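# Require an elevated session. On failure the script stops with a non-zero
# exit code, so a calling script or scheduler can tell that nothing ran
# (a bare `exit` would report success).
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal = [Security.Principal.WindowsPrincipal] $currentIdentity
if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Host "You need to run this script as an Administrator."
    exit 1
}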
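# Validate file paths.
# Both paths point at offline copies of the SAM and SYSTEM registry hives.
# Per the script's stated purpose these hold password-hash material, so copies
# kept at the drive root warrant the same access restrictions as the live hives.
$samFilePath = "C:\sam"
$systemFilePath = "C:\system"

# -LiteralPath keeps wildcard characters in a path from being expanded, and
# -PathType Leaf rejects a directory of the same name, which a bare Test-Path
# would accept and which would only fail later when the file is opened.
if (-not $samFilePath -or -not (Test-Path -LiteralPath $samFilePath -PathType Leaf)) {
    throw "SAM file path '$samFilePath' is empty or is not an existing file."
}
if (-not $systemFilePath -or -not (Test-Path -LiteralPath $systemFilePath -PathType Leaf)) {
    throw "SYSTEM file path '$systemFilePath' is empty or is not an existing file."
}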
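# Compile P/Invoke declarations for the LSA policy functions in advapi32.dll.
# Nothing later in this script references [LSA]; the type is declared but unused.
# NOTE(review): if it stays unused, removing this Add-Type keeps LSA private-data
# interop out of the session entirely.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;

public class LSA {
    // LsaOpenPolicy, LsaRetrievePrivateData and LsaFreeMemory report failure
    // through their NTSTATUS return value rather than the thread's last-error
    // code, so SetLastError is not requested on them. Convert a returned status
    // with LsaNtStatusToWinError before comparing it to Win32 error codes.

    // Opens a handle to the LSA Policy object; returns an NTSTATUS.
    [DllImport("advapi32.dll", PreserveSig=true, CharSet=CharSet.Auto)]
    public static extern int LsaOpenPolicy(
        ref LSA_UNICODE_STRING SystemName,
        ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
        int AccessMask,
        out IntPtr PolicyHandle
    );

    // Maps an NTSTATUS returned by an Lsa* call to a Win32 error code.
    [DllImport("advapi32.dll")]
    public static extern int LsaNtStatusToWinError(int status);

    // Reads the private data stored under KeyName. PrivateData receives a
    // buffer allocated by LSA that must be released with LsaFreeMemory.
    [DllImport("advapi32.dll")]
    public static extern int LsaRetrievePrivateData(
        IntPtr PolicyHandle,
        ref LSA_UNICODE_STRING KeyName,
        out IntPtr PrivateData
    );

    // Releases a buffer that an Lsa* function allocated.
    [DllImport("advapi32.dll")]
    public static extern int LsaFreeMemory(IntPtr Buffer);

    // Counted UTF-16 string; Length and MaximumLength are byte counts.
    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_UNICODE_STRING {
        public ushort Length;
        public ushort MaximumLength;
        public IntPtr Buffer;
    }

    // Attribute block passed to LsaOpenPolicy. Field order must match the
    // native layout, so it is left exactly as declared.
    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_OBJECT_ATTRIBUTES {
        public int Length;
        public IntPtr RootDirectory;
        public LSA_UNICODE_STRING ObjectName;
        public int Attributes;
        public IntPtr SecurityDescriptor;
        public IntPtr SecurityQualityOfService;
    }
}
"@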
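# Convert a byte array to a lowercase hexadecimal string, two digits per byte.
# Returns an empty string when the array is null or empty.
function ConvertTo-HexString {
    param (
        [byte[]]$Bytes
    )

    # Piping $null into ForEach-Object still runs the script block once, which
    # then fails on the method call, so "no bytes" is handled up front.
    if ($null -eq $Bytes -or $Bytes.Length -eq 0) {
        return ''
    }

    # BitConverter yields "00-FF-10"; strip the separators and lower-case the
    # result to keep the original "x2" formatting.
    return [System.BitConverter]::ToString($Bytes).Replace('-', '').ToLowerInvariant()
}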
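# Debugging: Output the paths
Write-Host "SAM Path: $samFilePath"
Write-Host "SYSTEM Path: $systemFilePath"

# Hash extraction is not implemented in this script; the only thing reported is
# the size of each hive file. The sizes are taken from file metadata, so the
# hive contents are never loaded into the PowerShell session just to be measured.
$hiveFileSizes = [ordered]@{
    SAMFileSize    = ([System.IO.FileInfo]$samFilePath).Length
    SystemFileSize = ([System.IO.FileInfo]$systemFilePath).Length
}

# The heading says what is actually printed. A hashtable travels down the
# pipeline as a single object, so its entries are enumerated explicitly;
# piping it straight into ForEach-Object printed one empty "key: value" line.
Write-Host "Hive file sizes (hash extraction is not implemented):"
foreach ($entry in $hiveFileSizes.GetEnumerator()) {
    Write-Host "$($entry.Key): $($entry.Value)"
}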