NL$KM");
                if (nlkm != null)
                {
                    retVal.Add("  [*] Cached domain logon information(domain/username:hash)");
                    nlkmKey = DumpSecret(nlkm, decryptedLsaKey);
                    foreach (ValueKey cachedLogin in GetNodeKey(security, @"Cache").ChildValues)
                    {
                        if (string.Compare(cachedLogin.Name, "NL$Control", StringComparison.OrdinalIgnoreCase) != 0 && !IsZeroes(cachedLogin.Data.Take(16).ToArray()))
                        {
                            NL_Record cachedUser = new NL_Record(cachedLogin.Data);
                            byte[]    plaintext  = Crypto.DecryptAES_CBC(cachedUser.encryptedData, nlkmKey.Skip(16).Take(16).ToArray(), cachedUser.IV);
                            byte[]    hashedPW   = plaintext.Take(16).ToArray();
                            string    username   = Encoding.Unicode.GetString(plaintext.Skip(72).Take(cachedUser.userLength).ToArray());
                            string    domain     = Encoding.Unicode.GetString(plaintext.Skip(72 + Pad(cachedUser.userLength) + Pad(cachedUser.domainNameLength)).Take(Pad(cachedUser.dnsDomainLength)).ToArray());
                            domain = domain.Replace("\0", "");
                            retVal.Add(string.Format("{0}/{1}:$DCC2$10240#{2}#{3}", domain, username, username, BitConverter.ToString(hashedPW).Replace("-", "").ToLower()));
                        }
                    }
                }

                try
                {
                    retVal.Add("  [*] LSA Secrets");
                    foreach (NodeKey secret in GetNodeKey(security, @"Policy\Secrets").ChildNodes)
                    {
                        if (string.Compare(secret.Name, "NL$Control", StringComparison.OrdinalIgnoreCase) != 0)
                        {
                            if (string.Compare(secret.Name, "NL$KM", StringComparison.OrdinalIgnoreCase) != 0)
                            {
                                LsaSecretBlob secretBlob = new LsaSecretBlob(DumpSecret(secret, decryptedLsaKey));
                                if (secretBlob.length > 0)
                                {
                                    retVal.Add(PrintSecret(secret.Name, secretBlob, system));
                                }
                            }
                            else
                            {
                                LsaSecretBlob secretBlob = new LsaSecretBlob(nlkmKey);
                                if (secretBlob.length > 0)
                                {
                                    retVal.Add(PrintSecret(secret.Name, secretBlob, system));
                                }
                            }
                        }
                    }
                }
                catch
                {
                    retVal.Add("[-] No secrets to parse");
                }
            }
            catch (Exception e)
            {
                retVal.Add("[-] Error parsing SECURITY dump file: " + e.ToString());
            }
            return(retVal);
        }