Last night, I checked in my offline registry hive library written in Ruby. I had written a really crappy one in C# based on key signatures, rather than parsing the actual tree. This library does it correctly, by parsing the tree. It is still in its infancy, but it works well enough. You may view the code here. One day, I hope this gets merged into the Metasploit trunk in some form or fashion. Tested on Ubuntu 11.10 on ruby 1.9.2p290 (2011-07-09 revision 32553) [x86_64-linux].
root@w00den-pickle:/home/bperry/tmo/hives/ntreg-ruby# ruby ntreg.rb '\Select' ../SYSTEM
Hive name: "SYSTEM"
Found root key: CMI-CreateHive{F10156BE-0E87-4EFB-969E-5DA29D131144}
The values and data of \CMI-CreateHive{F10156BE-0E87-4EFB-969E-5DA29D131144}\Select are:
"Current: \x01\x00\x00\x00"
"Default: \x01\x00\x00\x00"
"Failed: \x00\x00\x00\x00"
"LastKnownGood: \x02\x00\x00\x00"

root@w00den-pickle:/home/bperry/tmo/hives/ntreg-ruby# ruby ntreg.rb '\ControlSet001\Control\Lsa' ../SYSTEM
Hive name: "SYSTEM"
Found root key: CMI-CreateHive{F10156BE-0E87-4EFB-969E-5DA29D131144}
The children of \CMI-CreateHive{F10156BE-0E87-4EFB-969E-5DA29D131144}\ControlSet001\Control\Lsa are:
"AccessProviders"
"Audit"
"Credssp"
"Data"
"FipsAlgorithmPolicy"
"GBG"
"JD"
"Kerberos"
"MSV1_0"
"Skew1"
"SSO"
"SspiCache"
The values and data of \CMI-CreateHive{F10156BE-0E87-4EFB-969E-5DA29D131144}\ControlSet001\Control\Lsa are:
"auditbaseobjects: \x00\x00\x00\x00"
"auditbasedirectories: \x00\x00\x00\x00"
"crashonauditfail: \x00\x00\x00\x00"
"fullprivilegeauditing: \x00\x00\x00\x00"
"Bounds: \x000\x00\x00\x00 \x00\x00"
"LimitBlankPasswordUse: \x01\x00\x00\x00"
"NoLmHash: \x01\x00\x00\x00"
"Notification Packages: s\x00c\x00e\x00c\x00l\x00i\x00\x00\x00\x00\x00"
"Security Packages: k\x00e\x00r\x00b\x00e\x00r\x00o\x00s\x00\x00\x00m\x00s\x00v\x001\x00_\x000\x00\x00\x00s\x00c\x00h\x00a\x00n\x00n\x00e\x00l\x00\x00\x00w\x00d\x00i\x00g\x00e\x00s\x00t\x00\x00\x00t\x00s\x00p\x00k\x00g\x00\x00\x00p\x00k\x00u\x002\x00u\x00\x00\x00\x00\x00"
"Authentication Packages: m\x00s\x00v\x001\x00_\x000\x00\x00\x00\x00\x00"
"LsaPid: \xEC\x01\x00\x00"
"SecureBoot: \x01\x00\x00\x00"
"ProductType: \x02\x00\x00\x00"
"disabledomaincreds: \x00\x00\x00\x00"
"everyoneincludesanonymous: \x00\x00\x00\x00"
"forceguest: \x00\x00\x00\x00"
"restrictanonymous: \x00\x00\x00\x00"
"restrictanonymoussam: \x01\x00\x00\x00"
root@w00den-pickle:/home/bperry/tmo/hives/ntreg-ruby#
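As an added example (this is not the ntreg.rb code from the post, and the class and method names are my own), the block below shows what "parsing the actual tree" means for the regf format: a small Ruby walker that resolves a key path by following nk key records through their lf subkey lists, then reads the key's vk value records, decoding REG_DWORD and REG_MULTI_SZ data instead of printing the raw bytes the runs above show. A real SYSTEM hive cannot be embedded inline, so the block also carries a builder that constructs a synthetic hive holding the same keys and values seen above; the builder, its flag values and the fact that it fills in only the header fields the walker reads are all assumptions of this example.

```ruby
HBIN_BASE, REG_DWORD, REG_MULTI_SZ = 0x1000, 4, 7   # first hbin sits at file offset 0x1000

# Builds a synthetic hive image (constructed sample data, not a real SYSTEM file).
class HiveBuilder
  def initialize; @cells = "".b; end
  # Append an in-use cell (negative int32 size, 8-byte aligned); return its hbin-relative offset.
  def cell(payload)
    size = (payload.bytesize + 4 + 7) & ~7
    off = 0x20 + @cells.bytesize                      # 0x20: hbin header size
    @cells << [-size].pack("l<") << payload.b.ljust(size - 4, "\0".b)
    off
  end
  # vk record; data of 4 bytes or less lives in the offset field itself, flagged by the high bit of size.
  def vk(name, type, data)
    data = data.b
    size, off = data.bytesize <= 4 ? [data.bytesize | 0x80000000, data.ljust(4, "\0".b).unpack1("V")] : [data.bytesize, cell(data)]
    cell(["vk", name.bytesize, size, off, type, 1, 0].pack("a2 v V V V v v") + name.b)
  end
  # nk record (76-byte header + name); subkeys via an "lf" list of (offset, name hash) pairs, values via an array of vk offsets.
  def nk(name, subkeys: [], values: [], flags: 0x20)
    list = subkeys.empty? ? 0xffffffff : cell(["lf", subkeys.size].pack("a2 v") + subkeys.map { |o| [o, 0].pack("V V") }.join)
    vals = values.empty? ? 0xffffffff : cell(values.pack("V*"))
    hdr = ["nk", flags, 0, 0, 0xffffffff, subkeys.size, 0, list, 0xffffffff, values.size, vals,
           0xffffffff, 0xffffffff, 0, 0, 0, 0, 0, name.bytesize, 0]   # unused fields: 0 / 0xffffffff
    cell(hdr.pack("a2 v Q< V15 v v") + name.b)
  end
  # regf base block (root cell offset at 0x24) followed by a single hbin.
  def to_hive(root_off)
    size = (0x20 + @cells.bytesize + 0xfff) & ~0xfff
    hbin = ["hbin", 0, size].pack("a4 V V").ljust(0x20, "\0".b) + @cells
    base = "regf".b.ljust(0x24, "\0".b) + [root_off, size].pack("V V")
    base.ljust(HBIN_BASE, "\0".b) + hbin.ljust(size, "\0".b)
  end
end

# Walks a regf image through the nk / lf / vk cell tree.
class Hive
  def initialize(bytes)
    @b = bytes.b
    raise "not a regf hive" unless @b[0, 4] == "regf"
    @root = @b[0x24, 4].unpack1("V")
  end
  # Cell payload at an hbin-relative offset, skipping the int32 size header; free cells are rejected.
  def cell(off)
    size = @b[HBIN_BASE + off, 4].unpack1("l<")
    raise "free cell at 0x#{off.to_s(16)}" unless size < 0
    @b[HBIN_BASE + off + 4, -size - 4]
  end
  def key_name(nk); nk[76, nk[72, 2].unpack1("v")]; end   # assumes the usual KEY_COMP_NAME (8-bit) form
  def subkeys(nk)
    count, list_off = nk[20, 4].unpack1("V"), nk[28, 4].unpack1("V")
    return [] if count.zero?
    list = cell(list_off)
    raise "unsupported subkey list #{list[0, 2]}" unless %w[lf lh].include?(list[0, 2])
    Array.new(count) { |i| cell(list[4 + i * 8, 4].unpack1("V")) }
  end
  # name => decoded data: REG_DWORD -> Integer, REG_MULTI_SZ -> Array of String, anything else raw bytes.
  def values(nk)
    count, list_off = nk[36, 4].unpack1("V"), nk[40, 4].unpack1("V")
    return {} if count.zero?
    list = cell(list_off)
    Array.new(count) { |i| cell(list[i * 4, 4].unpack1("V")) }.each_with_object({}) do |vk, h|
      name_len, size, off, type = vk.unpack("x2 v V V V")
      raw = (size & 0x80000000) != 0 ? vk[8, size & 0x7fffffff] : cell(off)[0, size]
      h[name_len.zero? ? "(Default)" : vk[20, name_len]] = decode(type, raw)
    end
  end
  def decode(type, raw)
    return raw.unpack1("V") if type == REG_DWORD
    return raw.force_encoding("UTF-16LE").encode("UTF-8").split("\0").reject(&:empty?) if type == REG_MULTI_SZ
    raw
  end
  # Resolve a backslash-separated path from the root key (names are case-insensitive); nil if absent.
  def lookup(path)
    node = cell(@root)
    path.split("\\").reject(&:empty?).each do |part|
      node = subkeys(node).find { |nk| key_name(nk).casecmp?(part) }
      return nil unless node
    end
    node
  end
end

# Sample hive holding the keys and values shown in the output above (constructed, not read from disk).
def build_sample_hive
  b = HiveBuilder.new
  packages = (%w[kerberos msv1_0 schannel wdigest tspkg pku2u].join("\0") + "\0\0").encode("UTF-16LE")
  lsa = b.nk("Lsa", values: [b.vk("NoLmHash", REG_DWORD, [1].pack("V")), b.vk("LsaPid", REG_DWORD, [0x1ec].pack("V")),
                             b.vk("Security Packages", REG_MULTI_SZ, packages)])
  cs1 = b.nk("ControlSet001", subkeys: [b.nk("Control", subkeys: [lsa])])
  sel = b.nk("Select", values: { "Current" => 1, "Default" => 1, "LastKnownGood" => 2 }.map { |n, v| b.vk(n, REG_DWORD, [v].pack("V")) })
  b.to_hive(b.nk("CMI-CreateHive{F10156BE-0E87-4EFB-969E-5DA29D131144}", subkeys: [cs1, sel], flags: 0x2c))
end

hive = Hive.new(build_sample_hive)
p hive.values(hive.lookup('\ControlSet001\Control\Lsa'))
```

Two details matter when this is pointed at a real hive rather than the synthetic one. Cell offsets in nk, vk and list records are relative to the first hbin, not to the start of the file, and a cell whose size field is positive is free space that may still hold stale (possibly deleted) keys and values, which is why `cell` refuses it rather than silently walking into it. Real hives also use `lh`, `li` and `ri` subkey lists, "db" big-data cells for large values, and volatile subkey lists, none of which this walker handles, so treat it as an illustration of the tree walk rather than a drop-in parser.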