diff --git a/tools/reg.rb b/tools/reg.rb index 0ff739a8a2..f2d71bae98 100755 --- a/tools/reg.rb +++ b/tools/reg.rb @@ -25,40 +25,40 @@ def print_all_keys(nodekey) return if !nodekey.lf_record return if !nodekey.lf_record.children return if nodekey.lf_record.children.length == 0 - - table = Rex::Ui::Text::Table.new( - 'Header' => "Child Keys for #{nodekey.full_path}", - 'Indent' => ' '.length, - 'Columns' => [ 'Name', 'Last Edited', 'Subkey Count', 'Value Count' ] + +table = Rex::Ui::Text::Table.new( + 'Header' => "Child Keys for #{nodekey.full_path}", + 'Indent' => ' '.length, + 'Columns' => [ 'Name', 'Last Edited', 'Subkey Count', 'Value Count' ] ) - if nodekey.lf_record && nodekey.lf_record.children && nodekey.lf_record.children.length > 0 - nodekey.lf_record.children.each do |key| - table << [key.name, key.readable_timestamp, key.subkeys_count, key.value_count] - end - end + if nodekey.lf_record && nodekey.lf_record.children && nodekey.lf_record.children.length > 0 + nodekey.lf_record.children.each do |key| + table << [key.name, key.readable_timestamp, key.subkeys_count, key.value_count] + end + end puts table.to_s -end + end -def print_all_values(nodekey) + def print_all_values(nodekey) - return if !nodekey - return if !nodekey.lf_record - return if !nodekey.lf_record.children - return if nodekey.lf_record.children.length == 0 + return if !nodekey + return if !nodekey.lf_record + return if !nodekey.lf_record.children + return if nodekey.lf_record.children.length == 0 + + table = Rex::Ui::Text::Table.new( + 'Header' => "Values in key #{nodekey.full_path}", + 'Indent' => ' '.length, + 'Columns' => ['Name','Value Type', 'Value'] + ) + if nodekey.value_list && nodekey.value_list.values.length > 0 + nodekey.value_list.values.each do |value| + table << [value.name, value.readable_value_type, value.value.data] + end + end - table = Rex::Ui::Text::Table.new( - 'Header' => "Values in key #{nodekey.full_path}", - 'Indent' => ' '.length, - 'Columns' => ['Name','Value Type', 'Value'] - ) - if nodekey.value_list && nodekey.value_list.values.length > 0 - nodekey.value_list.values.each do |value| - table << [value.name, value.readable_value_type, value.value.data] - end - end - puts table.to_s end @@ -68,14 +68,14 @@ def get_system_information current_control_set_key = @hive.value_query('\Select\Default') current_control_set = "ControlSet00" + current_control_set_key.value.data.unpack('c').first.to_s if current_control_set_key - + computer_name_key = @hive.value_query("\\" + current_control_set + "\\Control\\ComputerName\\ComputerName") if current_control_set computer_name = computer_name_key.value.data.to_s if computer_name_key - + event_log_info_key = @hive.relative_query("\\" + current_control_set + "\\Services\\EventLog") if current_control_set - + puts "Computer Name: " + computer_name if computer_name - + print_all_values(event_log_info_key) if event_log_info_key puts "-----------------------------------------" if event_log_info_key @@ -96,9 +96,9 @@ end def get_user_information - + local_groups_info_key = @hive.relative_query("\\SAM\\Domains\\Builtin\\Aliases\\Names") - local_users_info_key = @hive.relative_query("\\SAM\\Domains\\Account\\Users\\Names") + local_users_info_key = @hive.relative_query("\\SAM\\Domains\\Account\\Users\\Names") print_all(local_groups_info_key) puts "------------------------------------------------" if local_groups_info_key && local_groups_info_key.lf_record.children @@ -117,9 +117,9 @@ def get_boot_key puts "Getting boot key" puts "Root key: " + @hive.root_key.name - + default_control_set = @hive.value_query('\Select\Default').value.data.unpack("c").first - + puts "Default ControlSet: ControlSet00#{default_control_set}" bootkey = "" @@ -128,18 +128,18 @@ def get_boot_key %W{JD Skew1 GBG Data}.each do |k| ok = @hive.relative_query(basekey + "\\" + k) return nil if not ok - + tmp = "" 0.upto(ok.class_name_length - 1) do |i| next if i%2 == 1 - + tmp << ok.class_name_data[i,1] - end + end bootkey << [tmp.to_i(16)].pack('V') end - - + + keybytes = bootkey.unpack("C*") descrambled = "" @@ -160,10 +160,10 @@ def list_drivers end def get_aol_instant_messenger_information - + if @hive.hive_regf.hive_name != /NTUSER\.dat/i users_list_key = @hive.relative_query('\Software\America Online\AOL Instant Messenger(TM)\CurrentVersion\Users') - last_logged_in_user_key = @hive.relative_query("\\Software\\America Online\\AOL Instant Messenger(TM)\\CurrentVersion\\Login - Screen Name") + last_logged_in_user_key = @hive.relative_query("\\Software\\America Online\\AOL Instant Messenger(TM)\\CurrentVersion\\Login - Screen Name") print_all_keys(user_list_key) @@ -172,13 +172,13 @@ def get_aol_instant_messenger_information file_xfer_settings_key = @hive.relative_query("\\Software\\America Online\\AOL Instant Messenger(TM)\\CurrentVersion\\Users\\#{screenname.name}\\Xfer") profile_info_key = @hive.relative_query("\\Software\\America Online\\AOL Instant Messenger(TM)\\CurrentVersion\\Users\\#{screenname.name}\\DirEntry") recent_contacts_key = @hive.relative_query("\\Software\\America Online\\AOL Instant Messenger(TM)\\CurrentVersion\\Users\\#{screenname.name}\\Recent IM ScreenNames") - + print_all(away_messages_key) print_all(file_xfer_settings_key) print_all(profile_info_key) - print_all(recent_contacts_key) + print_all(recent_contacts_key) end - + end end @@ -192,7 +192,7 @@ def get_msn_messenger_information print_all(general_information_key) print_all(file_sharing_information_key) print_all(file_transfers_information_key) - end + end end def get_windows_messenger_information @@ -210,11 +210,11 @@ end def get_icq_information if @hive.hive_regf.hive_name =~ /NTUSER\.dat/i general_information_key = @hive.relative_query("\\Software\\Mirabalis\\ICQ") - + print_all(general_information_key) elsif @hive.hive_regf.hive_name =~ /SOFTWARE/ owner_number_key = @hive.relative_query("\\Software\\Mirabalis\\ICQ\\Owner") - + print_all(owner_number_key) end end @@ -229,7 +229,7 @@ def get_ie_information intelliforms_information_key = @hive.relative_query("\\Software\\Microsoft\\Internet Explorer\\Intelliforms") autocomplete_web_addresses_key = @hive.relative_query("\\Software\\Microsoft\\Protected Storage System Provider") default_download_dir = @hive.relative_query("\\Software\\Microsoft\\Internet Explorer") - + print_all(stored_logon_information_key) print_all(stored_search_terms_information_key) print_all(ie_settings_information_key) @@ -245,7 +245,7 @@ end def get_outlook_information if @hive.hive_regf.hive_name =~ /NTUSER\.dat/i account_information_key = @hive.relative_query("\\Software\\Microsoft\\Protected Storage System Provider\\SID\\Identification\\INETCOMM Server Passwords") - + print_all(account_information_key) end end @@ -259,7 +259,7 @@ def get_yahoo_messenger_information profiles_key.lf_record.children.each do |child| file_transfers_information_key = @hive.relative_query("\\Software\\Yahoo\\Pager\\profiles\\#{child.name}\\FileTransfer") message_archiving_information_key = @hive.relative_query("\\Software\\Yahoo\\Pager\\profiles\\#{child.name}\\Archive") - + print_all(file_transfer_information_key) print_all(message_archiving_information_key) end @@ -267,7 +267,7 @@ def get_yahoo_messenger_information end def get_networking_information - + end def get_user_application_information @@ -278,252 +278,258 @@ if ARGV.length == 0 || ARGV[0] == "help" Usage: reg.rb Available commands: - query_key Query for more information about a specific node key - query_value Query for the value of a specific value key - get_boot_key Extract the boot key from the SYSTEM hive - dump_creds Dump the usernames and password hashes of the users from the SAM hive - list_applications List all the applications installed via the SOFTWARE hive - list_drivers List all the devices and their respective drivers and driver versions from SYSTEM hive - get_everything When pointed to a directory with hives, it will run all commands on all available hives - get_aol_instant_messenger_information Get credentials and general information on AOL Instant Messenger users from NTUSER.dat - get_msn_messenger_information Get credentials and general information on MSN Messenger users from NTUSER.dat - get_windows_messenger_information Get credentials and general information on Windows Messenger users from NTUSER.dat - get_icq_information Get credentials and general information on ICQ users from NTUSER.dat - get_ie_information Get stored credentials, typed history, search terms, and general settings from NTUSER.dat - get_outlook_information Gets outlook and outlook express stored credentials and general information from NTUSER.dat - get_yahoo_messenger_information Gets credentials and general information on Yahoo! Messenger users from NTUSER.dat - get_system_information Gets general system administration from both SOFTWARE and SYSTEM hives - get_networking_information Gets networing information from the SAM, SYSTEM, and NTUSER.dat hives - get_user_information Gets general user information from the SYSTEM, SECURITY, SAM, and NTUSER.dat hives - get_user_application_information Gets user-specific application information from the NTUSER.DAT and SOFTWARE hives + query_key Query for more information about a specific node key + query_value Query for the value of a specific value key + get_boot_key Extract the boot key from the SYSTEM hive + dump_creds Dump the usernames and password hashes of the users from the SAM hive + list_applications List all the applications installed via the SOFTWARE hive + list_drivers List all the devices and their respective drivers and driver versions from SYSTEM hive + get_everything When pointed to a directory with hives, it will run all commands on all available hives + get_aol_instant_messenger_information Get credentials and general information on AOL Instant Messenger users from NTUSER.dat + get_msn_messenger_information Get credentials and general information on MSN Messenger users from NTUSER.dat + get_windows_messenger_information Get credentials and general information on Windows Messenger users from NTUSER.dat + get_icq_information Get credentials and general information on ICQ users from NTUSER.dat + get_ie_information Get stored credentials, typed history, search terms, and general settings from NTUSER.dat + get_outlook_information Gets outlook and outlook express stored credentials and general information from NTUSER.dat + get_yahoo_messenger_information Gets credentials and general information on Yahoo! Messenger users from NTUSER.dat + get_system_information Gets general system administration from both SOFTWARE and SYSTEM hives + get_networking_information Gets networing information from the SAM, SYSTEM, and NTUSER.dat hives + get_user_information Gets general user information from the SYSTEM, SECURITY, SAM, and NTUSER.dat hives + get_user_application_information Gets user-specific application information from the NTUSER.DAT and SOFTWARE hives } puts no_args - exit + exit end -case ARGV[0] - when "query_key" - @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) - puts "Hive name: #{@hive.hive_regf.hive_name}" + case ARGV[0] - 1.upto(ARGV.length - 2) do |arg| - selected = @hive.relative_query(ARGV[arg]) + when "query_key" + @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) + puts "Hive name: #{@hive.hive_regf.hive_name}" - print_all(selected) - end + 1.upto(ARGV.length - 2) do |arg| + selected = @hive.relative_query(ARGV[arg]) - when "query_value" - @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) - puts "Hive name: #{@hive.hive_regf.hive_name}" + print_all(selected) + end - 1.upto(ARGV.length - 2) do |i| - selected = @hive.value_query(ARGV[i]) + when "query_value" + @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) + puts "Hive name: #{@hive.hive_regf.hive_name}" - if !selected - puts "Value not found." - return - end + 1.upto(ARGV.length - 2) do |i| + selected = @hive.value_query(ARGV[i]) - puts "Value Name: #{selected.name}" - puts "Value Data: #{selected.value.data.inspect}" - end + if !selected + puts "Value not found." + return + end - when "get_boot_key" - @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) + puts "Value Name: #{selected.name}" + puts "Value Data: #{selected.value.data.inspect}" + end - if @hive.hive_regf.hive_name !~ /SYSTEM/ - puts "I need a SYSTEM hive to grab the boot key, not a #{@hive.hive_regf.hive_name}." - else - get_boot_key - end + when "get_boot_key" + @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) - when "dump_creds" - @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) + if @hive.hive_regf.hive_name !~ /SYSTEM/ + puts "I need a SYSTEM hive to grab the boot key, not a #{@hive.hive_regf.hive_name}." + else + get_boot_key + end - if @hive.hive_regf.hive_name !~ /SAM/ - puts "I need a SAM hive, not a #{@hive.hive_regf.hive_name}" - else - dump_creds - end + when "dump_creds" + @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) - when "list_applications" - @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) + if @hive.hive_regf.hive_name !~ /SAM/ + puts "I need a SAM hive, not a #{@hive.hive_regf.hive_name}" + else + dump_creds + end - if @hive.hive_regf.hive_name !~ /SOFTWARE/ - puts "I need a SOFTWARE hive, not a #{@hive.hive_regf.hive_name}." - else - list_applications - end + when "list_applications" + @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) - when "list_drivers" - @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) + if @hive.hive_regf.hive_name !~ /SOFTWARE/ + puts "I need a SOFTWARE hive, not a #{@hive.hive_regf.hive_name}." + else + list_applications + end - if @hive.hive_regf.hive_name !~ /SYSTEM/ - puts "I need a SYSTEM hive, not a #{@hive.hive_regf.hive_name}." - else - list_drivers - end + when "list_drivers" + @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) - when "get_everything" - Dir.foreach(ARGV[1]) do |file| - next if file =~ /^\./ + if @hive.hive_regf.hive_name !~ /SYSTEM/ + puts "I need a SYSTEM hive, not a #{@hive.hive_regf.hive_name}." + else + list_drivers + end - @hive = Rex::Registry::Hive.new(ARGV[1] + "/" + file) + when "get_everything" + Dir.foreach(ARGV[1]) do |file| + next if file =~ /^\./ - next if !@hive.hive_regf - next if !@hive.hive_regf.hive_name + @hive = Rex::Registry::Hive.new(ARGV[1] + "/" + file) - if @hive.hive_regf.hive_name =~ /SYSTEM/ + next if !@hive.hive_regf + next if !@hive.hive_regf.hive_name - puts "Found a SYSTEM hive..." + case @hive.hive_regf.hive_name - list_drivers - get_boot_key - get_system_information - get_networking_information - get_user_information + when /SYSTEM/ - elsif @hive.hive_regf.hive_name =~ /SOFTWARE/ + puts "Found a SYSTEM hive..." - puts "Found a SOFTWARE hive..." + list_drivers + get_boot_key + get_system_information + get_networking_information + get_user_information - list_applications - get_icq_information - get_system_information - get_networking_information - get_user_information - get_user_application_information + when /SOFTWARE/ - elsif @hive.hive_regf.hive_name =~ /SAM/ + puts "Found a SOFTWARE hive..." - puts "Found a SAM hive..." + list_applications + get_icq_information + get_system_information + get_networking_information + get_user_information + get_user_application_information - get_networking_information - get_user_information + when /SAM/ - elsif @hive.hive_regf.hive_name =~ /SECURITY/ + puts "Found a SAM hive..." - puts "Found a SECURITY hive..." + get_networking_information + get_user_information - get_user_information + when /SECURITY/ - elsif @hive.hive_regf.hive_name =~ /NTUSER\.dat/i + puts "Found a SECURITY hive..." - puts "Found a NTUSER.dat hive..." + get_user_information - get_aol_instant_messenger_information - get_icq_information - get_ie_information - get_msn_messenger_information - get_outlook_information - get_windows_messenger_information - get_yahoo_messenger_information - get_networking_information - get_user_information - get_user_application_information + when /NTUSER\.dat/i - end - end + puts "Found a NTUSER.dat hive..." - when "get_aol_instant_messenger_information" - @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) + get_aol_instant_messenger_information + get_icq_information + get_ie_information + get_msn_messenger_information + get_outlook_information + get_windows_messenger_information + get_yahoo_messenger_information + get_networking_information + get_user_information + get_user_application_information - if @hive.hive_regf.hive_name !~ /NTUSER\.DAT/i - puts "I need the NTUSER.dat hive, not #{@hive.hive_regf.hive_name}." - else - get_aol_instant_messenger_information - end + end + end - when "get_icq_information" - @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) + when "get_aol_instant_messenger_information" + @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) - if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i && @hive.hive_regf.hive_name !~ /SOFTWARE/ - puts "I need either a SOFTWARE or NTUSER.dat hive, not #{@hive.hive_regf.hive_name}." - else - get_icq_information - end - when "get_ie_information" - @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) + if @hive.hive_regf.hive_name !~ /NTUSER\.DAT/i + puts "I need the NTUSER.dat hive, not #{@hive.hive_regf.hive_name}." + else + get_aol_instant_messenger_information + end - if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i - puts "I need an NTUSER.dat hive, not #{@hive.hive_regf.hive_name}." - else - get_ie_information - end + when "get_icq_information" + @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) - when "get_msn_messenger_information" - @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) + if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i && @hive.hive_regf.hive_name !~ /SOFTWARE/ + puts "I need either a SOFTWARE or NTUSER.dat hive, not #{@hive.hive_regf.hive_name}." + else + get_icq_information + end - if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i - puts "I need an NTUSER.dat hive, not #{@hive.hive_regf.hive_name}." - else - get_msn_messenger_information - end + when "get_ie_information" + @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) - when "get_outlook_information" - @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) + if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i + puts "I need an NTUSER.dat hive, not #{@hive.hive_regf.hive_name}." + else + get_ie_information + end - if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i - puts "I need an NTUSER.dat hive, not #{@hive.hive_regf.hive_name}." - else - get_outlook_information - end + when "get_msn_messenger_information" + @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) - when "get_windows_messenger_information" - @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) + if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i + puts "I need an NTUSER.dat hive, not #{@hive.hive_regf.hive_name}." + else + get_msn_messenger_information + end - if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i - puts "I need an NTUSER.dat hive, not a #{@hive.hive_regf.hive_name}." - else - get_windows_messenger_information - end + when "get_outlook_information" + @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) - when "get_yahoo_messenger_information" - @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) + if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i + puts "I need an NTUSER.dat hive, not #{@hive.hive_regf.hive_name}." + else + get_outlook_information + end - if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i - puts "I need an NTUSER.dat hive, not a #{@hive.hive_regf.hive_name}." - else - get_yahoo_messenger_information - end + when "get_windows_messenger_information" + @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) - when "get_system_information" - @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) + if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i + puts "I need an NTUSER.dat hive, not a #{@hive.hive_regf.hive_name}." + else + get_windows_messenger_information + end - if @hive.hive_regf.hive_name !~ /SYSTEM/ && @hive.hive_regf.hive_name !~ /SOFTWARE/ - puts "I need the SYSTEM or SOFTWARE hive, not #{@hive.hive_regf.hive_name}." - else - get_system_information - end - when "get_networking_information" - @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) + when "get_yahoo_messenger_information" + @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) - if @hive.hive_regf.hive_name !~ /SAM/ && @hive.hive_regf.hive_name !~ /SYSTEM/ && @hive.hive_regf.hive_name !~ /NTUSER\.dat/i - puts "I need either a SAM, SYSTEM, or NTUSER.dat hive, not a #{@hive.hive_regf.hive_name}." - else - get_networking_information - end + if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i + puts "I need an NTUSER.dat hive, not a #{@hive.hive_regf.hive_name}." + else + get_yahoo_messenger_information + end - when "get_user_information" - @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) + when "get_system_information" + @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) - if @hive.hive_regf.hive_name !~ /SAM/ - puts "I need a SAM hive. Not a #{@hive.hive_regf.hive_name}." - else - get_user_information + if @hive.hive_regf.hive_name !~ /SYSTEM/ && @hive.hive_regf.hive_name !~ /SOFTWARE/ + puts "I need the SYSTEM or SOFTWARE hive, not #{@hive.hive_regf.hive_name}." + else + get_system_information + end - end - when "get_user_application_information" - @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) + when "get_networking_information" + @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) - if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i && @hive.hive_regf.hive_name !~ /SOFTWARE/ - puts "I need either an NTUSER.dat or SOFTWARE hive, not a #{@hive.hive_regf.hive_name}." - else - get_user_application_information - end - else - puts "Sorry invalid command, try with \"help\"" -end + if @hive.hive_regf.hive_name !~ /SAM/ && @hive.hive_regf.hive_name !~ /SYSTEM/ && @hive.hive_regf.hive_name !~ /NTUSER\.dat/i + puts "I need either a SAM, SYSTEM, or NTUSER.dat hive, not a #{@hive.hive_regf.hive_name}." + else + get_networking_information + end + when "get_user_information" + @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) + + if @hive.hive_regf.hive_name !~ /SAM/ + puts "I need a SAM hive. Not a #{@hive.hive_regf.hive_name}." + else + get_user_information + end + + when "get_user_application_information" + @hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1]) + + if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i && @hive.hive_regf.hive_name !~ /SOFTWARE/ + puts "I need either an NTUSER.dat or SOFTWARE hive, not a #{@hive.hive_regf.hive_name}." + else + get_user_application_information + end + + else + + puts "Sorry invalid command, try with \"help\"" +end \ No newline at end of file