How to use the pypykatz.crypto.aes.AESModeOfOperationCBC function in pypykatz
To help you get started, we’ve selected a few pypykatz examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
skelsec / pypykatz / pypykatz / registry / sam / sam.py View on Github 
domain_properties = DOMAIN_ACCOUNT_F.from_bytes(F)
if isinstance(domain_properties.key_0, SAM_KEY_DATA):
rc4_key = hashlib.md5(domain_properties.key_0.salt + QWERTY + self.bootkey +DIGITS).digest()
self.hashed_bootkey = RC4(rc4_key).encrypt(domain_properties.key_0.key + domain_properties.key_0.checksum)
checksum = hashlib.md5(self.hashed_bootkey[:16] + DIGITS + self.hashed_bootkey[:16] + QWERTY).digest()
if checksum != self.hashed_bootkey[16:]:
logger.error('[SAM] HBootkey checksum verification failed!')
raise Exception('[SAM] HBootkey checksum verification failed!')
elif isinstance(domain_properties.key_0, SAM_KEY_DATA_AES):
self.hashed_bootkey = b''
cipher = AESModeOfOperationCBC(self.bootkey, iv = domain_properties.key_0.salt)
n = 16
for block in [domain_properties.key_0.data[i:i+n] for i in range(0, len(domain_properties.key_0.data), n)]: #terrible, terrible workaround
self.hashed_bootkey += cipher.decrypt(block)
logger.debug('[SAM] HBootkey: %s' % self.hashed_bootkey.hex())
return self.hashed_bootkeyself.get_lsa_key()
self.get_NKLM_key()
for value in values:
logger.debug('[SECURITY] DCC Checking value: %s' % value)
record_data = self.hive.get_value('Cache\\%s' % value.decode())[1]
record = NL_RECORD.from_bytes(record_data)
if record.IV != b'\x00'*16:
if record.Flags & 1 == 1:
# Encrypted
if self.lsa_secret_key_vista_type is True:
plaintext = b''
cipher = AESModeOfOperationCBC(self.NKLM_key[16:32], iv = record.IV)
n = 16
for block in [record.EncryptedData[i:i+n] for i in range(0, len(record.EncryptedData), n)]: #terrible, terrible workaround
if len(block) < 16:
block += b'\x00' * (16 - len(block))
plaintext += cipher.decrypt(block)
else:
key = hmac.new(self.NKLM_key,record.IV).digest()
cipher = RC4(key)
plaintext = cipher.decrypt(record.EncryptedData)
else:
# Plain! Until we figure out what this is, we skip it
#plainText = record['EncryptedData']
logger.debug('[SECURITY] DCC Skipping value %s, unknown formet' % value)
continuedef setup(self):
if self.mode == SYMMETRIC_MODE.ECB:
self.ctx = AESModeOfOperationECB(self.key)
elif self.mode == SYMMETRIC_MODE.CBC:
self.ctx = AESModeOfOperationCBC(self.key, iv = self.iv)
else:
raise Exception('Unknown mode!')domain_properties = DOMAIN_ACCOUNT_F.from_bytes(F)
#print(str(domain_properties))
if isinstance(domain_properties.key_0, SAM_KEY_DATA):
rc4_key = hashlib.md5(domain_properties.key_0.salt + QWERTY + self.bootkey +DIGITS).digest()
self.hashed_bootkey = RC4(rc4_key).encrypt(domain_properties.key_0.key + domain_properties.key_0.checksum)
checksum = hashlib.md5(self.hashed_bootkey[:16] + DIGITS + self.hashed_bootkey[:16] + QWERTY).digest()
if checksum != self.hashed_bootkey[16:]:
raise Exception('hashed_bootkey checksum failed!')
elif isinstance(domain_properties.key_0, SAM_KEY_DATA_AES):
self.hashed_bootkey = b''
cipher = AESModeOfOperationCBC(self.bootkey, iv = domain_properties.key_0.salt)
n = 16
for block in [domain_properties.key_0.data[i:i+n] for i in range(0, len(domain_properties.key_0.data), n)]: #terrible, terrible workaround
self.hashed_bootkey += cipher.decrypt(block)
print(self.hashed_bootkey.hex())
return self.hashed_bootkeydef decrypt_hash(self, rid, hashobj, constant):
key1, key2 = SAM.rid_to_key(rid)
des1 = des(key1)
des2 = des(key2)
if isinstance(hashobj, SAM_HASH):
rc4key = hashlib.md5( self.hashed_bootkey[:0x10] + int(rid, 16).to_bytes(4, 'little', signed = False) + constant )
key = RC4(rc4key).encrypt(hashobj.hash)
else:
key = b''
cipher = AESModeOfOperationCBC(self.hashed_bootkey[:0x10], iv = hashobj.salt)
n = 16
for block in [hashobj.data[i:i+n] for i in range(0, len(hashobj.data), n)]: #terrible, terrible workaround
key += cipher.decrypt(block)
key = key[:16]
dec_hash = des1.decrypt(key[:8]) + des2.decrypt(key[8:])
return dec_hashdef decrypt(self, encrypted):
# TODO: NT version specific, move from here in subclasses.
cleartext = b''
size = len(encrypted)
if size:
if size % 8:
if not self.aes_key or not self.iv:
return cleartext
cipher = AESModeOfOperationCBC(self.aes_key, iv = self.iv)
n = 16
for block in [encrypted[i:i+n] for i in range(0, len(encrypted), n)]: #terrible, terrible workaround
cleartext += cipher.decrypt(block)
else:
if not self.des_key or not self.iv:
return cleartext
#cipher = DES3.new(self.des_key, DES3.MODE_CBC, self.iv[:8])
cipher = triple_des(self.des_key, CBC, self.iv[:8])
cleartext = cipher.decrypt(encrypted)
return cleartext
Popular pypykatz functions
- pypykatz.commons.common.UniversalEncoder
- pypykatz.commons.winapi.processmanipulator.ProcessManipulator
- pypykatz.crypto.aes.AESModeOfOperationCBC
- pypykatz.crypto.aes.AESModeOfOperationECB
- pypykatz.crypto.des.des
- pypykatz.crypto.RC4.RC4
- pypykatz.crypto.unified.common.SYMMETRIC_MODE
- pypykatz.dpapi.structures.blob.DPAPI_BLOB.from_bytes
- pypykatz.logger
- pypykatz.logger.debug
- pypykatz.logger.info
- pypykatz.logging
- pypykatz.logging.debug
- pypykatz.pypykatz.pypykatz
- pypykatz.pypykatz.pypykatz.parse_minidump_file
- pypykatz.registry.logger
- pypykatz.registry.logger.debug
- pypykatz.registry.logger.error
- pypykatz.registry.logger.warning
- pypykatz.registry.offline_parser.OffineRegistry