Adding bperry's various and sundry regex fixes

[Closes #109]

Squashed commit of the following:

commit 692568d02f
Author: Brandon Perry <bperry.volatile@gmail.com>
Date:   Mon Jan 16 12:34:35 2012 -0600

    small get_everything fix

commit 5b29a31060
Author: Brandon Perry <bperry.volatile@gmail.com>
Date:   Mon Jan 16 12:31:31 2012 -0600

    regex fixes

commit a565ade7f4
Author: Brandon Perry <bperry.volatile@gmail.com>
Date:   Sun Jan 15 16:39:29 2012 -0600

    registry.rb in lib/rex

commit 3609313ea3
Author: Brandon Perry <bperry.volatile@gmail.com>
Date:   Sun Jan 15 16:32:06 2012 -0600

    boot key fixed

commit e591ed1815
Author: Brandon Perry <bperry.volatile@gmail.com>
Date:   Sun Jan 15 15:53:21 2012 -0600

    fixes

commit 3598f3482e
Author: Brandon Perry <bperry.volatile@gmail.com>
Date:   Sat Jan 14 13:47:29 2012 -0600

    stuff

commit 8a8d0dfda6
Author: Brandon Perry <bperry.volatile@gmail.com>
Date:   Fri Jan 13 22:57:30 2012 -0600

    reg fixes

commit fcfb51bb64
Merge: 2c7cfde 24aaf85
Author: Brandon Perry <bperry.volatile@gmail.com>
Date:   Fri Jan 13 21:54:45 2012 -0600

    Merge remote-tracking branch 'upstream/master'

commit 2c7cfdef41
Author: Brandon Perry <bperry.volatile@gmail.com>
Date:   Tue Jan 10 19:16:37 2012 -0600

    typo
Brandon Perry 2012-01-16 17:54:33 -06:00 committed by Tod Beardsley
parent 4689421201
commit d34a9f38a5
5 changed files with 139 additions and 110 deletions

lib/rex/registry.rb Normal file

@ -0,0 +1,13 @@
require 'rex/registry/hive'
require 'rex/registry/regf'
require 'rex/registry/nodekey'
require 'rex/registry/lfkey'
require 'rex/registry/valuekey'
require 'rex/registry/valuelist'
module Rex
module Registry
attr_accessor :alias
end
end
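Review bot: `attr_accessor :alias` sits directly in the body of `module Registry`, so it declares instance accessors for objects that include Rex::Registry rather than a module-level attribute; nothing on this page includes the module, and the hive classes appear to be nested inside it, so the accessor looks unreachable. If a module-level setting was intended, `class << self; attr_accessor :alias; end` would express that; otherwise the line can probably be dropped. The rest of the new file is requires only.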


@ -24,6 +24,8 @@ class Hive
current_child = nil
paths = path.split("\\")
return if !@root_key.lf_record
@root_key.lf_record.children.each do |child|
next if child.name.downcase != paths[1].downcase
@ -40,7 +42,7 @@ class Hive
current_child.full_path = path
return current_child
else
if current_child.lf_record
if current_child.lf_record && current_child.lf_record.children
current_child.lf_record.children.each do |c|
next if c.name.downcase != paths[i].downcase
@ -54,6 +56,8 @@ class Hive
end
end
return if !current_child
current_child.full_path = path
return current_child
end
@ -64,7 +68,9 @@ class Hive
end
paths = path.split("\\")
return if !@root_key.lf_record
@root_key.lf_record.children.each do |root_child|
next if root_child.name.downcase != paths[1].downcase
@ -98,64 +104,6 @@ class Hive
end
end
def rip_boot_key
return if @hive_regf.hive_name !~ /SYSTEM/
scrambled_key = []
default_control_set = ""
@root_key.lf_record.children.each do |node|
next if node.name != "Select"
node.value_list.values.each do |value|
next if value.name != "Default"
default_control_set = "ControlSet00" + value.value.data.unpack('c').first.to_s
end
end
puts "Default Control Set: " + default_control_set
@root_key.lf_record.children.each do |node|
next if node.name != default_control_set
node.lf_record.children.each do |cchild|
next if cchild.name != "Control"
puts "Found: " + cchild.name
cchild.lf_record.children.each do |lsachild|
next if lsachild.name != "Lsa"
puts "Found: " + lsachild.name
%w[JD Skew1 GBG Data].each do |key|
lsachild.lf_record.children.each do |child|
next if child.name != key
puts "Found: " + child.name
child.class_name_data.each_byte do |byte|
scrambled_key << byte if byte != 0x00
end
end
end
end
end
end
scrambler = [ 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 ]
bootkey = scrambled_key
0.upto(0x10-1) do |i|
#p scrambler[i]
bootkey[i] = scrambled_key[scrambler[i]]
end
puts "Bootkey: " + bootkey.to_s
end
end
end
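Review bot: The new `return if !@root_key.lf_record` guards (in the `@ -24` and `@ -64` hunks) do not cover the line right after them, where `paths[1].downcase` raises NoMethodError when the split path has fewer than two segments — a path of `\\` alone or one without a leading backslash. A check after the split, `return if paths.length < 2`, closes that, and the guards read better as `return unless @root_key.lf_record`. Whether `@root_key` itself can be nil is not visible here; the nil checks added for `hive_regf` in reg.rb suggest parsing can leave members unset, so it is worth confirming. Both methods start before their hunks, and the third hunk only removes rip_boot_key.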


@ -19,7 +19,6 @@ class NodeKey
nk_type = hive[offset+0x02, 2]
if nk_header !~ /nk/
puts "nodekey broken"
return
end
@ -43,7 +42,9 @@ class NodeKey
@lf_record = LFBlock.new(hive, @lf_record_offset + 0x1000) if @lf_record_offset != -1
@value_list = ValueList.new(hive, @value_list_offset + 0x1000, @value_count) if @value_list_offset != -1
@class_name_data = hive[@class_name_offset + 0x1000, @class_name_length]
@class_name_data = hive[@class_name_offset + 0x04 + 0x1000, @class_name_length]
end
end
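Review bot: The rewritten `@class_name_data` line reads the class name unconditionally, while the two lines above it skip the LF block and value list when their offset is the `-1` sentinel; if `@class_name_offset` uses the same sentinel (it is unpacked outside this hunk, so I cannot confirm), the slice starts at `0x1003` and returns bytes that are not a class name. Mirroring the neighbouring guard, `@class_name_data = hive[@class_name_offset + 0x04 + 0x1000, @class_name_length] if @class_name_offset != -1`, keeps the field nil in that case. Callers should also expect nil when the offset or length taken from the hive points past the end of the string, since `String#[]` returns nil rather than raising. The method starts above the first hunk.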


@ -14,7 +14,10 @@ class ValueList
@values = []
1.upto(number_of_values) do |v|
valuekey_offset = hive[offset + inner_offset, 4].unpack('l').first
valuekey_offset = hive[offset + inner_offset, 4]
next if !valuekey_offset
valuekey_offset = valuekey_offset.unpack('l').first
@values << ValueKey.new(hive, valuekey_offset + 0x1000)
inner_offset = inner_offset + 4
end
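Review bot: The new `next if !valuekey_offset` only catches a slice that starts past the end of the hive; when fewer than 4 bytes remain, `hive[offset + inner_offset, 4]` returns a short string, `unpack('l').first` is nil, and the next line raises on `nil + 0x1000`. Checking the width too, `next if !valuekey_offset || valuekey_offset.bytesize < 4`, covers a truncated value list, and `next unless` is the idiomatic form of these guards. The offset is unpacked as a signed `l` and is never range-checked, so a malformed list can point at any earlier position in the hive; since the hive comes from disk, a bounds check before `ValueKey.new` would be reasonable. The enclosing `initialize` begins above the hunk.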


@ -20,13 +20,19 @@ def print_all(nodekey)
end
def print_all_keys(nodekey)
return if !nodekey
return if !nodekey.lf_record
return if !nodekey.lf_record.children
return if nodekey.lf_record.children.length == 0
table = Rex::Ui::Text::Table.new(
'Header' => "Child Keys for #{nodekey.full_path}",
'Indent' => ' '.length,
'Columns' => [ 'Name', 'Last Edited', 'Subkey Count', 'Value Count' ]
)
if nodekey.lf_record && nodekey.lf_record.children.length > 0
if nodekey.lf_record && nodekey.lf_record.children && nodekey.lf_record.children.length > 0
nodekey.lf_record.children.each do |key|
table << [key.name, key.readable_timestamp, key.subkeys_count, key.value_count]
end
@ -37,6 +43,11 @@ end
def print_all_values(nodekey)
return if !nodekey
return if !nodekey.lf_record
return if !nodekey.lf_record.children
return if nodekey.lf_record.children.length == 0
table = Rex::Ui::Text::Table.new(
'Header' => "Values in key #{nodekey.full_path}",
'Indent' => ' '.length,
@ -56,48 +67,90 @@ def get_system_information
mounted_devices_info_key = @hive.relative_query("\\MountedDevices")
current_control_set_key = @hive.value_query('\Select\Default')
current_control_set = "ControlSet00" + current_control_set_key.value.data.unpack('c').first.to_s
current_control_set = "ControlSet00" + current_control_set_key.value.data.unpack('c').first.to_s if current_control_set_key
computer_name_key = @hive.value_query("\\" + current_control_set + "\\Control\\ComputerName\\ComputerName")
computer_name = computer_name_key.value.data.to_s
computer_name_key = @hive.value_query("\\" + current_control_set + "\\Control\\ComputerName\\ComputerName") if current_control_set
computer_name = computer_name_key.value.data.to_s if computer_name_key
event_log_info_key = @hive.relative_query("\\" + current_control_set + "\\Services\\EventLog")
event_log_info_key = @hive.relative_query("\\" + current_control_set + "\\Services\\EventLog") if current_control_set
puts "Computer Name: " + computer_name
puts "Computer Name: " + computer_name if computer_name
print_all_values(event_log_info_key)
puts "-----------------------------------------"
print_all_values(event_log_info_key) if event_log_info_key
puts "-----------------------------------------" if event_log_info_key
print_all_values(mounted_devices_info_key)
puts "-----------------------------------------"
print_all_values(mounted_devices_info_key) if mounted_devices_info_key
puts "-----------------------------------------" if mounted_devices_info_key
elsif @hive.hive_regf.hive_name =~ /SOFTWARE/
current_version_info_key = @hive.relative_query("\\Microsoft\\Windows NT\\CurrentVersion")
login_info_key = @hive.relative_query("\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon")
print_all_values(current_version_info_key)
puts "-----------------------------------------"
puts "-----------------------------------------" if current_version_info_key
print_all_values(login_info_key)
puts "-----------------------------------------"
puts "-----------------------------------------" if login_info_key
end
end
def get_user_information
local_groups_info_key = @hive.relative_query("\\SAM\\Domains\\Builtin\\Aliases\\Names")
local_users_info_key = @hive.relative_query("\\SAM\\Domains\\Account\\Users\\Names")
print_all_keys(local_groups_info_key)
puts "------------------------------------------------"
print_all(local_groups_info_key)
puts "------------------------------------------------" if local_groups_info_key && local_groups_info_key.lf_record.children
print_all_keys(local_users_info_key)
puts "------------------------------------------------"
print_all(local_users_info_key)
puts "------------------------------------------------" if local_users_info_key && local_groups_info_key.lf_record.children
end
def dump_creds
end
def get_boot_key
return if !@hive.root_key
return if !@hive.root_key.name
puts "Getting boot key"
puts "Root key: " + @hive.root_key.name
default_control_set = @hive.value_query('\Select\Default').value.data.unpack("c").first
puts "Default ControlSet: ControlSet00#{default_control_set}"
bootkey = ""
basekey = "\\ControlSet00#{default_control_set}\\Control\\Lsa"
%W{JD Skew1 GBG Data}.each do |k|
ok = @hive.relative_query(basekey + "\\" + k)
return nil if not ok
tmp = ""
0.upto(ok.class_name_length - 1) do |i|
next if i%2 == 1
tmp << ok.class_name_data[i,1]
end
bootkey << [tmp.to_i(16)].pack('V')
end
keybytes = bootkey.unpack("C*")
descrambled = ""
# descrambler = [ 0x08, 0x05, 0x04, 0x02, 0x0b, 0x09, 0x0d, 0x03, 0x00, 0x06, 0x01, 0x0c, 0x0e, 0x0a, 0x0f, 0x07 ]
descrambler = [ 0x0b, 0x06, 0x07, 0x01, 0x08, 0x0a, 0x0e, 0x00, 0x03, 0x05, 0x02, 0x0f, 0x0d, 0x09, 0x0c, 0x04 ]
0.upto(keybytes.length-1) do |x|
descrambled << [ keybytes[ descrambler[x] ] ].pack("C")
end
puts descrambled.unpack("H*")
end
def list_applications
@ -108,7 +161,7 @@ end
def get_aol_instant_messenger_information
if @hive.hive_regf.hive_name != /NTUSER[.]dat/i
if @hive.hive_regf.hive_name != /NTUSER\.dat/i
users_list_key = @hive.relative_query('\Software\America Online\AOL Instant Messenger(TM)\CurrentVersion\Users')
last_logged_in_user_key = @hive.relative_query("\\Software\\America Online\\AOL Instant Messenger(TM)\\CurrentVersion\\Login - Screen Name")
@ -131,7 +184,7 @@ end
def get_msn_messenger_information
if @hive.hive_regf.hive_name =~ /NTUSER[.]dat/i
if @hive.hive_regf.hive_name =~ /NTUSER\.dat/i
general_information_key = @hive.relative_query("\\Software\\Microsoft\\MessengerService\\ListCache\\.NETMessengerService\\")
file_sharing_information_key = @hive.relative_query("\\Software\\Microsoft\\MSNMessenger\\FileSharing - Autoshare")
file_transfers_information_key = @hive.relative_query("\\Software\\Microsoft\\MSNMessenger\\ - FTReceiveFolder")
@ -143,9 +196,9 @@ def get_msn_messenger_information
end
def get_windows_messenger_information
if @hive.hive_regf.hive_name =~ /NTUSER[.]dat/i
if @hive.hive_regf.hive_name =~ /NTUSER\.dat/i
contact_list_information_key = @hive.relative_query("\\Software\\Microsoft\\MessengerService\\ListCache\\.NET Messenger Service")
file_transfers_information_key = @hive.realtive_query("\\Software\\Microsoft\\Messenger Service - FtReceiveFolder")
file_transfers_information_key = @hive.relative_query("\\Software\\Microsoft\\Messenger Service - FtReceiveFolder")
last_user_information_key = @hive.relative_query("\\Software\\Microsoft\\MessengerService\\ListCache\\.NET Messenger Service - IdentityName")
print_all(contact_list_information_key)
@ -155,19 +208,19 @@ def get_windows_messenger_information
end
def get_icq_information
if @hive.hive_regf.hive_name != /NTUSER[.]dat/i
if @hive.hive_regf.hive_name =~ /NTUSER\.dat/i
general_information_key = @hive.relative_query("\\Software\\Mirabalis\\ICQ")
print_all(general_information_key)
elsif @hive.hive_regf.hive_name != /SOFTWARE/
owner_number_key = @hive.value_query("\\Software\\Mirabalis\\ICQ\\Owner")
puts "Owner UIN: #{owner_number_key.value.data.to_s}"
elsif @hive.hive_regf.hive_name =~ /SOFTWARE/
owner_number_key = @hive.relative_query("\\Software\\Mirabalis\\ICQ\\Owner")
print_all(owner_number_key)
end
end
def get_ie_information
if @hive.hive_regf.hive_name =~ /NTUSER[.]dat/i
if @hive.hive_regf.hive_name =~ /NTUSER\.dat/i
stored_logon_information_key = @hive.relative_query("\\Software\\Microsoft\\Protected Storage System Provider\\SID\\Internet Explorer\\Internet Explorer - URL:StringData")
stored_search_terms_information_key = @hive.relative_quety("\\Software\\Microsoft\\Protected Storage SystemProvider\\SID\\Internet Explorer\\Internet Explorer - q:SearchIndex")
ie_setting_information_key = @hive.relative_query("\\Software\\Microsoft\\Internet Explorer\\Main")
@ -190,7 +243,7 @@ def get_ie_information
end
def get_outlook_information
if @hive.hive_regf.hive_name =~ /NTUSER[.]dat/i
if @hive.hive_regf.hive_name =~ /NTUSER\.dat/i
account_information_key = @hive.relative_query("\\Software\\Microsoft\\Protected Storage System Provider\\SID\\Identification\\INETCOMM Server Passwords")
print_all(account_information_key)
@ -198,7 +251,7 @@ def get_outlook_information
end
def get_yahoo_messenger_information
if @hive.hive_regf.hive_name =~ /NTUSER[.]dat/i
if @hive.hive_regf.hive_name =~ /NTUSER\.dat/i
profiles_key = @hive.relative_query("\\Software\\Yahoo\\Pager\\profiles")
print_all(profiles_key)
@ -217,9 +270,6 @@ def get_networking_information
end
def get_user_information
end
def get_user_application_information
end
@ -311,20 +361,27 @@ elsif ARGV[0] == "list_drivers"
elsif ARGV[0] == "get_everything"
Dir.foreach(ARGV[1]) do |file|
next if file =~ /^[.]/
next if file =~ /^\./
@hive = Rex::Registry::Hive.new(ARGV[1] + "/" + file)
if @hive.hive_regf.hive_name =~ /SYSTEM$/
next if !@hive.hive_regf
next if !@hive.hive_regf.hive_name
if @hive.hive_regf.hive_name =~ /SYSTEM/
puts "Found a SYSTEM hive..."
list_drivers
get_boot_key
get_system_information
get_networking_information
get_user_information
elsif @hive.hive_regf.hive_name =~ /SOFTWARE$/
elsif @hive.hive_regf.hive_name =~ /SOFTWARE/
puts "Found a SOFTWARE hive..."
list_applications
get_icq_information
get_system_information
@ -332,16 +389,22 @@ elsif ARGV[0] == "get_everything"
get_user_information
get_user_application_information
elsif @hive.hive_regf.hive_name =~ /SAM$/
elsif @hive.hive_regf.hive_name =~ /SAM/
puts "Found a SAM hive..."
get_networking_information
get_user_information
elsif @hive.hive_regf.hive_name =~ /SECURITY$/
elsif @hive.hive_regf.hive_name =~ /SECURITY/
puts "Found a SECURITY hive..."
get_user_information
elsif @hive.hive_regf_hive_name =~ /NTUSER[.]dat$/i
elsif @hive.hive_regf.hive_name =~ /NTUSER\.dat/i
puts "Found a NTUSER.dat hive..."
get_aol_instant_messenger_information
get_icq_information
@ -360,7 +423,7 @@ elsif ARGV[0] == "get_everything"
elsif ARGV[0] == "get_aol_instant_messenger_information"
@hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1])
if @hive.hive_regf.hive_name !~ /NTUSER[.]DAT/i
if @hive.hive_regf.hive_name !~ /NTUSER\.DAT/i
puts "I need the NTUSER.dat hive, not #{@hive.hive_regf.hive_name}."
else
get_aol_instant_messenger_information
@ -369,7 +432,7 @@ elsif ARGV[0] == "get_aol_instant_messenger_information"
elsif ARGV[0] == "get_icq_information"
@hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1])
if @hive.hive_regf.hive_name !~ /NTUSER[.]dat/i && @hive.hive_regf.hive_name !~ /SOFTWARE/
if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i && @hive.hive_regf.hive_name !~ /SOFTWARE/
puts "I need either a SOFTWARE or NTUSER.dat hive, not #{@hive.hive_regf.hive_name}."
else
get_icq_information
@ -377,7 +440,7 @@ elsif ARGV[0] == "get_icq_information"
elsif ARGV[0] == "get_ie_information"
@hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1])
if @hive.hive_regf.hive_name !~ /NTUSER[.]dat/i
if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i
puts "I need an NTUSER.dat hive, not #{@hive.hive_regf.hive_name}."
else
get_ie_information
@ -386,7 +449,7 @@ elsif ARGV[0] == "get_ie_information"
elsif ARGV[0] == "get_msn_messenger_information"
@hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1])
if @hive.hive_regf.hive_name !~ /NTUSER[.]dat/i
if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i
puts "I need an NTUSER.dat hive, not #{@hive.hive_regf.hive_name}."
else
get_msn_messenger_information
@ -395,7 +458,7 @@ elsif ARGV[0] == "get_msn_messenger_information"
elsif ARGV[0] == "get_outlook_information"
@hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1])
if @hive.hive_regf.hive_name !~ /NTUSER[.]dat/i
if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i
puts "I need an NTUSER.dat hive, not #{@hive.hive_regf.hive_name}."
else
get_outlook_information
@ -404,7 +467,7 @@ elsif ARGV[0] == "get_outlook_information"
elsif ARGV[0] == "get_windows_messenger_information"
@hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1])
if @hive.hive_regf.hive_name !~ /NTUSER[.]dat/i
if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i
puts "I need an NTUSER.dat hive, not a #{@hive.hive_regf.hive_name}."
else
get_windows_messenger_information
@ -413,7 +476,7 @@ elsif ARGV[0] == "get_windows_messenger_information"
elsif ARGV[0] == "get_yahoo_messenger_information"
@hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1])
if @hive.hive_regf.hive_name !~ /NTUSER[.]dat/i
if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i
puts "I need an NTUSER.dat hive, not a #{@hive.hive_regf.hive_name}."
else
get_yahoo_messenger_information
@ -430,7 +493,7 @@ elsif ARGV[0] == "get_system_information"
elsif ARGV[0] == "get_networking_information"
@hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1])
if @hive.hive_regf.hive_name !~ /SAM/ && @hive.hive_regf.hive_name !~ /SYSTEM/ && @hive.hive_regf.hive_name !~ /NTUSER[.]dat/i
if @hive.hive_regf.hive_name !~ /SAM/ && @hive.hive_regf.hive_name !~ /SYSTEM/ && @hive.hive_regf.hive_name !~ /NTUSER\.dat/i
puts "I need either a SAM, SYSTEM, or NTUSER.dat hive, not a #{@hive.hive_regf.hive_name}."
else
get_networking_information
@ -443,11 +506,12 @@ elsif ARGV[0] == "get_user_information"
puts "I need a SAM hive. Not a #{@hive.hive_regf.hive_name}."
else
get_user_information
end
elsif ARGV[0] == "get_user_application_information"
@hive = Rex::Registry::Hive.new(ARGV[ARGV.length - 1])
if @hive.hive_regf.hive_name !~ /NTUSER[.]dat/i && @hive.hive_regf.hive_name !~ /SOFTWARE/
if @hive.hive_regf.hive_name !~ /NTUSER\.dat/i && @hive.hive_regf.hive_name !~ /SOFTWARE/
puts "I need either an NTUSER.dat or SOFTWARE hive, not a #{@hive.hive_regf.hive_name}."
else
get_user_application_information
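Review bot: In get_aol_instant_messenger_information the rewritten condition still compares a String with a Regexp using `!=`, which is always true, so the branch runs for every hive type; the ICQ hunk fixed the same mistake with `=~`, and this one should read `if @hive.hive_regf.hive_name =~ /NTUSER\.dat/i`. In get_user_information the second separator guard checks `local_users_info_key` but then dereferences `local_groups_info_key.lf_record.children`, a copy-paste slip that also assumes `lf_record` is non-nil; `puts "------------------------------------------------" if local_users_info_key && local_users_info_key.lf_record && local_users_info_key.lf_record.children` matches the key actually printed. The `relative_quety` typo in get_ie_information is left in place although the sibling `realtive_query` was fixed in the Windows Messenger hunk. get_boot_key calls `@hive.value_query('\Select\Default').value.data` without the nil guard that get_system_information now applies to the same key. get_system_information starts above its hunk.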