forked from csababarta/ntdsxtract
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdsencryption.py
executable file
·68 lines (60 loc) · 2.08 KB
/
dsencryption.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# This file is part of ntdsxtract.
#
# ntdsxtract is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ntdsxtract is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ntdsxtract. If not, see <http://www.gnu.org/licenses/>.
'''
@author: Csaba Barta
@license: GNU General Public License 2.0 or later
@contact: [email protected]
'''
'''
Part of the code is based on creddump by Brendan Dolan-Gavitt
Many thanks to my colleague LASZLO TOTH (www.soonerorlater.hu)
for his help with researching the encryption algorithms
used by Microsoft ActiveDirectory
'''
from framework.addrspace import HiveFileAddressSpace
from framework.win32.hashdump import sid_to_key, get_bootkey
from Crypto.Hash import MD5
from Crypto.Cipher import ARC4,DES
from struct import unpack,pack
from binascii import *
import sys
import datetime
def get_syskey(syshive_fname):
sysaddr = HiveFileAddressSpace(syshive_fname)
bootkey = get_bootkey(sysaddr)
return bootkey
def dsDecryptPEK(bootkey, enc_pek):
md5=MD5.new()
md5.update(bootkey)
for i in range(1000):
md5.update(enc_pek[0:16])
rc4_key=md5.digest();
rc4 = ARC4.new(rc4_key)
pek=rc4.encrypt(enc_pek[16:])
#return pek[36:]
return pek[len(pek) - 16:]
def dsDecryptWithPEK(pek, enc_hash):
md5=MD5.new()
md5.update(pek)
md5.update(enc_hash[0:16])
rc4_key=md5.digest();
rc4 = ARC4.new(rc4_key)
return rc4.encrypt(enc_hash[16:])
def dsDecryptSingleHash(rid, enc_hash):
(des_k1,des_k2) = sid_to_key(rid)
d1 = DES.new(des_k1, DES.MODE_ECB)
d2 = DES.new(des_k2, DES.MODE_ECB)
hash = d1.decrypt(enc_hash[:8]) + d2.decrypt(enc_hash[8:])
return hash