Ejemplo n.º 1
0
        public void Execute(Dictionary <string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: User DPAPI Credential and Vault Triage\r\n");
            arguments.Remove("triage");

            string server = "";             // used for remote server specification

            if (arguments.ContainsKey("/server"))
            {
                server = arguments["/server"];
                Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
            }

            // {GUID}:SHA1 keys are the only ones that don't start with /
            Dictionary <string, string> masterkeys = new Dictionary <string, string>();

            foreach (KeyValuePair <string, string> entry in arguments)
            {
                if (!entry.Key.StartsWith("/"))
                {
                    masterkeys.Add(entry.Key, entry.Value);
                }
            }
            if (arguments.ContainsKey("/pvk"))
            {
                // use a domain DPAPI backup key to triage masterkeys
                masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
            }
            else if (arguments.ContainsKey("/mkfile"))
            {
                masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
            }
            else if (arguments.ContainsKey("/password"))
            {
                string password = arguments["/password"];
                Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
                masterkeys = Triage.TriageUserMasterKeysWithPass(password);
            }

            if (arguments.ContainsKey("/server") && !arguments.ContainsKey("/pvk"))
            {
                Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !");
            }
            else
            {
                Triage.TriageUserCreds(masterkeys, server);
                Triage.TriageUserVaults(masterkeys, server);
                Console.WriteLine();
                if (masterkeys.Count == 0)
                {
                    // try to use CryptUnprotectData if no GUID lookups supplied
                    Triage.TriageRDCMan(masterkeys, server, true);
                }
                else
                {
                    Triage.TriageRDCMan(masterkeys, server, false);
                }
            }
        }
Ejemplo n.º 2
0
        public void Execute(Dictionary <string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: RDG Triage\r\n");
            arguments.Remove("rdg");

            // whether to use CryptUnprotectData() instead of masterkeys
            bool unprotect = false;

            if (arguments.ContainsKey("/unprotect"))
            {
                unprotect = true;
                arguments.Remove("/unprotect");

                Console.WriteLine("[*] Using CryptUnprotectData() to decrypt RDG passwords\r\n");

                if (arguments.ContainsKey("/server"))
                {
                    Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !");
                    return;
                }
            }

            if (arguments.ContainsKey("/target"))
            {
                string target = arguments["/target"];
                arguments.Remove("/target");

                if (arguments.ContainsKey("/pvk"))
                {
                    // using a domain backup key to decrypt everything
                    string pvk64 = arguments["/pvk"];
                    byte[] backupKeyBytes;

                    if (File.Exists(pvk64))
                    {
                        backupKeyBytes = File.ReadAllBytes(pvk64);
                    }
                    else
                    {
                        backupKeyBytes = Convert.FromBase64String(pvk64);
                    }

                    // build a {GUID}:SHA1 masterkey mappings
                    Dictionary <string, string> mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false);

                    if (mappings.Count == 0)
                    {
                        Console.WriteLine("\r\n[!] No master keys decrypted!\r\n");
                    }
                    else
                    {
                        Console.WriteLine("\r\n[*] User master key cache:\r\n");
                        foreach (KeyValuePair <string, string> kvp in mappings)
                        {
                            Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
                        }
                    }

                    Console.WriteLine("\r\n[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!\r\n");
                    arguments = mappings;
                }

                if (File.Exists(target))
                {
                    if (target.EndsWith(".rdg"))
                    {
                        Console.WriteLine("[*] Target .RDG File: {0}\r\n", target);
                        Triage.TriageRDGFile(arguments, target, unprotect);
                    }
                    else if (target.EndsWith(".settings"))
                    {
                        Console.WriteLine("[*] Target RDCMan.settings File: {0}\r\n", target);
                        Triage.TriageRDCManFile(arguments, target, unprotect);
                    }
                    else
                    {
                        Console.WriteLine("[X] Target must be .RDG or RDCMan.settings file: {0}\r\n", target);
                    }
                }
                else if (Directory.Exists(target))
                {
                    Console.WriteLine("[*] Target RDG Folder: {0}\r\n", target);
                    Triage.TriageRDGFolder(arguments, target, unprotect);
                }
                else
                {
                    Console.WriteLine("\r\n[X] '{0}' is not a valid file or directory.", target);
                }
            }

            else if (arguments.ContainsKey("/pvk"))
            {
                // using a domain backup key to decrypt everything

                string pvk64  = arguments["/pvk"];
                string server = "";

                byte[] backupKeyBytes;

                if (File.Exists(pvk64))
                {
                    backupKeyBytes = File.ReadAllBytes(pvk64);
                }
                else
                {
                    backupKeyBytes = Convert.FromBase64String(pvk64);
                }

                Console.WriteLine("[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!");

                // build a {GUID}:SHA1 masterkey mappings
                Dictionary <string, string> mappings = new Dictionary <string, string>();

                if (arguments.ContainsKey("/server"))
                {
                    server = arguments["/server"];
                    Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
                    mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false, server);
                }
                else
                {
                    Console.WriteLine("");
                    mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false);
                }

                if (mappings.Count == 0)
                {
                    Console.WriteLine("[!] No master keys decrypted!\r\n");
                }
                else
                {
                    Console.WriteLine("[*] User master key cache:\r\n");
                    foreach (KeyValuePair <string, string> kvp in mappings)
                    {
                        Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
                    }
                    Console.WriteLine();
                }

                Triage.TriageRDCMan(mappings, server, unprotect);
            }
            else
            {
                if (arguments.ContainsKey("/server"))
                {
                    //Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !");
                    Console.WriteLine("[X] /server:X option not currently supported for this function!");
                }
                else
                {
                    Triage.TriageRDCMan(arguments, "", unprotect);
                }
            }
        }
Ejemplo n.º 3
0
        public void Execute(Dictionary <string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: RDG Triage");
            arguments.Remove("rdg");

            string server    = "";          // used for remote server specification
            bool   unprotect = false;       // whether to force CryptUnprotectData()

            if (arguments.ContainsKey("/unprotect"))
            {
                Console.WriteLine("\r\n[*] Using CryptUnprotectData() for decryption.");
                unprotect = true;
            }
            Console.WriteLine("");

            if (arguments.ContainsKey("/server"))
            {
                server = arguments["/server"];
                Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
            }

            // {GUID}:SHA1 keys are the only ones that don't start with /
            Dictionary <string, string> masterkeys = new Dictionary <string, string>();

            foreach (KeyValuePair <string, string> entry in arguments)
            {
                if (!entry.Key.StartsWith("/"))
                {
                    masterkeys.Add(entry.Key, entry.Value);
                }
            }
            if (arguments.ContainsKey("/pvk"))
            {
                // use a domain DPAPI backup key to triage masterkeys
                masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
            }
            else if (arguments.ContainsKey("/mkfile"))
            {
                masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
            }
            else if (arguments.ContainsKey("/password"))
            {
                string password = arguments["/password"];
                Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
                if (arguments.ContainsKey("/server"))
                {
                    masterkeys = Triage.TriageUserMasterKeys(null, true, arguments["/server"], password);
                }
                else
                {
                    masterkeys = Triage.TriageUserMasterKeys(null, true, "", password);
                }
            }

            if (arguments.ContainsKey("/target"))
            {
                string target = arguments["/target"].Trim('"').Trim('\'');

                if (target.EndsWith(".rdg"))
                {
                    Console.WriteLine("[*] Target .RDG File: {0}\r\n", target);
                    Triage.TriageRDGFile(masterkeys, target, unprotect);
                }
                else if (target.EndsWith(".settings"))
                {
                    Console.WriteLine("[*] Target RDCMan.settings File: {0}\r\n", target);
                    Triage.TriageRDCManFile(masterkeys, target, unprotect);
                }
                else
                {
                    Console.WriteLine("[X] Target must be .RDG or RDCMan.settings file: {0}\r\n", target);
                }
            }
            else
            {
                if (arguments.ContainsKey("/server") && !arguments.ContainsKey("/pvk") && !arguments.ContainsKey("/password"))
                {
                    Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' or '/password:X' !");
                }
                else
                {
                    Triage.TriageRDCMan(masterkeys, server, unprotect);
                }
            }
        }
Ejemplo n.º 4
0
        public void Execute(Dictionary <string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: User DPAPI Credential and Vault Triage\r\n");
            arguments.Remove("triage");

            string server = "";

            if (arguments.ContainsKey("/pvk"))
            {
                // using a domain backup key to decrypt everything
                string pvk64          = arguments["/pvk"];
                byte[] backupKeyBytes = Convert.FromBase64String(pvk64);

                Console.WriteLine("[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!");

                // build a {GUID}:SHA1 masterkey mappings
                Dictionary <string, string> mappings = new Dictionary <string, string>();

                if (arguments.ContainsKey("/server"))
                {
                    // triage a remote server for masterkeys using the /pvk dpapi backup key
                    server = arguments["/server"];
                    Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
                    mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false, server);
                }
                else
                {
                    // triage a local server for masterkeys using the /pvk dpapi backup key
                    Console.WriteLine("");
                    mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false);
                }

                if (mappings.Count == 0)
                {
                    Console.WriteLine("[!] No master keys decrypted!\r\n");
                }
                else
                {
                    Console.WriteLine("[*] Master key cache:\r\n");
                    foreach (KeyValuePair <string, string> kvp in mappings)
                    {
                        Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
                    }
                    Console.WriteLine();
                }

                Triage.TriageUserCreds(mappings, server);
                Triage.TriageUserVaults(mappings, server);
                Console.WriteLine();
                Triage.TriageRDCMan(mappings, server, false);

                return;
            }
            else
            {
                if (arguments.ContainsKey("/server"))
                {
                    Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !");
                    return;
                }
                else
                {
                    Triage.TriageUserCreds(arguments);
                    Triage.TriageUserVaults(arguments);
                    Console.WriteLine();
                    if (arguments.Count == 0)
                    {
                        // try to use CryptUnprotectData if no GUID lookups supplied
                        Triage.TriageRDCMan(arguments, "", true);
                    }
                    else
                    {
                        Triage.TriageRDCMan(arguments, "", false);
                    }
                }
            }
        }