Skip to content

Commit

Permalink
Service Account Name with LOCAL
Browse files Browse the repository at this point in the history
  • Loading branch information
brettgus committed Dec 12, 2024
1 parent 0fd9f28 commit e9188ad
Show file tree
Hide file tree
Showing 4 changed files with 3,226 additions and 6 deletions.
5 changes: 3 additions & 2 deletions examples/secretsdump.py
Original file line number Diff line number Diff line change
Expand Up @@ -291,8 +291,9 @@ def dump(self):
else:
SECURITYFileName = self.__securityHive

self.__LSASecrets = LSASecrets(SECURITYFileName, bootKey, self.__remoteOps,
isRemote=self.__isRemote, history=self.__history)
localOps = LocalOperations(self.__systemHive)
self.__LSASecrets = LSASecrets(SECURITYFileName, bootKey, self.__remoteOps, localOps, self.__remoteSSMethod,
isRemote=self.__isRemote, history=self.__history)
self.__LSASecrets.dumpCachedHashes()
if self.__outputFileName is not None:
self.__LSASecrets.exportCached(self.__outputFileName)
Expand Down
Binary file added impacket/examples/.secretsdump.py.un~
Binary file not shown.
27 changes: 23 additions & 4 deletions impacket/examples/secretsdump.py
Original file line number Diff line number Diff line change
Expand Up @@ -1488,7 +1488,7 @@ class SECRET_TYPE:
LSA_RAW = 2
LSA_KERBEROS = 3

def __init__(self, securityFile, bootKey, remoteOps=None, isRemote=False, history=False,
def __init__(self, securityFile, bootKey, remoteOps=None, localOps=None, remoteSSMethod=False, isRemote=False, history=False,
perSecretCallback=lambda secretType, secret: _print_helper(secret)):
OfflineRegistry.__init__(self, securityFile, isRemote)
self.__hashedBootKey = b''
Expand All @@ -1499,6 +1499,8 @@ def __init__(self, securityFile, bootKey, remoteOps=None, isRemote=False, histor
self.__cryptoCommon = CryptoCommon()
self.__securityFile = securityFile
self.__remoteOps = remoteOps
self.__localOps = localOps
self.__remoteSSMethod = remoteSSMethod
self.__cachedItems = []
self.__secretItems = []
self.__perSecretCallback = perSecretCallback
Expand Down Expand Up @@ -1691,15 +1693,19 @@ def __printSecret(self, name, secretItem):
else:
# We have to get the account the service
# runs under
if hasattr(self.__remoteOps, 'getServiceAccount'):

if hasattr(self.__remoteOps, 'getServiceAccount') and not self.__remoteSSMethod:
account = self.__remoteOps.getServiceAccount(name[4:])
if account is None:
secret = self.UNKNOWN_USER + ':'
else:
secret = "%s:" % account
else:
# We don't support getting this info for local targets at the moment
secret = self.UNKNOWN_USER + ':'
account = self.__localOps.getServiceAccount(name[4:])
if account is None:
secret = self.UNKNOWN_USER + ':'
else:
secret = "%s:" % account
secret += strDecoded
elif upperName.startswith('DEFAULTPASSWORD'):
# defaults password for winlogon
Expand Down Expand Up @@ -2915,6 +2921,19 @@ def getBootKey(self):

return bootKey

def getServiceAccount(self, service_name):
LOG.debug('Retrieving account for %s service' % service_name)
try:
winreg = winregistry.Registry(self.__systemHive, False)
current_control_set = winreg.getValue('\\Select\\Current')[1]
current_control_set = "ControlSet%03d" % current_control_set
service_path = f'\\{current_control_set}\\Services\\{service_name}\\ObjectName'
object_name_value = winreg.getValue(service_path)
account_name = object_name_value[1].decode('utf-16le')
return account_name
except Exception as e:
LOG.error(e)
return None

def checkNoLMHashPolicy(self):
LOG.debug('Checking NoLMHash Policy')
Expand Down
Loading

0 comments on commit e9188ad

Please sign in to comment.