logger.debug('[SECURITY] dump_dcc invoked')
cache_reg = self.hive.find_key('Cache', False)
if cache_reg is None:
logger.debug('[SECURITY] No DCC secrets found')
return
values = self.hive.list_values(cache_reg)
if values == []:
logger.debug('[SECURITY] No DCC secrets found')
return
if b'NL$Control' in values:
values.remove(b'NL$Control')
if b'NL$IterationCount' in values:
logger.debug('[SECURITY] DCC Setting iteration count')
values.remove(b'NL$IterationCount')
record = self.getValue('Cache\\NL$IterationCount')[1]
if record > 10240:
self.dcc_iteration_count = record & 0xfffffc00
else:
self.dcc_iteration_count = record * 1024
self.get_lsa_key()
self.get_NKLM_key()
for value in values:
logger.debug('[SECURITY] DCC Checking value: %s' % value)
record_data = self.hive.get_value('Cache\\%s' % value.decode())[1]
record = NL_RECORD.from_bytes(record_data)
def dump_dcc(self):
    """Begin extracting Domain Cached Credentials (DCC) entries from the SECURITY hive.

    Opens the ``Cache`` key, lists its values and strips the two bookkeeping
    values (``NL$Control`` and ``NL$IterationCount``) from the list. Returns
    early (None) when the key is missing or holds no values. This excerpt ends
    after the bookkeeping-value handling; the remainder of the method is not
    shown here.
    """
    logger.debug('[SECURITY] dump_dcc invoked')
    # Second argument False: presumably "don't raise when the key is absent",
    # since the None result is checked below — hive API not shown; confirm.
    cache_reg = self.hive.find_key('Cache', False)
    if cache_reg is None:
        logger.debug('[SECURITY] No DCC secrets found')
        return
    values = self.hive.list_values(cache_reg)
    if values == []:
        logger.debug('[SECURITY] No DCC secrets found')
        return
    # NL$Control is removed so only cache-entry value names remain in `values`
    # (the per-entry processing happens later in the method, outside this excerpt).
    if b'NL$Control' in values:
        values.remove(b'NL$Control')
    if b'NL$IterationCount' in values:
        logger.debug('[SECURITY] DCC Setting iteration count')
        values.remove(b'NL$IterationCount')
def get_lsa_key(self):
    """Locate the LSA secret-encryption key in the hive and hand it to decrypt_lsa_key.

    ``Policy\\PolEKList\\default`` is tried first. If it is absent, the older
    ``Policy\\PolSecretEncryptionKey\\default`` location is tried and, when
    found, ``self.lsa_secret_key_vista_type`` is set to False before decrypting.
    Returns None (after a debug log) when neither value exists; otherwise
    returns whatever decrypt_lsa_key yields for the value's data (index 1 of
    the tuple the hive returns).

    NOTE(review): the branch nesting was reconstructed from an unindented
    snippet — confirm against the upstream file.
    """
    logger.debug('[SECURITY] Fetching LSA key...')
    entry = self.hive.get_value('Policy\\PolEKList\\default', False)
    if entry is not None:
        # Newer (Vista+) layout: no flag change, decrypt straight away.
        return self.decrypt_lsa_key(entry[1])
    entry = self.hive.get_value('Policy\\PolSecretEncryptionKey\\default', False)
    if not entry:
        logger.debug('[SECURITY] LSA key not found!')
        return None
    # Legacy location found: mark the key as the non-Vista type so that
    # decrypt_lsa_key takes its legacy code path.
    self.lsa_secret_key_vista_type = False
    logger.debug('[SECURITY] LSA secrets default to VISTA type')
    return self.decrypt_lsa_key(entry[1])
def dump_dcc(self):
    """Begin extracting Domain Cached Credentials (DCC) entries from the SECURITY hive.

    Opens the ``Cache`` key, lists its values, strips the bookkeeping values
    (``NL$Control`` and ``NL$IterationCount``), derives
    ``self.dcc_iteration_count`` from ``NL$IterationCount`` when present, and
    fetches the LSA key. Returns early (None) when the key is missing or holds
    no values. This excerpt ends at the get_lsa_key call; the remainder of the
    method is not shown here.
    """
    logger.debug('[SECURITY] dump_dcc invoked')
    # Second argument False: presumably "don't raise when the key is absent",
    # since the None result is checked below — hive API not shown; confirm.
    cache_reg = self.hive.find_key('Cache', False)
    if cache_reg is None:
        logger.debug('[SECURITY] No DCC secrets found')
        return
    values = self.hive.list_values(cache_reg)
    if values == []:
        logger.debug('[SECURITY] No DCC secrets found')
        return
    # NL$Control is removed so only cache-entry value names remain in `values`.
    if b'NL$Control' in values:
        values.remove(b'NL$Control')
    if b'NL$IterationCount' in values:
        logger.debug('[SECURITY] DCC Setting iteration count')
        values.remove(b'NL$IterationCount')
        # NOTE(review): every other lookup in this file goes through
        # self.hive.get_value(...); self.getValue(...) here is either a
        # wrapper defined elsewhere or a typo — verify it exists.
        record = self.getValue('Cache\\NL$IterationCount')[1]
        # Values above 10240 are taken as a raw iteration count with the low
        # 10 bits cleared; smaller values are interpreted in units of 1024.
        if record > 10240:
            self.dcc_iteration_count = record & 0xfffffc00
        else:
            self.dcc_iteration_count = record * 1024
    # Return value is discarded; get_lsa_key stores its result on self
    # (presumably self.lsa_key, see decrypt_lsa_key) — confirm.
    self.get_lsa_key()
def decrypt_lsa_key(self, data):
logger.debug('[SECURITY] Decrypting LSA key...')
if self.lsa_secret_key_vista_type is True:
record = LSA_SECRET.from_bytes(data)
key = SECURITY.sha256_multi(self.bootkey, record.data[:32])
secret_dec = b''
cipher = AESModeOfOperationECB(key)
n = 16
for block in [record.data[32:][i:i+n] for i in range(0, len(record.data[32:]), n)]: #terrible, terrible workaround
if len(block) < n:
block += b'\x00' * (n - len(block))
secret_dec += cipher.decrypt(block)
record = LSA_SECRET_BLOB.from_bytes(secret_dec)
self.lsa_key = record.secret[52:][:32]
else:
ctx = hashlib.md5(self.bootkey)
for i in range(1000):
def get_NKLM_key(self):
logger.debug('[SECURITY] Fetching NK$LM key...')
if self.lsa_key is None:
self.get_lsa_secret_key()
value = self.hive.get_value('Policy\\Secrets\\NL$KM\\CurrVal\\default')
if value is None:
logger.error('[SECURITY] Could not find NL$KM in registry')
raise Exception('Could not find NL$KM in registry :(')
if self.lsa_secret_key_vista_type is True:
self.NKLM_key = b''
record = LSA_SECRET.from_bytes(value[1])
key = SECURITY.sha256_multi(self.lsa_key, record.data[:32])
cipher = AESModeOfOperationECB(key)
n = 16
for block in [record.data[32:][i:i+n] for i in range(0, len(record.data[32:]), n)]: #terrible, terrible workaround
if len(block) < n:
if self.bootkey is not None:
return self.bootkey
if self.currentcontrol is None:
self.get_currentcontrol()
transforms = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7]
bootkey_obf = ''
for key in ['JD', 'Skew1', 'GBG', 'Data']:
bootkey_obf += self.hive.get_class('%s\\Control\\Lsa\\%s' % (self.currentcontrol, key))
bootkey_obf = bytes.fromhex(bootkey_obf)
self.bootkey = b''
for i in range(len(bootkey_obf)):
self.bootkey += bootkey_obf[transforms[i]:transforms[i] + 1]
logger.debug('[SYSTEM] bootkey: %s' % self.bootkey.hex())
return self.bootkey
def get_lsa_key(self):
    """Find the LSA secret-encryption key value and decrypt it via decrypt_lsa_key.

    Lookup order: ``Policy\\PolEKList\\default``, then
    ``Policy\\PolSecretEncryptionKey\\default``. Only the second (legacy)
    location flips ``self.lsa_secret_key_vista_type`` to False. Returns None
    when neither exists, else the result of decrypt_lsa_key on the value data
    (element 1 of the tuple returned by the hive).

    NOTE(review): nesting reconstructed from an unindented snippet — confirm
    against the upstream file.
    """
    logger.debug('[SECURITY] Fetching LSA key...')
    found = self.hive.get_value('Policy\\PolEKList\\default', False)
    if found is None:
        found = self.hive.get_value('Policy\\PolSecretEncryptionKey\\default', False)
        if not found:
            logger.debug('[SECURITY] LSA key not found!')
            return None
        # Legacy key location: select the non-Vista decryption path.
        self.lsa_secret_key_vista_type = False
        logger.debug('[SECURITY] LSA secrets default to VISTA type')
    key_data = found[1]
    return self.decrypt_lsa_key(key_data)
import ntpath
except Exception as e:
logger.error('Could not import necessary packages! Are you on Windows? Error: %s' % str(e))
raise
sam_name = ntpath.join(tempfile.gettempdir(), os.urandom(4).hex())
system_name = ntpath.join(tempfile.gettempdir(), os.urandom(4).hex())
security_name = ntpath.join(tempfile.gettempdir(), os.urandom(4).hex())
locations = [
('SAM', sam_name),
('SYSTEM', system_name),
('SECURITY', security_name),
]
logger.debug('Obtaining SE_BACKUP privilege...')
try:
po = ProcessManipulator()
po.set_privilege(SE_BACKUP)
except Exception as e:
logger.error('Failed to obtain SE_BACKUP privilege! Registry dump will not work! Reason: %s' % str(e))
raise e
logger.debug('Obtaining SE_BACKUP OK!')
dumped_names = {}
for reg_name, location in locations:
logger.debug('Dumping %s...' % reg_name)
try:
key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, reg_name, access=0x00020000)
winreg.SaveKey(key, location)
key.Close()
except Exception as e:
def get_currentcontrol(self):
    """Return the name of the active control set (e.g. ``ControlSet001``), caching it on self.

    On first use reads ``Select\\Current`` from the SYSTEM hive (element 1 of
    the returned tuple) and formats it as ``ControlSet%03d``; later calls
    return the cached ``self.currentcontrol`` without touching the hive.
    """
    logger.debug('[SYSTEM] determining current control set')
    if self.currentcontrol is None:
        selected = self.hive.get_value('Select\\Current')[1]
        self.currentcontrol = "ControlSet%03d" % selected
        logger.debug('[SYSTEM] current control set name: %s' % self.currentcontrol)
    return self.currentcontrol