#
#
# Volhash
#
# Tool for grabbing password hashes from vmem images using the Volatility framework
#
# Based on implementation presented in 'Black Hat Python' by Justin Seitz
#
#
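from __future__ import print_function

import struct
import sys

# Volatility 2 (volatility.conf / registry.PluginImporter) only runs on
# Python 2, where the builtin input() is eval(raw_input()): anything typed at
# the prompt would be executed as Python.  Use raw_input() there and the plain
# input() on Python 3, so the prompts only ever return a string.
try:
    _read_line = raw_input  # noqa: F821 (Python 2)
except NameError:
    _read_line = input  # Python 3

# Registry hive names as reported by Volatility, compared case-insensitively:
# XP images report "...\config\system", later Windows reports
# "\REGISTRY\MACHINE\SYSTEM", so a case-sensitive "\\system" match misses the
# system hive on Vista and newer.
SAM_SUFFIX = "\\sam"
SYSTEM_SUFFIX = "\\system"


def find_hive_offsets(all_offsets):
    """Locate the SAM and SYSTEM hives in a ``{offset: hive_name}`` mapping.

    Args:
        all_offsets: mapping of hive virtual offset to hive path, as exposed by
            ``RegistryApi.all_offsets`` after ``populate_offsets()`` (any mapping
            whose values support ``.lower()`` / ``.endswith()`` works).

    Returns:
        ``(sam_offset, sys_offset)``; either element is ``None`` when that hive
        was not seen.  Iteration stops as soon as both hives are known, so a
        later duplicate hive never replaces the one already found.
    """
    sam_offset = None
    sys_offset = None
    for offset, name in all_offsets.items():
        lowered = name.lower()
        if lowered.endswith(SAM_SUFFIX):
            sam_offset = offset
        if lowered.endswith(SYSTEM_SUFFIX):
            sys_offset = offset
        if sam_offset is not None and sys_offset is not None:
            break
    return sam_offset, sys_offset


def main():
    """Prompt for an image, a Volatility checkout and a profile, then dump hashes.

    Returns:
        0 when hashes were dumped, 1 when the SAM or SYSTEM hive was not found.

    Side effects:
        Extends ``sys.path`` with the user-supplied Volatility path and writes
        the recovered hashes to stdout.  The output is credential material:
        redirect it somewhere with appropriate access controls rather than
        leaving it in a terminal scrollback or shared log.
    """
    memory_file = _read_line("Enter vmem file name: ")
    syspath = _read_line("Please provide Volatility installation path: ")

    # Whatever lives under syspath is imported and executed as Python code,
    # so only point this at a Volatility tree you trust.  The path must be on
    # sys.path *before* the volatility imports below, which is why they are
    # function-scoped rather than at the top of the file.
    sys.path.append(syspath)

    import volatility.conf as conf
    import volatility.registry as registry

    registry.PluginImporter()
    config = conf.ConfObject()

    # These two must be imported after PluginImporter() has run (Volatility's
    # plugin registration order), matching the Black Hat Python listing.
    import volatility.commands as commands
    import volatility.addrspace as addrspace

    prof = _read_line("Choose volaility profile: ")
    config.parse_options()
    config.PROFILE = prof
    config.LOCATION = "file://%s" % memory_file
    registry.register_global_options(config, commands.Command)
    registry.register_global_options(config, addrspace.BaseAddressSpace)

    from volatility.plugins.registry.registryapi import RegistryApi
    from volatility.plugins.registry.lsadump import HashDump

    # Named reg_api rather than registry so the volatility.registry module
    # above is not shadowed.
    reg_api = RegistryApi(config)
    reg_api.populate_offsets()

    sam_offset, sys_offset = find_hive_offsets(reg_api.all_offsets)
    if sam_offset is None or sys_offset is None:
        print("[*] Failed to find the system or SAM offset")
        return 1

    print("[*] SAM: 0x%08x" % sam_offset)
    print("[*] System: 0x%08x" % sys_offset)
    config.sys_offset = sys_offset
    config.sam_offset = sam_offset
    hashdump = HashDump(config)
    for entry in hashdump.calculate():
        print(entry)
    return 0


if __name__ == "__main__":
    sys.exit(main())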