public DPAPIBackupKey(DirectoryObject dsObject, DirectorySecretDecryptor pek)
{
// Parameter validation
Validator.AssertNotNull(dsObject, "dsObject");
Validator.AssertNotNull(pek, "pek");
// TODO: Test Object type
// Decrypt the secret value
byte[] encryptedSecret;
dsObject.ReadAttribute(CommonDirectoryAttributes.CurrentValue, out encryptedSecret);
this.RawKeyData = pek.DecryptSecret(encryptedSecret);
// Parse DN to get key ID or pointer type:
this.DistinguishedName = dsObject.DistinguishedName;
var keyName = GetSecretNameFromDN(this.DistinguishedName);
switch (keyName)
{
case null:
// We could not parse the DN, so exit with Unknown as the key type
this.Type = DPAPIBackupKeyType.Unknown;
break;
case PreferredRSAKeyPointerName:
this.Type = DPAPIBackupKeyType.PreferredRSAKeyPointer;
// Interpret the raw data as Guid
this.KeyId = new Guid(this.RawKeyData);
break;
case PreferredLegacyKeyPointerName:
this.Type = DPAPIBackupKeyType.PreferredLegacyKeyPointer;
// Interpret the raw data as Guid
this.KeyId = new Guid(this.RawKeyData);
break;
default:
// Actual Key, so we parse its Guid and version
this.KeyId = Guid.Parse(keyName);
int version = BitConverter.ToInt32(this.RawKeyData, KeyVersionOffset);
switch (version)
{
case 1:
this.Type = DPAPIBackupKeyType.LegacyKey;
// Cut the version out of the data
this.RawKeyData = this.RawKeyData.Cut(KeyVersionSize);
break;
case 2:
this.Type = DPAPIBackupKeyType.RSAKey;
// Combine the certificate and key into PFX and replace the original decrypted data
this.RawKeyData = ConvertRSASecretToPFX(this.RawKeyData);
break;
}
break;
}
}
private const uint PVKHeaderKeySpec = 1; // = AT_KEYEXCHANGE
public DPAPIBackupKey(DirectoryObject dsObject, DirectorySecretDecryptor pek)
{
// Parameter validation
Validator.AssertNotNull(dsObject, "dsObject");
Validator.AssertNotNull(pek, "pek");
// TODO: Test Object type
// Decrypt the secret value
byte[] encryptedSecret;
dsObject.ReadAttribute(CommonDirectoryAttributes.CurrentValue, out encryptedSecret);
byte[] decryptedBlob = pek.DecryptSecret(encryptedSecret);
// Initialize properties
this.Initialize(dsObject.DistinguishedName, decryptedBlob);
}
protected void LoadHashes(DirectoryObject dsObject, DirectorySecretDecryptor pek)
{
if (pek == null)
{
// Do not continue if we do not have a decryption key
return;
}
// NTHash:
byte[] encryptedNtHash;
dsObject.ReadAttribute(CommonDirectoryAttributes.NTHash, out encryptedNtHash);
if (encryptedNtHash != null)
{
this.NTHash = pek.DecryptHash(encryptedNtHash, this.Sid.GetRid());
}
// LMHash
byte[] encryptedLmHash;
dsObject.ReadAttribute(CommonDirectoryAttributes.LMHash, out encryptedLmHash);
if (encryptedLmHash != null)
{
this.LMHash = pek.DecryptHash(encryptedLmHash, this.Sid.GetRid());
}
// NTHashHistory:
byte[] encryptedNtHashHistory;
dsObject.ReadAttribute(CommonDirectoryAttributes.NTHashHistory, out encryptedNtHashHistory);
if (encryptedNtHashHistory != null)
{
this.NTHashHistory = pek.DecryptHashHistory(encryptedNtHashHistory, this.Sid.GetRid());
}
// LMHashHistory:
byte[] encryptedLmHashHistory;
dsObject.ReadAttribute(CommonDirectoryAttributes.LMHashHistory, out encryptedLmHashHistory);
if (encryptedLmHashHistory != null)
{
this.LMHashHistory = pek.DecryptHashHistory(encryptedLmHashHistory, this.Sid.GetRid());
}
// SupplementalCredentials:
byte[] encryptedSupplementalCredentials;
dsObject.ReadAttribute(CommonDirectoryAttributes.SupplementalCredentials, out encryptedSupplementalCredentials);
if (encryptedSupplementalCredentials != null)
{
byte[] binarySupplementalCredentials = pek.DecryptSecret(encryptedSupplementalCredentials);
this.SupplementalCredentials = new SupplementalCredentials(binarySupplementalCredentials);
}
}
public DSAccount(DirectoryObject dsObject, DirectorySecretDecryptor pek)
{
// Parameter validation
Validator.AssertNotNull(dsObject, "dsObject");
if (!dsObject.IsAccount)
{
// TODO: Exteption type
throw new Exception("Not an account.");
}
// Common properties
this.LoadAccountInfo(dsObject);
// Credential Roaming
this.LoadRoamedCredentials(dsObject);
// Hashes and Supplemental Credentials
this.LoadHashes(dsObject, pek);
}
public DSAccount(DirectoryObject dsObject, string netBIOSDomainName, DirectorySecretDecryptor pek)
{
// Parameter validation
Validator.AssertNotNull(dsObject, nameof(dsObject));
Validator.AssertNotNull(netBIOSDomainName, nameof(netBIOSDomainName));
if (!dsObject.IsAccount && !dsObject.IsContact)
{
throw new ArgumentException(Resources.ObjectNotAccountMessage);
}
// Common properties
this.LoadAccountInfo(dsObject, netBIOSDomainName);
// Credential Roaming
this.LoadRoamedCredentials(dsObject);
// Windows Hello for Business
this.LoadKeyCredentials(dsObject);
// Hashes and Supplemental Credentials
this.LoadHashes(dsObject, pek);
}
public DSAccount(DirectoryObject dsObject, DirectorySecretDecryptor pek)
{
// Parameter validation
Validator.AssertNotNull(dsObject, "dsObject");
if (!dsObject.IsAccount)
{
// TODO: Exteption type
throw new Exception("Not an account.");
}
// Guid:
this.Guid = dsObject.Guid;
// DN:
this.DistinguishedName = dsObject.DistinguishedName;
// Sid:
this.Sid = dsObject.Sid;
// SidHistory:
dsObject.ReadAttribute(CommonDirectoryAttributes.SIDHistory, out this.sidHistory);
// DisplayName:
dsObject.ReadAttribute(CommonDirectoryAttributes.DisplayName, out this.displayName);
// Description
dsObject.ReadAttribute(CommonDirectoryAttributes.Description, out this.description);
// GivenName:
dsObject.ReadAttribute(CommonDirectoryAttributes.GivenName, out this.givenName);
// Surname:
dsObject.ReadAttribute(CommonDirectoryAttributes.Surname, out this.surname);
// Security Descriptor:
dsObject.ReadAttribute(CommonDirectoryAttributes.SecurityDescriptor, out this.securityDescriptor);
// AdminCount (Although the schema defines it as Int32, it can only have values 0 and 1, so we directly convert it to bool)
dsObject.ReadAttribute(CommonDirectoryAttributes.AdminCount, out this.adminCount);
// Enabled:
// TODO: Move to DirectoryObject?
int?numericUac;
dsObject.ReadAttribute(CommonDirectoryAttributes.UserAccountControl, out numericUac);
UserAccountControl uac = (UserAccountControl)numericUac.Value;
this.Enabled = !uac.HasFlag(UserAccountControl.Disabled);
// Deleted:
dsObject.ReadAttribute(CommonDirectoryAttributes.IsDeleted, out this.isDeleted);
// LastLogon:
dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogon, out this.lastLogon);
// UPN:
dsObject.ReadAttribute(CommonDirectoryAttributes.UserPrincipalName, out this.upn);
// SamAccountName:
dsObject.ReadAttribute(CommonDirectoryAttributes.SAMAccountName, out this.samAccountName);
// SamAccountType:
// TODO: Move to DirectoryObject?
int?numericAccountType;
dsObject.ReadAttribute(CommonDirectoryAttributes.SamAccountType, out numericAccountType);
this.SamAccountType = (SamAccountType)numericAccountType.Value;
// PrimaryGroupId
int?groupId;
dsObject.ReadAttribute(CommonDirectoryAttributes.PrimaryGroupId, out groupId);
this.PrimaryGroupId = groupId.Value;
if (pek == null)
{
// Do not continue if we do not have a decryption key
return;
}
// NTHash:
byte[] encryptedNtHash;
dsObject.ReadAttribute(CommonDirectoryAttributes.NTHash, out encryptedNtHash);
if (encryptedNtHash != null)
{
this.NTHash = pek.DecryptHash(encryptedNtHash, this.Sid.GetRid());
}
// LMHash
byte[] encryptedLmHash;
dsObject.ReadAttribute(CommonDirectoryAttributes.LMHash, out encryptedLmHash);
if (encryptedLmHash != null)
{
this.LMHash = pek.DecryptHash(encryptedLmHash, this.Sid.GetRid());
}
// NTHashHistory:
byte[] encryptedNtHashHistory;
dsObject.ReadAttribute(CommonDirectoryAttributes.NTHashHistory, out encryptedNtHashHistory);
if (encryptedNtHashHistory != null)
{
this.NTHashHistory = pek.DecryptHashHistory(encryptedNtHashHistory, this.Sid.GetRid());
}
// LMHashHistory:
byte[] encryptedLmHashHistory;
dsObject.ReadAttribute(CommonDirectoryAttributes.LMHashHistory, out encryptedLmHashHistory);
if (encryptedLmHashHistory != null)
{
this.LMHashHistory = pek.DecryptHashHistory(encryptedLmHashHistory, this.Sid.GetRid());
}
// SupplementalCredentials:
byte[] encryptedSupplementalCredentials;
dsObject.ReadAttribute(CommonDirectoryAttributes.SupplementalCredentials, out encryptedSupplementalCredentials);
if (encryptedSupplementalCredentials != null)
{
byte[] binarySupplementalCredentials = pek.DecryptSecret(encryptedSupplementalCredentials);
this.SupplementalCredentials = new SupplementalCredentials(binarySupplementalCredentials);
}
}
