
Re: [Mobiusft-list] Subject: Hive Report extension - registry secrets


From: Eduardo Aguiar
Subject: Re: [Mobiusft-list] Subject: Hive Report extension - registry secrets
Date: Sun, 28 Aug 2011 15:14:43 -0300
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110616 SUSE/3.1.11 Thunderbird/3.1.11

Hi Vladimir,

great job!

The changes were incorporated into the upcoming 0.5.9 release.

Thank you for your contribution,
Eduardo Aguiar


On 08/28/2011 01:57 AM, Vladimir Santos wrote:
Hi Eduardo,

I've made some enhancements to Hive Report extension and I'd like to share
them with the Mobius Forensic Toolkit project.

Based upon Brendan Dolan-Gavitt's code in the 'creddump'
<http://code.google.com/p/creddump/>, functions related to user password
LM/NT hashes, LSA Secrets and Cached Domain Credentials are now available
to Hive Report extension. Moreover, a decoder for reading Protected
Storage System Provider data in offline mode has been implemented,
allowing the creation of new reports based upon data stored there.

Using those functions, new reports were implemented and new features were
added to existing ones. Some small bug fixes were also made, avoiding
exceptions in code.

Changes made to the extension version in attachment are:
  * new registry secrets functions as explained above;
  * updated cryptography algorithms, including DES-CBC mode, for use in
    protected storage system provider decryption;
  * new function 'candidate_passwords', which generates passwords based
    upon lsa secrets and protected storage contents;
  * updated function 'get_username_from_sid', checking if the user SID is
    from the same machine registry;
  * updated function 'get_product_key', checking if the function parameter
    is 'None' before trying to read it (this happens in Windows NT 4);
  * updated report 'UserPasswordReport', now using the new functions cited
    above. It also tries to find user passwords using 'candidate_passwords'
    function and can export the found ones to John The Ripper .pot files;
  * new report 'OSLSASecretReport', which shows decrypted lsa secrets
    data. Currently, it only works with Windows 2k/XP registry;
  * new report 'UserCachedCredentialReport', which shows cached domain
    credentials stored in the registry and tries to find user passwords
    using 'candidate_passwords' function. As long as lsa secrets functions
    don't work with Windows NT 4 and Vista/7, cached user hashes can't be
    read in NT 4 and cached credentials can't be read at all in Vista/7;
  * new report 'UserProtectedStorageReport', which shows decrypted
    protected storage data;
  * updated report 'OSInfoReport', including a field for the maximum
    activation date of the Windows copy, read from the lsa secrets, and
    fixing an exception that was raised after removing all registry files
    from the Hive;
  * updated report 'OSFoldersReport', fixing an exception that was raised
    after removing all registry files from the Hive;
  * updated report 'EmailAccountsReport', retrieving passwords from
    protected storage for Outlook Express/98/2000 e-mail accounts.

Best regards,

Vladimir Santos
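The check described for 'get_username_from_sid' above (a user SID belongs to the machine whose hives are loaded only when its domain identifier equals the machine SID) is easy to get wrong when well-known SIDs such as S-1-5-18 or profiles of domain accounts are mixed in with local ones. The following is an added example and is not code from the Hive Report extension or the Mobius Forensic Toolkit; the function names, the machine SID and the sample user SIDs are constructed for illustration, and the machine SID is assumed to have already been read from the SAM hive by the caller.

```python
import struct

# Constructed sample data (not taken from any real hive): the machine SID a
# report would read from the local SAM hive, and user SIDs as they appear as
# ProfileList subkey names.
MACHINE_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_USER_SIDS = [
    "S-1-5-21-1004336348-1177238915-682003330-1000",  # local account
    "S-1-5-21-1004336348-1177238915-682003330-500",   # built-in Administrator
    "S-1-5-21-3623811015-3361044348-30300820-1105",   # account from another SID domain
    "S-1-5-18",                                        # LocalSystem, no machine identifier
]

# Constructed binary SID for S-1-5-21-1-2-3-500 in the on-disk layout used by
# registry values: revision (1 byte), sub-authority count (1 byte), identifier
# authority (6 bytes, big-endian), then each sub-authority as a little-endian
# 32-bit integer.
SAMPLE_BINARY_SID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1, 2, 3, 500)


def decode_binary_sid(data):
    """Render a binary SID as its textual 'S-R-A-s1-s2-...' form."""
    if len(data) < 8:
        raise ValueError("SID header is truncated")
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    if len(data) < 8 + 4 * count:
        raise ValueError("SID sub-authorities are truncated")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_sid(sid):
    """Split a textual SID into (domain identifier, RID).

    Only S-1-5-21-<a>-<b>-<c>-<rid> carries a machine/domain identifier.
    Anything else (well-known SIDs, or a bare machine SID) is returned as
    (sid, None) so that callers do not mistake it for a user account.
    """
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("malformed SID: %r" % sid)
    if len(parts) == 8 and parts[1:4] == ["1", "5", "21"]:
        return "-".join(parts[:7]), int(parts[7])
    return sid, None


def is_local_account(user_sid, machine_sid):
    """True when the SID was issued by this machine's SAM, i.e. its domain
    identifier equals the machine SID read from the local hive."""
    if machine_sid is None:  # hypothetical case: SAM hive not loaded into the Hive set
        return False
    domain, rid = split_sid(user_sid)
    return rid is not None and domain == machine_sid


def classify_profiles(user_sids, machine_sid):
    """Label each profile SID as 'local', 'domain' or 'well-known' for a report."""
    result = {}
    for sid in user_sids:
        domain, rid = split_sid(sid)
        if rid is None:
            result[sid] = "well-known"
        elif domain == machine_sid:
            result[sid] = "local"
        else:
            result[sid] = "domain"
    return result


if __name__ == "__main__":
    print(decode_binary_sid(SAMPLE_BINARY_SID))
    for sid, kind in classify_profiles(SAMPLE_USER_SIDS, machine_sid=MACHINE_SID).items():
        print("%-48s %s" % (sid, kind))
```

The point of returning (sid, None) for anything that is not an S-1-5-21 SID is that a report should never try to resolve LocalSystem or a domain user's SID against the local SAM; a lookup that "succeeds" only because two RIDs coincide would attribute the wrong username to a profile.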

