MultiRelay initial commit

tools/MultiRelay/creddump/framework/win32/domcachedump.py

@@ -0,0 +1,117 @@
+# This file is part of creddump.
+#
+# creddump is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# creddump is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with creddump.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+@author:       Brendan Dolan-Gavitt
+@license:      GNU General Public License 2.0 or later
+@contact:      bdolangavitt@wesleyan.edu
+"""
+
+from framework.win32.rawreg import *
+from framework.addrspace import HiveFileAddressSpace
+#from framework.win32.hashdump import get_bootkey
+from framework.win32.lsasecrets import get_secret_by_name,get_lsa_key
+from Crypto.Hash import HMAC
+from Crypto.Cipher import ARC4
+from struct import unpack
+
+def get_nlkm(secaddr, lsakey):
+    return get_secret_by_name(secaddr, 'NL$KM', lsakey)
+
+def decrypt_hash(edata, nlkm, ch):
+    hmac_md5 = HMAC.new(nlkm,ch)
+    rc4key = hmac_md5.digest()
+
+    rc4 = ARC4.new(rc4key)
+    data = rc4.encrypt(edata)
+    return data
+
+def parse_cache_entry(cache_data):
+    (uname_len, domain_len) = unpack("<HH", cache_data[:4])
+    (domain_name_len,) = unpack("<H", cache_data[60:62])
+    ch = cache_data[64:80]
+    enc_data = cache_data[96:]
+    return (uname_len, domain_len, domain_name_len, enc_data, ch) 
+
+def parse_decrypted_cache(dec_data, uname_len,
+        domain_len, domain_name_len):
+    uname_off = 72
+    pad = 2 * ( ( uname_len / 2 ) % 2 )
+    domain_off = uname_off + uname_len + pad
+    pad = 2 * ( ( domain_len / 2 ) % 2 )
+    domain_name_off = domain_off + domain_len + pad
+
+    hash = dec_data[:0x10]
+    username = dec_data[uname_off:uname_off+uname_len]
+    username = username.decode('utf-16-le')
+    domain = dec_data[domain_off:domain_off+domain_len]
+    domain = domain.decode('utf-16-le')
+    domain_name = dec_data[domain_name_off:domain_name_off+domain_name_len]
+    domain_name = domain_name.decode('utf-16-le')
+
+    return (username, domain, domain_name, hash)
+
+def dump_hashes(Key, secaddr):
+    bootkey = Key
+    if not bootkey:
+        return []
+
+    lsakey = get_lsa_key(secaddr, bootkey)
+    if not lsakey:
+        return []
+
+    nlkm = get_nlkm(secaddr, lsakey)
+    if not nlkm:
+        return []
+
+    root = get_root(secaddr)
+    if not root:
+        return []
+
+    cache = open_key(root, ["Cache"])
+    if not cache:
+        return []
+
+    hashes = []
+    for v in values(cache):
+        if v.Name == "NL$Control": continue
+        
+        data = v.space.read(v.Data.value, v.DataLength.value)
+
+        (uname_len, domain_len, domain_name_len, 
+            enc_data, ch) = parse_cache_entry(data)
+        
+        # Skip if nothing in this cache entry
+        if uname_len == 0:
+            continue
+
+        dec_data = decrypt_hash(enc_data, nlkm, ch)
+
+        (username, domain, domain_name,
+            hash) = parse_decrypted_cache(dec_data, uname_len,
+                    domain_len, domain_name_len)
+
+        hashes.append((username, domain, domain_name, hash))
+
+    return hashes 
+
+def dump_file_hashes(Key, sechive_fname):
+    sysaddr = Key
+    secaddr = HiveFileAddressSpace(sechive_fname)
+
+    for (u, d, dn, hash) in dump_hashes(sysaddr, secaddr):
+        print "%s:%s:%s:%s" % (u.lower(), hash.encode('hex'),
+                               d.lower(), dn.lower())
+

tools/MultiRelay/creddump/framework/win32/hashdump.py

@@ -0,0 +1,220 @@
+# This file is part of creddump.
+#
+# creddump is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# creddump is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with creddump.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+@author:       Brendan Dolan-Gavitt
+@license:      GNU General Public License 2.0 or later
+@contact:      bdolangavitt@wesleyan.edu
+"""
+
+from framework.win32.rawreg import *
+from framework.addrspace import HiveFileAddressSpace
+try:
+    from Crypto.Hash import MD5
+    from Crypto.Cipher import ARC4,DES
+except ImportError:
+    pass
+from struct import unpack,pack
+
+odd_parity = [
+  1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,
+  16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
+  32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
+  49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
+  64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
+  81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
+  97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
+  112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
+  128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
+  145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
+  161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
+  176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
+  193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
+  208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
+  224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
+  241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254
+]
+
+# Permutation matrix for boot key
+p = [ 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3,
+      0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 ]
+
+# Constants for SAM decrypt algorithm
+aqwerty = "!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\0"
+anum = "0123456789012345678901234567890123456789\0"
+antpassword = "NTPASSWORD\0"
+almpassword = "LMPASSWORD\0"
+
+empty_lm = "aad3b435b51404eeaad3b435b51404ee".decode('hex')
+empty_nt = "31d6cfe0d16ae931b73c59d7e0c089c0".decode('hex')
+
+def str_to_key(s):
+    key = []
+    key.append( ord(s[0])>>1 )
+    key.append( ((ord(s[0])&0x01)<<6) | (ord(s[1])>>2) )
+    key.append( ((ord(s[1])&0x03)<<5) | (ord(s[2])>>3) )
+    key.append( ((ord(s[2])&0x07)<<4) | (ord(s[3])>>4) )
+    key.append( ((ord(s[3])&0x0F)<<3) | (ord(s[4])>>5) )
+    key.append( ((ord(s[4])&0x1F)<<2) | (ord(s[5])>>6) )
+    key.append( ((ord(s[5])&0x3F)<<1) | (ord(s[6])>>7) )
+    key.append( ord(s[6])&0x7F )
+    for i in range(8):
+        key[i] = (key[i]<<1)
+        key[i] = odd_parity[key[i]]
+    return "".join(chr(k) for k in key)
+
+def sid_to_key(sid):
+    s1 = ""
+    s1 += chr(sid & 0xFF)
+    s1 += chr((sid>>8) & 0xFF)
+    s1 += chr((sid>>16) & 0xFF)
+    s1 += chr((sid>>24) & 0xFF)
+    s1 += s1[0];
+    s1 += s1[1];
+    s1 += s1[2];
+    s2 = s1[3] + s1[0] + s1[1] + s1[2]
+    s2 += s2[0] + s2[1] + s2[2]
+
+    return str_to_key(s1),str_to_key(s2)
+    
+def find_control_set(sysaddr):
+    root = get_root(sysaddr)
+    if not root:
+        return 1
+
+    csselect = open_key(root, ["Select"])
+    if not csselect:
+        return 1
+
+    for v in values(csselect):
+        if v.Name == "Current": return v.Data.value
+
+def get_hbootkey(samaddr, bootkey):
+    sam_account_path = ["SAM", "Domains", "Account"]
+
+    root = get_root(samaddr)
+    if not root: return None
+
+    sam_account_key = open_key(root, sam_account_path)
+    if not sam_account_key: return None
+
+    F = None
+    for v in values(sam_account_key):
+        if v.Name == 'F':
+            F = samaddr.read(v.Data.value, v.DataLength.value)
+    if not F: return None
+
+    md5 = MD5.new()
+    md5.update(F[0x70:0x80] + aqwerty + bootkey + anum)
+    rc4_key = md5.digest()
+
+    rc4 = ARC4.new(rc4_key)
+    hbootkey = rc4.encrypt(F[0x80:0xA0])
+    
+    return hbootkey
+
+def get_user_keys(samaddr):
+    user_key_path = ["SAM", "Domains", "Account", "Users"]
+
+    root = get_root(samaddr)
+    if not root: return []
+
+    user_key = open_key(root, user_key_path)
+    if not user_key: return []
+
+    return [k for k in subkeys(user_key) if k.Name != "Names"]
+
+def decrypt_single_hash(rid, hbootkey, enc_hash, lmntstr):
+    (des_k1,des_k2) = sid_to_key(rid)
+    d1 = DES.new(des_k1, DES.MODE_ECB)
+    d2 = DES.new(des_k2, DES.MODE_ECB)
+
+    md5 = MD5.new()
+    md5.update(hbootkey[:0x10] + pack("<L",rid) + lmntstr)
+    rc4_key = md5.digest()
+    rc4 = ARC4.new(rc4_key)
+    obfkey = rc4.encrypt(enc_hash)
+    hash = d1.decrypt(obfkey[:8]) + d2.decrypt(obfkey[8:])
+
+    return hash
+
+def decrypt_hashes(rid, enc_lm_hash, enc_nt_hash, hbootkey):
+    # LM Hash
+    if enc_lm_hash:
+        lmhash = decrypt_single_hash(rid, hbootkey, enc_lm_hash, almpassword)
+    else:
+        lmhash = ""
+    
+    # NT Hash
+    if enc_nt_hash:
+        nthash = decrypt_single_hash(rid, hbootkey, enc_nt_hash, antpassword)
+    else:
+        nthash = ""
+
+    return lmhash,nthash
+
+def get_user_hashes(user_key, hbootkey):
+    samaddr = user_key.space
+    rid = int(user_key.Name, 16)
+    V = None
+    for v in values(user_key):
+        if v.Name == 'V':
+            V = samaddr.read(v.Data.value, v.DataLength.value)
+    if not V: return None
+
+    hash_offset = unpack("<L", V[0x9c:0x9c+4])[0] + 0xCC
+
+    lm_exists = True if unpack("<L", V[0x9c+4:0x9c+8])[0] == 20 else False
+    nt_exists = True if unpack("<L", V[0x9c+16:0x9c+20])[0] == 20 else False
+
+    enc_lm_hash = V[hash_offset+4:hash_offset+20] if lm_exists else ""
+    enc_nt_hash = V[hash_offset+(24 if lm_exists else 8):hash_offset+(24 if lm_exists else 8)+16] if nt_exists else ""
+
+    return decrypt_hashes(rid, enc_lm_hash, enc_nt_hash, hbootkey)
+
+def get_user_name(user_key):
+    samaddr = user_key.space
+    V = None
+    for v in values(user_key):
+        if v.Name == 'V':
+            V = samaddr.read(v.Data.value, v.DataLength.value)
+    if not V: return None
+
+    name_offset = unpack("<L", V[0x0c:0x10])[0] + 0xCC
+    name_length = unpack("<L", V[0x10:0x14])[0]
+
+    username = V[name_offset:name_offset+name_length].decode('utf-16-le')
+    return username
+
+def dump_hashes(Key, samaddr):
+    bootkey = Key
+    hbootkey = get_hbootkey(samaddr,bootkey)
+    Output = ""
+    for user in get_user_keys(samaddr):
+        lmhash,nthash = get_user_hashes(user,hbootkey)
+        if not lmhash: lmhash = empty_lm
+        if not nthash: nthash = empty_nt
+        hashes = "%s:%d:%s:%s:::" % (get_user_name(user), int(user.Name,16),
+                            lmhash.encode('hex'), nthash.encode('hex'))
+        hashesdump = "%s:%d:%s:%s:::\n" % (get_user_name(user), int(user.Name,16),
+                            lmhash.encode('hex'), nthash.encode('hex'))
+        print hashes
+        Output += hashesdump
+    return Output
+
+def dump_file_hashes(Key, samhive_fname):
+    samaddr = HiveFileAddressSpace(samhive_fname)
+    Output = dump_hashes(Key, samaddr)
+    return Output

tools/MultiRelay/creddump/framework/win32/lsasecrets.py

@@ -0,0 +1,137 @@
+# This file is part of creddump.
+#
+# creddump is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# creddump is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with creddump.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+@author:       Brendan Dolan-Gavitt
+@license:      GNU General Public License 2.0 or later
+@contact:      bdolangavitt@wesleyan.edu
+"""
+
+from framework.win32.rawreg import *
+from framework.addrspace import HiveFileAddressSpace
+#from framework.win32.hashdump import get_bootkey,str_to_key
+from Crypto.Hash import MD5
+from Crypto.Cipher import ARC4,DES
+
+def get_lsa_key(secaddr, bootkey):
+    root = get_root(secaddr)
+    if not root:
+        return None
+
+    enc_reg_key = open_key(root, ["Policy", "PolSecretEncryptionKey"])
+    if not enc_reg_key:
+        exit(1)
+        return None
+
+    enc_reg_value = enc_reg_key.ValueList.List[0]
+    if not enc_reg_value:
+        return None
+
+    obf_lsa_key = secaddr.read(enc_reg_value.Data.value,
+            enc_reg_value.DataLength.value)
+    if not obf_lsa_key:
+        return None
+
+    md5 = MD5.new()
+    md5.update(bootkey)
+    for i in range(1000):
+        md5.update(obf_lsa_key[60:76])
+    rc4key = md5.digest()
+
+    rc4 = ARC4.new(rc4key)
+    lsa_key = rc4.decrypt(obf_lsa_key[12:60])
+
+    return lsa_key[0x10:0x20]
+
+def decrypt_secret(secret, key):
+    """Python implementation of SystemFunction005.
+
+    Decrypts a block of data with DES using given key.
+    Note that key can be longer than 7 bytes."""
+    decrypted_data = ''
+    j = 0   # key index
+    for i in range(0,len(secret),8):
+        enc_block = secret[i:i+8]
+        block_key = key[j:j+7]
+        des_key = str_to_key(block_key)
+
+        des = DES.new(des_key, DES.MODE_ECB)
+        decrypted_data += des.decrypt(enc_block)
+        
+        j += 7
+        if len(key[j:j+7]) < 7:
+            j = len(key[j:j+7])
+
+    (dec_data_len,) = unpack("<L", decrypted_data[:4])
+    return decrypted_data[8:8+dec_data_len]
+
+def get_secret_by_name(secaddr, name, lsakey):
+    root = get_root(secaddr)
+    if not root:
+        return None
+    
+    enc_secret_key = open_key(root, ["Policy", "Secrets", name, "CurrVal"])
+    if not enc_secret_key:
+        return None
+
+    enc_secret_value = enc_secret_key.ValueList.List[0]
+    if not enc_secret_value:
+        return None
+
+    enc_secret = secaddr.read(enc_secret_value.Data.value,
+            enc_secret_value.DataLength.value)
+    if not enc_secret:
+        return None
+
+    return decrypt_secret(enc_secret[0xC:], lsakey)
+
+def get_secrets(Key, secaddr):
+    root = get_root(secaddr)
+    if not root:
+        return None
+
+    bootkey = Key
+    lsakey = get_lsa_key(secaddr, bootkey)
+
+    secrets_key = open_key(root, ["Policy", "Secrets"])
+    if not secrets_key:
+        print "no secret"
+        return None
+    
+    secrets = {}
+    for key in subkeys(secrets_key):
+        sec_val_key = open_key(key, ["CurrVal"])
+        if not sec_val_key:
+            continue
+        
+        enc_secret_value = sec_val_key.ValueList.List[0]
+        if not enc_secret_value:
+            continue
+        
+        enc_secret = secaddr.read(enc_secret_value.Data.value,
+                enc_secret_value.DataLength.value)
+        if not enc_secret:
+            continue
+
+        secret = decrypt_secret(enc_secret[0xC:], lsakey)
+        secrets[key.Name] = secret
+
+    return secrets
+
+def get_file_secrets(Key, secfile):
+    secaddr = HiveFileAddressSpace(secfile)
+
+    return get_secrets(Key, secaddr)
+

tools/MultiRelay/creddump/framework/win32/rawreg.py

@@ -0,0 +1,73 @@
+# This file is part of creddump.
+#
+# creddump is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# creddump is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with creddump.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+@author:       Brendan Dolan-Gavitt
+@license:      GNU General Public License 2.0 or later
+@contact:      bdolangavitt@wesleyan.edu
+"""
+
+from framework.newobj import Obj,Pointer
+from struct import unpack
+
+ROOT_INDEX = 0x20
+LH_SIG = unpack("<H","lh")[0]
+LF_SIG = unpack("<H","lf")[0]
+RI_SIG = unpack("<H","ri")[0]
+
+def get_root(address_space):
+    return Obj("_CM_KEY_NODE", ROOT_INDEX, address_space)
+
+def open_key(root, key):
+    if key == []:
+        return root
+    
+    keyname = key.pop(0)
+    for s in subkeys(root):
+        if s.Name.upper() == keyname.upper():
+            return open_key(s, key)
+    print "ERR: Couldn't find subkey %s of %s" % (keyname, root.Name)
+    return None
+
+def subkeys(key,stable=True):
+    if stable: k = 0
+    else: k = 1
+    sk = (key.SubKeyLists[k]/["pointer", ["_CM_KEY_INDEX"]]).value
+    sub_list = []
+    if (sk.Signature.value == LH_SIG or
+            sk.Signature.value == LF_SIG):
+        sub_list = sk.List
+    elif sk.Signature.value == RI_SIG:
+        lfs = []
+        for i in range(sk.Count.value):
+            off,tp = sk.get_offset(['List', i])
+            lfs.append(Pointer("pointer", sk.address+off, sk.space,
+                ["_CM_KEY_INDEX"]))
+        for lf in lfs:
+            sub_list += lf.List
+
+    for s in sub_list:
+        if s.is_valid() and s.Signature.value == 27502:
+            yield s.value
+
+def values(key):
+    for v in key.ValueList.List:
+        yield v.value
+
+def walk(root):
+    for k in subkeys(root):
+        yield k
+        for j in walk(k):
+            yield j