Module: Msf::Util::WindowsRegistry::Security
- Includes: Msf::Util::WindowsCryptoHelpers
- Defined in: lib/msf/util/windows_registry/security.rb
Overview
This module includes helpers for the SECURITY hive.
Defined Under Namespace
Classes: CacheData, CacheEntry, CacheInfo
Instance Attribute Summary
- #lsa_vista_style ⇒ Object
Returns the value of attribute lsa_vista_style.
Instance Method Summary
- #cached_infos(nlkm_key) ⇒ Array
Returns the decrypted Cache data and information from HKLM\SECURITY\Cache.
- #lsa_secret_key(boot_key) ⇒ String
Retrieves the decrypted LSA secret key from a given BootKey.
- #lsa_secrets(lsa_key) ⇒ Hash
Returns the decrypted LSA secrets under HKLM\SECURITY\Policy\Secrets.
- #nlkm_secret_key(lsa_key) ⇒ String
Returns the decrypted NLKM secret key from HKLM\SECURITY\Policy\Secrets\NL$KM\CurrVal.
- #normalize_key(key) ⇒ Object
Methods included from Msf::Util::WindowsCryptoHelpers
#add_parity, #aes128_cts_hmac_sha1_96, #aes256_cts_hmac_sha1_96, #aes_cts_hmac_sha1_96, #convert_des_56_to_64, #decrypt_aes, #decrypt_hash, #decrypt_lsa_data, #decrypt_secret_data, #decrypt_user_hash, #decrypt_user_key, #des_cbc_md5, #fix_parity, #rc4_hmac, #rid_to_key, #weak_des_key?
Instance Attribute Details
#lsa_vista_style ⇒ Object
Returns the value of attribute lsa_vista_style.
```ruby
# File 'lib/msf/util/windows_registry/security.rb', line 80
def lsa_vista_style
  @lsa_vista_style
end
```
Instance Method Details
#cached_infos(nlkm_key) ⇒ Array
Returns the decrypted Cache data and information from HKLM\SECURITY\Cache. For this, the NLKM secret key must be provided, which can be retrieved with the #nlkm_secret_key method.
```ruby
# File 'lib/msf/util/windows_registry/security.rb', line 193
def cached_infos(nlkm_key)
  values = enum_values(normalize_key('HKLM\\SECURITY\\Cache'))
  unless values
    elog('[Msf::Util::WindowsRegistry::Sam::cached_hashes] No cached entries')
    return
  end

  values.delete('NL$Control')

  iteration_count = nil
  if values.delete('NL$IterationCount')
    _value_type, value_data = reg_parser.get_value(normalize_key('HKLM\\SECURITY\\Cache'), 'NL$IterationCount')
    iteration_count = value_data.to_i
  end

  values.map do |value|
    _value_type, value_data = get_value(normalize_key('HKLM\\SECURITY\\Cache'), value)
    cache = CacheEntry.read(value_data)
    cache_info = CacheInfo.new(name: value, entry: cache)
    # An entry with an empty user name is an unused slot: return it undecrypted
    next cache_info unless cache.user_name_length > 0

    enc_data = cache.enc_data.map(&:chr).join
    if @lsa_vista_style
      # Vista and above: AES keyed with the second 16 bytes of the NLKM key, IV taken from the entry
      dec_data = decrypt_aes(enc_data, nlkm_key[16...32], cache.iv)
    else
      # XP and below: legacy scheme implemented by decrypt_hash in WindowsCryptoHelpers
      dec_data = decrypt_hash(enc_data, nlkm_key, cache.iv)
    end

    # Hand the *_length header fields to CacheData so it knows how much of the plaintext to read
    params = cache.snapshot.to_h.select { |key, _v| key.to_s.end_with?('_length') }
    params[:group_count] = cache.group_count
    cache_data = CacheData.new(params).read(dec_data)
    cache_info.data = cache_data

    if @lsa_vista_style
      # Prefer the hive-wide NL$IterationCount value; fall back to the per-entry count
      cache_info.iteration_count = iteration_count ? iteration_count : cache.iteration_count
      if (cache_info.iteration_count > 10240)
        cache_info.real_iteration_count = cache_info.iteration_count & 0xfffffc00
      else
        cache_info.real_iteration_count = cache_info.iteration_count * 1024
      end
    end

    cache_info
  end
end
```
#lsa_secret_key(boot_key) ⇒ String
Retrieves the decrypted LSA secret key from a given BootKey. This also sets the @lsa_vista_style attribute according to the registry keys found under `HKLM\SECURITY\Policy`. If set to `true`, the system version is Windows Vista or above; otherwise it is Windows XP or below.
```ruby
# File 'lib/msf/util/windows_registry/security.rb', line 93
def lsa_secret_key(boot_key)
  # vprint_status('Getting PolEKList...')
  _value_type, value_data = get_value(normalize_key('HKLM\\SECURITY\\Policy\\PolEKList'))
  if value_data
    # Vista or above system
    @lsa_vista_style = true

    lsa_key = decrypt_lsa_data(value_data, boot_key)
    lsa_key = lsa_key[68, 32] unless lsa_key.empty?
  else
    # vprint_status('Getting PolSecretEncryptionKey...')
    _value_type, value_data = get_value(normalize_key('HKLM\\SECURITY\\Policy\\PolSecretEncryptionKey'))
    # If that didn't work, then we're out of luck
    return nil if value_data.nil?

    # XP or below system
    @lsa_vista_style = false

    # RC4 key = MD5(boot_key || salt * 1000), the salt being the 16 bytes at offset 60
    md5x = Digest::MD5.new
    md5x << boot_key
    1000.times do
      md5x << value_data[60, 16]
    end

    # Decrypt the 48 bytes at offset 12; the LSA key is bytes 0x10..0x1F of the plaintext
    rc4 = OpenSSL::Cipher.new('rc4')
    rc4.decrypt
    rc4.key = md5x.digest
    lsa_key = rc4.update(value_data[12, 48])
    lsa_key << rc4.final
    lsa_key = lsa_key[0x10..0x1F]
  end

  lsa_key
end
```
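To make the pre-Vista branch of lsa_secret_key concrete, here is an added, self-contained Ruby example (not the module's own code) that re-derives the LSA key from a constructed PolSecretEncryptionKey-shaped value: MD5(boot_key || 16-byte salt, repeated 1000 times) keys an RC4 decryption of the 48 bytes at offset 12, and bytes 0x10..0x1F of the plaintext are the key. The helper names (rc4, xp_rc4_key, xp_lsa_key, build_xp_value_data), the blob layout inferred from the offsets above, and the sample boot key, salt and LSA key are assumptions made for this example; RC4 is implemented in pure Ruby so it runs without OpenSSL's legacy provider.

```ruby
require 'digest/md5'

# Pure-Ruby RC4 (key scheduling + PRGA); same keystream as OpenSSL's 'rc4'
# cipher used by the module, and symmetric, so one function encrypts and decrypts.
def rc4(key, data)
  s = (0..255).to_a
  k = key.bytes
  j = 0
  256.times do |i|
    j = (j + s[i] + k[i % k.size]) & 0xff
    s[i], s[j] = s[j], s[i]
  end
  i = j = 0
  data.bytes.map do |b|
    i = (i + 1) & 0xff
    j = (j + s[i]) & 0xff
    s[i], s[j] = s[j], s[i]
    b ^ s[(s[i] + s[j]) & 0xff]
  end.pack('C*')
end

# RC4 key of the pre-Vista scheme: MD5(boot_key || salt * 1000)
def xp_rc4_key(boot_key, salt)
  md5 = Digest::MD5.new
  md5 << boot_key
  1000.times { md5 << salt }
  md5.digest
end

# Mirrors the else-branch of lsa_secret_key: salt at offset 60, ciphertext at
# offset 12 (48 bytes), LSA key = plaintext bytes 0x10..0x1F.
def xp_lsa_key(value_data, boot_key)
  rc4_key = xp_rc4_key(boot_key, value_data[60, 16])
  rc4(rc4_key, value_data[12, 48])[0x10..0x1F]
end

# Builds a CONSTRUCTED 76-byte PolSecretEncryptionKey-shaped value hiding a known
# LSA key (hypothetical layout: 12-byte header, 48-byte ciphertext, 16-byte salt).
def build_xp_value_data(boot_key, salt, lsa_key)
  raise ArgumentError, 'salt and key must be 16 bytes' unless salt.bytesize == 16 && lsa_key.bytesize == 16
  plaintext = ("\x00" * 16).b + lsa_key + ("\x00" * 16).b
  ("\x00" * 12).b + rc4(xp_rc4_key(boot_key, salt), plaintext) + salt
end

# Constructed, non-secret sample values for an offline round trip
BOOT_KEY = (0..15).to_a.pack('C*')
SALT     = (16..31).to_a.pack('C*')
LSA_KEY  = '0123456789abcdef'.b
SAMPLE   = build_xp_value_data(BOOT_KEY, SALT, LSA_KEY)
```

Calling xp_lsa_key(SAMPLE, BOOT_KEY) returns LSA_KEY again, while a wrong boot key yields 16 unrelated bytes rather than an error, which is why the module's callers validate what they decrypt downstream.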
#lsa_secrets(lsa_key) ⇒ Hash
Returns the decrypted LSA secrets under HKLM\SECURITY\Policy\Secrets. For this, the LSA secret key must be provided, which can be retrieved with the #lsa_secret_key method.
```ruby
# File 'lib/msf/util/windows_registry/security.rb', line 134
def lsa_secrets(lsa_key)
  keys = enum_key(normalize_key('HKLM\\SECURITY\\Policy\\Secrets'))
  return unless keys

  keys.delete('NL$Control')

  keys.each_with_object({}) do |key, lsa_secrets|
    _value_type, value_data = get_value(normalize_key("HKLM\\SECURITY\\Policy\\Secrets\\#{key}\\CurrVal"))
    encrypted_secret = value_data
    next unless encrypted_secret

    if @lsa_vista_style
      # Vista and above: the decrypted blob starts with a 4-byte LE size; the secret begins at offset 16
      decrypted = decrypt_lsa_data(encrypted_secret, lsa_key)
      secret_size = decrypted[0, 4].unpack('L<').first
      secret = decrypted[16, secret_size]
    else
      # XP and below: the first 4 bytes give the size of the encrypted payload at the end of the value
      encrypted_secret_size = encrypted_secret[0, 4].unpack('L<').first
      secret = decrypt_secret_data(encrypted_secret[(encrypted_secret.size - encrypted_secret_size)..-1], lsa_key)
    end

    lsa_secrets[key] = secret
  end
end
```
#nlkm_secret_key(lsa_key) ⇒ String
Returns the decrypted NLKM secret key from HKLM\SECURITY\Policy\Secrets\NL$KM\CurrVal. For this, the LSA secret key must be provided, which can be retrieved with the #lsa_secret_key method.
```ruby
# File 'lib/msf/util/windows_registry/security.rb', line 163
def nlkm_secret_key(lsa_key)
  _value_type, value_data = get_value(normalize_key('HKLM\\SECURITY\\Policy\\Secrets\\NL$KM\\CurrVal'))
  return nil unless value_data

  if @lsa_vista_style
    nlkm_dec = decrypt_lsa_data(value_data, lsa_key)
  else
    # XP and below: size-prefixed value, the encrypted payload is the trailing value_data_size bytes
    value_data_size = value_data[0, 4].unpack('L<').first
    nlkm_dec = decrypt_secret_data(value_data[(value_data.size - value_data_size)..-1], lsa_key)
  end

  nlkm_dec
end
```
#normalize_key(key) ⇒ Object
```ruby
# File 'lib/msf/util/windows_registry/security.rb', line 82
def normalize_key(key)
  # Strip the configured root prefix, if any, so paths are addressed relative to the hive
  @root.blank? ? key : key.delete_prefix(@root)
end
```