Service account username when dumping LSA secrets offline #1861

Open
wants to merge 1 commit into
base: master
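--- a/examples/secretsdump.py
+++ b/examples/secretsdump.py
@@ -291,8 +291,9 @@ def dump(self):
 else:
 SECURITYFileName = self.__securityHive
 
-self.__LSASecrets = LSASecrets(SECURITYFileName, bootKey, self.__remoteOps,
-isRemote=self.__isRemote, history=self.__history)
+localOps = LocalOperations(self.__systemHive)
+self.__LSASecrets = LSASecrets(SECURITYFileName, bootKey, self.__remoteOps, localOps, self.__remoteSSMethod,
+isRemote=self.__isRemote, history=self.__history)
 self.__LSASecrets.dumpCachedHashes()
 if self.__outputFileName is not None:
 self.__LSASecrets.exportCached(self.__outputFileName)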
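Review bot: The two new arguments in the `LSASecrets(...)` call are passed positionally, while `isRemote` and `history` on the continuation line are passed by keyword; because the constructor inserts the new parameters in the middle of its list, the keyword form is the safer one here: `localOps=localOps, remoteSSMethod=self.__remoteSSMethod,`. `LocalOperations(self.__systemHive)` is also built on every run, and the hunk does not show whether `self.__systemHive` is set when the target is remote, so it may be worth constructing it only when a SYSTEM hive path is actually available (provided `LSASecrets` tolerates a missing `localOps`). `dump()` starts and ends outside the hunk.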
27 changes: 23 additions & 4 deletions impacket/examples/secretsdump.py
@@ -1488,7 +1488,7 @@ class SECRET_TYPE:
LSA_RAW = 2
LSA_KERBEROS = 3

def __init__(self, securityFile, bootKey, remoteOps=None, isRemote=False, history=False,
def __init__(self, securityFile, bootKey, remoteOps=None, localOps=None, remoteSSMethod=False, isRemote=False, history=False,
perSecretCallback=lambda secretType, secret: _print_helper(secret)):
OfflineRegistry.__init__(self, securityFile, isRemote)
self.__hashedBootKey = b''
@@ -1499,6 +1499,8 @@ def __init__(self, securityFile, bootKey, remoteOps=None, isRemote=False, histor
self.__cryptoCommon = CryptoCommon()
self.__securityFile = securityFile
self.__remoteOps = remoteOps
self.__localOps = localOps
self.__remoteSSMethod = remoteSSMethod
self.__cachedItems = []
self.__secretItems = []
self.__perSecretCallback = perSecretCallback
@@ -1691,15 +1693,19 @@ def __printSecret(self, name, secretItem):
else:
# We have to get the account the service
# runs under
if hasattr(self.__remoteOps, 'getServiceAccount'):

if hasattr(self.__remoteOps, 'getServiceAccount') and not self.__remoteSSMethod:
account = self.__remoteOps.getServiceAccount(name[4:])
if account is None:
secret = self.UNKNOWN_USER + ':'
else:
secret = "%s:" % account
else:
# We don't support getting this info for local targets at the moment
secret = self.UNKNOWN_USER + ':'
account = self.__localOps.getServiceAccount(name[4:])
if account is None:
secret = self.UNKNOWN_USER + ':'
else:
secret = "%s:" % account
secret += strDecoded
elif upperName.startswith('DEFAULTPASSWORD'):
# defaults password for winlogon
@@ -2915,6 +2921,19 @@ def getBootKey(self):

return bootKey

def getServiceAccount(self, service_name):
LOG.debug('Retrieving account for %s service' % service_name)
try:
winreg = winregistry.Registry(self.__systemHive, False)
current_control_set = winreg.getValue('\\Select\\Current')[1]
current_control_set = "ControlSet%03d" % current_control_set
service_path = f'\\{current_control_set}\\Services\\{service_name}\\ObjectName'
object_name_value = winreg.getValue(service_path)
account_name = object_name_value[1].decode('utf-16le')
return account_name
except Exception as e:
LOG.error(e)
return None

def checkNoLMHashPolicy(self):
LOG.debug('Checking NoLMHash Policy')
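Review bot: `localOps` defaults to `None` in `__init__`, but the new `else` branch in `__printSecret` calls `self.__localOps.getServiceAccount(name[4:])` without a guard, so a caller that builds `LSASecrets` without `localOps` (and previously got `UNKNOWN_USER`) now raises `AttributeError` on the first service-account secret. A guard keeps the old fallback: `account = self.__localOps.getServiceAccount(name[4:]) if self.__localOps is not None else None`. The new parameters are also inserted ahead of `isRemote` and `history`, which silently rebinds those for any caller passing them positionally; appending them at the end of the signature avoids that. In `getServiceAccount`, the broad `except Exception` logs at error level even when `ObjectName` is merely absent, and the decoded value may still carry a trailing NUL if the registry parser returns raw REG_SZ bytes, which is worth confirming. `__init__` and `__printSecret` both continue outside their hunks.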