Wednesday, February 20, 2008

CredDump: Extract Credentials from Windows Registry Hives

This is just a short post to talk about a new tool I've developed, called CredDump. CredDump is a pure-Python implementation of the bkhive/samdump2, lsadump2, and cachedump utilities commonly used to audit Windows password security.

Why re-implement these tools? Well, for one thing, I like Python, and wanted to learn the details of how they all worked. Much more importantly though, this tool is completely cross-platform and requires only the registry hives recovered from the system to operate. Most other tools currently available rely on some aspect of Windows to provide their functionality. For example:

  • lsadump2 calls advapi32.LsarQuerySecret to obtain the unencrypted LSA secrets.

  • cachedump searches through the address space of lsass.exe to obtain the unencrypted LSA key, and uses advapi32.SystemFunction005 to decrypt the value of NL$KM with it.

  • Cain & Abel is the closest to operating entirely offline, but still uses advapi32.SystemFunction005 to do the decryption. Also, it's closed source and Windows-only.

So the hope was to build something in the spirit of Nicola Cuomo's bkhive and samdump2, that could work without requiring Windows at all.

It turned out that almost all of the pieces were already publicly available in various forms. The only truly original work I ended up having to do was reverse engineering SystemFunction005 to re-implement it in Python (and even there, the Wine folks had already done most of the work, they just didn't account for keys longer than 7 bytes).

You can find the project's home page here, or download it directly here.

But wait, I hear you cry, how do I get these hives in the first place? You extract them from a Windows system. Unfortunately, it's not as easy as just copying them out of c:\windows\system32\config, because the files are always open. To get around this, you can either boot into Knoppix, or use the Volume Shadow Copy trick.

In the next few articles, I'll be discussing in detail how these programs work. The first article will cover Syskey encryption and how to dump the SAM database, the next will explore the extraction of LSA secrets, and the final one will talk about cached domain passwords. Of course, if you don't want to wait, there's always the code, which should be pretty readable Python. After that, it's back to memory analysis; now that we have a sense of some of the things in the registry, I'll show you how we can access large portions of the registry directly from Windows memory dumps.


Brav0Hax said...
This comment has been removed by the author.
Brav0Hax said...
This comment has been removed by the author.
Brav0Hax said...

You can grab the hives from a remote system using winexe and local admin creds.

winexe --system -U username%password // "CMD /C reg.exe save HKLM\SAM C:\Windows\Temp\sam && reg.exe save HKLM\SECURITY C:\Windows\Temp\sec && reg.exe save HKLM\SYSTEM C:\Windows\Temp\sys"

Then use a get command with smbclient to bring them to your local system.

Fire up creddump and you've got your hashes.