From 704c8cadd98d1a9906044b3cb4eeb0e3569b1dd5 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Mon, 27 Jul 2015 16:19:01 -0500
Subject: [PATCH 1/3] Fix lsa_secrets
---
 modules/post/windows/gather/lsa_secrets.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/modules/post/windows/gather/lsa_secrets.rb b/modules/post/windows/gather/lsa_secrets.rb
index 756e7c0f95..812691a029 100644
--- a/modules/post/windows/gather/lsa_secrets.rb
+++ b/modules/post/windows/gather/lsa_secrets.rb
@@ -59,7 +59,12 @@ class Metasploit3 < Msf::Post
 decrypted = decrypt_lsa_data(encrypted_secret, lsa_key)
 else # and here
- encrypted_secret = encrypted_secret[0xC..-1]
+ if sysinfo['Architecture'] =~ /wow64/i || sysinfo['Architecture'] =~ /x64/
+ encrypted_secret = encrypted_secret[0x10..-1]
+ else # 32 bits
+ encrypted_secret = encrypted_secret[0xC..-1]
+ end
+
 decrypted = decrypt_secret_data(encrypted_secret, lsa_key)
 end
From ab7ffb1a08b892e5ad948236148e3f408d29b1eb Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Mon, 27 Jul 2015 17:26:53 -0500
Subject: [PATCH 2/3] Fich cachedump
---
 modules/post/windows/gather/cachedump.rb | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/modules/post/windows/gather/cachedump.rb b/modules/post/windows/gather/cachedump.rb
index 09fb149da8..cec73a7b07 100644
--- a/modules/post/windows/gather/cachedump.rb
+++ b/modules/post/windows/gather/cachedump.rb
@@ -44,7 +44,11 @@ class Metasploit3 < Msf::Post
 if lsa_vista_style?
 nlkm_dec = decrypt_lsa_data(nlkm, lsakey)
 else
- nlkm_dec = decrypt_secret_data(nlkm[0xC..-1], lsakey)
+ if sysinfo['Architecture'] =~ /wow64/i || sysinfo['Architecture'] =~ /x64/
+ nlkm_dec = decrypt_secret_data(nlkm[0x10..-1], lsakey)
+ else # 32 bits
+ nlkm_dec = decrypt_secret_data(nlkm[0xC..-1], lsakey)
+ end
 end
 return nlkm_dec
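Review bot: The new arch test `if sysinfo['Architecture'] =~ /wow64/i || sysinfo['Architecture'] =~ /x64/` mixes a case-insensitive and a case-sensitive regex, and the same three-way condition is copied into cachedump.rb at @@ -44 and @@ -291, where [PATCH 3/3] already lets one copy drift from the others; a single predicate in the shared Post mixin (for example `def target_64bit?; !!(sysinfo['Architecture'] =~ /x64/i); end`, which presumably also covers the WOW64 string if sysinfo reports the host architecture there — confirm against Meterpreter's sysinfo output) would keep the callers in step. The 0x10 and 0xC slice offsets are undocumented magic numbers; a comment such as `# skip the leading header before decryption: 0x10 bytes on 64-bit Windows, 0xC on 32-bit`, stating the reason for the difference if known (presumably a pointer-sized field), would help the next reader. The enclosing method starts and ends outside the hunk.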
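Review bot: `nlkm[0x10..-1]` on the new 64-bit branch returns nil when the blob is shorter than 16 bytes (and "" when it is exactly 16), so `decrypt_secret_data` is handed nil or an empty string instead of a clear error, and the larger offset makes that more likely than the old 0xC slice did. A guard before the slice, e.g. `raise "nlkm secret too short (#{nlkm.to_s.length} bytes)" if nlkm.to_s.length <= 0x10` — or a print_error and `return nil`, if that is what the caller of this method expects — would fail fast with a message that names the cause. The enclosing method begins outside the hunk and its closing `end` is not visible.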
@@ -291,7 +295,13 @@ class Metasploit3 < Msf::Post
 begin
 print_status("Executing module against #{sysinfo['Computer']}")
 client.railgun.netapi32()
- if client.railgun.netapi32.NetGetJoinInformation(nil,4,4)["BufferType"] != 3
+ join_status = client.railgun.netapi32.NetGetJoinInformation(nil,4,4)["BufferType"]
+
+ if sysinfo['Architecture'] =~ /wow64/i || sysinfo['Architecture'] =~ /x64/
+ join_status = join_status & 0x0000ffff
+ end
+
+ if join_status != 3
 print_error("System is not joined to a domain, exiting..")
 return
 end
From e966545e088bb73ae25e8eddd12cfffb23def9b4 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Wed, 29 Jul 2015 09:13:37 -0500
Subject: [PATCH 3/3] Fix mask
---
 modules/post/windows/gather/cachedump.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/post/windows/gather/cachedump.rb b/modules/post/windows/gather/cachedump.rb
index cec73a7b07..f5eebd432c 100644
--- a/modules/post/windows/gather/cachedump.rb
+++ b/modules/post/windows/gather/cachedump.rb
@@ -297,8 +297,8 @@ class Metasploit3 < Msf::Post
 client.railgun.netapi32()
 join_status = client.railgun.netapi32.NetGetJoinInformation(nil,4,4)["BufferType"]
- if sysinfo['Architecture'] =~ /wow64/i || sysinfo['Architecture'] =~ /x64/
- join_status = join_status & 0x0000ffff
+ if sysinfo['Architecture'] =~ /x64/
+ join_status = join_status & 0x00000000ffffffff
 end
 if join_status != 3
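Review bot: `if join_status != 3` compares against an undocumented magic value: 3 is NetSetupDomainName in the NETSETUP_JOIN_STATUS enumeration, so either name it (`NET_SETUP_DOMAIN_NAME = 3` as a module constant) or annotate the line with `# 3 == NetSetupDomainName (NETSETUP_JOIN_STATUS)`. `join_status` is read straight from the railgun result hash; if the call fails and "BufferType" is absent, `nil & 0x0000ffff` raises NoMethodError inside the begin block instead of a useful message, so a `join_status.nil?` check with print_error and return before the mask would be safer — how railgun reports a failed NetGetJoinInformation is not visible here. The name buffer the API allocates through its second out-parameter is not visibly released with NetApiBufferFree; if that does not happen elsewhere in the method, each run leaks it in the target process. The begin block and the method continue outside the hunk.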
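Review bot: The mask at `join_status = join_status & 0x00000000ffffffff` has no comment saying why it is needed, and the commit message ("Fix mask") does not say why the `/wow64/i` alternative was dropped at the same time; a comment such as `# on x64 railgun hands back BufferType as a native-width value; NETSETUP_JOIN_STATUS is the low DWORD` (if that is indeed the cause), plus a word on whether a 32-bit Meterpreter on 64-bit Windows needs the mask too, would stop the next reader from re-adding the wow64 case or removing the mask as dead code. The literal reads more naturally as `0xffffffff`, which also says "DWORD mask" at a glance. The enclosing method continues outside the hunk.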