Subject: [Mobiusft-list] Hive Report extension - registry secrets
Date: Sun, 28 Aug 2011 07:57:17 +0300
I've made some enhancements to Hive Report extension and I'd like to share
them with the Mobius Forensic Toolkit project.
Based upon Brendan Dolan-Gavitt's code in the 'creddump'
<http://code.google.com/p/creddump/>, functions related to user password
LM/NT hashes, LSA Secrets and Cached Domain Credentials are now available
to Hive Report extension. Moreover, a decoder for reading Protected Storage
System Provider data in offline mode has been implemented, allowing the
creation of new reports based upon the data stored there.
Using those functions, new reports were implemented and new features were
added to existing ones. Some small bug fixes were also made, avoiding
exceptions in code.
Changes made to the extension version in attachment are:
* new registry secrets functions as explained above;
* updated cryptography algorithms, including DES-CBC mode, for use in
protected storage system provider decryption;
* new function 'candidate_passwords', which generates passwords based
upon lsa secrets and protected storage contents;
* updated function 'get_username_from_sid', checking if the user SID is
from the same machine registry;
* updated function 'get_product_key', checking if the function parameter
is 'None' before trying to read it (this happens in Windows NT 4);
* updated report 'UserPasswordReport', now using the new functions cited
above. It also tries to find user passwords using 'candidate_passwords'
function and can export the found ones to John The Ripper .pot files;
* new report 'OSLSASecretReport', which shows decrypted lsa secrets
data. Currently, it only works with Windows 2k/XP registry;
* new report 'UserCachedCredentialReport', which shows cached domain
credentials stored in the registry and tries to find user passwords
using 'candidate_passwords' function. Since the lsa secrets functions
don't work with Windows NT 4 and Vista/7, cached user hashes can't be
read in NT 4 and cached credentials can't be read at all in Vista/7;
* new report 'UserProtectedStorageReport', which shows decrypted
protected storage data;
* updated report 'OSInfoReport', including a field for the maximum
activation date of the Windows copy, read from the lsa secrets, and
fixing an exception that was raised after removing all registry files
from the Hive;
* updated report 'OSFoldersReport', fixing an exception that was raised
after removing all registry files from the Hive;
* updated report 'EmailAccountsReport', retrieving passwords from
protected storage for Outlook Express/98/2000 e-mail accounts.
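As an added illustration (not code from this post or from the Mobius Forensic Toolkit), the same-machine check mentioned for 'get_username_from_sid' can be written in Python as below. It parses textual SIDs, accepts only SIDs that are the machine SID (S-1-5-21-A-B-C) plus one trailing RID, and rejects well-known SIDs, domain SIDs and a 'None' parameter. The machine SID, the RID-to-name table and the function bodies are constructed assumptions, not the extension's real implementation.

```python
import re

# Constructed sample machine SID (not from the original post); in a real hive
# it is derived from the SAM or from the SECURITY hive of the same registry.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed stand-in for the SAM 'Names' data: RID -> account name.
SAM_USERS = {500: "Administrator", 501: "Guest", 1000: "alice"}

_SID_RE = re.compile(r"^S-1-(\d+)(?:-\d+)+$")


def parse_sid(sid):
    """Split a textual SID into (revision, authority, [subauthorities]).

    Raises ValueError for anything that is not a well-formed SID string,
    including None, so callers can treat malformed input as 'not ours'."""
    if not isinstance(sid, str) or not _SID_RE.match(sid):
        raise ValueError("not a well-formed SID: %r" % (sid,))
    parts = sid.split("-")
    revision = int(parts[1])
    authority = int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    return revision, authority, subauths


def is_local_account_sid(user_sid, machine_sid):
    """True when user_sid names a local account of the given machine.

    A local account SID is the machine SID (S-1-5-21-A-B-C) followed by a
    single RID. Well-known SIDs such as S-1-5-18 and accounts from another
    S-1-5-21 prefix (domain accounts, other machines) are rejected."""
    try:
        _, m_auth, m_sub = parse_sid(machine_sid)
        _, u_auth, u_sub = parse_sid(user_sid)
    except ValueError:
        return False
    # The machine SID itself must be of the S-1-5-21-A-B-C form.
    if m_auth != 5 or len(m_sub) != 4 or m_sub[0] != 21:
        return False
    return u_auth == 5 and len(u_sub) == len(m_sub) + 1 and u_sub[:-1] == m_sub


def rid_of(user_sid):
    """Return the relative identifier (last subauthority) of an account SID."""
    return parse_sid(user_sid)[2][-1]


def get_username_from_sid(user_sid, machine_sid=MACHINE_SID, sam_users=SAM_USERS):
    """Hypothetical resolver: SID -> SAM account name, or None when the SID
    does not belong to a local account of this machine's registry."""
    if not is_local_account_sid(user_sid, machine_sid):
        return None
    return sam_users.get(rid_of(user_sid))


if __name__ == "__main__":
    for sid in (MACHINE_SID + "-500", MACHINE_SID + "-1000",
                "S-1-5-21-9-9-9-1000", "S-1-5-18", None):
        print(repr(sid), "->", get_username_from_sid(sid))
```

Returning None instead of raising for a foreign or malformed SID keeps a report from aborting on a single unexpected key, which is the same kind of failure the post's 'None' check in 'get_product_key' guards against.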