public void Execute(Dictionary<string, string> arguments)
{
Console.WriteLine("\r\n[*] Action: Describe DPAPI blob\r\n");
byte[] blobBytes;
if (arguments.ContainsKey("/target"))
{
string blob = arguments["/target"].Trim('"').Trim('\'');
if (File.Exists(blob))
{
blobBytes = File.ReadAllBytes(blob);
}
else
{
blobBytes = Convert.FromBase64String(blob);
}
}
else
{
Console.WriteLine("[X] A /target:<BASE64 | file.bin> must be supplied!");
return;
}
// {GUID}:SHA1 keys are the only ones that don't start with /
Dictionary<string, string> masterkeys = new Dictionary<string, string>();
foreach (KeyValuePair<string, string> entry in arguments)
{
if (!entry.Key.StartsWith("/"))
{
masterkeys.Add(entry.Key, entry.Value);
}
}
if (arguments.ContainsKey("/pvk"))
{
// use a domain DPAPI backup key to triage masterkeys
masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
}
else if (arguments.ContainsKey("/mkfile"))
{
masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
}
byte[] decBytes = Dpapi.DescribeDPAPIBlob(blobBytes, masterkeys, "blob");
if (decBytes.Length != 0)
{
if (Helpers.IsUnicode(decBytes))
{
Console.WriteLine(" dec(blob) : {0}", System.Text.Encoding.Unicode.GetString(decBytes));
}
else
{
string b64DecBytesString = BitConverter.ToString(decBytes).Replace("-", " ");
Console.WriteLine(" dec(blob) : {0}", b64DecBytesString);
}
}
}
public static Result ExtractEncryptedKey(string key, out byte[] encryptedKey)
{
byte[] src = Convert.FromBase64String(key);
byte[] dpapiKey = new byte[5];
byte[] protectedKey = new byte[src.Length - dpapiKey.Length];
Array.Copy(src, 0, dpapiKey, 0, dpapiKey.Length);
Array.Copy(src, dpapiKey.Length, protectedKey, 0, protectedKey.Length);
return(Dpapi.Decrypt(protectedKey, out encryptedKey));
}
public void Execute(Dictionary <string, string> arguments)
{
Console.WriteLine("\r\n[*] Action: Describe DPAPI blob");
byte[] blobBytes;
bool unprotect = false; // whether to force CryptUnprotectData()
if (arguments.ContainsKey("/unprotect"))
{
Console.WriteLine("\r\n[*] Using CryptUnprotectData() for decryption.");
unprotect = true;
}
Console.WriteLine();
if (arguments.ContainsKey("/target"))
{
string blob = arguments["/target"].Trim('"').Trim('\'');
if (File.Exists(blob))
{
blobBytes = File.ReadAllBytes(blob);
}
else
{
blobBytes = Convert.FromBase64String(blob);
}
}
else
{
Console.WriteLine("[X] A /target:<BASE64 | file.bin> must be supplied!");
return;
}
// {GUID}:SHA1 keys are the only ones that don't start with /
Dictionary <string, string> masterkeys = new Dictionary <string, string>();
foreach (KeyValuePair <string, string> entry in arguments)
{
if (!entry.Key.StartsWith("/"))
{
masterkeys.Add(entry.Key, entry.Value);
}
}
if (arguments.ContainsKey("/pvk"))
{
// use a domain DPAPI backup key to triage masterkeys
masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
}
else if (arguments.ContainsKey("/mkfile"))
{
masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
}
//byte[] decBytes = Dpapi.DescribeDPAPIBlob(blobBytes, masterkeys, "blob", unprotect);
if (blobBytes.Length > 0)
{
byte[] decBytesRaw = Dpapi.DescribeDPAPIBlob(blobBytes, masterkeys, "blob", unprotect);
if ((decBytesRaw != null) && (decBytesRaw.Length != 0))
{
if (Helpers.IsUnicode(decBytesRaw))
{
string data = "";
int finalIndex = Array.LastIndexOf(decBytesRaw, (byte)0);
if (finalIndex > 1)
{
byte[] decBytes = new byte[finalIndex + 1];
Array.Copy(decBytesRaw, 0, decBytes, 0, finalIndex);
data = Encoding.Unicode.GetString(decBytes);
}
else
{
data = Encoding.ASCII.GetString(decBytesRaw);
}
Console.WriteLine(" dec(blob) : {0}", data);
}
else
{
string hexData = BitConverter.ToString(decBytesRaw).Replace("-", " ");
Console.WriteLine(" dec(blob) : {0}", hexData);
}
}
}
}
public void Execute(Dictionary <string, string> arguments)
{
Console.WriteLine("\r\n[*] Action: Describe DPAPI blob\r\n");
byte[] blobBytes;
if (arguments.ContainsKey("/in"))
{
string blob = arguments["/in"];
if (File.Exists(blob))
{
blobBytes = File.ReadAllBytes(blob);
}
else
{
blobBytes = Convert.FromBase64String(blob);
}
arguments.Remove("in");
}
else
{
Console.WriteLine("[X] An /in:<BASE64 | file> must be supplied!");
return;
}
if (arguments.ContainsKey("/pvk"))
{
// using a domain backup key to decrypt everything
string pvk64 = arguments["/pvk"];
byte[] backupKeyBytes;
if (File.Exists(pvk64))
{
backupKeyBytes = File.ReadAllBytes(pvk64);
}
else
{
backupKeyBytes = Convert.FromBase64String(pvk64);
}
Console.WriteLine("[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!");
// build a {GUID}:SHA1 masterkey mappings
Dictionary <string, string> mappings = new Dictionary <string, string>();
mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false);
if (mappings.Count == 0)
{
Console.WriteLine("[!] No master keys decrypted!\r\n");
}
else
{
Console.WriteLine("[*] User master key cache:\r\n");
foreach (KeyValuePair <string, string> kvp in mappings)
{
Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
}
Console.WriteLine();
}
byte[] decBytes = Dpapi.DescribeDPAPIBlob(blobBytes, mappings, "blob");
if (decBytes.Length != 0)
{
if (Helpers.IsUnicode(decBytes))
{
Console.WriteLine(" dec(blob) : {0}", System.Text.Encoding.Unicode.GetString(decBytes));
}
else
{
string b64DecBytesString = BitConverter.ToString(decBytes).Replace("-", " ");
Console.WriteLine(" dec(blob) : {0}", b64DecBytesString);
}
}
}
else
{
byte[] decBytes = Dpapi.DescribeDPAPIBlob(blobBytes, arguments, "blob");
if (decBytes.Length != 0)
{
if (Helpers.IsUnicode(decBytes))
{
Console.WriteLine(" dec(blob) : {0}", System.Text.Encoding.Unicode.GetString(decBytes));
}
else
{
string b64DecBytesString = BitConverter.ToString(decBytes).Replace("-", " ");
Console.WriteLine(" dec(blob) : {0}", b64DecBytesString);
}
}
}
}
