diff --git a/examples/secretsdump.py b/examples/secretsdump.py
index 1ab5616ed..bc335ecb7 100755
--- a/examples/secretsdump.py
+++ b/examples/secretsdump.py
@@ -291,8 +291,9 @@ def dump(self):
 else:
 SECURITYFileName = self.__securityHive
- self.__LSASecrets = LSASecrets(SECURITYFileName, bootKey, self.__remoteOps,
- isRemote=self.__isRemote, history=self.__history)
+ localOps = LocalOperations(self.__systemHive)
+ self.__LSASecrets = LSASecrets(SECURITYFileName, bootKey, self.__remoteOps, localOps, self.__remoteSSMethod,
+ isRemote=self.__isRemote, history=self.__history)
 self.__LSASecrets.dumpCachedHashes()
 if self.__outputFileName is not None:
 self.__LSASecrets.exportCached(self.__outputFileName)
diff --git a/impacket/examples/secretsdump.py b/impacket/examples/secretsdump.py
index 537c45dab..ad29e9032 100644
--- a/impacket/examples/secretsdump.py
+++ b/impacket/examples/secretsdump.py
@@ -1488,7 +1488,7 @@ class SECRET_TYPE:
 LSA_RAW = 2
 LSA_KERBEROS = 3
- def __init__(self, securityFile, bootKey, remoteOps=None, isRemote=False, history=False,
+ def __init__(self, securityFile, bootKey, remoteOps=None, localOps=None, remoteSSMethod=False, isRemote=False, history=False,
 perSecretCallback=lambda secretType, secret: _print_helper(secret)):
 OfflineRegistry.__init__(self, securityFile, isRemote)
 self.__hashedBootKey = b''
@@ -1499,6 +1499,8 @@ def __init__(self, securityFile, bootKey, remoteOps=None, isRemote=False, histor
 self.__cryptoCommon = CryptoCommon()
 self.__securityFile = securityFile
 self.__remoteOps = remoteOps
+ self.__localOps = localOps
+ self.__remoteSSMethod = remoteSSMethod
 self.__cachedItems = []
 self.__secretItems = []
 self.__perSecretCallback = perSecretCallback
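Review bot: The two new arguments to `LSASecrets(...)` are passed positionally between `self.__remoteOps` and the keyword arguments, and the matching `__init__` change in `impacket/examples/secretsdump.py` (hunk @@ -1488) inserts `localOps` and `remoteSSMethod` ahead of the existing `isRemote` and `history` parameters. Any other caller that passes `isRemote` positionally would now silently bind it to `localOps`; appending the new parameters after `history`, or at least passing them here as `localOps=localOps, remoteSSMethod=self.__remoteSSMethod`, keeps the old positions stable and matches the keyword style of the rest of the call. `localOps` is also built from `self.__systemHive` unconditionally, including for remote targets where that path may be unset; this matters because `__printSecret` later dereferences the object, so constructing it only when a SYSTEM hive path is available would be safer. The enclosing `dump` method starts and ends outside this hunk.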
@@ -1691,15 +1693,19 @@ def __printSecret(self, name, secretItem):
 else:
 # We have to get the account the service
 # runs under
- if hasattr(self.__remoteOps, 'getServiceAccount'):
+
+ if hasattr(self.__remoteOps, 'getServiceAccount') and not self.__remoteSSMethod:
 account = self.__remoteOps.getServiceAccount(name[4:])
 if account is None:
 secret = self.UNKNOWN_USER + ':'
 else:
 secret = "%s:" % account
 else:
- # We don't support getting this info for local targets at the moment
- secret = self.UNKNOWN_USER + ':'
+ account = self.__localOps.getServiceAccount(name[4:])
+ if account is None:
+ secret = self.UNKNOWN_USER + ':'
+ else:
+ secret = "%s:" % account
 secret += strDecoded
 elif upperName.startswith('DEFAULTPASSWORD'):
 # defaults password for winlogon
@@ -2915,6 +2921,19 @@ def getBootKey(self):
 return bootKey
+ def getServiceAccount(self, service_name):
+ LOG.debug('Retrieving account for %s service' % service_name)
+ try:
+ winreg = winregistry.Registry(self.__systemHive, False)
+ current_control_set = winreg.getValue('\\Select\\Current')[1]
+ current_control_set = "ControlSet%03d" % current_control_set
+ service_path = f'\\{current_control_set}\\Services\\{service_name}\\ObjectName'
+ object_name_value = winreg.getValue(service_path)
+ account_name = object_name_value[1].decode('utf-16le')
+ return account_name
+ except Exception as e:
+ LOG.error(e)
+ return None
 def checkNoLMHashPolicy(self):
 LOG.debug('Checking NoLMHash Policy')
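Review bot: The new `else` branch dereferences `self.__localOps` without a None check, yet `localOps` defaults to `None` in the updated `__init__`, so any `LSASecrets` constructed without it whose `remoteOps` lacks `getServiceAccount` (or that runs with `remoteSSMethod` set) now raises `AttributeError` where the old code fell back to `UNKNOWN_USER`. Guard the fallback with `account = self.__localOps.getServiceAccount(name[4:]) if self.__localOps is not None else None` and keep the existing `if account is None` check below it. The two branches also repeat the same four lines of account formatting; selecting `account` in the `if`/`else` and formatting it once afterwards would halve the block. `__printSecret` starts and ends outside this hunk.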
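Review bot: In `getServiceAccount`, `object_name_value[1].decode('utf-16le')` indexes the result of `winreg.getValue(service_path)` without checking it; if `getValue` signals a missing key or value with `None` (a service with no `ObjectName` value, for instance), the resulting `TypeError` is swallowed by the broad `except Exception` and logged at ERROR level although it is an expected, non-error condition. Add `if object_name_value is None: return None` before decoding and narrow the `except` so genuine hive-parsing failures remain visible rather than being reduced to a one-line message. The raw REG_SZ data read from the hive may also still carry its UTF-16 NUL terminator, in which case the account name would be written into the secret line with a trailing `\x00`; `.rstrip('\x00')` on the decoded value would avoid that — worth confirming against what `winregistry.Registry.getValue` returns. `checkNoLMHashPolicy` continues outside this hunk.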