I've made some enhancements to Hive Report extension and I'd
like to share
them with the Mobius Forensic Toolkit project.
Based upon Brendan Dolan-Gavitt's code in the 'creddump',
functions related to
LM/NT hashes, LSA Secrets and Cached Domain Credentials are now
to Hive Report extension. Moreover, it has been implemented a
reading Protected Storage System Provider data in offline mode,
the creation of new reports based upon data stored there.
Using those functions, new reports were implemented and new
added to existing ones. Some small bug fixes were also made,
exceptions in code.
Changes made to the extension version in attachment are:
* new registry secrets functions as explained above;
* updated cryptography algorithms, including DES-CBC mode, for
protected storage system provider decryption;
* new function 'candidate_passwords', which generates
upon lsa secrets and protected storage contents;
* updated function 'get_username_from_sid', checking if the
user SID is
from the same machine registry;
* updated function 'get_product_key', checking if the function
is 'None' before trying to read it (this happens in Windows
* updated report 'UserPasswordReport', now using the new
above. It also tries to find user passwords using
function and can export the found ones to John The Ripper
* new report 'OSLSASecretReport', which shows decrypted lsa
data. Currently, it only works with Windows 2k/XP registry.
* new report 'UserCachedCredentialReport', which shows cached
credentials stored in the registry and tries to find user
using 'candidate_passwords' function. As long as lsa secrets
don't work with Windows NT 4 and Vista/7, cached user hashes
read in NT 4 and cached credentials can't be read at all in
* new report 'UserProtectedStorageReport', which shows
protected storage data.
* updated report 'OSInfoReport', including a field for the
activation date of the Windows copy, read from the lsa
fixing an exception that was raised after removing all
from the Hive;
* updated report 'OSFoldersReport', fixing an exception that
after removing all registry files from the Hive;
* updated report 'EmailAccountsReport', retrieving passwords
protected storage for Outlook Express/98/2000 e-mail
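As an added illustration of the 'get_username_from_sid' check mentioned above, here is one way to refuse a SID-to-name match when the user SID was not issued by the machine whose registry is being examined. This is example code, not the author's patch or the Mobius Forensic Toolkit's own code; the function names, the machine SID and the SAM account mapping are assumptions constructed for the example.

```python
import re

# Well-known NT authority SIDs that never belong to a machine's account database.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
}

# S-1-5-21-<auth1>-<auth2>-<auth3>-<RID>: the three sub-authorities identify
# the issuing machine (or domain); the final RID identifies the account.
_ACCOUNT_SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def split_account_sid(sid):
    """Return (issuer, rid) for an S-1-5-21 account SID, or None if it is not one."""
    m = _ACCOUNT_SID_RE.match(sid)
    if m is None:
        return None
    a, b, c, rid = m.groups()
    return ("S-1-5-21-%s-%s-%s" % (a, b, c), int(rid))


def is_local_user_sid(user_sid, machine_sid):
    """True only if user_sid was issued by machine_sid (same sub-authority triple)."""
    parts = split_account_sid(user_sid)
    return parts is not None and parts[0] == machine_sid


def get_username_from_sid(user_sid, machine_sid, local_users):
    """Resolve a SID to a name, refusing to guess for accounts from other machines.

    local_users maps RID -> username as read from this machine's SAM (constructed
    here). A domain account that left a profile on the box has the same S-1-5-21
    shape but a different issuer, so it must not be matched by RID alone.
    """
    if user_sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[user_sid]
    if not is_local_user_sid(user_sid, machine_sid):
        return None
    return local_users.get(split_account_sid(user_sid)[1])


# Constructed sample data: an assumed machine SID and two SAM accounts
# (RID 500 = built-in Administrator, RID 1001 = first created user).
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAM_USERS = {500: "Administrator", 1001: "alice"}

if __name__ == "__main__":
    for sid in ("S-1-5-21-1111111111-2222222222-3333333333-1001",
                "S-1-5-21-4444444444-5555555555-6666666666-1001",  # domain account
                "S-1-5-18"):
        print(sid, "->", get_username_from_sid(sid, MACHINE_SID, SAM_USERS))
```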