Author:
Brendan Dolan-Gavitt
License:
GNU General Public License 2.0 or later
Contact:
bdolangavitt@wesleyan.edu
http://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html
Code seems to be inspired by eyas_at_xfocus.org
http://www.xfocus.net/articles/200411/749.html
|
|
|
|
|
|
|
|
|
|
|
|
|
|
find_control_set(sys_registry)
Determine which control set we are currently running with. |
source code
|
|
|
|
get_bootkey(sys_registry)
Derive the boot key by unscrambling the LSA. |
source code
|
|
|
|
|
|
|
|
|
|
| decrypt_single_hash(rid,
hbootkey,
enc_hash,
lmntstr) |
source code
|
|
|
|
| decrypt_hashes(rid,
enc_lm_hash,
enc_nt_hash,
hbootkey) |
source code
|
|
|
|
| encrypt_single_hash(rid,
hbootkey,
hash,
lmntstr) |
source code
|
|
|
|
| encrypt_hashes(rid,
lm_hash,
nt_hash,
hbootkey) |
source code
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
odd_parity = [1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14... |
|
|
p = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7] |
|
|
aqwerty = '!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\x00' |
|
|
anum = '0123456789012345678901234567890123456789\x00' |
|
|
antpassword = 'NTPASSWORD\x00' |
|
|
almpassword = 'LMPASSWORD\x00' |
|
|
lmkey = 'KGS!@#$%' |
|
|
empty_lm = '\xaa\xd3\xb45\xb5\x14\x04\xee\xaa\xd3\xb45\xb5\x14... |
|
|
empty_nt = '1\xd6\xcf\xe0\xd1j\xe91\xb7<Y\xd7\xe0\xc0\x89\xc0' |
|
|
__package__ = 'rekall.plugins.windows.registry' |