# This file is part of creddump.
#
# creddump is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# creddump is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with creddump. If not, see <http://www.gnu.org/licenses/>.
"""
@author: Brendan Dolan-Gavitt
@license: GNU General Public License 2.0 or later
@contact: bdolangavitt@wesleyan.edu
"""
import hmac
import hashlib
from .rawreg import *
from ..addrspace import HiveFileAddressSpace
from .hashdump import get_bootkey
from .lsasecrets import get_secret_by_name, get_lsa_key
from struct import unpack
from foreign.client_handling.lazagne.config.crypto.pyaes.aes import AESModeOfOperationCBC
from foreign.client_handling.lazagne.config.crypto.rc4 import RC4
# AES block size in bytes; decrypt_hash_vista walks and pads the encrypted
# blob in units of this size.
AES_BLOCK_SIZE = 16
def get_nlkm(secaddr, lsakey, vista):
    """Return the NL$KM LSA secret, the key material used by decrypt_hash
    and decrypt_hash_vista to unwrap cached-logon hashes.

    Thin wrapper around ``get_secret_by_name`` with the secret name fixed;
    *secaddr*, *lsakey* and *vista* are passed through unchanged.
    """
    secret_name = 'NL$KM'
    return get_secret_by_name(secaddr, secret_name, lsakey, vista)
def decrypt_hash(edata, nlkm, ch):
    """Decrypt a pre-Vista cached-credential hash blob.

    The RC4 key is HMAC-MD5 over the per-entry challenge *ch*, keyed with
    the NL$KM secret *nlkm*. The project's ``RC4`` object only exposes
    ``encrypt``; for a stream cipher that is the same keystream XOR as
    decryption, so it is applied to *edata* directly.

    Args:
        edata: encrypted hash bytes taken from the cache entry.
        nlkm: NL$KM LSA secret bytes (HMAC key).
        ch: per-entry challenge bytes (HMAC message).

    Returns:
        The bytes produced by applying the derived RC4 keystream to *edata*.
    """
    derived_key = hmac.new(nlkm, ch, hashlib.md5).digest()
    cipher = RC4(derived_key)
    return cipher.encrypt(edata)
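def decrypt_hash_vista(edata, nlkm, ch):
    """Decrypt a Vista-and-later cached-credential hash blob with AES-CBC.

    Based on code from http://lab.mediaservice.net/code/cachedump.rb

    The cipher is keyed with ``nlkm[16:32]`` and uses the per-entry
    challenge *ch* as the CBC IV. *edata* is consumed one 16-byte block at
    a time; a trailing short block is zero-padded to a full block before
    it is decrypted, so the output length is always a multiple of
    ``AES_BLOCK_SIZE`` (callers that need the exact plaintext length must
    trim it themselves).

    All buffers are handled as ``bytes``: the original mixed a ``str``
    accumulator and ``str`` padding with ``bytes`` from ``aes.decrypt``,
    which raises ``TypeError`` on Python 3.

    Args:
        edata: encrypted hash bytes from the cache entry.
        nlkm: NL$KM LSA secret bytes; ``nlkm[16:32]`` must be a full
            16-byte AES key (assumes the secret is at least 32 bytes — TODO confirm).
        ch: challenge bytes used as the IV (assumed 16 bytes — TODO confirm).

    Returns:
        The decrypted bytes, one AES block per (padded) input block.
    """
    aes = AESModeOfOperationCBC(nlkm[16:32], iv=ch)
    blocks = []
    for offset in range(0, len(edata), AES_BLOCK_SIZE):
        block = edata[offset:offset + AES_BLOCK_SIZE]
        if len(block) < AES_BLOCK_SIZE:
            # Last chunk is short: zero-pad so AES sees a whole block.
            block += b"\x00" * (AES_BLOCK_SIZE - len(block))
        blocks.append(aes.decrypt(block))
    # Join once instead of repeated += on bytes (avoids quadratic copies).
    return b"".join(blocks)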
def parse_cache_entry(cache_data):
(uname_len, domain_len) = unpack("