# This file is part of creddump.
#
# creddump is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# creddump is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with creddump. If not, see .
"""
@author: Brendan Dolan-Gavitt
@license: GNU General Public License 2.0 or later
@contact: bdolangavitt@wesleyan.edu

Helpers around the NL$KM LSA secret: fetching it from the SECURITY hive
address space and decrypting a cached entry with either the RC4 (pre-Vista)
or AES-CBC (Vista and later) scheme. The entry parser at the bottom of this
module is continued past the end of this excerpt.
"""
import hmac
import hashlib
from .rawreg import *
from ..addrspace import HiveFileAddressSpace
from .hashdump import get_bootkey
from .lsasecrets import get_secret_by_name, get_lsa_key
from struct import unpack
from foreign.client_handling.lazagne.config.crypto.pyaes.aes import AESModeOfOperationCBC
from foreign.client_handling.lazagne.config.crypto.rc4 import RC4

# AES processes 16-byte blocks; decrypt_hash_vista chunks its input by this.
AES_BLOCK_SIZE = 16


def get_nlkm(secaddr, lsakey, vista):
    """Return the LSA secret named 'NL$KM'.

    Thin wrapper: every argument is passed straight through to
    get_secret_by_name together with the fixed secret name.

    Args:
        secaddr: address space handed to get_secret_by_name.
        lsakey: LSA key handed to get_secret_by_name.
        vista: flag handed to get_secret_by_name (selects the newer format there).

    Returns:
        Whatever get_secret_by_name returns for 'NL$KM'.
    """
    return get_secret_by_name(secaddr, 'NL$KM', lsakey, vista)


def decrypt_hash(edata, nlkm, ch):
    """Decrypt a pre-Vista cached entry with RC4.

    The RC4 key is HMAC-MD5 keyed with ``nlkm`` over ``ch``. The ciphertext
    is then run through RC4.encrypt; RC4 is a stream cipher, so the same
    operation decrypts — presumably that is why no decrypt() call is used
    here (confirm against the RC4 helper).

    Args:
        edata: encrypted entry bytes.
        nlkm: the NL$KM secret used as the HMAC key.
        ch: per-entry value used as the HMAC message.

    Returns:
        The output of RC4.encrypt over ``edata``.
    """
    hmac_md5 = hmac.new(nlkm, ch, hashlib.md5)
    rc4key = hmac_md5.digest()
    rc4 = RC4(rc4key)
    data = rc4.encrypt(edata)
    return data


def decrypt_hash_vista(edata, nlkm, ch):
    """
    Based on code from http://lab.mediaservice.net/code/cachedump.rb

    Decrypt a Vista-or-later cached entry with AES in CBC mode, keyed with
    bytes 16..31 of ``nlkm`` and using ``ch`` as the IV. The input is
    consumed in 16-byte chunks; a short trailing chunk is zero-padded.

    Args:
        edata: encrypted entry bytes.
        nlkm: the NL$KM secret; only nlkm[16:32] is used as the key.
        ch: per-entry value used as the CBC IV.

    Returns:
        The concatenated decrypted blocks.
    """
    # NOTE(review): nlkm[16:32] is a plain slice — if nlkm is shorter than
    # 32 bytes the key is silently short rather than rejected; the AES
    # helper presumably raises on a bad key length, confirm.
    aes = AESModeOfOperationCBC(nlkm[16:32], iv=ch)
    # NOTE(review): `out` starts as a str while the loop appends the bytes
    # returned by b"".join(); on Python 3 that `+=` raises TypeError. The
    # "\00" pad below is likewise a str added to a bytes slice. This body
    # looks Python-2-only — confirm before relying on it under Python 3.
    out = ""
    for i in range(0, len(edata), 16):
        buf = edata[i:i+16]
        if len(buf) < 16:
            # Zero-pad a short final chunk up to one full block.
            buf += (16 - len(buf)) * "\00"
        # Decrypt the chunk block by block. The comprehension reuses the
        # name `i`; in Python 3 it has its own scope, and even where it
        # leaks (Python 2) the enclosing for rebinds `i` each iteration,
        # so the result is unaffected.
        out += b"".join([aes.decrypt(buf[i:i + AES_BLOCK_SIZE]) for i in range(0, len(buf), AES_BLOCK_SIZE)])
    return out


def parse_cache_entry(cache_data):
    (uname_len, domain_len) = unpack("