From: Vladimir Santos
Subject: [Mobiusft-list] Subject: Hive Report extension - registry secrets
Date: Sun, 28 Aug 2011 07:57:17 +0300
Hi Eduardo,

I've made some enhancements to the Hive Report extension and I'd like to share them with the Mobius Forensic Toolkit project. Based upon Brendan Dolan-Gavitt's code in 'creddump' <http://code.google.com/p/creddump/>, functions related to user password LM/NT hashes, LSA Secrets and Cached Domain Credentials are now available to the Hive Report extension. Moreover, a decoder for reading Protected Storage System Provider data in offline mode has been implemented, allowing the creation of new reports based upon data stored there. Using those functions, new reports were implemented and new features were added to existing ones. Some small bug fixes were also made, avoiding exceptions in code.

Changes made to the extension version in the attachment are:

* new registry secrets functions as explained above;
* updated cryptography algorithms, including DES-CBC mode, for use in protected storage system provider decryption;
* new function 'candidate_passwords', which generates passwords based upon lsa secrets and protected storage contents;
* updated function 'get_username_from_sid', checking if the user SID is from the same machine registry;
* updated function 'get_product_key', checking if the function parameter is 'None' before trying to read it (this happens in Windows NT 4);
* updated report 'UserPasswordReport', now using the new functions cited above. It also tries to find user passwords using the 'candidate_passwords' function and can export the found ones to John The Ripper .pot files;
* new report 'OSLSASecretReport', which shows decrypted lsa secrets data. Currently, it only works with Windows 2k/XP registry;
* new report 'UserCachedCredentialReport', which shows cached domain credentials stored in the registry and tries to find user passwords using the 'candidate_passwords' function. As long as lsa secrets functions don't work with Windows NT 4 and Vista/7, cached user hashes can't be read in NT 4 and cached credentials can't be read at all in Vista/7;
* new report 'UserProtectedStorageReport', which shows decrypted protected storage data;
* updated report 'OSInfoReport', including a field for the maximum activation date of the Windows copy, read from the lsa secrets, and fixing an exception that was raised after removing all registry files from the Hive;
* updated report 'OSFoldersReport', fixing an exception that was raised after removing all registry files from the Hive;
* updated report 'EmailAccountsReport', retrieving passwords from protected storage for Outlook Express/98/2000 e-mail accounts.

Best regards,
Vladimir Santos
Attachment: hive-report_0.1.4-rc1.mobius (binary data)
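The 'get_username_from_sid' change above (only resolving a SID when it belongs to the same machine's registry) is the kind of check a hive parser needs before mapping RIDs to SAM user names. The following is an added illustration, not code from the attached extension or from Mobius: it assumes a machine SID and a RID-to-name table that a real implementation would read from the SAM hive, and both values here are constructed.

```python
import re

# Constructed sample machine SID (in a real hive this is read from the SAM,
# under Domains\Account). Any user SID whose domain part differs is not local.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed RID -> username table (a real parser builds this from
# SAM\Domains\Account\Users\Names).
SAM_USERS = {500: "Administrator", 1001: "vladimir"}

# A textual SID: "S-1-", identifier authority, then one or more sub-authorities.
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid):
    """Split a textual SID into (domain_prefix, rid); None if malformed."""
    if not _SID_RE.match(sid):
        return None
    prefix, rid = sid.rsplit("-", 1)
    return prefix, int(rid)


def is_local_account(sid, machine_sid=MACHINE_SID):
    """True only when the SID's domain part equals this hive's machine SID.

    Well-known SIDs such as S-1-5-18 and SIDs from other domains fail this
    check, so their RIDs are never looked up in the local SAM by mistake.
    """
    parsed = parse_sid(sid)
    return parsed is not None and parsed[0] == machine_sid


def get_username_from_sid(sid, machine_sid=MACHINE_SID, sam_users=SAM_USERS):
    """Resolve a SID to a local SAM username; None for foreign or unknown SIDs."""
    if not is_local_account(sid, machine_sid):
        return None
    return sam_users.get(parse_sid(sid)[1])


if __name__ == "__main__":
    for s in (MACHINE_SID + "-1001", "S-1-5-21-9999-8888-7777-1001", "S-1-5-18"):
        print(s, "->", get_username_from_sid(s))
```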