Hi Eduardo,
I've made some enhancements to the Hive Report extension and I'd like to share them with the Mobius Forensic Toolkit project.

Based upon Brendan Dolan-Gavitt's code in 'creddump' <http://code.google.com/p/creddump/>, functions related to user password LM/NT hashes, LSA Secrets and Cached Domain Credentials are now available to the Hive Report extension. Moreover, a decoder for reading Protected Storage System Provider data in offline mode has been implemented, allowing the creation of new reports based upon data stored there.

Using those functions, new reports were implemented and new features were added to existing ones. Some small bug fixes were also made, avoiding exceptions in the code.

Changes made to the extension version in the attachment are:

* new registry secrets functions, as explained above;
* updated cryptography algorithms, including DES-CBC mode, for use in Protected Storage System Provider decryption;
* new function 'candidate_passwords', which generates passwords based upon LSA secrets and protected storage contents;
* updated function 'get_username_from_sid', checking whether the user SID is from the same machine registry;
* updated function 'get_product_key', checking whether the function parameter is 'None' before trying to read it (this happens in Windows NT 4);
* updated report 'UserPasswordReport', now using the new functions cited above. It also tries to find user passwords using the 'candidate_passwords' function and can export the found ones to John The Ripper .pot files;
* new report 'OSLSASecretReport', which shows decrypted LSA secrets data. Currently, it only works with Windows 2k/XP registries;
* new report 'UserCachedCredentialReport', which shows cached domain credentials stored in the registry and tries to find user passwords using the 'candidate_passwords' function. Since the LSA secrets functions don't work with Windows NT 4 and Vista/7, cached user hashes can't be read in NT 4 and cached credentials can't be read at all in Vista/7;
* new report 'UserProtectedStorageReport', which shows decrypted protected storage data;
* updated report 'OSInfoReport', including a field for the maximum activation date of the Windows copy, read from the LSA secrets, and fixing an exception that was raised after removing all registry files from the Hive;
* updated report 'OSFoldersReport', fixing an exception that was raised after removing all registry files from the Hive;
* updated report 'EmailAccountsReport', retrieving passwords from protected storage for Outlook Express/98/2000 e-mail accounts.
Best regards,
Vladimir Santos
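The message above mentions that 'get_username_from_sid' now checks whether a user SID comes from the same machine whose registry is being examined. The following is an added illustration of that check, written for this page and not code from the Mobius Forensic Toolkit or the Hive Report extension: it parses textual SIDs, separates the machine/domain prefix from the RID, and classifies a set of profile SIDs as local to the machine or foreign. The machine SID and the user SIDs are constructed sample values, and the function names are assumptions chosen for the example.

```python
import re

# Constructed sample values (not taken from the original message): a machine
# SID of the form S-1-5-21-<a>-<b>-<c>, as derived from the SAM hive, and a
# handful of SIDs that might be found under ProfileList in the SOFTWARE hive.
MACHINE_SID = "S-1-5-21-1004336348-1177238915-682003330"

SAMPLE_PROFILE_SIDS = [
    "S-1-5-18",                                           # LocalSystem (well-known)
    "S-1-5-21-1004336348-1177238915-682003330-500",       # local Administrator
    "S-1-5-21-1004336348-1177238915-682003330-1001",      # local user
    "S-1-5-21-3623811015-3361044348-30300820-1013",       # domain user from elsewhere
]

_SID_PATTERN = re.compile(r"^S-1-(\d+)((?:-\d+)*)$")


def parse_sid(sid):
    """Split a textual SID into (identifier_authority, [sub_authorities]).

    Raises ValueError for strings that are not well-formed SIDs, so a
    malformed registry key name is reported instead of silently ignored.
    """
    match = _SID_PATTERN.match(sid)
    if not match:
        raise ValueError("malformed SID: %r" % (sid,))
    authority = int(match.group(1))
    subs = [int(part) for part in match.group(2).split("-") if part]
    return authority, subs


def split_sid(sid):
    """Return (prefix, rid) for an account SID.

    The prefix is the SID without its last sub-authority (the machine or
    domain identifier); the RID is that last sub-authority. Well-known SIDs
    with a single sub-authority, such as S-1-5-18, carry no machine part and
    are returned unchanged with rid=None.
    """
    authority, subs = parse_sid(sid)
    if len(subs) < 2:
        return sid, None
    prefix = "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs[:-1]))
    return prefix, subs[-1]


def sid_belongs_to_machine(user_sid, machine_sid):
    """True when user_sid is a local account of the machine identified by machine_sid."""
    prefix, rid = split_sid(user_sid)
    if rid is None:
        return False
    return prefix == machine_sid


def classify_profile_sids(profile_sids, machine_sid):
    """Group SIDs into those local to the machine (keyed by RID) and the rest.

    Only local SIDs can be resolved to a user name through the machine's own
    SAM hive; foreign SIDs belong to a domain or another machine and need a
    different source, which is why the check matters before a SAM lookup.
    """
    local = {}
    foreign = []
    for sid in profile_sids:
        if sid_belongs_to_machine(sid, machine_sid):
            local[split_sid(sid)[1]] = sid
        else:
            foreign.append(sid)
    return local, foreign


if __name__ == "__main__":
    local_accounts, other_sids = classify_profile_sids(SAMPLE_PROFILE_SIDS, MACHINE_SID)
    for rid, sid in sorted(local_accounts.items()):
        print("local RID %d: %s" % (rid, sid))
    for sid in other_sids:
        print("not from this machine: %s" % sid)
```

The comparison is done on the parsed numeric form rather than by string prefix matching, so a machine SID that happens to be a textual prefix of a longer, unrelated SID is not mistaken for a match.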