GitHub Repository: rapid7/metasploit-framework
Path: blob/master/spec/lib/msf/util/windows_crypto_helpers_spec.rb
# -*- coding: binary -*-
require 'spec_helper'
RSpec.describe Msf::Util::WindowsCryptoHelpers do
  # The helpers are a mixin for post modules, so they are exercised through a
  # throwaway Msf::Post subclass rather than being called on the module itself.
  subject do
    # `described_class` is an example-group method; inside Class.new's block
    # `self` is the new class, so it has to be captured in a local first.
    helpers = described_class
    Class.new(Msf::Post) { include helpers }.new
  end

  # Sample boot keys, 16 bytes each. boot_key_vista is not referenced by any
  # example in this file; it is kept next to the XP key for reference.
  let(:boot_key_vista) { "\x50\xfb\xae\x5f\x5c\xd7\x70\x39\x54\xe5\x50\x48\x32\x1b\x81\x8d" }
  let(:boot_key_xp)    { "\x27\x18\x0a\x2e\xe0\xfb\x98\x52\x77\x06\x24\x8e\x21\x80\xf4\x56" }

  # Vista and newer secret format.
  describe '#decrypt_lsa_data' do
    # Encrypted value as read from "HKLM\\Security\\Policy\\Secrets\\".
    let(:ciphertext) do
      "\x00\x00\x00\x01\x68\x6e\x97\x93\xdb\xdb\xde\xc8\xf7\x40\x08\x79" \
      "\x9d\x91\x64\x1c\x03\x00\x00\x00\x00\x00\x00\x00\x68\x38\x3f\xc5" \
      "\x94\x10\xac\xcf\xbe\xf7\x8d\x12\xc0\xd5\xa2\x9d\x3d\x30\x30\xa8" \
      "\x6d\xbd\xc6\x48\xd3\xe4\x36\x33\x86\x91\x0d\x8d\x8f\xfc\xd4\x8a" \
      "\x87\x0c\x83\xde\xb4\x73\x9e\x21\x1b\x39\xef\x04\x36\x67\x97\x8a" \
      "\x43\x40\x79\xcf\xdb\x3d\xcc\xfe\x10\x0c\x78\x11\x00\x00\x00\x00" \
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    end

    # 32-byte LSA key used to decrypt the value above.
    let(:lsa_key) do
      "\x93\x19\xb7\xb3\x93\x5b\xcb\x53\x5c\xb0\x54\xce\x0f\x5e\x27\xfd" \
      "\x4f\xd1\xe3\xd3\x5b\x8c\x90\x4c\x13\xda\xb8\x39\xcc\x4e\x28\x43"
    end

    # The expectation covers the whole decrypted blob, header and trailing
    # bytes included, so it is assembled from its three visible parts.
    let(:plaintext) do
      # First DWORD is 0x10 == the byte length of the UTF-16LE payload that
      # follows, so it is presumably a length field; the other twelve bytes
      # of this run are zero.
      header = "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      # "msfadmin" encoded as UTF-16LE.
      payload = "\x6d\x00\x73\x00\x66\x00\x61\x00\x64\x00\x6d\x00\x69\x00\x6e\x00"
      # Trailing 16 bytes: meaning unknown to the original author as well;
      # possibly random padding, since the plaintext appears to always be a
      # multiple of 16 bytes.
      trailer = "\xc3\x5f\x85\xc2\x62\x55\x25\x6c\x42\x89\x88\xc1\xe0\xe8\x17\x5e"
      header + payload + trailer
    end

    it 'should produce expected plaintext' do
      expect(subject.decrypt_lsa_data(ciphertext, lsa_key)).to eq(plaintext)
    end
  end

  # XP and older secret format.
  describe '#decrypt_secret_data' do
    # Encrypted value as read from "HKLM\\Security\\Policy\\Secrets\\".
    let(:ciphertext) do
      "\x22\xea\xc4\xd8\xfc\x5d\x36\xf4\x2e\x8b\xd3\x0f\x5d\xbc\xc4\x3a" \
      "\x37\x4b\x84\xea\xa0\xc0\x96\x61"
    end
    let(:boot_key) { boot_key_xp }
    # "msfadmin" encoded as UTF-16LE. Unlike the Vista+ case, the expected
    # output here is the bare payload with no length header or trailer.
    let(:plaintext) { "\x6d\x00\x73\x00\x66\x00\x61\x00\x64\x00\x6d\x00\x69\x00\x6e\x00" }

    it 'should produce expected plaintext' do
      expect(subject.decrypt_secret_data(ciphertext, boot_key)).to eq(plaintext)
    end

    context 'with a large secret' do
      # Multi-block ciphertext, written as hex for readability and packed to
      # raw bytes; the heredoc newlines are stripped before packing.
      let(:ciphertext) do
        hex = <<~HEX
          d3c5991ffd49b7b072f00f3f8f1cae9d64c9300938f80ef9c0d01e1e3ec126c2127c5b27fe
          2f2191a6da1b4bf0dd6aef3f04484df22babd994b18428069979de669b935b85c8d7cdb470
          4e998752aedfd8a34c34ef38b8cf38f9a436d309e4c9100c46c2661652635e8cbb68990f9f
          d878ae201f56979cd298b1fd0ebfe893f6f9a3e174ba3daf07e97967d5561ce3041815d523
          2889ae6a17a600b2660aea0371e0e5bd6495772acec7b3954652a0172f72a0e5c8e2d5899b
          12132ade0a2f5ac47c0ffd957d51769247673943200ac9652c2f68e7b71c4a5b338cd62462
          d6384a502b15cb5e02dbbbf53b18f3ddc2bb7317c65422b067f27073d2fbb6ae98c8d75d44
          dda34cd2b9e429fe58a75771c7fe8b9c73c3a88a1b00d80af28d644e8e1a760280b9a5cd71
          319c1bfbf5ad04e9869d17ec392b0f00e7fac04affbf0825080df833d533f75e126af7c073
          893ad1c3fe09af99b935b7ac8500b10f2c8383cfc30201aed4b721d71b080816739b42a0ae
          0a167caf6f67ac8500b10f2c8383cfc30201aed4b721
        HEX
        [hex.delete("\n")].pack('H*')
      end

      # 16-byte key. NOTE(review): this is named lsa_key while the sibling
      # example calls the same positional argument boot_key; confirm which
      # name matches decrypt_secret_data's contract.
      let(:lsa_key) { ['5cd51b7d70c1814f0b37ada38babcd06'].pack('H*') }

      # Expected decrypted bytes. NOTE(review): the first four bytes decode to
      # "RSA2", which looks like the magic of a CryptoAPI RSA private-key
      # blob; confirm before relying on that interpretation.
      let(:plaintext) do
        hex = <<~HEX
          5253413248000000000200003f00000001000100e7bbffa5f31998062c6cbab92863d2b9cf
          0dd3a323d0dd2506ecf46febf44b517ba7475f8e470bfee47343c5eda72b039318ff76fede
          3b593d758f09d96d53c900000000000000007f0c0af6c84c675435170e3ba03122610ae55c
          d5f0d11dc19ca025af5680bef80000000099bcaf52b6aaa97bca0d1aa295011ce5bb372a8c
          31fd4adcf93758a8e6d432cf0000000097521ad69479c5cf129b8ee43c5b98f85a1b47b40e
          a06415026af9843067d18d00000000999201ae1bdbfd187d924430e9d8e7cbd306b65c49fd
          805609244ae33de2785c00000000a5139bbb9733b1a6395bdf4c233e0d653a9c0526d4007b
          4f54330b50ca41f861000000003160edfc16a22a6a0201f30f9a850db2272f6688bb849763
          cbc61ec39cf4566b77da7989000ff520a7a4bb94f88edf52a9d3b32f8edc5fd3ea238cacef
          60d21200000000000000000000000000000000000000000000000000000000000000000000
          00000000000000000000
        HEX
        [hex.delete("\n")].pack('H*')
      end

      it 'should produce expected plaintext' do
        expect(subject.decrypt_secret_data(ciphertext, lsa_key)).to eq(plaintext)
      end
    end
  end
end