Clean up unicode names

commit b3eb7b13585338889eae20f1250d1a756f4f2f8f 1 parent c887e0a
HD Moore hmoore-r7 authored
Showing with 10 additions and 10 deletions.
  1. +10 −10 modules/post/windows/gather/cachedump.rb
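--- a/modules/post/windows/gather/cachedump.rb
+++ b/modules/post/windows/gather/cachedump.rb
@@ -231,7 +231,7 @@ def parse_decrypted_cache(dec_data, s)
 hash = dec_data[i...i+0x10]
 i+=72
-username = dec_data[i...i+(s.userNameLength)].split("\x00").first
+username = dec_data[i...i+(s.userNameLength)].split("\x00\x00").first.gsub("\x00", '')
 i+=s.userNameLength
 i+=2 * ( ( s.userNameLength / 2 ) % 2 )
@@ -245,56 +245,56 @@ def parse_decrypted_cache(dec_data, s)
 i+=s.domainNameLength
 if( s.dnsDomainNameLength != 0)
-dnsDomainName = dec_data[i...i+s.dnsDomainNameLength+1].split("\x00").first
+dnsDomainName = dec_data[i...i+s.dnsDomainNameLength+1].split("\x00\x00").first.gsub("\x00", '')
 i+=s.dnsDomainNameLength
 i+=2 * ( ( s.dnsDomainNameLength / 2 ) % 2 )
 vprint_good "DNS Domain Name\t: #{dnsDomainName}"
 end
 if( s.upnLength != 0)
-upn = dec_data[i...i+s.upnLength+1].split("\x00").first
+upn = dec_data[i...i+s.upnLength+1].split("\x00\x00").first.gsub("\x00", '')
 i+=s.upnLength
 i+=2 * ( ( s.upnLength / 2 ) % 2 )
 vprint_good "UPN\t\t\t: #{upn}"
 end
 if( s.effectiveNameLength != 0 )
-effectiveName = dec_data[i...i+s.effectiveNameLength+1].split("\x00").first
+effectiveName = dec_data[i...i+s.effectiveNameLength+1].split("\x00\x00").first.gsub("\x00", '')
 i+=s.effectiveNameLength
 i+=2 * ( ( s.effectiveNameLength / 2 ) % 2 )
 vprint_good "Effective Name\t: #{effectiveName}"
 end
 if( s.fullNameLength != 0 )
-fullName = dec_data[i...i+s.fullNameLength+1].split("\x00").first
+fullName = dec_data[i...i+s.fullNameLength+1].split("\x00\x00").first.gsub("\x00", '')
 i+=s.fullNameLength
 i+=2 * ( ( s.fullNameLength / 2 ) % 2 )
 vprint_good "Full Name\t\t: #{fullName}"
 end
 if( s.logonScriptLength != 0 )
-logonScript = dec_data[i...i+s.logonScriptLength+1].split("\x00").first
+logonScript = dec_data[i...i+s.logonScriptLength+1].split("\x00\x00").first.gsub("\x00", '')
 i+=s.logonScriptLength
 i+=2 * ( ( s.logonScriptLength / 2 ) % 2 )
 vprint_good "Logon Script\t\t: #{logonScript}"
 end
 if( s.profilePathLength != 0 )
-profilePath = dec_data[i...i+s.profilePathLength+1].split("\x00").first
+profilePath = dec_data[i...i+s.profilePathLength+1].split("\x00\x00").first.gsub("\x00", '')
 i+=s.profilePathLength
 i+=2 * ( ( s.profilePathLength / 2 ) % 2 )
 vprint_good "Profile Path\t\t: #{profilePath}"
 end
 if( s.homeDirectoryLength != 0 )
-homeDirectory = dec_data[i...i+s.homeDirectoryLength+1].split("\x00").first
+homeDirectory = dec_data[i...i+s.homeDirectoryLength+1].split("\x00\x00").first.gsub("\x00", '')
 i+=s.homeDirectoryLength
 i+=2 * ( ( s.homeDirectoryLength / 2 ) % 2 )
 vprint_good "Home Directory\t\t: #{homeDirectory}"
 end
 if( s.homeDirectoryDriveLength != 0 )
-homeDirectoryDrive = dec_data[i...i+s.homeDirectoryDriveLength+1].split("\x00").first
+homeDirectoryDrive = dec_data[i...i+s.homeDirectoryDriveLength+1].split("\x00\x00").first.gsub("\x00", '')
 i+=s.homeDirectoryDriveLength
 i+=2 * ( ( s.homeDirectoryDriveLength / 2 ) % 2 )
 vprint_good "Home Directory Drive\t: #{homeDirectoryDrive}"
@@ -316,7 +316,7 @@ def parse_decrypted_cache(dec_data, s)
 vprint_good "Additional groups\t: #{relativeId.join ' '}"
 if( s.logonDomainNameLength != 0 )
-logonDomainName = dec_data[i...i+s.logonDomainNameLength+1].split("\x00").first
+logonDomainName = dec_data[i...i+s.logonDomainNameLength+1].split("\x00\x00").first.gsub("\x00", '')
 i+=s.logonDomainNameLength
 i+=2 * ( ( s.logonDomainNameLength / 2 ) % 2 )
 vprint_good "Logon domain name\t: #{logonDomainName}"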
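Review bot: The added `.gsub` is called on the result of `.first`, which is nil when the slice is empty or holds only NUL bytes (`"\x00\x00".split("\x00\x00")` is `[]`), so each of the ten changed assignments in parse_decrypted_cache can now raise NoMethodError where the old code simply yielded nil; the slice itself is also nil when `i` has run past a truncated buffer. A guard such as `upn = (dec_data[i...i+s.upnLength+1].to_s.split("\x00\x00").first || '').gsub("\x00", '')` keeps one malformed cache entry from aborting the whole parse. Separately, splitting on `"\x00\x00"` is not aligned to 2-byte code units and stripping every NUL only recovers names whose characters all have a zero high byte, so other names come out truncated or mangled. Decoding the slice as UTF-16LE in one small helper shared by all ten fields would be more reliable, if the Ruby versions the project supports allow it. The function begins and ends outside these hunks, so the bounds of `i` against `dec_data` could not be checked from here.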