fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

secretsdump.py: Dumping credentials without touching disk #1698

Open antuache opened 5 months ago

antuache commented 5 months ago

This PR allows remotely extracting hashes from the SAM and SECURITY (LSA Secrets and cached credentials) registry hives without touching disk. There is no need to save these registry hives to disk and parse them locally.

This feature takes advantage of the WriteDACL privileges held by local administrators to provide temporary read permissions on registry hives. This work was already implemented by @jfjallid on the great tool https://github.com/jfjallid/go-secdump.

In order to use this technique, it is required to use the -inline flag. If a connection error occurs and the extraction is interrupted, the -restore flag can be used to restore the initial state of the registry.

[Screenshot: secretsdump_inline]

Also, the -use-ntds flag has been added as I noticed it was trying to launch the NTDS extraction every time the script was launched.
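The technique described above leaves a distinctive trace on the target: a DACL change on the SAM or SECURITY key, followed (on a clean run) by a second change that writes the original descriptor back, or (on an interrupted run, until -restore is used) by no revert at all. The following is an added detection example written for the defender's side; it is not impacket code and not part of this PR. It assumes registry object auditing is enabled so that Windows Security Event ID 4670 ("Permissions on an object were changed") is recorded for those keys, and that the events have already been parsed into dicts with the field names used below. The sample records, their SDDL strings and the SID are constructed.

```python
"""Flag DACL changes on the SAM / SECURITY registry keys in Security-log
records and tell a grant-then-revert pattern apart from a change that was
left in place.  Added detection example, not impacket or PR code.

Assumptions (not from the PR): Event ID 4670 is audited for these keys and
each record is a dict with the keys used in SAMPLE_EVENTS.
"""
from datetime import datetime

# Kernel object names of the two hives the PR reads.  Sub-keys are matched too.
WATCHED_PREFIXES = (
    "\\REGISTRY\\MACHINE\\SAM",
    "\\REGISTRY\\MACHINE\\SECURITY",
)

# Constructed sample records; a real feed would come from the Security log.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-05-01T10:00:00", "SubjectUserName": "svc_backup",
     "ObjectType": "", "ObjectName": "", "OldSd": "", "NewSd": ""},
    # read access granted to an extra SID on SECURITY ...
    {"EventID": 4670, "TimeCreated": "2024-05-01T10:00:05", "SubjectUserName": "localadmin",
     "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SECURITY",
     "OldSd": "D:(A;;KA;;;SY)(A;;KR;;;BA)",
     "NewSd": "D:(A;;KA;;;SY)(A;;KR;;;BA)(A;CI;KR;;;S-1-5-21-1-2-3-1105)"},
    # ... and on SAM, which is never reverted in this sample (interrupted run)
    {"EventID": 4670, "TimeCreated": "2024-05-01T10:00:06", "SubjectUserName": "localadmin",
     "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SAM",
     "OldSd": "D:(A;;KA;;;SY)",
     "NewSd": "D:(A;;KA;;;SY)(A;CI;KR;;;S-1-5-21-1-2-3-1105)"},
    # original SECURITY descriptor written back four seconds later
    {"EventID": 4670, "TimeCreated": "2024-05-01T10:00:09", "SubjectUserName": "localadmin",
     "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SECURITY",
     "OldSd": "D:(A;;KA;;;SY)(A;;KR;;;BA)(A;CI;KR;;;S-1-5-21-1-2-3-1105)",
     "NewSd": "D:(A;;KA;;;SY)(A;;KR;;;BA)"},
    # unrelated ACL change outside the watched hives: must not be flagged
    {"EventID": 4670, "TimeCreated": "2024-05-01T10:30:00", "SubjectUserName": "installer",
     "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Vendor",
     "OldSd": "D:(A;;KA;;;BA)", "NewSd": "D:(A;;KA;;;BA)(A;;KR;;;BU)"},
]


def is_watched_key(event):
    """True for a 4670 record whose object is one of the watched keys or a sub-key."""
    if event.get("EventID") != 4670 or event.get("ObjectType") != "Key":
        return False
    name = event.get("ObjectName", "").upper()
    return any(name == p or name.startswith(p + "\\") for p in WATCHED_PREFIXES)


def detect_hive_acl_changes(events, restore_window_s=300):
    """Return one finding per DACL change on a watched key.

    A change whose OldSd is written back as NewSd by the same subject on the
    same key within restore_window_s seconds is reported as 'restored after Ns'
    (the temporary-read-permission pattern); the revert record itself is
    consumed and not reported twice.  Anything else is 'left modified'.
    """
    hits = sorted((e for e in events if is_watched_key(e)), key=lambda e: e["TimeCreated"])
    consumed = set()   # indices of records that turned out to be reverts
    findings = []
    for i, e in enumerate(hits):
        if i in consumed:
            continue
        t0 = datetime.fromisoformat(e["TimeCreated"])
        status = "left modified"
        for j in range(i + 1, len(hits)):
            later = hits[j]
            same_key = later["ObjectName"].upper() == e["ObjectName"].upper()
            same_user = later["SubjectUserName"] == e["SubjectUserName"]
            reverted = later["NewSd"] == e["OldSd"]
            dt = (datetime.fromisoformat(later["TimeCreated"]) - t0).total_seconds()
            if same_key and same_user and reverted and dt <= restore_window_s:
                status = "restored after %ds" % dt
                consumed.add(j)
                break
        findings.append({
            "time": e["TimeCreated"],
            "subject": e["SubjectUserName"],
            "key": e["ObjectName"],
            "status": status,
        })
    return findings


if __name__ == "__main__":
    for f in detect_hive_acl_changes(SAMPLE_EVENTS):
        print("%(time)s %(subject)s %(key)s: %(status)s" % f)
```

Both outcomes are worth alerting on: a quick grant-and-revert on these keys is the normal shape of the inline dump, and a change left in place is what an interrupted run looks like before -restore is run. Tune restore_window_s to how long a dump takes in your environment.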

edermi commented 4 months ago

Depending on the permissions to access the remote registry, you could also try to access the data with Backup privileges. I'm working on something similar and this avoids changing permissions on these objects.

byinarie commented 4 months ago

@antuache Please consider submitting this PR to theporgs fork here as well https://github.com/ThePorgs/impacket

This repo doesn't get the care it deserves while theporgs is very much maintained with bug fixes and PRs

AkechiShiro commented 4 months ago

@byinarie is the fortra/impacket repo unmaintained compared to the ThePorgs fork? There is like ~300 commits vs ~50 "new" commits in fortra/impacket.

EDIT: I've read the description of the ThePorgs fork and better understand its purpose.

sagiol commented 2 months ago

@antuache Got the following error: Modifying ACLs failed: 'RemoteOperations' object has no attribute 'prepareDumpInline'