Index ¶
- Constants
- Variables
- func AESDecryptImpacketStyle(key, data []byte, useZeroIV bool) ([]byte, error)
- func ComputeHashedBootKey(samF []byte, bootKey []byte) ([]byte, int, error)
- func ComputeLSAKey(bootKey, polSecretEncryptionKey []byte, revision int) ([]byte, error)
- func DecryptLSASecretAES(lsaKey, encSecret []byte) ([]byte, error)
- func DecryptLSASecretRC4(lsaKey, encSecret []byte) ([]byte, error)
- func DecryptNLKMKey(lsaKey, encNLKM []byte) ([]byte, error)
- func DecryptNTDSHashWithRID(encHash []byte, rid uint32) ([]byte, error)
- func DecryptSAMHashAES(hashedBootKey []byte, rid uint32, encHashData []byte, isNT bool) ([]byte, error)
- func DecryptSAMHashAESWithSalt(hashedBootKey []byte, rid uint32, salt, encData []byte, isNT bool) ([]byte, error)
- func DecryptSAMHashRC4(hashedBootKey []byte, rid uint32, encHash []byte, isNT bool) ([]byte, error)
- func EditSAMPassword(samHive *Hive, bootKey []byte, username string, newNTHash []byte, ...) error
- func EncryptSAMHashAES(hashedBootKey []byte, rid uint32, plainHash []byte, salt []byte, isNT bool) ([]byte, error)
- func EncryptSAMHashRC4(hashedBootKey []byte, rid uint32, plainHash []byte, isNT bool) ([]byte, error)
- func GetBootKey(systemHive *Hive) ([]byte, error)
- func GetComputerName(systemHive *Hive) (string, error)
- func GetCurrentControlSet(systemHive *Hive) (string, error)
- func MD5With1000Rounds(key, value []byte) []byte
- func PBKDF2SHA256(password, salt []byte, iterations, keyLen int) []byte
- func ParseMachineAccountSecret(secret []byte) []byte
- func RC4Decrypt(key, data []byte) []byte
- func SHA256With1000Rounds(key, value []byte) []byte
- func UTF16LEToString(b []byte) string
- type CachedCredential
- type DPAPIKeys
- type DomainInfo
- type Hive
- func (h *Hive) Data() []byte
- func (h *Hive) EnumSubKeys(keyOffset int32) ([]string, error)
- func (h *Hive) EnumValues(keyOffset int32) ([]string, error)
- func (h *Hive) FindKey(path string) (int32, error)
- func (h *Hive) FindSubKey(parentOffset int32, name string) (int32, error)
- func (h *Hive) GetClassName(keyOffset int32) (string, error)
- func (h *Hive) GetClassNameRaw(keyOffset int32) ([]byte, error)
- func (h *Hive) GetValue(keyOffset int32, valueName string) (uint32, []byte, error)
- func (h *Hive) GetValueData(vk *VKRecord) ([]byte, error)
- func (h *Hive) RootOffset() int32
- func (h *Hive) SetValueData(keyOffset int32, valueName string, newData []byte) error
- type LSASecret
- type MachineAccountKeys
- type NKRecord
- type SAMUser
- type VKRecord
Constants ¶
// SAM revision constants. The revision is read from the SAM F value and
// selects the hash-protection scheme (see ComputeHashedBootKey): revisions
// 1 and 2 use RC4, revision 3 uses AES.
const (
	SAM_REVISION_1 = 1 // RC4
	SAM_REVISION_2 = 2 // RC4
	SAM_REVISION_3 = 3 // AES
)
SAM revision constants
// NK flags: bit values carried in NKRecord.Flags.
// NOTE(review): the meaning of each bit is inferred from its name; confirm
// against the hive parser before relying on it.
const (
	KEY_HIVE_ENTRY = 0x0004
	KEY_NO_DELETE  = 0x0008
	KEY_SYM_LINK   = 0x0010
	KEY_COMP_NAME  = 0x0020
)
NK flags
Variables ¶
// Magic strings used in SAM hash computation. QWERTY and DIGITS are
// concatenated with the F-value salt and the boot key in ComputeHashedBootKey
// (revision 1/2); NTPASSWORD and LMPASSWORD are presumably selected by the
// isNT flag of the SAM hash routines — confirm. The trailing NUL byte is part
// of each constant.
//
// NOTE(review): these are exported, mutable package-level slices; a caller
// that modifies them changes every subsequent key derivation in the package.
var (
	QWERTY     = []byte("!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\x00")
	DIGITS     = []byte("0123456789012345678901234567890123456789\x00")
	NTPASSWORD = []byte("NTPASSWORD\x00")
	LMPASSWORD = []byte("LMPASSWORD\x00")
)
Magic strings used in SAM hash computation
// Empty hashes: the LM and NT hashes of the empty password. Useful for
// recognising accounts with no password set, or an LM hash that is not stored.
//
// NOTE(review): exported, mutable package-level slices; compare against them,
// do not modify them.
var (
	EmptyLMHash = []byte{0xaa, 0xd3, 0xb4, 0x35, 0xb5, 0x14, 0x04, 0xee, 0xaa, 0xd3, 0xb4, 0x35, 0xb5, 0x14, 0x04, 0xee}
	EmptyNTHash = []byte{0x31, 0xd6, 0xcf, 0xe0, 0xd1, 0x6a, 0xe9, 0x31, 0xb7, 0x3c, 0x59, 0xd7, 0xe0, 0xc0, 0x89, 0xc0}
)
Empty hashes
// LSA secret decryption constants.
var (
	// LSA_SECRET_KEY_LOCAL is 16 zero bytes.
	// NOTE(review): where it is consumed (ComputeLSAKey or the
	// DecryptLSASecret* routines) is not visible here — confirm.
	LSA_SECRET_KEY_LOCAL = []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
)
LSA secret decryption constants
Functions ¶
func AESDecryptImpacketStyle ¶
AESDecryptImpacketStyle is the exported version of aesDecryptImpacketStyle. When useZeroIV is true, it creates a new CBC cipher with a zero IV for each 16-byte block.
func ComputeHashedBootKey ¶
ComputeHashedBootKey derives the hashed boot key from the SAM F value. For revision 1/2: MD5(F.salt + QWERTY + bootKey + DIGITS) -> RC4 decrypt F.key. For revision 3: AES decrypt.
func ComputeLSAKey ¶
ComputeLSAKey derives the LSA key from boot key and policy data
func DecryptLSASecretAES ¶
DecryptLSASecretAES decrypts an LSA secret using AES (Vista+ style)
func DecryptLSASecretRC4 ¶
DecryptLSASecretRC4 decrypts an LSA secret using RC4
func DecryptNLKMKey ¶
DecryptNLKMKey decrypts the NL$KM key used for cached credentials
func DecryptNTDSHashWithRID ¶
DecryptNTDSHashWithRID decrypts an NTDS hash using RID-derived DES keys. This is used after PEK decryption to remove the inner DES encryption layer.
func DecryptSAMHashAES ¶
func DecryptSAMHashAES(hashedBootKey []byte, rid uint32, encHashData []byte, isNT bool) ([]byte, error)
DecryptSAMHashAES decrypts a SAM hash using AES (revision 3)
func DecryptSAMHashAESWithSalt ¶
func DecryptSAMHashAESWithSalt(hashedBootKey []byte, rid uint32, salt, encData []byte, isNT bool) ([]byte, error)
DecryptSAMHashAESWithSalt decrypts a SAM hash using AES with separate salt
func DecryptSAMHashRC4 ¶
DecryptSAMHashRC4 decrypts a SAM hash using RC4 (revision 1/2)
func EditSAMPassword ¶
func EditSAMPassword(samHive *Hive, bootKey []byte, username string, newNTHash []byte, newLMHash []byte) error
EditSAMPassword edits a user's NT and LM hashes in an offline SAM hive. The hive is modified in-place. Use samHive.Data() to retrieve the modified bytes.
func EncryptSAMHashAES ¶
func EncryptSAMHashAES(hashedBootKey []byte, rid uint32, plainHash []byte, salt []byte, isNT bool) ([]byte, error)
EncryptSAMHashAES encrypts a plain hash using AES (revision 3) for writing back to SAM
func EncryptSAMHashRC4 ¶
func EncryptSAMHashRC4(hashedBootKey []byte, rid uint32, plainHash []byte, isNT bool) ([]byte, error)
EncryptSAMHashRC4 encrypts a plain hash using RC4 (revision 1/2) for writing back to SAM
func GetBootKey ¶
GetBootKey extracts the boot key from a SYSTEM hive. The boot key is scrambled across the class names of the JD, Skew1, GBG and Data keys.
func GetComputerName ¶
GetComputerName retrieves the computer name from the SYSTEM hive
func GetCurrentControlSet ¶
GetCurrentControlSet determines which ControlSet is currently in use
func MD5With1000Rounds ¶
MD5With1000Rounds computes MD5(key || value*1000). Used for PEK decryption in older Windows versions.
func PBKDF2SHA256 ¶
PBKDF2SHA256 derives a key using PBKDF2 with SHA256
func ParseMachineAccountSecret ¶
ParseMachineAccountSecret parses the $MACHINE.ACC secret to get the machine account hash
func SHA256With1000Rounds ¶
SHA256With1000Rounds computes SHA256(key || value*1000). Exported version of sha256With1000Rounds for NTDS.DIT parsing.
func UTF16LEToString ¶
UTF16LEToString converts UTF-16LE bytes to string
Types ¶
type CachedCredential ¶
// CachedCredential represents a cached domain credential, as returned by
// DumpCachedCredentials.
type CachedCredential struct {
	Username      string
	Domain        string
	DNSDomainName string
	UPN           string
	// EncryptedHash is the credential blob as stored in the hive.
	// NOTE(review): presumably protected with the NL$KM key (see
	// DecryptNLKMKey) — confirm against DumpCachedCredentials.
	EncryptedHash []byte
	// DecryptedHash is the recovered hash. It is secret material: keep it out
	// of logs and error messages.
	DecryptedHash []byte
}
CachedCredential represents a cached domain credential
func DumpCachedCredentials ¶
func DumpCachedCredentials(securityHive *Hive, bootKey []byte) ([]CachedCredential, error)
DumpCachedCredentials extracts cached domain credentials
type DPAPIKeys ¶
DPAPIKeys holds the parsed DPAPI machine and user keys
func ParseDPAPISecret ¶
ParseDPAPISecret parses the DPAPI master key backup secret. Structure: [0:4] Version, [4:24] Machine key (20 bytes), [24:44] User key (20 bytes).
type DomainInfo ¶
// DomainInfo contains domain information from the SECURITY hive, as returned
// by GetDomainInfo.
type DomainInfo struct {
	DNSDomainName string // e.g., "corp.local"
	NetBIOSName   string // e.g., "CORP"
	ComputerName  string // e.g., "DC01"
}
DomainInfo contains domain information from the SECURITY hive
func GetDomainInfo ¶
func GetDomainInfo(securityHive *Hive) (*DomainInfo, error)
GetDomainInfo extracts domain information from the SECURITY hive
type Hive ¶
// Hive represents a parsed registry hive.
//
// The raw hive bytes are exposed through Data(). EditSAMPassword modifies the
// hive in place, so after a successful edit Data() returns the edited image;
// callers that need the original should copy the bytes before editing.
type Hive struct {
	// contains filtered or unexported fields
}
Hive represents a parsed registry hive
func (*Hive) EnumSubKeys ¶
EnumSubKeys lists subkey names of a key
func (*Hive) EnumValues ¶
EnumValues lists value names of a key
func (*Hive) FindSubKey ¶
FindSubKey locates a direct child subkey by name and returns its offset
func (*Hive) GetClassName ¶
GetClassName retrieves the class name of a key
func (*Hive) GetClassNameRaw ¶
GetClassNameRaw retrieves the raw class name bytes of a key without UTF-16 decoding
func (*Hive) GetValueData ¶
GetValueData retrieves the data for a value record
type MachineAccountKeys ¶
// MachineAccountKeys contains the keys derived from a machine account password
// by DeriveMachineAccountKeys.
//
// NOTE(review): key lengths and the role of the realm and computerName inputs
// are not documented here — confirm against DeriveMachineAccountKeys. All
// fields are secret material; keep them out of logs.
type MachineAccountKeys struct {
	PlainPassword []byte // presumably the password passed to DeriveMachineAccountKeys — confirm
	NTHash        []byte
	AES256Key     []byte
	AES128Key     []byte
	DESKey        []byte
}
MachineAccountKeys contains the derived keys for a machine account
func DeriveMachineAccountKeys ¶
func DeriveMachineAccountKeys(password []byte, realm, computerName string) *MachineAccountKeys
DeriveMachineAccountKeys derives all keys from the machine account password
type NKRecord ¶
// NKRecord represents a key node of a registry hive.
//
// NOTE(review): the meaning of each field below follows the on-disk NK record
// layout its name suggests; confirm against the hive parser before relying on
// it. Offsets are int32 and are the values passed to the Hive methods
// (FindSubKey, EnumSubKeys, GetValue, ...).
type NKRecord struct {
	Signature           uint16
	Flags               uint16 // see the KEY_* NK flag constants
	LastModified        uint64
	Access              uint32
	ParentOffset        int32
	SubKeyCount         uint32
	SubKeyCountVol      uint32
	SubKeyListOffset    int32
	SubKeyListOffsetVol int32
	ValueCount          uint32
	ValueListOffset     int32
	SecurityOffset      int32
	ClassOffset         int32 // class data is read by GetClassName / GetClassNameRaw
	MaxSubKeyNameLen    uint32
	MaxSubKeyClassLen   uint32
	MaxValueNameLen     uint32
	MaxValueDataLen     uint32
	WorkVar             uint32
	NameLen             uint16
	ClassLen            uint16
	Name                string // decoded key name
}
NKRecord represents a key node