The decryption function implementation needed to support parsing LSASS dumps acquired from XP and 2003 is currently incorrect; basically, the current version contains my latest (failed) approach of porting the algorithm found here.
Detailed description of the problem
The main LSA secret key in LSASS memory is stored in a DES_EXPANDED_KEY structure (definition is here). This struct holds the original DES key in an already scheduled form (inner struct here). BUT it is not the usual pre-scheduled key in a "textbook" format; rather, it is a modified version per Microsoft (original expansion process here).
Other info: the algorithm used for encryption and decryption is actually DESX; however, implementing DESX is a relatively easy task, as it uses
Possible solutions
1. Implement the decryption algorithm as-is, basically porting the code from mimikatz.
2. Find a way to de-schedule the expanded DES key and recover the original key, which could then be used in an existing crypto implementation (pypykatz already has a pure-Python DES implementation that can be used).
3. Convert the expanded key to a K-table used by the existing DES implementation (be careful: I just think this might work, but have never actually done it).
Expected input for solution 1
Provide a Python function that performs the exact same decryption as this function.
The definition should look like the following:
def desx_decrypt(expanded_des_key, input_whitening_key, output_whitening_key, blob):
where
expanded_des_key: 4-byte long unsigned integers in a [16][2] matrix (list) - OR - the expanded key bytes in bytearray format (size is 16*2*4 bytes)
input_whitening_key: 8-byte long bytearray
output_whitening_key: 8-byte long bytearray
blob: data to be decrypted in bytearray format. The blob size is always a multiple of 8 bytes.