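#!/usr/bin/env ruby

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

#
# This script acts as a small registry reader.
# You may easily automate a lot of registry forensics with a proper method.
#
# Usage: reg.rb <command> <opts> <hivepath>  (run with no arguments or "help"
# for the command list). Hive files are parsed by Rex::Registry::Hive; its
# relative_query / value_query lookups return nil for a missing key or value,
# so every caller below checks for nil before dereferencing the result.
#
begin
  msfbase = __FILE__
  # Follow symlinks so the lib directory is located relative to the real file.
  while File.symlink?(msfbase)
    msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
  end

  $:.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', '..', 'lib')))
  require 'msfenv'

  # Optional extra library path taken from the environment (standard msf hook).
  $:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']

  require 'rex'
  require 'rex/registry/hive'

  # Returns the array of child keys of +nodekey+, or nil when +nodekey+ is nil
  # or carries no lf_record / children. An empty array is returned as-is.
  def child_keys(nodekey)
    return nil unless nodekey && nodekey.lf_record
    nodekey.lf_record.children
  end

  # Prints the subkeys and the values of +nodekey+ (a node key from
  # Hive#relative_query). A nil +nodekey+ prints nothing.
  def print_all(nodekey)
    print_all_keys(nodekey)
    print_all_values(nodekey)
  end

  # Prints a table of the direct subkeys of +nodekey+.
  # Prints nothing when +nodekey+ is nil or has no children.
  def print_all_keys(nodekey)
    children = child_keys(nodekey)
    return if children.nil? || children.empty?

    table = Rex::Text::Table.new(
      'Header' => "Child Keys for #{nodekey.full_path}",
      'Indent' => 1,
      'Columns' => ['Name', 'Last Edited', 'Subkey Count', 'Value Count']
    )

    children.each do |key|
      table << [key.name, key.readable_timestamp, key.subkeys_count, key.value_count]
    end

    puts table.to_s
  end

  # Prints a table of the values stored directly in +nodekey+.
  # Prints nothing when +nodekey+ is nil or holds no values. The guard is on
  # the value list itself: a key with values but no subkeys is still printed
  # (the original returned early when the key had no children).
  def print_all_values(nodekey)
    return unless nodekey

    values = nodekey.value_list && nodekey.value_list.values
    return if values.nil? || values.empty?

    table = Rex::Text::Table.new(
      'Header' => "Values in key #{nodekey.full_path}",
      'Indent' => 1,
      'Columns' => ['Name', 'Value Type', 'Value']
    )

    values.each do |value|
      table << [value.name, value.readable_value_type, value.value.data]
    end

    puts table.to_s
  end

  # Builds the "ControlSet00N" key name from the number stored in
  # \Select\Default. Windows zero-pads the number to three digits, so
  # format is used instead of the original "ControlSet00" + n.to_s
  # (identical for 1..9, correct for larger values).
  def control_set_name(number)
    format('ControlSet%03d', number)
  end

  # Prints general system information.
  # SYSTEM hive: computer name, EventLog service values and MountedDevices of
  # the control set named by \Select\Default.
  # SOFTWARE hive: Windows NT CurrentVersion and Winlogon values.
  # Any other hive produces no output.
  def get_system_information
    if @hive.hive_name =~ /SYSTEM/
      mounted_devices_info_key = @hive.relative_query("\\MountedDevices")

      # \Select\Default names the control set that was booted last.
      current_control_set_key = @hive.value_query('\Select\Default')
      current_control_set = nil
      if current_control_set_key
        current_control_set = control_set_name(current_control_set_key.value.data.unpack('c').first)
      end

      computer_name = nil
      event_log_info_key = nil
      if current_control_set
        computer_name_key = @hive.value_query("\\#{current_control_set}\\Control\\ComputerName\\ComputerName")
        computer_name = computer_name_key.value.data.to_s if computer_name_key
        event_log_info_key = @hive.relative_query("\\#{current_control_set}\\Services\\EventLog")
      end

      puts "Computer Name: #{computer_name}" if computer_name

      if event_log_info_key
        print_all_values(event_log_info_key)
        puts "-----------------------------------------"
      end

      if mounted_devices_info_key
        print_all_values(mounted_devices_info_key)
        puts "-----------------------------------------"
      end
    elsif @hive.hive_name =~ /SOFTWARE/
      current_version_info_key = @hive.relative_query("\\Microsoft\\Windows NT\\CurrentVersion")
      login_info_key = @hive.relative_query("\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon")

      print_all_values(current_version_info_key)
      puts "-----------------------------------------" if current_version_info_key

      print_all_values(login_info_key)
      puts "-----------------------------------------" if login_info_key
    end
  end

  # Prints the local group names and local user names found in a SAM hive.
  def get_user_information
    local_groups_info_key = @hive.relative_query("\\SAM\\Domains\\Builtin\\Aliases\\Names")
    local_users_info_key = @hive.relative_query("\\SAM\\Domains\\Account\\Users\\Names")

    print_all(local_groups_info_key)
    puts "------------------------------------------------" if child_keys(local_groups_info_key)

    print_all(local_users_info_key)
    # The original tested the groups key here (copy/paste), so the users
    # separator depended on the wrong key.
    puts "------------------------------------------------" if child_keys(local_users_info_key)
  end

  # Not implemented: the help text advertises hash dumping from the SAM hive,
  # but this command currently does nothing.
  def dump_creds
  end

  # Derives and prints (as hex) the boot key of a SYSTEM hive.
  # The 16 key bytes are assembled from the class names of the JD, Skew1, GBG
  # and Data subkeys under <control set>\Control\Lsa and then permuted with
  # +descrambler+. Prints a message and returns nil when the hive has no root
  # key, no \Select\Default value, or any of the four subkeys is missing.
  # Treat the printed value as sensitive: it is key material taken from the
  # imaged system.
  def get_boot_key
    return unless @hive.root_key && @hive.root_key.name

    puts "Getting boot key"
    puts "Root key: #{@hive.root_key.name}"

    select_key = @hive.value_query('\Select\Default')
    unless select_key
      puts "Missing \\Select\\Default value, cannot pick the control set"
      return nil
    end
    default_control_set = select_key.value.data.unpack("c").first

    control_set = control_set_name(default_control_set)
    puts "Default ControlSet: #{control_set}"

    basekey = "\\#{control_set}\\Control\\Lsa"
    bootkey = ""

    %w[JD Skew1 GBG Data].each do |k|
      lsa_subkey = @hive.relative_query("#{basekey}\\#{k}")
      unless lsa_subkey
        puts "Missing #{basekey}\\#{k}, cannot build the boot key"
        return nil
      end

      # Keep every other byte of the class name data (the original skipped odd
      # offsets; presumably the class name is a wide-character hex string),
      # parse the digits as hex and append the 32-bit word little-endian.
      hex = (0...lsa_subkey.class_name_length).step(2).map { |i| lsa_subkey.class_name_data[i, 1] }.join
      bootkey << [hex.to_i(16)].pack('V')
    end

    keybytes = bootkey.unpack("C*")

    # Fixed byte permutation applied to the assembled key.
    # descrambler = [ 0x08, 0x05, 0x04, 0x02, 0x0b, 0x09, 0x0d, 0x03, 0x00, 0x06, 0x01, 0x0c, 0x0e, 0x0a, 0x0f, 0x07 ]
    descrambler = [0x0b, 0x06, 0x07, 0x01, 0x08, 0x0a, 0x0e, 0x00, 0x03, 0x05, 0x02, 0x0f, 0x0d, 0x09, 0x0c, 0x04]

    descrambled = keybytes.each_index.map { |x| keybytes[descrambler[x]] }.pack("C*")

    puts descrambled.unpack("H*").first
  end

  # Not implemented: listed in the help text but currently prints nothing.
  def list_applications
  end

  # Not implemented: listed in the help text but currently prints nothing.
  def list_drivers
  end

  # Prints AOL Instant Messenger settings from an NTUSER.dat hive: the user
  # list and, per screen name, away messages, file transfer settings, the
  # directory entry and recent contacts. Other hives produce no output.
  def get_aol_instant_messenger_information
    # The original compared the hive name with a Regexp using !=, which is
    # always true; the intent is a case-insensitive match on NTUSER.dat.
    return unless @hive.hive_name =~ /NTUSER\.dat/i

    aim_base = "\\Software\\America Online\\AOL Instant Messenger(TM)\\CurrentVersion"
    users_list_key = @hive.relative_query("#{aim_base}\\Users")

    print_all_keys(users_list_key)

    # Guard: the original dereferenced users_list_key.lf_record.children
    # without checking for nil.
    screen_names = child_keys(users_list_key)
    return unless screen_names

    screen_names.each do |screenname|
      user_base = "#{aim_base}\\Users\\#{screenname.name}"
      print_all(@hive.relative_query("#{user_base}\\IAmGoneList"))
      print_all(@hive.relative_query("#{user_base}\\Xfer"))
      print_all(@hive.relative_query("#{user_base}\\DirEntry"))
      print_all(@hive.relative_query("#{user_base}\\Recent IM ScreenNames"))
    end
  end

  # Prints MSN Messenger list cache, file sharing and file transfer settings
  # from an NTUSER.dat hive. Other hives produce no output.
  def get_msn_messenger_information
    return unless @hive.hive_name =~ /NTUSER\.dat/i

    general_information_key = @hive.relative_query("\\Software\\Microsoft\\MessengerService\\ListCache\\.NETMessengerService\\")
    file_sharing_information_key = @hive.relative_query("\\Software\\Microsoft\\MSNMessenger\\FileSharing - Autoshare")
    file_transfers_information_key = @hive.relative_query("\\Software\\Microsoft\\MSNMessenger\\ - FTReceiveFolder")

    print_all(general_information_key)
    print_all(file_sharing_information_key)
    print_all(file_transfers_information_key)
  end

  # Prints Windows Messenger contact list, file transfer and last identity
  # keys from an NTUSER.dat hive. Other hives produce no output.
  def get_windows_messenger_information
    return unless @hive.hive_name =~ /NTUSER\.dat/i

    contact_list_information_key = @hive.relative_query("\\Software\\Microsoft\\MessengerService\\ListCache\\.NET Messenger Service")
    file_transfers_information_key = @hive.relative_query("\\Software\\Microsoft\\Messenger Service - FtReceiveFolder")
    last_user_information_key = @hive.relative_query("\\Software\\Microsoft\\MessengerService\\ListCache\\.NET Messenger Service - IdentityName")

    print_all(contact_list_information_key)
    print_all(file_transfers_information_key)
    print_all(last_user_information_key)
  end

  # Prints the ICQ key from an NTUSER.dat hive, or the ICQ Owner key from a
  # SOFTWARE hive. Other hives produce no output.
  # The vendor key is "Mirabilis"; the original spelt it "Mirabalis", which
  # could never match.
  def get_icq_information
    if @hive.hive_name =~ /NTUSER\.dat/i
      general_information_key = @hive.relative_query("\\Software\\Mirabilis\\ICQ")
      print_all(general_information_key)
    elsif @hive.hive_name =~ /SOFTWARE/
      owner_number_key = @hive.relative_query("\\Software\\Mirabilis\\ICQ\\Owner")
      print_all(owner_number_key)
    end
  end

  # Prints Internet Explorer related keys from an NTUSER.dat hive (protected
  # storage entries, main settings, typed URLs, IntelliForms) and the
  # "days to keep" history setting when present. Other hives produce no output.
  def get_ie_information
    return unless @hive.hive_name =~ /NTUSER\.dat/i

    protected_storage = "\\Software\\Microsoft\\Protected Storage System Provider"
    ie_base = "\\Software\\Microsoft\\Internet Explorer"

    stored_logon_information_key = @hive.relative_query("#{protected_storage}\\SID\\Internet Explorer\\Internet Explorer - URL:StringData")
    # The original spelt this one "SystemProvider"; normalised to match the
    # other three Protected Storage lookups in this function.
    stored_search_terms_information_key = @hive.relative_query("#{protected_storage}\\SID\\Internet Explorer\\Internet Explorer - q:SearchIndex")
    ie_setting_information_key = @hive.relative_query("#{ie_base}\\Main")
    history_length_value_key = @hive.value_query("\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\URL History - DaysToKeep")
    typed_urls_information_key = @hive.relative_query("#{ie_base}\\Typed URLs")
    intelliforms_information_key = @hive.relative_query("#{ie_base}\\Intelliforms")
    autocomplete_web_addresses_key = @hive.relative_query(protected_storage)
    default_download_dir = @hive.relative_query(ie_base)

    [
      stored_logon_information_key,
      stored_search_terms_information_key,
      ie_setting_information_key,
      typed_urls_information_key,
      intelliforms_information_key,
      autocomplete_web_addresses_key,
      default_download_dir
    ].each { |key| print_all(key) }

    # value_query may return nil for a missing value; the original only
    # excluded an Array result and would have raised on nil.
    if history_length_value_key && !history_length_value_key.kind_of?(Array)
      puts "Days saved in history: #{history_length_value_key.value.data}"
    end
  end

  # Prints the INETCOMM server password storage key from an NTUSER.dat hive.
  # Other hives produce no output.
  def get_outlook_information
    return unless @hive.hive_name =~ /NTUSER\.dat/i

    account_information_key = @hive.relative_query("\\Software\\Microsoft\\Protected Storage System Provider\\SID\\Identification\\INETCOMM Server Passwords")
    print_all(account_information_key)
  end

  # Prints Yahoo! Messenger profiles and, per profile, the file transfer and
  # archive keys from an NTUSER.dat hive. Other hives produce no output.
  def get_yahoo_messenger_information
    return unless @hive.hive_name =~ /NTUSER\.dat/i

    profiles_key = @hive.relative_query("\\Software\\Yahoo\\Pager\\profiles")
    print_all(profiles_key)

    # Guard: the original dereferenced profiles_key.lf_record.children
    # without checking for nil.
    profiles = child_keys(profiles_key)
    return unless profiles

    profiles.each do |child|
      profile_base = "\\Software\\Yahoo\\Pager\\profiles\\#{child.name}"
      print_all(@hive.relative_query("#{profile_base}\\FileTransfer"))
      print_all(@hive.relative_query("#{profile_base}\\Archive"))
    end
  end

  # Not implemented: listed in the help text but currently prints nothing.
  def get_networking_information
  end

  # Not implemented: listed in the help text but currently prints nothing.
  def get_user_application_information
  end

  # Opens the hive named by the last command line argument.
  # Prints a message and exits with status 1 when no usable path was given
  # (the original passed nil or the command name straight to Hive.new).
  def open_hive_from_argv
    path = ARGV.last
    if path.nil? || !File.exist?(path)
      puts "Hive path missing or not found: #{path.inspect}"
      exit 1
    end
    Rex::Registry::Hive.new(path)
  end

  # Loads the hive from ARGV and yields when its name matches one of
  # +patterns+; otherwise prints +reject_message+ (a format string whose %s
  # receives the hive name). Every single-hive command below goes through
  # here so the load / check / dispatch sequence is written once.
  def with_hive(reject_message, *patterns)
    @hive = open_hive_from_argv
    if patterns.any? { |pattern| @hive.hive_name =~ pattern }
      yield
    else
      puts format(reject_message, @hive.hive_name)
    end
  end

  if ARGV.empty? || ARGV[0] == "help"
    no_args = %Q{
Usage: reg.rb <command> <opts> <hivepath>

Available commands:
query_key                               Query for more information about a specific node key
query_value                             Query for the value of a specific value key
get_boot_key                            Extract the boot key from the SYSTEM hive
dump_creds                              Dump the usernames and password hashes of the users from the SAM hive
list_applications                       List all the applications installed via the SOFTWARE hive
list_drivers                            List all the devices and their respective drivers and driver versions from SYSTEM hive
get_everything                          When pointed to a directory with hives, it will run all commands on all available hives
get_aol_instant_messenger_information   Get credentials and general information on AOL Instant Messenger users from NTUSER.dat
get_msn_messenger_information           Get credentials and general information on MSN Messenger users from NTUSER.dat
get_windows_messenger_information       Get credentials and general information on Windows Messenger users from NTUSER.dat
get_icq_information                     Get credentials and general information on ICQ users from NTUSER.dat
get_ie_information                      Get stored credentials, typed history, search terms, and general settings from NTUSER.dat
get_outlook_information                 Gets outlook and outlook express stored credentials and general information from NTUSER.dat
get_yahoo_messenger_information         Gets credentials and general information on Yahoo! Messenger users from NTUSER.dat
get_system_information                  Gets general system administration from both SOFTWARE and SYSTEM hives
get_networking_information              Gets networing information from the SAM, SYSTEM, and NTUSER.dat hives
get_user_information                    Gets general user information from the SYSTEM, SECURITY, SAM, and NTUSER.dat hives
get_user_application_information        Gets user-specific application information from the NTUSER.DAT and SOFTWARE hives
}

    puts no_args
    exit
  end

  case ARGV[0]

  when "query_key"
    @hive = open_hive_from_argv
    puts "Hive name: #{@hive.hive_name}"

    # Every argument between the command and the hive path is a key path.
    ARGV[1..-2].each do |key_path|
      print_all(@hive.relative_query(key_path))
    end

  when "query_value"
    @hive = open_hive_from_argv
    puts "Hive name: #{@hive.hive_name}"

    ARGV[1..-2].each do |value_path|
      selected = @hive.value_query(value_path)

      unless selected
        puts "Value not found."
        # The original used `return` here. A top-level return from inside a
        # block is version dependent; `break` ends the loop, and since nothing
        # follows the case statement it ends the run just the same.
        break
      end

      puts "Value Name: #{selected.name}"
      puts "Value Data: #{selected.value.data.inspect}"
    end

  when "get_boot_key"
    with_hive("I need a SYSTEM hive to grab the boot key, not a %s.", /SYSTEM/) { get_boot_key }

  when "dump_creds"
    with_hive("I need a SAM hive, not a %s", /SAM/) { dump_creds }

  when "list_applications"
    with_hive("I need a SOFTWARE hive, not a %s.", /SOFTWARE/) { list_applications }

  when "list_drivers"
    with_hive("I need a SYSTEM hive, not a %s.", /SYSTEM/) { list_drivers }

  when "get_everything"
    hive_dir = ARGV[1]
    if hive_dir.nil? || !File.directory?(hive_dir)
      # The original passed ARGV[1] straight to Dir.foreach and raised on nil.
      puts "get_everything needs a directory containing hives, got #{hive_dir.inspect}."
    else
      Dir.foreach(hive_dir) do |file|
        next if file.start_with?('.')

        path = File.join(hive_dir, file)
        next if File.directory?(path)

        @hive = Rex::Registry::Hive.new(path)

        # Skip files that did not parse as a hive.
        next unless @hive.hive_regf && @hive.hive_name

        case @hive.hive_name

        when /SYSTEM/
          puts "Found a SYSTEM hive..."

          list_drivers
          get_boot_key
          get_system_information
          get_networking_information
          get_user_information

        when /SOFTWARE/
          puts "Found a SOFTWARE hive..."

          list_applications
          get_icq_information
          get_system_information
          get_networking_information
          get_user_information
          get_user_application_information

        when /SAM/
          puts "Found a SAM hive..."

          get_networking_information
          get_user_information

        when /SECURITY/
          puts "Found a SECURITY hive..."

          get_user_information

        when /NTUSER\.dat/i
          puts "Found a NTUSER.dat hive..."

          get_aol_instant_messenger_information
          get_icq_information
          get_ie_information
          get_msn_messenger_information
          get_outlook_information
          get_windows_messenger_information
          get_yahoo_messenger_information
          get_networking_information
          get_user_information
          get_user_application_information

        end
      end
    end

  when "get_aol_instant_messenger_information"
    with_hive("I need the NTUSER.dat hive, not %s.", /NTUSER\.dat/i) { get_aol_instant_messenger_information }

  when "get_icq_information"
    with_hive("I need either a SOFTWARE or NTUSER.dat hive, not %s.", /NTUSER\.dat/i, /SOFTWARE/) { get_icq_information }

  when "get_ie_information"
    with_hive("I need an NTUSER.dat hive, not %s.", /NTUSER\.dat/i) { get_ie_information }

  when "get_msn_messenger_information"
    with_hive("I need an NTUSER.dat hive, not %s.", /NTUSER\.dat/i) { get_msn_messenger_information }

  when "get_outlook_information"
    with_hive("I need an NTUSER.dat hive, not %s.", /NTUSER\.dat/i) { get_outlook_information }

  when "get_windows_messenger_information"
    with_hive("I need an NTUSER.dat hive, not a %s.", /NTUSER\.dat/i) { get_windows_messenger_information }

  when "get_yahoo_messenger_information"
    with_hive("I need an NTUSER.dat hive, not a %s.", /NTUSER\.dat/i) { get_yahoo_messenger_information }

  when "get_system_information"
    with_hive("I need the SYSTEM or SOFTWARE hive, not %s.", /SYSTEM/, /SOFTWARE/) { get_system_information }

  when "get_networking_information"
    with_hive("I need either a SAM, SYSTEM, or NTUSER.dat hive, not a %s.", /SAM/, /SYSTEM/, /NTUSER\.dat/i) { get_networking_information }

  when "get_user_information"
    with_hive("I need a SAM hive. Not a %s.", /SAM/) { get_user_information }

  when "get_user_application_information"
    with_hive("I need either an NTUSER.dat or SOFTWARE hive, not a %s.", /NTUSER\.dat/i, /SOFTWARE/) { get_user_application_information }

  else
    puts "Sorry invalid command, try with \"help\""
  end
rescue SignalException => e
  # Ctrl-C (Interrupt is a SignalException) ends the run with a short notice;
  # SystemExit from the help/exit paths is not caught here.
  puts("Aborted! #{e}")
end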