sjryjailcat / creddump

Automatically exported from code.google.com/p/creddump
GNU General Public License v3.0

lsadump #4

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago

1. ./lsadump.py <system hive> <security hive>

ERR: Couldn't find subkey PolSecretEncryptionKey of Policy
Traceback (most recent call last):
  File "./lsadump.py", line 46, in <module>
    secrets = get_file_secrets(sys.argv[1], sys.argv[2])
  File "/pentest/passwords/creddump/framework/win32/lsasecrets.py", line 135, in get_file_secrets
    return get_secrets(sysaddr, secaddr)
  File "/pentest/passwords/creddump/framework/win32/lsasecrets.py", line 126, in get_secrets
    secret = decrypt_secret(enc_secret[0xC:], lsakey)
  File "/pentest/passwords/creddump/framework/win32/lsasecrets.py", line 66, in decrypt_secret
    block_key = key[j:j+7]
TypeError: 'NoneType' object is unsubscriptable

Version: 0.3, Date: 8/1/2012, on BackTrack 5 R3 live USB.
If I try it on the netbook with XP SP3, it works!
But when I try it on the notebook with Win7 Home Premium 64-bit, it doesn't work!

Original issue reported on code.google.com by giow...@gmail.com on 31 Aug 2012 at 9:43

GoogleCodeExporter commented 8 years ago
I was able to get it working on Windows 7 by using some of the changes found in
the diff file here: http://code.google.com/p/volatility/issues/detail?id=92

Original comment by AndrewCo...@gmail.com on 29 Oct 2012 at 8:26

Attachments:

GoogleCodeExporter commented 8 years ago
If you get the error `ValueError: IV must be 16 bytes long`,
then you just need to provide an IV of NUL bytes.

Here's the one-line diff for Andrew's patch:

$ diff creddump_updatedfor7/creddump/framework/win32/lsasecrets.py 
creddump_updatedfor7_ivfix/creddump/framework/win32/lsasecrets.py
97c97
<         aes = AES.new(aeskey, AES.MODE_CBC)
---
>         aes = AES.new(aeskey, AES.MODE_CBC, '\x00'*16)
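Review bot: the IV literal `'\x00'*16` on the new line 97 is a Python 2 str; under Python 3 with PyCryptodome, `AES.new` requires a bytes IV and will reject it, so write `b'\x00'*16` instead (Python 2 accepts that form too). Also add a one-line comment next to the call saying the all-zero IV is intentional for this decryption, otherwise a reader seeing a constant IV passed to AES-CBC will flag it as a placeholder or a weakness.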

and attached is the combined diff against svn r2 version.

cheers

Original comment by lanjelot@gmail.com on 20 Nov 2013 at 6:01

Attachments: