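        /// <summary>
        /// Entry point for the "cert" action. Collects {GUID}:SHA1 masterkey mappings from the
        /// arguments (or derives them via /pvk, /mkfile or /password) and triages user
        /// certificate private keys from a remote server, a target file, or the local user store.
        /// </summary>
        /// <param name="arguments">Parsed command-line options; the "cert" key is removed in place.</param>
        public void Execute(Dictionary<string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: Cert Triage");
            arguments.Remove("cert");

            string server = "";             // used for remote server specification

            // {GUID}:SHA1 keys are the only ones that don't start with /
            Dictionary<string, string> masterkeys = new Dictionary<string, string>();

            foreach (KeyValuePair<string, string> entry in arguments)
            {
                // ordinal: option switches are ASCII tokens, not culture-sensitive text
                if (!entry.Key.StartsWith("/", StringComparison.Ordinal))
                {
                    masterkeys.Add(entry.Key, entry.Value);
                }
            }
            if (arguments.ContainsKey("/pvk"))
            {
                // use a domain DPAPI backup key to triage masterkeys
                masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
            }
            else if (arguments.ContainsKey("/mkfile"))
            {
                masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
            }
            else if (arguments.ContainsKey("/password"))
            {
                string password = arguments["/password"];
                // NOTE(review): the password is echoed to stdout, so it lands in any console transcript/log
                Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
                if (arguments.ContainsKey("/server"))
                {
                    masterkeys = Triage.TriageUserMasterKeys(null, true, arguments["/server"], password);
                }
                else
                {
                    masterkeys = Triage.TriageUserMasterKeys(null, true, "", password);
                }
            }

            bool remote = arguments.ContainsKey("/server");
            if (remote)
            {
                server = arguments["/server"];
                Console.WriteLine("[*] Triaging Certificates from remote server: {0}\r\n", server);
                Triage.TriageUserCerts(masterkeys, server);
            }

            if (arguments.ContainsKey("/target"))
            {
                string target = arguments["/target"].Trim('"').Trim('\'');

                Console.WriteLine("[*] Target Certificate File: {0}\r\n", target);
                Triage.TriageCertFile(target, masterkeys);
            }
            else if (!remote)
            {
                // local user store only; the previous unconditional else walked the local store
                // a second time right after the remote /server triage above, which looks unintended
                Triage.TriageUserCerts(masterkeys);
            }

            Console.WriteLine("[*] Hint: openssl pkcs12 -in cert.pem -keyex -CSP \"Microsoft Enhanced Cryptographic Provider v1.0\" -export -out cert.pfx");
        }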
        /// <summary>
        /// Entry point for describing a PSCredential .xml export: resolves the masterkey
        /// mappings from the arguments and hands the target file to
        /// <see cref="Triage.TriagePSCredFile"/>.
        /// </summary>
        /// <param name="arguments">Parsed command-line options (/target, /unprotect, /pvk, /mkfile, /password, /server, plus any {GUID}:SHA1 pairs).</param>
        public void Execute(Dictionary<string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: Describe PSCredential .xml");

            // /unprotect forces CryptUnprotectData() instead of masterkey-based decryption
            bool useCryptUnprotect = arguments.ContainsKey("/unprotect");
            if (useCryptUnprotect)
            {
                Console.WriteLine("\r\n[*] Using CryptUnprotectData() for decryption.");
            }
            Console.WriteLine();

            string target;
            if (!arguments.TryGetValue("/target", out target))
            {
                Console.WriteLine("[X] A /target:<BASE64 | file.bin> must be supplied!");
                return;
            }

            // any key without a leading slash is a {GUID}:SHA1 masterkey pair rather than an option
            Dictionary<string, string> masterkeys = new Dictionary<string, string>();
            foreach (string key in arguments.Keys)
            {
                if (key.StartsWith("/"))
                {
                    continue;
                }
                masterkeys.Add(key, arguments[key]);
            }

            if (arguments.ContainsKey("/pvk"))
            {
                // a domain DPAPI backup key decrypts the masterkeys directly
                masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
            }
            else if (arguments.ContainsKey("/mkfile"))
            {
                masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
            }
            else if (arguments.ContainsKey("/password"))
            {
                string password = arguments["/password"];
                Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
                string remoteHost = arguments.ContainsKey("/server") ? arguments["/server"] : "";
                masterkeys = Triage.TriageUserMasterKeys(null, true, remoteHost, password);
            }

            Triage.TriagePSCredFile(masterkeys, target, useCryptUnprotect);
        }
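        /// <summary>
        /// Entry point for the masterkey triage action: decrypts the current user's DPAPI
        /// masterkey files (locally or on a /server host) with either a domain backup key
        /// (/pvk) or the user's password (/password) and prints the resulting {GUID}:SHA1 cache.
        /// </summary>
        /// <param name="arguments">Parsed command-line options (/pvk, /password, /server).</param>
        public void Execute(Dictionary<string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: User DPAPI Masterkey File Triage\r\n");

            Dictionary<string, string> mappings = new Dictionary<string, string>();

            if (arguments.ContainsKey("/pvk"))
            {
                // /pvk is either a path to a backup key file or the key inline as base64
                string pvk64 = arguments["/pvk"];
                byte[] backupKeyBytes;
                if (File.Exists(pvk64))
                {
                    backupKeyBytes = File.ReadAllBytes(pvk64);
                }
                else
                {
                    try
                    {
                        backupKeyBytes = Convert.FromBase64String(pvk64);
                    }
                    catch (FormatException)
                    {
                        // previously a malformed value surfaced as an unhandled FormatException
                        Console.WriteLine("[X] /pvk value is neither an existing file nor valid base64!");
                        return;
                    }
                }
                if (arguments.ContainsKey("/server"))
                {
                    Console.WriteLine("[*] Triaging remote server: {0}\r\n", arguments["/server"]);
                    mappings = Triage.TriageUserMasterKeys(backupKeyBytes, true, arguments["/server"]);
                }
                else
                {
                    Console.WriteLine();
                    mappings = Triage.TriageUserMasterKeys(backupKeyBytes, true);
                }
            }
            else if (arguments.ContainsKey("/password"))
            {
                string password = arguments["/password"];
                // NOTE(review): echoing the password to stdout puts it in any console transcript/log
                Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
                mappings = Triage.TriageUserMasterKeysWithPass(password);
            }
            else
            {
                Console.WriteLine("[X] A /pvk:BASE64 domain DPAPI backup key or /password must be supplied!");
                return;
            }

            if (mappings.Count == 0)
            {
                Console.WriteLine("\r\n[!] No master keys decrypted!\r\n");
                return;
            }

            Console.WriteLine("\r\n[*] User master key cache:\r\n");
            foreach (KeyValuePair<string, string> kvp in mappings)
            {
                Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
            }
        }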
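        /// <summary>
        /// Entry point for the "rdg" action: resolves masterkey mappings from the arguments
        /// and decrypts Remote Desktop Connection Manager passwords from a target .rdg or
        /// RDCMan.settings file, or from the default RDCMan locations (optionally on /server).
        /// </summary>
        /// <param name="arguments">Parsed command-line options; the "rdg" key is removed in place.</param>
        public void Execute(Dictionary<string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: RDG Triage");
            arguments.Remove("rdg");

            string server    = "";          // used for remote server specification
            bool   unprotect = false;       // whether to force CryptUnprotectData()

            if (arguments.ContainsKey("/unprotect"))
            {
                Console.WriteLine("\r\n[*] Using CryptUnprotectData() for decryption.");
                unprotect = true;
            }
            Console.WriteLine("");

            if (arguments.ContainsKey("/server"))
            {
                server = arguments["/server"];
                Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
            }

            // {GUID}:SHA1 keys are the only ones that don't start with /
            Dictionary<string, string> masterkeys = new Dictionary<string, string>();

            foreach (KeyValuePair<string, string> entry in arguments)
            {
                // ordinal: option switches are ASCII tokens, not culture-sensitive text
                if (!entry.Key.StartsWith("/", StringComparison.Ordinal))
                {
                    masterkeys.Add(entry.Key, entry.Value);
                }
            }
            if (arguments.ContainsKey("/pvk"))
            {
                // use a domain DPAPI backup key to triage masterkeys
                masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
            }
            else if (arguments.ContainsKey("/mkfile"))
            {
                masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
            }
            else if (arguments.ContainsKey("/password"))
            {
                string password = arguments["/password"];
                // NOTE(review): the password is echoed to stdout, so it lands in any console transcript/log
                Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
                if (arguments.ContainsKey("/server"))
                {
                    masterkeys = Triage.TriageUserMasterKeys(null, true, arguments["/server"], password);
                }
                else
                {
                    masterkeys = Triage.TriageUserMasterKeys(null, true, "", password);
                }
            }

            if (arguments.ContainsKey("/target"))
            {
                string target = arguments["/target"].Trim('"').Trim('\'');

                // extension match is case-insensitive: Windows file names are, and a ".RDG" file
                // previously fell through to the "must be .RDG or RDCMan.settings" error
                if (target.EndsWith(".rdg", StringComparison.OrdinalIgnoreCase))
                {
                    Console.WriteLine("[*] Target .RDG File: {0}\r\n", target);
                    Triage.TriageRDGFile(masterkeys, target, unprotect);
                }
                else if (target.EndsWith(".settings", StringComparison.OrdinalIgnoreCase))
                {
                    Console.WriteLine("[*] Target RDCMan.settings File: {0}\r\n", target);
                    Triage.TriageRDCManFile(masterkeys, target, unprotect);
                }
                else
                {
                    Console.WriteLine("[X] Target must be .RDG or RDCMan.settings file: {0}\r\n", target);
                }
            }
            else
            {
                // a remote host can only be triaged with a key source that works off-box
                if (arguments.ContainsKey("/server") && !arguments.ContainsKey("/pvk") && !arguments.ContainsKey("/password"))
                {
                    Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' or '/password:X' !");
                }
                else
                {
                    Triage.TriageRDCMan(masterkeys, server, unprotect);
                }
            }
        }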
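        /// <summary>
        /// Entry point for the "vaults" action: triages user DPAPI vaults, either from a
        /// target vault folder or from the current (or /server) user's vault locations, using
        /// {GUID}:SHA1 mappings supplied directly or derived from a domain backup key (/pvk).
        /// </summary>
        /// <param name="arguments">Parsed command-line options; "vaults" (and "/target" when present) are removed in place.</param>
        public void Execute(Dictionary<string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: User DPAPI Vault Triage\r\n");
            arguments.Remove("vaults");

            if (arguments.ContainsKey("/target"))
            {
                string target = arguments["/target"];
                arguments.Remove("/target");

                if (arguments.ContainsKey("/pvk"))
                {
                    // using a domain backup key to decrypt everything
                    string pvk64 = arguments["/pvk"];
                    byte[] backupKeyBytes;

                    if (File.Exists(pvk64))
                    {
                        backupKeyBytes = File.ReadAllBytes(pvk64);
                    }
                    else
                    {
                        try
                        {
                            backupKeyBytes = Convert.FromBase64String(pvk64);
                        }
                        catch (FormatException)
                        {
                            // previously a malformed value surfaced as an unhandled FormatException
                            Console.WriteLine("[X] /pvk value is neither an existing file nor valid base64!");
                            return;
                        }
                    }

                    Console.WriteLine("[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!\r\n");

                    // build a {GUID}:SHA1 masterkey mappings
                    Dictionary<string, string> mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false);

                    if (mappings.Count == 0)
                    {
                        Console.WriteLine("[!] No master keys decrypted!\r\n");
                    }
                    else
                    {
                        Console.WriteLine("[*] User master key cache:\r\n");
                        foreach (KeyValuePair<string, string> kvp in mappings)
                        {
                            Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
                        }
                        Console.WriteLine();
                    }

                    // from here on the decrypted mappings replace the raw argument dictionary
                    arguments = mappings;
                }

                if (Directory.Exists(target))
                {
                    Console.WriteLine("[*] Target Vault Folder: {0}\r\n", target);
                    Triage.TriageVaultFolder(target, arguments);
                }
                else
                {
                    Console.WriteLine("\r\n[X] '{0}' is not a valid Vault directory.", target);
                }
            }
            else if (arguments.ContainsKey("/pvk"))
            {
                // using a domain backup key to decrypt everything
                string pvk64  = arguments["/pvk"];
                string server = "";

                byte[] backupKeyBytes;

                if (File.Exists(pvk64))
                {
                    backupKeyBytes = File.ReadAllBytes(pvk64);
                }
                else
                {
                    try
                    {
                        backupKeyBytes = Convert.FromBase64String(pvk64);
                    }
                    catch (FormatException)
                    {
                        Console.WriteLine("[X] /pvk value is neither an existing file nor valid base64!");
                        return;
                    }
                }

                Console.WriteLine("[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!");

                // build a {GUID}:SHA1 masterkey mappings
                Dictionary<string, string> mappings = new Dictionary<string, string>();

                if (arguments.ContainsKey("/server"))
                {
                    server = arguments["/server"];
                    Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
                    mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false, server);
                }
                else
                {
                    Console.WriteLine("");
                    mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false);
                }

                if (mappings.Count == 0)
                {
                    Console.WriteLine("[!] No master keys decrypted!\r\n");
                }
                else
                {
                    Console.WriteLine("[*] User master key cache:\r\n");
                    foreach (KeyValuePair<string, string> kvp in mappings)
                    {
                        Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
                    }
                    Console.WriteLine();
                }

                Triage.TriageUserVaults(mappings, server);
            }
            else
            {
                // without /pvk only the local user context is available, so /server cannot be honoured
                if (arguments.ContainsKey("/server"))
                {
                    Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !");
                }
                else
                {
                    Triage.TriageUserVaults(arguments);
                }
            }
        }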
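        /// <summary>
        /// Entry point for the "triage" action: runs credential and vault triage for the
        /// current user, either with {GUID}:SHA1 mappings derived from a domain backup key
        /// (/pvk, optionally against /server) or with whatever mappings were passed directly.
        /// </summary>
        /// <param name="arguments">Parsed command-line options; the "triage" key is removed in place.</param>
        public void Execute(Dictionary<string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: User DPAPI Credential and Vault Triage\r\n");
            arguments.Remove("triage");

            string server = "";

            if (arguments.ContainsKey("/pvk"))
            {
                // using a domain backup key to decrypt everything
                string pvk64 = arguments["/pvk"];
                byte[] backupKeyBytes;

                // consistent with the other actions: /pvk may name a backup key file or carry the
                // key inline as base64 (this action previously accepted base64 only, and a path
                // surfaced as an unhandled FormatException)
                if (System.IO.File.Exists(pvk64))
                {
                    backupKeyBytes = System.IO.File.ReadAllBytes(pvk64);
                }
                else
                {
                    try
                    {
                        backupKeyBytes = Convert.FromBase64String(pvk64);
                    }
                    catch (FormatException)
                    {
                        Console.WriteLine("[X] /pvk value is neither an existing file nor valid base64!");
                        return;
                    }
                }

                Console.WriteLine("[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!");

                // build a {GUID}:SHA1 masterkey mappings
                Dictionary<string, string> mappings = new Dictionary<string, string>();

                if (arguments.ContainsKey("/server"))
                {
                    server = arguments["/server"];
                    Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
                    mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false, server);
                }
                else
                {
                    Console.WriteLine("");
                    mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false);
                }

                if (mappings.Count == 0)
                {
                    Console.WriteLine("[!] No master keys decrypted!\r\n");
                }
                else
                {
                    Console.WriteLine("[*] Master key cache:\r\n");
                    foreach (KeyValuePair<string, string> kvp in mappings)
                    {
                        Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
                    }
                    Console.WriteLine();
                }

                Triage.TriageUserCreds(mappings, server);
                // NOTE(review): vaults are triaged without `server` even when /server was given,
                // unlike the credential call above — confirm whether this is intended
                Triage.TriageUserVaults(mappings);
                return;
            }

            // without /pvk only the local user context is available, so /server cannot be honoured
            if (arguments.ContainsKey("/server"))
            {
                Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !");
                return;
            }

            Triage.TriageUserCreds(arguments);
            Triage.TriageUserVaults(arguments);
        }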
        /// <summary>
        /// Entry point for the "credentials" action: resolves masterkey mappings from the
        /// arguments and triages DPAPI credential files from a target file/folder or from
        /// the local (or remote, via /server) user credential locations.
        /// </summary>
        /// <param name="arguments">Parsed command-line options; the "credentials" key is removed in place.</param>
        public void Execute(Dictionary<string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: User DPAPI Credential Triage\r\n");
            arguments.Remove("credentials");

            bool   remote = arguments.ContainsKey("/server");
            string server = remote ? arguments["/server"] : "";   // used for remote server specification
            if (remote)
            {
                Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
            }

            // any key without a leading slash is a {GUID}:SHA1 masterkey pair rather than an option
            Dictionary<string, string> masterkeys = new Dictionary<string, string>();
            foreach (string key in arguments.Keys)
            {
                if (key.StartsWith("/"))
                {
                    continue;
                }
                masterkeys.Add(key, arguments[key]);
            }

            if (arguments.ContainsKey("/pvk"))
            {
                // a domain DPAPI backup key decrypts the masterkeys directly
                masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
            }
            else if (arguments.ContainsKey("/mkfile"))
            {
                masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
            }
            else if (arguments.ContainsKey("/password"))
            {
                string password = arguments["/password"];
                Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
                masterkeys = Triage.TriageUserMasterKeys(null, true, server, password);
            }

            if (!arguments.ContainsKey("/target"))
            {
                // a remote host needs a key source that works off-box
                bool serverWithoutKeySource = remote && !(arguments.ContainsKey("/pvk") || arguments.ContainsKey("/password"));
                if (serverWithoutKeySource)
                {
                    Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' or '/password:X' !");
                }
                else
                {
                    Triage.TriageUserCreds(masterkeys, server);
                }
                return;
            }

            string target = arguments["/target"].Trim('"').Trim('\'');
            if (File.Exists(target))
            {
                Console.WriteLine("[*] Target Credential File: {0}\r\n", target);
                Triage.TriageCredFile(target, masterkeys);
            }
            else if (Directory.Exists(target))
            {
                Console.WriteLine("[*] Target Credential Folder: {0}\r\n", target);
                Triage.TriageCredFolder(target, masterkeys);
            }
            else
            {
                Console.WriteLine("\r\n[X] '{0}' is not a valid file or directory.", target);
            }
        }
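        /// <summary>
        /// Entry point for the "rdg" action: decrypts Remote Desktop Connection Manager
        /// passwords from a target .rdg/.settings file or folder, or from the default RDCMan
        /// locations, using masterkeys supplied directly, derived from a domain backup key
        /// (/pvk), or CryptUnprotectData() when /unprotect is given.
        /// </summary>
        /// <param name="arguments">Parsed command-line options; "rdg", "/unprotect" and "/target" are removed in place as they are consumed.</param>
        public void Execute(Dictionary<string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: RDG Triage\r\n");
            arguments.Remove("rdg");

            // whether to use CryptUnprotectData() instead of masterkeys
            bool unprotect = false;

            if (arguments.ContainsKey("/unprotect"))
            {
                unprotect = true;
                arguments.Remove("/unprotect");

                Console.WriteLine("[*] Using CryptUnprotectData() to decrypt RDG passwords\r\n");

                // CryptUnprotectData() only works in the current user's own context, never against a remote host
                if (arguments.ContainsKey("/server"))
                {
                    Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !");
                    return;
                }
            }

            if (arguments.ContainsKey("/target"))
            {
                string target = arguments["/target"];
                arguments.Remove("/target");

                if (arguments.ContainsKey("/pvk"))
                {
                    // using a domain backup key to decrypt everything
                    string pvk64 = arguments["/pvk"];
                    byte[] backupKeyBytes;

                    if (File.Exists(pvk64))
                    {
                        backupKeyBytes = File.ReadAllBytes(pvk64);
                    }
                    else
                    {
                        try
                        {
                            backupKeyBytes = Convert.FromBase64String(pvk64);
                        }
                        catch (FormatException)
                        {
                            // previously a malformed value surfaced as an unhandled FormatException
                            Console.WriteLine("[X] /pvk value is neither an existing file nor valid base64!");
                            return;
                        }
                    }

                    // build a {GUID}:SHA1 masterkey mappings
                    Dictionary<string, string> mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false);

                    if (mappings.Count == 0)
                    {
                        Console.WriteLine("\r\n[!] No master keys decrypted!\r\n");
                    }
                    else
                    {
                        Console.WriteLine("\r\n[*] User master key cache:\r\n");
                        foreach (KeyValuePair<string, string> kvp in mappings)
                        {
                            Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
                        }
                    }

                    Console.WriteLine("\r\n[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!\r\n");
                    // from here on the decrypted mappings replace the raw argument dictionary
                    arguments = mappings;
                }

                if (File.Exists(target))
                {
                    // extension match is case-insensitive: Windows file names are, and a ".RDG" file
                    // previously fell through to the "must be .RDG or RDCMan.settings" error
                    if (target.EndsWith(".rdg", StringComparison.OrdinalIgnoreCase))
                    {
                        Console.WriteLine("[*] Target .RDG File: {0}\r\n", target);
                        Triage.TriageRDGFile(arguments, target, unprotect);
                    }
                    else if (target.EndsWith(".settings", StringComparison.OrdinalIgnoreCase))
                    {
                        Console.WriteLine("[*] Target RDCMan.settings File: {0}\r\n", target);
                        Triage.TriageRDCManFile(arguments, target, unprotect);
                    }
                    else
                    {
                        Console.WriteLine("[X] Target must be .RDG or RDCMan.settings file: {0}\r\n", target);
                    }
                }
                else if (Directory.Exists(target))
                {
                    Console.WriteLine("[*] Target RDG Folder: {0}\r\n", target);
                    Triage.TriageRDGFolder(arguments, target, unprotect);
                }
                else
                {
                    Console.WriteLine("\r\n[X] '{0}' is not a valid file or directory.", target);
                }
            }

            else if (arguments.ContainsKey("/pvk"))
            {
                // using a domain backup key to decrypt everything

                string pvk64  = arguments["/pvk"];
                string server = "";

                byte[] backupKeyBytes;

                if (File.Exists(pvk64))
                {
                    backupKeyBytes = File.ReadAllBytes(pvk64);
                }
                else
                {
                    try
                    {
                        backupKeyBytes = Convert.FromBase64String(pvk64);
                    }
                    catch (FormatException)
                    {
                        Console.WriteLine("[X] /pvk value is neither an existing file nor valid base64!");
                        return;
                    }
                }

                Console.WriteLine("[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!");

                // build a {GUID}:SHA1 masterkey mappings
                Dictionary<string, string> mappings = new Dictionary<string, string>();

                if (arguments.ContainsKey("/server"))
                {
                    server = arguments["/server"];
                    Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
                    mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false, server);
                }
                else
                {
                    Console.WriteLine("");
                    mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false);
                }

                if (mappings.Count == 0)
                {
                    Console.WriteLine("[!] No master keys decrypted!\r\n");
                }
                else
                {
                    Console.WriteLine("[*] User master key cache:\r\n");
                    foreach (KeyValuePair<string, string> kvp in mappings)
                    {
                        Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
                    }
                    Console.WriteLine();
                }

                Triage.TriageRDCMan(mappings, server, unprotect);
            }
            else
            {
                if (arguments.ContainsKey("/server"))
                {
                    //Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !");
                    Console.WriteLine("[X] /server:X option not currently supported for this function!");
                }
                else
                {
                    Triage.TriageRDCMan(arguments, "", unprotect);
                }
            }
        }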
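        /// <summary>
        /// Entry point for the "blob" action: describes (and, when a matching masterkey or
        /// CryptUnprotectData() is available, decrypts) a single DPAPI blob given via /target
        /// either as base64 or as a file path, printing the plaintext as text or hex.
        /// </summary>
        /// <param name="arguments">Parsed command-line options (/target, /unprotect, /entropy, /pvk, /mkfile, /password, /server, plus any {GUID}:SHA1 pairs).</param>
        public void Execute(Dictionary<string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: Describe DPAPI blob");

            byte[] blobBytes;
            bool   unprotect = false;       // whether to force CryptUnprotectData()

            byte[] entropy = null;          // optional secondary entropy, given hex-encoded via /entropy

            if (arguments.ContainsKey("/unprotect"))
            {
                Console.WriteLine("\r\n[*] Using CryptUnprotectData() for decryption.");
                unprotect = true;
            }
            Console.WriteLine();

            if (arguments.ContainsKey("/target"))
            {
                string blob = arguments["/target"].Trim('"').Trim('\'');
                if (File.Exists(blob))
                {
                    blobBytes = File.ReadAllBytes(blob);
                }
                else
                {
                    try
                    {
                        blobBytes = Convert.FromBase64String(blob);
                    }
                    catch (FormatException)
                    {
                        // previously a malformed /target value surfaced as an unhandled FormatException
                        Console.WriteLine("[X] /target value is neither an existing file nor valid base64!");
                        return;
                    }
                }
            }
            else
            {
                Console.WriteLine("[X] A /target:<BASE64 | file.bin> must be supplied!");
                return;
            }

            // {GUID}:SHA1 keys are the only ones that don't start with /
            Dictionary<string, string> masterkeys = new Dictionary<string, string>();

            foreach (KeyValuePair<string, string> entry in arguments)
            {
                // ordinal: option switches are ASCII tokens, not culture-sensitive text
                if (!entry.Key.StartsWith("/", StringComparison.Ordinal))
                {
                    masterkeys.Add(entry.Key, entry.Value);
                }
            }
            if (arguments.ContainsKey("/pvk"))
            {
                // use a domain DPAPI backup key to triage masterkeys
                masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
            }
            else if (arguments.ContainsKey("/mkfile"))
            {
                masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
            }
            else if (arguments.ContainsKey("/password"))
            {
                string password = arguments["/password"];
                // NOTE(review): the password is echoed to stdout, so it lands in any console transcript/log
                Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
                if (arguments.ContainsKey("/server"))
                {
                    masterkeys = Triage.TriageUserMasterKeys(null, true, arguments["/server"], password);
                }
                else
                {
                    masterkeys = Triage.TriageUserMasterKeys(null, true, "", password);
                }
            }

            if (arguments.ContainsKey("/entropy"))
            {
                entropy = Helpers.ConvertHexStringToByteArray(arguments["/entropy"]);
            }

            if (blobBytes.Length > 0)
            {
                byte[] decBytesRaw = Dpapi.DescribeDPAPIBlob(blobBytes, masterkeys, "blob", unprotect, entropy);

                if ((decBytesRaw != null) && (decBytesRaw.Length != 0))
                {
                    if (Helpers.IsUnicode(decBytesRaw))
                    {
                        string data       = "";
                        int    finalIndex = Array.LastIndexOf(decBytesRaw, (byte)0);
                        if (finalIndex > 1)
                        {
                            // copies the bytes before the last NUL into a buffer one byte longer, so the
                            // decoded string ends in a zero byte; kept as-is — TODO confirm this is intended
                            byte[] decBytes = new byte[finalIndex + 1];
                            Array.Copy(decBytesRaw, 0, decBytes, 0, finalIndex);
                            data = Encoding.Unicode.GetString(decBytes);
                        }
                        else
                        {
                            data = Encoding.ASCII.GetString(decBytesRaw);
                        }
                        Console.WriteLine("    dec(blob)        : {0}", data);
                    }
                    else
                    {
                        string hexData = BitConverter.ToString(decBytesRaw).Replace("-", " ");
                        Console.WriteLine("    dec(blob)        : {0}", hexData);
                    }
                }
            }
        }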
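        /// <summary>
        /// Entry point for the "certificates" action: locates DPAPI-protected certificate
        /// private keys (user or machine store, local, remote or a specific file/folder)
        /// and hands them to the Triage helpers together with whatever masterkey
        /// material the operator supplied.
        /// </summary>
        /// <param name="arguments">
        /// Parsed command-line switches. Keys beginning with "/" are options
        /// (/cng, /showall, /machine, /mkfile, /target, /pvk, /password, /server);
        /// any key without a leading "/" is taken to be an inline {GUID}:SHA1 masterkey
        /// pair. The "certificates" action name is removed from the dictionary in place.
        /// </param>
        public void Execute(Dictionary <string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: Certificate Triage");
            arguments.Remove("certificates");

            // both flags are simply forwarded to the Triage.* helpers
            bool cng     = arguments.ContainsKey("/cng");
            bool showall = arguments.ContainsKey("/showall");

            // {GUID}:SHA1 pairs are the only argument keys that don't start with "/"
            Dictionary <string, string> masterkeys = new Dictionary <string, string>();
            foreach (KeyValuePair <string, string> entry in arguments)
            {
                if (!entry.Key.StartsWith("/"))
                {
                    masterkeys.Add(entry.Key, entry.Value);
                }
            }

            if (arguments.ContainsKey("/machine"))
            {
                TriageMachineCertificates(arguments, masterkeys, cng, showall);
            }
            else
            {
                TriageUserCertificates(arguments, masterkeys, cng, showall);
            }

            Console.WriteLine("\r\n[*] Hint: openssl pkcs12 -in cert.pem -keyex -CSP \"Microsoft Enhanced Cryptographic Provider v1.0\" -export -out cert.pfx");
        }

        /// <summary>
        /// Machine-store triage (the /machine switch). Masterkeys come from /mkfile or the
        /// inline {GUID}:SHA1 pairs; when neither is given and no /target is set, the
        /// SYSTEM masterkey cache is pulled directly, which requires an elevated process.
        /// /pvk, /password and /server are not consulted on this path.
        /// </summary>
        private static void TriageMachineCertificates(Dictionary <string, string> arguments, Dictionary <string, string> masterkeys, bool cng, bool showall)
        {
            if (arguments.ContainsKey("/mkfile"))
            {
                masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
            }

            if (arguments.ContainsKey("/target"))
            {
                // a specific file/folder can't be decrypted without key material
                if (masterkeys.Count == 0)
                {
                    Console.WriteLine("\r\n[X] Either a '/mkfile:X' or {GUID}:key needs to be passed in order to use '/target' for machine masterkeys");
                    return;
                }
                TriageTargetPath(arguments["/target"], masterkeys, cng, showall);
                return;
            }

            if (masterkeys.Count != 0)
            {
                // operator supplied machine masterkeys (inline or /mkfile): use them as-is.
                // (A stray debug print of masterkeys.Count used to live here.)
                Triage.TriageSystemCerts(masterkeys);
                return;
            }

            // no /target and no masterkeys: extract the SYSTEM DPAPI masterkeys ourselves
            if (!Helpers.IsHighIntegrity())
            {
                Console.WriteLine("[X] Must be elevated to triage SYSTEM DPAPI Credentials!");
                return;
            }

            masterkeys = Triage.TriageSystemMasterKeys();

            Console.WriteLine("\r\n[*] SYSTEM master key cache:\r\n");
            foreach (KeyValuePair <string, string> kvp in masterkeys)
            {
                Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
            }
            Console.WriteLine();

            Triage.TriageSystemCerts(masterkeys);
        }

        /// <summary>
        /// User-store triage. Key material precedence is /pvk (domain backup key), then
        /// /mkfile, then /password, else the inline {GUID}:SHA1 pairs. /server selects a
        /// remote host; /target selects a specific file or folder; otherwise the local
        /// user store is triaged.
        /// </summary>
        private static void TriageUserCertificates(Dictionary <string, string> arguments, Dictionary <string, string> masterkeys, bool cng, bool showall)
        {
            bool   remote = arguments.ContainsKey("/server");
            string server = remote ? arguments["/server"] : "";

            if (arguments.ContainsKey("/pvk"))
            {
                // use a domain DPAPI backup key to decrypt the reachable user masterkeys
                masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
            }
            else if (arguments.ContainsKey("/mkfile"))
            {
                masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
            }
            else if (arguments.ContainsKey("/password"))
            {
                string password = arguments["/password"];
                // NOTE: the cleartext password is echoed to stdout, and therefore into any operator log
                Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
                // server is "" when /server was not given, i.e. local masterkey triage
                masterkeys = Triage.TriageUserMasterKeys(null, true, server, password);
            }

            if (remote)
            {
                Console.WriteLine("[*] Triaging Certificates from remote server: {0}\r\n", server);
                Triage.TriageUserCerts(masterkeys, server, showall);
            }

            if (arguments.ContainsKey("/target"))
            {
                TriageTargetPath(arguments["/target"], masterkeys, cng, showall);
            }
            else if (!remote)
            {
                // local store only; previously this ran after a remote triage as well,
                // triaging the local store a second time with the remote host's keys
                Triage.TriageUserCerts(masterkeys, "", showall);
            }
        }

        /// <summary>
        /// Triages the certificate file, or every file in the folder, named by /target.
        /// Surrounding single/double quotes on the path are stripped first.
        /// </summary>
        private static void TriageTargetPath(string rawTarget, Dictionary <string, string> masterkeys, bool cng, bool showall)
        {
            string target = rawTarget.Trim('"').Trim('\'');

            if (File.Exists(target))
            {
                Console.WriteLine("[*] Target Certificate File: {0}\r\n", target);
                Triage.TriageCertFile(target, masterkeys, cng, showall);
            }
            else if (Directory.Exists(target))
            {
                Console.WriteLine("[*] Target Certificate Folder: {0}\r\n", target);
                Triage.TriageCertFolder(target, masterkeys, cng, showall);
            }
            else
            {
                Console.WriteLine("\r\n[X] '{0}' is not a valid file or directory.", target);
            }
        }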
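        /// <summary>
        /// Entry point for the "describe" action: parses a single DPAPI blob and, when a
        /// matching masterkey is available, prints the decrypted contents.
        /// </summary>
        /// <param name="arguments">
        /// /in:&lt;BASE64 | file&gt; selects the blob (required). /pvk:&lt;BASE64 | file&gt;
        /// supplies a domain DPAPI backup key used to build {GUID}:SHA1 masterkey mappings;
        /// without it the remaining entries of <paramref name="arguments"/> are handed to
        /// the describer as the mapping table (inline {GUID}:SHA1 pairs).
        /// </param>
        public void Execute(Dictionary <string, string> arguments)
        {
            Console.WriteLine("\r\n[*]  Action: Describe DPAPI blob\r\n");

            if (!arguments.ContainsKey("/in"))
            {
                Console.WriteLine("[X] An /in:<BASE64 | file> must be supplied!");
                return;
            }

            byte[] blobBytes = ReadFileOrBase64(arguments["/in"], "/in");
            if (blobBytes == null)
            {
                return;
            }
            // the key is "/in"; the previous Remove("in") never matched and left it in the dictionary
            arguments.Remove("/in");

            if (arguments.ContainsKey("/pvk"))
            {
                // a domain backup key can open every user masterkey, so build the full mapping table
                byte[] backupKeyBytes = ReadFileOrBase64(arguments["/pvk"], "/pvk");
                if (backupKeyBytes == null)
                {
                    return;
                }

                Console.WriteLine("[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!");

                // {GUID}:SHA1 masterkey mappings
                Dictionary <string, string> mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false);

                if (mappings.Count == 0)
                {
                    Console.WriteLine("[!] No master keys decrypted!\r\n");
                }
                else
                {
                    Console.WriteLine("[*] User master key cache:\r\n");
                    foreach (KeyValuePair <string, string> kvp in mappings)
                    {
                        Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
                    }
                    Console.WriteLine();
                }

                PrintDecryptedBlob(Dpapi.DescribeDPAPIBlob(blobBytes, mappings, "blob"));
            }
            else
            {
                // no backup key: whatever {GUID}:SHA1 pairs were passed on the command line are the mapping table
                PrintDecryptedBlob(Dpapi.DescribeDPAPIBlob(blobBytes, arguments, "blob"));
            }
        }

        /// <summary>
        /// Reads <paramref name="value"/> as a file path when such a file exists, otherwise
        /// decodes it as base64. Returns null after printing an error if the base64 is
        /// malformed (previously an unhandled FormatException).
        /// </summary>
        private static byte[] ReadFileOrBase64(string value, string switchName)
        {
            if (File.Exists(value))
            {
                return File.ReadAllBytes(value);
            }

            try
            {
                return Convert.FromBase64String(value);
            }
            catch (FormatException)
            {
                Console.WriteLine("[X] {0} is neither an existing file nor valid base64!", switchName);
                return null;
            }
        }

        /// <summary>
        /// Prints the decrypted blob as UTF-16 text when it looks like it, otherwise as a
        /// space-separated hex dump ("AA BB CC"). Null or empty output prints nothing, as before.
        /// </summary>
        private static void PrintDecryptedBlob(byte[] decBytes)
        {
            if (decBytes == null || decBytes.Length == 0)
            {
                return;
            }

            if (Helpers.IsUnicode(decBytes))
            {
                Console.WriteLine("    dec(blob)        : {0}", System.Text.Encoding.Unicode.GetString(decBytes));
            }
            else
            {
                string hexString = BitConverter.ToString(decBytes).Replace("-", " ");
                Console.WriteLine("    dec(blob)        : {0}", hexString);
            }
        }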
        /// <summary>
        /// Entry point for the "triage" action: runs the user-context DPAPI triage
        /// (Credential files, Vaults, RDCMan and KeePass settings, then certificates),
        /// locally or against /server, using masterkeys from /pvk, /mkfile, /password
        /// or inline {GUID}:SHA1 pairs.
        /// </summary>
        /// <param name="arguments">
        /// Parsed command-line switches; keys beginning with "/" are options, any other
        /// key is an inline {GUID}:SHA1 masterkey pair. "triage" is removed in place.
        /// </param>
        public void Execute(Dictionary <string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: User DPAPI Credential and Vault Triage\r\n");
            arguments.Remove("triage");

            bool   remote = arguments.ContainsKey("/server");
            string server = remote ? arguments["/server"] : "";
            if (remote)
            {
                Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
            }

            // inline {GUID}:SHA1 pairs are the only argument keys without a leading "/"
            Dictionary <string, string> masterkeys = new Dictionary <string, string>();
            foreach (KeyValuePair <string, string> pair in arguments)
            {
                if (pair.Key.StartsWith("/"))
                {
                    continue;
                }
                masterkeys.Add(pair.Key, pair.Value);
            }

            // an explicit key-material switch replaces the inline pairs; precedence /pvk > /mkfile > /password
            bool havePvk      = arguments.ContainsKey("/pvk");
            bool havePassword = arguments.ContainsKey("/password");
            if (havePvk)
            {
                // domain DPAPI backup key
                masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
            }
            else if (arguments.ContainsKey("/mkfile"))
            {
                masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
            }
            else if (havePassword)
            {
                string password = arguments["/password"];
                // NOTE: the cleartext password is echoed to stdout, and therefore into any operator log
                Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
                // server is "" for local masterkey triage
                masterkeys = Triage.TriageUserMasterKeys(null, true, server, password);
            }

            // the tool's rule: a remote target is only accepted together with /pvk or /password
            // (note this is checked after the masterkey work above has already run)
            if (remote && !havePvk && !havePassword)
            {
                Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' or '/password:X' !");
                return;
            }

            Triage.TriageUserCreds(masterkeys, server);
            Triage.TriageUserVaults(masterkeys, server);
            Console.WriteLine();

            // without any {GUID}:SHA1 lookups, RDCMan/KeePass are asked to fall back to CryptUnprotectData
            bool useCryptUnprotectData = masterkeys.Count == 0;
            Triage.TriageRDCMan(masterkeys, server, useCryptUnprotectData);
            Triage.TriageKeePass(masterkeys, server, useCryptUnprotectData);

            Triage.TriageUserCerts(masterkeys, server, false);
        }