How to use the pypykatz.registry.logger function in pypykatz
To help you get started, we’ve selected a few pypykatz examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
skelsec / pypykatz / pypykatz / registry / security / security.py View on Github 
def decrypt_lsa_key(self, data):
logger.debug('[SECURITY] Decrypting LSA key...')
if self.lsa_secret_key_vista_type is True:
record = LSA_SECRET.from_bytes(data)
key = SECURITY.sha256_multi(self.bootkey, record.data[:32])
secret_dec = b''
cipher = AESModeOfOperationECB(key)
n = 16
for block in [record.data[32:][i:i+n] for i in range(0, len(record.data[32:]), n)]: #terrible, terrible workaround
if len(block) < n:
block += b'\x00' * (n - len(block))
secret_dec += cipher.decrypt(block)
record = LSA_SECRET_BLOB.from_bytes(secret_dec)
self.lsa_key = record.secret[52:][:32]
else:
ctx = hashlib.md5(self.bootkey)
for i in range(1000):def get_NKLM_key(self):
logger.debug('[SECURITY] Fetching NK$LM key...')
if self.lsa_key is None:
self.get_lsa_secret_key()
value = self.hive.get_value('Policy\\Secrets\\NL$KM\\CurrVal\\default')
if value is None:
logger.error('[SECURITY] Could not find NL$KM in registry')
raise Exception('Could not find NL$KM in registry :(')
if self.lsa_secret_key_vista_type is True:
self.NKLM_key = b''
record = LSA_SECRET.from_bytes(value[1])
key = SECURITY.sha256_multi(self.lsa_key, record.data[:32])
cipher = AESModeOfOperationECB(key)
n = 16
for block in [record.data[32:][i:i+n] for i in range(0, len(record.data[32:]), n)]: #terrible, terrible workaround
if len(block) < n:if self.bootkey is not None:
return self.bootkey
if self.currentcontrol is None:
self.get_currentcontrol()
transforms = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7]
bootkey_obf = ''
for key in ['JD', 'Skew1', 'GBG', 'Data']:
bootkey_obf += self.hive.get_class('%s\\Control\\Lsa\\%s' % (self.currentcontrol, key))
bootkey_obf = bytes.fromhex(bootkey_obf)
self.bootkey = b''
for i in range(len(bootkey_obf)):
self.bootkey += bootkey_obf[transforms[i]:transforms[i] + 1]
logger.debug('[SYSTEM] bootkey: %s' % self.bootkey.hex())
return self.bootkeydef get_secrets(self):
"""
For obtaining all secrets from the registry on-the-fly, SYSTEM user MUST be used!
In case this is not achievable, Administrator can be used to first dump the registry hives to disk, then parse them offline
There is a 3rd way: As administrator you can obtain SE_TAKE_OWNERSHIP privileges, then you can open any hive with the WRITE_OWNER permission.
After doing that you'd need to change the SID of each target hive to include the administrator user with full access.
This is so intrusive I'm not implementing that, if you mess that up your computer will turn to potato. Like literally... (also it's a lot of work)
"""
pm = ProcessManipulator()
try:
#getting a SYSTEM token...
pm.assign_token_thread_sid()
except Exception as e:
logger.error('Failed to obtain SYSTEM prvis. On-the-fly parsing is not possible.')
raise e
else:
self.system = SYSTEM(self.system_hive)
bootkey = self.system.get_bootkey()
if self.sam_hive:
self.sam = SAM(self.sam_hive, bootkey)
self.sam.get_secrets()
if self.security_hive:
self.security = SECURITY(self.security_hive, bootkey)
self.security.get_secrets()
if self.software_hive:
try:
self.software = SOFTWARE(self.software_hive, bootkey)bootkey = self.system.get_bootkey()
if self.sam_hive:
self.sam = SAM(self.sam_hive, bootkey)
self.sam.get_secrets()
if self.security_hive:
self.security = SECURITY(self.security_hive, bootkey)
self.security.get_secrets()
if self.software_hive:
try:
self.software = SOFTWARE(self.software_hive, bootkey)
self.software.get_default_logon()
except Exception as e:
logger.warning('Failed to parse SOFTWARE hive. Reason: %s' % str(e))
self.cleanup()self.hashed_bootkey = RC4(rc4_key).encrypt(domain_properties.key_0.key + domain_properties.key_0.checksum)
checksum = hashlib.md5(self.hashed_bootkey[:16] + DIGITS + self.hashed_bootkey[:16] + QWERTY).digest()
if checksum != self.hashed_bootkey[16:]:
logger.error('[SAM] HBootkey checksum verification failed!')
raise Exception('[SAM] HBootkey checksum verification failed!')
elif isinstance(domain_properties.key_0, SAM_KEY_DATA_AES):
self.hashed_bootkey = b''
cipher = AESModeOfOperationCBC(self.bootkey, iv = domain_properties.key_0.salt)
n = 16
for block in [domain_properties.key_0.data[i:i+n] for i in range(0, len(domain_properties.key_0.data), n)]: #terrible, terrible workaround
self.hashed_bootkey += cipher.decrypt(block)
logger.debug('[SAM] HBootkey: %s' % self.hashed_bootkey.hex())
return self.hashed_bootkeydef get_HBoot_key(self):
logger.debug('SAM parsing hashed bootkey')
QWERTY = b"!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\0"
DIGITS = b"0123456789012345678901234567890123456789\0"
F = self.hive.get_value(r'SAM\Domains\Account\F')[1]
logger.log(1,'[SAM] F key value: %s' % F)
domain_properties = DOMAIN_ACCOUNT_F.from_bytes(F)
if isinstance(domain_properties.key_0, SAM_KEY_DATA):
rc4_key = hashlib.md5(domain_properties.key_0.salt + QWERTY + self.bootkey +DIGITS).digest()
self.hashed_bootkey = RC4(rc4_key).encrypt(domain_properties.key_0.key + domain_properties.key_0.checksum)
checksum = hashlib.md5(self.hashed_bootkey[:16] + DIGITS + self.hashed_bootkey[:16] + QWERTY).digest()
if checksum != self.hashed_bootkey[16:]:
logger.error('[SAM] HBootkey checksum verification failed!')# Let's first see if there are cached entries
keys = self.hive.enum_key('Policy\\Secrets')
if keys is None:
logger.debug('[SECURITY] No cached secrets found in hive')
return
if b'NL$Control' in keys:
keys.remove(b'NL$Control')
for key_name in keys:
for vl in ['CurrVal', 'OldVal']:
key_path = 'Policy\\Secrets\\{}\\{}\\default'.format(key_name,vl)
logger.debug('[SECURITY] Parsing secrets in %s' % key_path)
v = self.hive.get_value(key_path, False)
if v and v[1] != 0:
logger.log(1, '[SECURITY] Key %s Value %s' % (key_path, v[1]))
if self.lsa_secret_key_vista_type is True:
record = LSA_SECRET.from_bytes(v[1])
key = SECURITY.sha256_multi(self.lsa_key, record.data[:32])
secret_dec = b''
cipher = AESModeOfOperationECB(key)
n = 16
for block in [record.data[32:][i:i+n] for i in range(0, len(record.data[32:]), n)]: #terrible, terrible workaround
if len(block) < n:
block += b'\x00' * (n - len(block))
secret_dec += cipher.decrypt(block)
record = LSA_SECRET_BLOB.from_bytes(secret_dec)
dec_blob = record.secret
else:
dec_blob = self.decrypt_secret(self.lsa_key, v[1])def from_files(system_path, sam_path = None, security_path = None, software_path = None, notfile = False):
po = OffineRegistry()
try:
if notfile == True:
sys_hive = system_path
else:
sys_hive = open(system_path, 'rb')
po.system_hive = AIOWinRegHive(sys_hive)
except Exception as e:
logger.error('Failed to open SYSTEM hive! Reason: %s' % str(e))
raise e
if sam_path:
try:
if notfile == True:
sam_hive = sam_path
else:
sam_hive = open(sam_path, 'rb')
po.sam_hive = AIOWinRegHive(sam_hive)
except Exception as e:
logger.error('Failed to open SAM hive! Reason: %s' % str(e))
raise e
else:
logger.warning('SAM hive path not supplied! Parsing SAM will not work')
Popular pypykatz functions
- pypykatz.commons.common.UniversalEncoder
- pypykatz.commons.winapi.processmanipulator.ProcessManipulator
- pypykatz.crypto.aes.AESModeOfOperationCBC
- pypykatz.crypto.aes.AESModeOfOperationECB
- pypykatz.crypto.des.des
- pypykatz.crypto.RC4.RC4
- pypykatz.crypto.unified.common.SYMMETRIC_MODE
- pypykatz.dpapi.structures.blob.DPAPI_BLOB.from_bytes
- pypykatz.logger
- pypykatz.logger.debug
- pypykatz.logger.info
- pypykatz.logging
- pypykatz.logging.debug
- pypykatz.pypykatz.pypykatz
- pypykatz.pypykatz.pypykatz.parse_minidump_file
- pypykatz.registry.logger
- pypykatz.registry.logger.debug
- pypykatz.registry.logger.error
- pypykatz.registry.logger.warning
- pypykatz.registry.offline_parser.OffineRegistry