        /// <summary>
        /// Extracts the boot key from an offline SYSTEM hive on disk and compares its
        /// hexadecimal form with the known value for that test hive.
        /// </summary>
        public void BootKeyRetriever_Hive1()
        {
            // HACK: The hive location is an absolute, machine-specific path; it should become relative to the test data directory.
            const string hivePath        = @"C:\Users\michael\Source\Workspaces\Workspace\DSInternals\TestData\IFM\registry\SYSTEM";
            const string expectedBootKey = "41e34661faa0d182182f6ddf0f0ca0d1";

            string actualBootKey = BootKeyRetriever.GetBootKey(hivePath).ToHex();

            Assert.AreEqual(expectedBootKey, actualBootKey);
        }
        /// <summary>
        /// Derives the AD LDS/ADAM boot key from the two pekList attributes (root object and schema NC)
        /// and checks the result against a known value.
        /// </summary>
        public void BootKeyRetriever_LDS()
        {
            // AD LDS/ADAM: the boot key is combined from two pekList blobs rather than read from a hive.
            const string expectedBootKey = "51f9a1e2282c7b7a79f0ba210d1e8ef7";

            byte[] rootPekList   = "e2b95102f97b7528a7e2477a2406438f97974fabd412be91aca18a2c241d513482a51553d3f28b26".HexToBinary();
            byte[] schemaPekList = "cb6ef0da6e2069f735b8211ee6071fb206ba4ade0d048e4b279decdc174747bb55ee46a321796c8a".HexToBinary();

            byte[] actualBootKey = BootKeyRetriever.GetBootKey(rootPekList, schemaPekList);

            // Lower-case hex is expected, hence ToHex(false).
            Assert.AreEqual(expectedBootKey, actualBootKey.ToHex(false));
        }
        /// <summary>
        /// Decrypts a Windows Server 2019 AD LDS pekList with a boot key derived from the
        /// root object and schema object pekLists, then sanity-checks the parsed PEK.
        /// </summary>
        public void PasswordEncryptionKey_DataStorePEK_LDS_W2019_Decrypt()
        {
            byte[] rootPekList   = "6d94991d9c0fe72837db099c28aa12f81ea1fc285c893f51fdd9e062d8d2a3ed6eb4ac1457e1fdd3".HexToBinary();
            byte[] schemaPekList = "e657f7626023770ce6a0bc7e9a1e8468c34abf61abea225824c9e100a3e789aab2814796a5cb8b07".HexToBinary();
            byte[] configPekList = "0300000001000000f25b8e6b334557b94514ade0bc4c36d706b7fc0250897ce8a87f0c4edb47280303f18e4cfc4caf56fdce7eadcdae0becef361f92d7db50c69745c82604a0f52b767410638342fb66b638cd965edc90d300000000000000000000000000000000".HexToBinary();

            // The two fake pekLists combine into the boot key that protects the real one.
            byte[] bootKey = BootKeyRetriever.GetBootKey(rootPekList, schemaPekList);

            // Decrypt the configuration NC pekList with that boot key.
            var decryptor = new DataStoreSecretDecryptor(configPekList, bootKey);

            // Sanity checks: expected format version and a 16-byte current key.
            Assert.AreEqual(PekListVersion.W2016, decryptor.Version);
            Assert.AreEqual(16, decryptor.CurrentKey.Length);
        }
        /// <summary>
        /// Decrypts the supplementalCredentials blob of an AD LDS 2016 test user with a PEK
        /// recovered from the pekLists. The decrypted output is not yet validated; the test
        /// ends with an inconclusive assertion.
        /// </summary>
        public void PasswordEncryptionKey_DataStoreSupplementalCredentials_LDS2016_Decrypt()
        {
            // Input
            byte[] rootObjectPekList       = "D3433ED00F5CBA529A2CC7CC53403803F331B0CEA913E8DE16A87379BC27635363A52C79CA54D5B0".HexToBinary();
            byte[] schemaObjectPekList     = "0A1B334917DC2815D149D2BE5C3D653C22DC91FB03608E4AE0F5EA79CCD098D989C2146BFF7BD66D".HexToBinary();
            byte[] configNCPekList         = "0300000001000000A0F0A0BB2BF94ED078F440941FEEF85C586E776F6D292254DEDC31DF47DC3026D3D7F7C6AB80FDB24D54CF50C89B3185892E85C70DEC9B3A89690938E827F4442C674AC548524CBEE75A881CBBD23ACB00000000000000000000000000000000".HexToBinary();
            byte[] supplementalCredentials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exToBinary();
            // Test-only account used to produce the blob above.
            // User: CN=john,DC=dsinternals,DC=com, SID: S-1-368974073-1255603998-1555295481-1167413779-2898941572-359884799, Password: Pa$$w0rd

            // Decrypt: boot key from the fake pekLists, then the real PEK, then the secret.
            byte[] bootKey = BootKeyRetriever.GetBootKey(rootObjectPekList, schemaObjectPekList);
            var    pek     = new DataStoreSecretDecryptor(configNCPekList, bootKey);

            byte[] decryptedSupplementalCredentials = pek.DecryptSecret(supplementalCredentials);

            // No assertion on the decrypted bytes yet; the expected plaintext is kept below for when the check is written.
            throw new AssertInconclusiveException("Supplemental credentials decryption needs to be implemented.");
            // Sample: 0100000001000000e80100000600000001000000e00100003100011d000000000000000000000000af4156909297baece4e553b731d9d552da58c12e5880cad54a3f909c07b0792eec9d262783c811ad9cc7aeb1ab019fe0af4156909297baece4e553b731d9d552af4156909297baece4e553b731d9d552ec9d262783c811ad9cc7aeb1ab019fe0da58c12e5880cad54a3f909c07b0792e95e11e920c7405ca6639d932888cc11c53d9e953141b322f29eb1a02798c299042eea90067734b2a81abbc79618cc1519d9aac28e63107a495266e755f7a2babac6b5dfb3bfa3b7039058310d5b36ccc7c97824dd59b9a6a053b5fae3d8603f20a5e2bc3111c759efb3a91e3740633e83b12daad09e83cb92477ac59993c5a843b12daad09e83cb92477ac59993c5a843b12daad09e83cb92477ac59993c5a8471e7228faba51df979beef06b34f791820aa1475f40540f0db59f9d2d93fc3da5f88f6d82d185741a82c7fa79e801c6d8eae592a0ce55271a17de0b39cf1e5e9923354fb99887724cf2b10e88108776b427804b8a6d6ed92c11ecb94e40da72c0c997bc1906b1f0092d61bd0efee428b0c997bc1906b1f0092d61bd0efee428b0c997bc1906b1f0092d61bd0efee428bd93e9a9a7452dff036a67a5d5d333d7c4effe21b0afc142382943ef26024649aaa6a6a95c237f2b8efa2f13ecb0cb220
        }
        /// <summary>
        /// Decrypts an ntPwdHistory attribute from a Windows Server 2019 AD LDS instance.
        /// The decrypted value is not yet compared with anything; the test ends inconclusive.
        /// </summary>
        public void PasswordEncryptionKey_DataStoreNTHashHistory_LDS_W2019_Decrypt()
        {
            // Input
            byte[] rootPekList   = "6d94991d9c0fe72837db099c28aa12f81ea1fc285c893f51fdd9e062d8d2a3ed6eb4ac1457e1fdd3".HexToBinary();
            byte[] schemaPekList = "e657f7626023770ce6a0bc7e9a1e8468c34abf61abea225824c9e100a3e789aab2814796a5cb8b07".HexToBinary();
            byte[] configPekList = "0300000001000000f25b8e6b334557b94514ade0bc4c36d706b7fc0250897ce8a87f0c4edb47280303f18e4cfc4caf56fdce7eadcdae0becef361f92d7db50c69745c82604a0f52b767410638342fb66b638cd965edc90d300000000000000000000000000000000".HexToBinary();
            byte[] historyBlob   = "130000000000000023E9D52A9EBA23C2F2A0705F58334F05400000001335D99AA6A65ACDE2E94F152D84665F2E29555606B48F5065070000972900582C5F83C01E9144434A2A00A0D27225C2590F8EEFA6ACC820EF885B0CCD4A18699AE57C7C6101FF299AFDA4CF0F92C5B0".HexToBinary();

            // Decrypt: boot key from the fake pekLists, then the PEK, then the history blob.
            byte[] bootKey   = BootKeyRetriever.GetBootKey(rootPekList, schemaPekList);
            var    decryptor = new DataStoreSecretDecryptor(configPekList, bootKey);

            byte[] decryptedHistory = decryptor.DecryptSecret(historyBlob);

            // Validate: not implemented yet; the expected plaintext is kept below.
            throw new AssertInconclusiveException("NT hash decryption needs to be implemented.");
            // Sample: 0300000010000000e24106942bf38bcf57a6a4b29016eff6100000009d978dda95e5185bbeda9b3ae00f84b41000000092937945b518814341de3f726500d4ff
        }
        /// <summary>
        /// Decrypts an ntPwdHistory attribute from a Windows Server 2019 AD LDS instance.
        /// The decrypted value is not yet validated; the test ends with an inconclusive assertion.
        /// </summary>
        public void PasswordEncryptionKey_DataStoreNTHashHistory_LDS_W2019_Decrypt()
        {
            // Input
            byte[] rootObjectPekList       = "6d94991d9c0fe72837db099c28aa12f81ea1fc285c893f51fdd9e062d8d2a3ed6eb4ac1457e1fdd3".HexToBinary();
            byte[] schemaObjectPekList     = "e657f7626023770ce6a0bc7e9a1e8468c34abf61abea225824c9e100a3e789aab2814796a5cb8b07".HexToBinary();
            byte[] configNCPekList         = "0300000001000000f25b8e6b334557b94514ade0bc4c36d706b7fc0250897ce8a87f0c4edb47280303f18e4cfc4caf56fdce7eadcdae0becef361f92d7db50c69745c82604a0f52b767410638342fb66b638cd965edc90d300000000000000000000000000000000".HexToBinary();
            byte[] ntPwdHistory            = "130000000000000023E9D52A9EBA23C2F2A0705F58334F05400000001335D99AA6A65ACDE2E94F152D84665F2E29555606B48F5065070000972900582C5F83C01E9144434A2A00A0D27225C2590F8EEFA6ACC820EF885B0CCD4A18699AE57C7C6101FF299AFDA4CF0F92C5B0".HexToBinary();
            // supplementalCredentials is parsed but not used by this test.
            byte[] supplementalCredentials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exToBinary();

            // Decrypt: boot key from the fake pekLists, then the PEK, then the history blob.
            byte[] bootKey = BootKeyRetriever.GetBootKey(rootObjectPekList, schemaObjectPekList);
            var    pek     = new DataStoreSecretDecryptor(configNCPekList, bootKey);

            byte[] decryptedNTPwdHistory = pek.DecryptSecret(ntPwdHistory);

            // Validate: not implemented yet; the expected plaintext is kept below.
            throw new AssertInconclusiveException("NT hash decryption needs to be implemented.");
            // Sample: 0300000010000000e24106942bf38bcf57a6a4b29016eff6100000009d978dda95e5185bbeda9b3ae00f84b41000000092937945b518814341de3f726500d4ff
        }
        /// <summary>
        /// Decrypts the unicodePwd attribute from a Windows Server 2012 AD LDS instance and
        /// checks the resulting NT hash. The ntPwdHistory and supplementalCredentials inputs
        /// are parsed but not yet checked, so the test ends with an inconclusive assertion.
        /// </summary>
        public void PasswordEncryptionKey_DataStoreNTHash_LDS_W2012_Decrypt()
        {
            // Input
            byte[] rootObjectPekList       = "9BB87C8DBF9FA23A75D59E9B8F2F993C2BF966B31F097BB9FB0C9478F00F83B1F3797B8D7D35C0B5".HexToBinary();
            byte[] schemaObjectPekList     = "22EEA8E5F33566076049AF604B4930108FB3FF08FDC3348F02BAB3CE84BBB045ED42D2DD580893CA".HexToBinary();
            byte[] configNCPekList         = "02000000010000006124C9825F761BCAF07C2B65161CBC1B3240F1C9169BB1478CEB3B38C47FB6FC7BDB8B206DB6AD31A3DF20F35A9DEF6A49312EE7D6A4B80963A0FA2D75F3F7CB239F8E61".HexToBinary();
            byte[] unicodePwd              = "1100000000000000BC0BF58E1B2238CDC5005612D1EE97E50699858A2CC8A46C1F0A47F99AB477D3".HexToBinary();
            // Not exercised yet; see the inconclusive assertion at the end.
            byte[] ntPwdHistory            = "1100000000000000F87413526E2F737110ACC36C7A82E7459B4C130C62D70A00C47659931A5EE26D10DD85F55AEDF165".HexToBinary();
            byte[] supplementalCredentials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exToBinary();

            // Upper-case hex, matching ToHex(true) below.
            string expectedHash = "92937945B518814341DE3F726500D4FF";

            // Perform decryption: boot key from the fake pekLists, then the PEK, then the secret.
            byte[] bootKey         = BootKeyRetriever.GetBootKey(rootObjectPekList, schemaObjectPekList);
            var    pek             = new DataStoreSecretDecryptor(configNCPekList, bootKey);
            string decryptedNTHash = pek.DecryptSecret(unicodePwd).ToHex(true);

            // Validate
            Assert.AreEqual(expectedHash, decryptedNTHash);

            throw new AssertInconclusiveException("Checks for NT history have to be added.");
        }
 /// <summary>
 /// Obtains the boot key either from the live registry (-Online) or from the SYSTEM hive
 /// file given by SystemHiveFilePath, and writes it to the pipeline as a hex string.
 /// Failures are surfaced as terminating errors with a category chosen per exception type.
 /// </summary>
 protected override void BeginProcessing()
 {
     try
     {
         // Online: read the key from the running system; offline: parse the hive file after resolving its PowerShell path.
         byte[] bootKey = Online.IsPresent
             ? BootKeyRetriever.GetBootKey()
             : BootKeyRetriever.GetBootKey(this.ResolveFilePath(this.SystemHiveFilePath));

         this.WriteObject(bootKey.ToHex());
     }
     catch (SessionStateException ex)
     {
         // Path resolution failures (drive, item or provider not found) already carry a PowerShell error record; terminate with it.
         this.ThrowTerminatingError(new ErrorRecord(ex.ErrorRecord, ex));
     }
     catch (Win32Exception ex)
     {
         // Map the native error code onto a PowerShell error category and report the hive path as the target.
         ErrorCategory psCategory = ((Win32ErrorCode)ex.NativeErrorCode).ToPSCategory();
         var          record     = new ErrorRecord(ex, "GetBootKey_Win32Error", psCategory, this.SystemHiveFilePath);
         this.ThrowTerminatingError(record);
     }
     catch (Exception ex)
     {
         // Anything else is reported as an open error and also terminates the cmdlet.
         var record = new ErrorRecord(ex, "GetBootKey_OtherError", ErrorCategory.OpenError, null);
         this.ThrowTerminatingError(record);
     }
 }
        /// <summary>
        /// Builds the restore-from-media (RFM) script for the domain controller described by
        /// DirectoryContext and writes it to the pipeline. A missing BootKey is read from the
        /// SYSTEM hive expected inside the IFM backup; a missing SysvolPath is likewise derived
        /// from the backup layout. The boot key is verified against the database before any
        /// script is produced.
        /// </summary>
        /// <exception cref="ArgumentException">The boot key does not decrypt the database.</exception>
        protected override void ProcessRecord()
        {
            // Without an explicit boot key, fall back to the SYSTEM hive of the IFM backup.
            if (this.BootKey == null)
            {
                string hivePath = Path.Combine(this.DirectoryContext.DSAWorkingDirectory, DefaultRegistryPath);
                this.BootKey = BootKeyRetriever.GetBootKey(this.ResolveFilePath(hivePath));
            }

            // Refuse to generate a script around a key that cannot decrypt the database.
            using (var agent = new DirectoryAgent(this.DirectoryContext))
            {
                if (!agent.CheckBootKey(this.BootKey))
                {
                    throw new ArgumentException("The boot key provided cannot be used to decrypt the database.", "BootKey");
                }
            }

            var domainController = this.DirectoryContext.DomainController;

            // Without an explicit SYSVOL path, presume the IFM backup layout.
            if (this.SysvolPath == null)
            {
                this.SysvolPath = Path.Combine(this.DirectoryContext.DSAWorkingDirectory, DefaultSysvolPath, domainController.DomainName);
            }

            // TODO: Check that the DC is a GC
            // TODO: Check that the DC is not a RODC
            // TODO: Check DNS partition presence
            // TODO: Check backup expiration time

            // Fill the script template's placeholders with values taken from the database.
            var script = new StringBuilder(LoadScriptTemplate());
            script.Replace("{DCName}", domainController.Name)
                  .Replace("{DCGuid}", domainController.Guid.ToString())
                  .Replace("{DomainName}", domainController.DomainName)
                  .Replace("{NetBIOSDomainName}", domainController.NetBIOSDomainName)
                  .Replace("{ForestName}", domainController.ForestName)
                  .Replace("{DomainGuid}", domainController.DomainGuid.ToString())
                  .Replace("{DomainSid}", domainController.DomainSid.ToString())
                  .Replace("{DomainMode}", ((int)domainController.DomainMode).ToString())
                  .Replace("{ForestMode}", ((int)domainController.ForestMode).ToString())
                  .Replace("{OSName}", domainController.OSName)
                  .Replace("{OldBootKey}", this.BootKey.ToHex())
                  .Replace("{SourceDBPath}", this.DirectoryContext.DSADatabaseFile)
                  .Replace("{SourceDBDirPath}", this.DirectoryContext.DSAWorkingDirectory)
                  .Replace("{SourceLogDirPath}", this.DirectoryContext.DatabaseLogFilesPath)
                  .Replace("{TargetDBDirPath}", @"$env:SYSTEMROOT\NTDS")
                  .Replace("{TargetLogDirPath}", @"$env:SYSTEMROOT\NTDS")
                  .Replace("{SourceSysvolPath}", this.ResolveDirectoryPath(this.SysvolPath))
                  .Replace("{TargetSysvolPath}", @"$env:SYSTEMROOT\SYSVOL");

            // dcpromo needs the DSRM password in cleartext inside the script, so the SecureString
            // content unavoidably becomes a managed string here, contrary to best practice.
            using (var dsrmPassword = new SafeUnicodeSecureStringPointer(this.SafeModeAdministratorPassword))
            {
                script.Replace("{DSRMPassword}", dsrmPassword.ToString());
            }

            // Emit the finished script and drop the builder's copy of it.
            this.WriteObject(script.ToString());
            script.Clear();
        }
 /// <summary>
 /// Reads the boot key from the live registry and only checks that it has the expected length.
 /// </summary>
 public void BootKeyRetriever_Online()
 {
     byte[] liveBootKey = BootKeyRetriever.GetBootKey();

     // The value differs per machine, so the length is the only stable check.
     Assert.AreEqual(BootKeyRetriever.BootKeyLength, liveBootKey.Length);
 }
 /// <summary>
 /// Calls the file-based overload with a null hive path; the outcome is left to the test attributes.
 /// </summary>
 public void BootKeyRetriever_NullFile()
 {
     string hivePath = null;
     BootKeyRetriever.GetBootKey(hivePath);
 }
 /// <summary>
 /// Calls the file-based overload with a path that does not exist; the outcome is left to the test attributes.
 /// </summary>
 public void BootKeyRetriever_NonExistingFile()
 {
     const string missingHivePath = @"C:\xxxxxx";
     BootKeyRetriever.GetBootKey(missingHivePath);
 }