From 541d932d776cfe7cfdddea6565bfd8473b824856 Mon Sep 17 00:00:00 2001
From: Rob Fuller
Date: Wed, 16 Oct 2013 23:53:33 -0400
Subject: [PATCH] move decrypt_lsa to priv as well

---
 lib/msf/core/post/windows/priv.rb | 28 +++++++++++++++++++
 modules/post/windows/gather/cachedump.rb | 25 -----------------
 .../post/windows/gather/credentials/lsa.rb | 27 ------------------
 3 files changed, 28 insertions(+), 52 deletions(-)

diff --git a/lib/msf/core/post/windows/priv.rb b/lib/msf/core/post/windows/priv.rb
index 6b773fbcc3..6cff475da9 100644
--- a/lib/msf/core/post/windows/priv.rb
+++ b/lib/msf/core/post/windows/priv.rb
@@ -194,5 +194,33 @@ module Msf::Post::Windows::Priv
 return lsakey
 end
+ #
+ # Decrypts the LSA key
+ #
+ def decrypt_lsa(pol, encryptedkey)
+
+ sha256x = Digest::SHA256.new()
+ sha256x << encryptedkey
+ (1..1000).each do
+ sha256x << pol[28,32]
+ end
+
+ aes = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
+ aes.key = sha256x.digest
+
+ vprint_status("digest #{sha256x.digest.unpack("H*")[0]}")
+
+ decryptedkey = ''
+
+ for i in (60...pol.length).step(16)
+ aes.decrypt
+ aes.padding = 0
+ xx = aes.update(pol[i...i+16])
+ decryptedkey += xx
+ end
+ vprint_good("Dec_Key #{decryptedkey}")
+
+ return decryptedkey
+ end
 end
diff --git a/modules/post/windows/gather/cachedump.rb b/modules/post/windows/gather/cachedump.rb
index 616030f2c4..76d1c02aa2 100644
--- a/modules/post/windows/gather/cachedump.rb
+++ b/modules/post/windows/gather/cachedump.rb
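Review bot: decrypt_lsa in the priv.rb hunk never checks that `pol` is long enough for the offsets it reads: if the blob is shorter than 60 bytes `pol[28,32]` is nil and `sha256x << pol[28,32]` raises TypeError, and a trailing partial block from `pol[i...i+16]` appears to be held back by `aes.update` (padding is disabled and `final` is never called), so the result is silently truncated. A guard such as `raise ArgumentError, "LSA policy blob too short" if pol.nil? || pol.length < 76 || (pol.length - 60) % 16 != 0` at the top of the method would fail loudly instead. `vprint_good("Dec_Key #{decryptedkey}")` also writes the raw binary key to the console, unlike the digest line above it which hex-encodes; `vprint_good("Dec_Key #{decryptedkey.unpack("H*")[0]}")` keeps the two consistent. Calling `aes.decrypt` inside the loop re-initialises the cipher before every block, which looks like block-by-block decryption with no chaining (ECB-equivalent) — that deserves a comment, or `"aes-256-ecb"` with a single `update` over `pol[60..-1]` to make the intent explicit, and `(60...pol.length).step(16) do |i|` would avoid the `for` loop leaking `i` and `xx` into the method scope. The header comment `# Decrypts the LSA key` should say what the code does with its inputs: bytes 28..59 of pol are hashed 1000 times after encryptedkey to derive the AES-256 key, and the data from byte 60 onward is decrypted in 16-byte blocks.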
@@ -83,31 +83,6 @@ class Metasploit3 < Msf::Post
 end
- def decrypt_lsa(pol, encryptedkey)
-
- sha256x = Digest::SHA256.new()
- sha256x << encryptedkey
- (1..1000).each do
- sha256x << pol[28,32]
- end
-
- aes = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
- aes.key = sha256x.digest
-
- print_status("digest #{sha256x.digest.unpack("H*")[0]}") if( datastore['DEBUG'] )
-
- decryptedkey = ''
-
- for i in (60...pol.length).step(16)
- aes.decrypt
- aes.padding = 0
- xx = aes.update(pol[i...i+16])
- decryptedkey += xx
- end
-
- return decryptedkey
- end
-
 def capture_nlkm(lsakey)
 ok = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SECURITY\\Policy\\Secrets\\NL$KM\\CurrVal", KEY_READ)
 nlkm = ok.query_value("").data
diff --git a/modules/post/windows/gather/credentials/lsa.rb b/modules/post/windows/gather/credentials/lsa.rb
index 772eab3e7d..36092f189f 100644
--- a/modules/post/windows/gather/credentials/lsa.rb
+++ b/modules/post/windows/gather/credentials/lsa.rb
@@ -60,33 +60,6 @@ class Metasploit3 < Msf::Post
 end
- def decrypt_lsa(pol, encryptedkey)
-
- sha256x = Digest::SHA256.new()
- sha256x << encryptedkey
- (1..1000).each do
- sha256x << pol[28,32]
- end
-
- aes = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
- aes.key = sha256x.digest
-
- vprint_status("digest #{sha256x.digest.unpack("H*")[0]}")
-
- decryptedkey = ''
-
- for i in (60...pol.length).step(16)
- aes.decrypt
- aes.padding = 0
- xx = aes.update(pol[i...i+16])
- decryptedkey += xx
- end
- vprint_good("Dec_Key #{decryptedkey}")
-
- return decryptedkey
- end
-
-
 def reg_getvaldata(key,valname)
 v = nil
 begin