        /// <summary>
        /// Runs the "triage" action: resolves user DPAPI masterkeys from the supplied
        /// switches, then triages the user's credential files, vaults and RDCMan settings.
        /// </summary>
        /// <param name="arguments">
        /// Parsed command-line switches keyed by name (e.g. "/server", "/pvk", "/mkfile",
        /// "/password"). Entries whose key does not start with "/" are treated as
        /// {GUID}:SHA1 masterkey mappings. The "triage" entry is removed from this dictionary.
        /// </param>
        public void Execute(Dictionary <string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: User DPAPI Credential and Vault Triage\r\n");
            // The action keyword does not start with "/" and would otherwise be picked up
            // by the masterkey-collection loop below.
            arguments.Remove("triage");

            // Remote server specification; stays empty when no /server switch was given.
            string server = "";
            string remote;
            if (arguments.TryGetValue("/server", out remote))
            {
                server = remote;
                Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
            }

            // Any key not prefixed with "/" is a {GUID}:SHA1 masterkey mapping passed on the command line.
            Dictionary <string, string> masterkeys = new Dictionary <string, string>();
            foreach (string key in arguments.Keys)
            {
                if (key.StartsWith("/"))
                {
                    continue;
                }
                masterkeys[key] = arguments[key];
            }

            // A key source switch replaces the mappings collected above; precedence is /pvk, /mkfile, /password.
            string mkfile;
            string password;
            if (arguments.ContainsKey("/pvk"))
            {
                // Domain DPAPI backup key path.
                masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
            }
            else if (arguments.TryGetValue("/mkfile", out mkfile))
            {
                masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(mkfile);
            }
            else if (arguments.TryGetValue("/password", out password))
            {
                // NOTE(review): the supplied password is written to stdout in clear text here.
                Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
                masterkeys = Triage.TriageUserMasterKeysWithPass(password);
            }

            bool serverWithoutPvk = arguments.ContainsKey("/server") && !arguments.ContainsKey("/pvk");
            if (serverWithoutPvk)
            {
                Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !");
                return;
            }

            Triage.TriageUserCreds(masterkeys, server);
            Triage.TriageUserVaults(masterkeys, server);
            Console.WriteLine();
            // With no masterkey mappings available, the RDCMan triage is asked to fall back to CryptUnprotectData.
            Triage.TriageRDCMan(masterkeys, server, masterkeys.Count == 0);
        }
        /// <summary>
        /// Runs the masterkey-file triage action: decrypts user DPAPI masterkeys with either a
        /// domain backup key (/pvk, optionally against a remote /server) or a user password
        /// (/password), and prints the resulting {GUID}:SHA1 cache.
        /// </summary>
        /// <param name="arguments">
        /// Parsed command-line switches keyed by name. "/pvk" may hold a file path or a base64 string.
        /// </param>
        public void Execute(Dictionary <string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: User DPAPI Masterkey File Triage\r\n");

            Dictionary <string, string> mappings;
            string pvk64;
            string password;

            if (arguments.TryGetValue("/pvk", out pvk64))
            {
                // /pvk is accepted either as a path to a key file or as an inline base64 string.
                byte[] backupKeyBytes = File.Exists(pvk64)
                    ? File.ReadAllBytes(pvk64)
                    : Convert.FromBase64String(pvk64);

                string server;
                if (arguments.TryGetValue("/server", out server))
                {
                    Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
                    mappings = Triage.TriageUserMasterKeys(backupKeyBytes, true, server);
                }
                else
                {
                    Console.WriteLine();
                    mappings = Triage.TriageUserMasterKeys(backupKeyBytes, true);
                }
            }
            else if (arguments.TryGetValue("/password", out password))
            {
                // NOTE(review): the supplied password is written to stdout in clear text here.
                Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
                mappings = Triage.TriageUserMasterKeysWithPass(password);
            }
            else
            {
                Console.WriteLine("[X] A /pvk:BASE64 domain DPAPI backup key or /password must be supplied!");
                return;
            }

            if (mappings.Count == 0)
            {
                Console.WriteLine("\r\n[!] No master keys decrypted!\r\n");
                return;
            }

            Console.WriteLine("\r\n[*] User master key cache:\r\n");
            foreach (string guid in mappings.Keys)
            {
                Console.WriteLine("{0}:{1}", guid, mappings[guid]);
            }
        }
        /// <summary>
        /// Runs the PSCredential description action: resolves user DPAPI masterkeys from the
        /// supplied switches and hands the /target file to <c>Triage.TriagePSCredFile</c>.
        /// </summary>
        /// <param name="arguments">
        /// Parsed command-line switches keyed by name. "/target" is required; "/unprotect"
        /// forces CryptUnprotectData(); entries whose key does not start with "/" are
        /// {GUID}:SHA1 masterkey mappings.
        /// </param>
        public void Execute(Dictionary <string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: Describe PSCredential .xml");

            // Whether to force CryptUnprotectData() for decryption.
            bool unprotect = arguments.ContainsKey("/unprotect");
            if (unprotect)
            {
                Console.WriteLine("\r\n[*] Using CryptUnprotectData() for decryption.");
            }
            Console.WriteLine();

            string target;
            if (!arguments.TryGetValue("/target", out target))
            {
                Console.WriteLine("[X] A /target:<BASE64 | file.bin> must be supplied!");
                return;
            }

            // Any key not prefixed with "/" is a {GUID}:SHA1 masterkey mapping passed on the command line.
            Dictionary <string, string> masterkeys = new Dictionary <string, string>();
            foreach (string key in arguments.Keys)
            {
                if (key.StartsWith("/"))
                {
                    continue;
                }
                masterkeys[key] = arguments[key];
            }

            // A key source switch replaces the mappings collected above; precedence is /pvk, /mkfile, /password.
            string mkfile;
            string password;
            if (arguments.ContainsKey("/pvk"))
            {
                // Domain DPAPI backup key path.
                masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
            }
            else if (arguments.TryGetValue("/mkfile", out mkfile))
            {
                masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(mkfile);
            }
            else if (arguments.TryGetValue("/password", out password))
            {
                // NOTE(review): the supplied password is written to stdout in clear text here.
                Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
                masterkeys = Triage.TriageUserMasterKeysWithPass(password);
            }

            Triage.TriagePSCredFile(masterkeys, target, unprotect);
        }
        /// <summary>
        /// Runs the "vaults" action: resolves user DPAPI masterkeys from the supplied switches,
        /// then triages either a specific vault directory (/target) or the current user's
        /// vaults, optionally on a remote /server (which requires /pvk).
        /// </summary>
        /// <param name="arguments">
        /// Parsed command-line switches keyed by name. Entries whose key does not start with
        /// "/" are {GUID}:SHA1 masterkey mappings. The "vaults" entry is removed from this dictionary.
        /// </param>
        public void Execute(Dictionary <string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: User DPAPI Vault Triage\r\n");
            // The action keyword does not start with "/" and would otherwise be picked up
            // by the masterkey-collection loop below.
            arguments.Remove("vaults");

            // Remote server specification; stays empty when no /server switch was given.
            string server = "";
            string remote;
            if (arguments.TryGetValue("/server", out remote))
            {
                server = remote;
                Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
            }

            // Any key not prefixed with "/" is a {GUID}:SHA1 masterkey mapping passed on the command line.
            Dictionary <string, string> masterkeys = new Dictionary <string, string>();
            foreach (string key in arguments.Keys)
            {
                if (key.StartsWith("/"))
                {
                    continue;
                }
                masterkeys[key] = arguments[key];
            }

            // A key source switch replaces the mappings collected above; precedence is /pvk, /mkfile, /password.
            string mkfile;
            string password;
            if (arguments.ContainsKey("/pvk"))
            {
                // Domain DPAPI backup key path.
                masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
            }
            else if (arguments.TryGetValue("/mkfile", out mkfile))
            {
                masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(mkfile);
            }
            else if (arguments.TryGetValue("/password", out password))
            {
                // NOTE(review): the supplied password is written to stdout in clear text here.
                Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
                masterkeys = Triage.TriageUserMasterKeysWithPass(password);
            }

            string target;
            if (arguments.TryGetValue("/target", out target))
            {
                // Strip surrounding double or single quotes left over from the shell.
                target = target.Trim('"').Trim('\'');
                if (!Directory.Exists(target))
                {
                    Console.WriteLine("\r\n[X] '{0}' is not a valid Vault directory.", target);
                    return;
                }
                Triage.TriageVaultFolder(target, masterkeys);
                return;
            }

            bool serverWithoutPvk = arguments.ContainsKey("/server") && !arguments.ContainsKey("/pvk");
            if (serverWithoutPvk)
            {
                Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !");
                return;
            }

            Triage.TriageUserVaults(masterkeys, server);
        }
        /// <summary>
        /// Runs the "rdg" action: resolves user DPAPI masterkeys from the supplied switches,
        /// then triages either a specific .rdg / RDCMan.settings file (/target) or the
        /// current user's RDCMan settings, optionally on a remote /server (which requires /pvk).
        /// </summary>
        /// <param name="arguments">
        /// Parsed command-line switches keyed by name. "/unprotect" forces CryptUnprotectData();
        /// entries whose key does not start with "/" are {GUID}:SHA1 masterkey mappings.
        /// The "rdg" entry is removed from this dictionary.
        /// </param>
        public void Execute(Dictionary <string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: RDG Triage");
            // The action keyword does not start with "/" and would otherwise be picked up
            // by the masterkey-collection loop below.
            arguments.Remove("rdg");

            // Whether to force CryptUnprotectData() for decryption.
            bool unprotect = arguments.ContainsKey("/unprotect");
            if (unprotect)
            {
                Console.WriteLine("\r\n[*] Using CryptUnprotectData() for decryption.");
            }
            Console.WriteLine("");

            // Remote server specification; stays empty when no /server switch was given.
            string server = "";
            string remote;
            if (arguments.TryGetValue("/server", out remote))
            {
                server = remote;
                Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
            }

            // Any key not prefixed with "/" is a {GUID}:SHA1 masterkey mapping passed on the command line.
            Dictionary <string, string> masterkeys = new Dictionary <string, string>();
            foreach (string key in arguments.Keys)
            {
                if (key.StartsWith("/"))
                {
                    continue;
                }
                masterkeys[key] = arguments[key];
            }

            // A key source switch replaces the mappings collected above; precedence is /pvk, /mkfile, /password.
            string mkfile;
            string password;
            if (arguments.ContainsKey("/pvk"))
            {
                // Domain DPAPI backup key path.
                masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
            }
            else if (arguments.TryGetValue("/mkfile", out mkfile))
            {
                masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(mkfile);
            }
            else if (arguments.TryGetValue("/password", out password))
            {
                // NOTE(review): the supplied password is written to stdout in clear text here.
                Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
                masterkeys = Triage.TriageUserMasterKeysWithPass(password);
            }

            string target;
            if (arguments.TryGetValue("/target", out target))
            {
                // Strip surrounding double or single quotes left over from the shell.
                target = target.Trim('"').Trim('\'');

                // The file type is chosen purely by extension.
                if (target.EndsWith(".rdg"))
                {
                    Console.WriteLine("[*] Target .RDG File: {0}\r\n", target);
                    Triage.TriageRDGFile(masterkeys, target, unprotect);
                }
                else if (target.EndsWith(".settings"))
                {
                    Console.WriteLine("[*] Target RDCMan.settings File: {0}\r\n", target);
                    Triage.TriageRDCManFile(masterkeys, target, unprotect);
                }
                else
                {
                    Console.WriteLine("[X] Target must be .RDG or RDCMan.settings file: {0}\r\n", target);
                }
                return;
            }

            bool serverWithoutPvk = arguments.ContainsKey("/server") && !arguments.ContainsKey("/pvk");
            if (serverWithoutPvk)
            {
                Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !");
                return;
            }

            Triage.TriageRDCMan(masterkeys, server, unprotect);
        }
        /// <summary>
        /// Runs the DPAPI blob description action: loads the /target blob (file path or base64),
        /// resolves user DPAPI masterkeys from the supplied switches, describes the blob and,
        /// when it decrypts, prints the plaintext as UTF-16 text or as a hex dump.
        /// </summary>
        /// <param name="arguments">
        /// Parsed command-line switches keyed by name. "/target" is required; "/unprotect"
        /// forces CryptUnprotectData(); entries whose key does not start with "/" are
        /// {GUID}:SHA1 masterkey mappings.
        /// </param>
        public void Execute(Dictionary <string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: Describe DPAPI blob");

            // Whether to force CryptUnprotectData() for decryption.
            bool unprotect = arguments.ContainsKey("/unprotect");
            if (unprotect)
            {
                Console.WriteLine("\r\n[*] Using CryptUnprotectData() for decryption.");
            }
            Console.WriteLine();

            string blobArg;
            if (!arguments.TryGetValue("/target", out blobArg))
            {
                Console.WriteLine("[X] A /target:<BASE64 | file.bin> must be supplied!");
                return;
            }

            // /target is either a path to a blob file or an inline base64 blob; quotes from the shell are stripped.
            string blob = blobArg.Trim('"').Trim('\'');
            byte[] blobBytes = File.Exists(blob)
                ? File.ReadAllBytes(blob)
                : Convert.FromBase64String(blob);

            // Any key not prefixed with "/" is a {GUID}:SHA1 masterkey mapping passed on the command line.
            Dictionary <string, string> masterkeys = new Dictionary <string, string>();
            foreach (string key in arguments.Keys)
            {
                if (key.StartsWith("/"))
                {
                    continue;
                }
                masterkeys[key] = arguments[key];
            }

            // A key source switch replaces the mappings collected above; precedence is /pvk, /mkfile, /password.
            string mkfile;
            string password;
            if (arguments.ContainsKey("/pvk"))
            {
                // Domain DPAPI backup key path.
                masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
            }
            else if (arguments.TryGetValue("/mkfile", out mkfile))
            {
                masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(mkfile);
            }
            else if (arguments.TryGetValue("/password", out password))
            {
                // NOTE(review): the supplied password is written to stdout in clear text here.
                Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
                masterkeys = Triage.TriageUserMasterKeysWithPass(password);
            }

            if (blobBytes.Length == 0)
            {
                return;
            }

            byte[] decBytesRaw = Dpapi.DescribeDPAPIBlob(blobBytes, masterkeys, "blob", unprotect);
            if (decBytesRaw == null || decBytesRaw.Length == 0)
            {
                return;
            }

            if (!Helpers.IsUnicode(decBytesRaw))
            {
                // Not text according to Helpers.IsUnicode: print a space-separated hex dump instead.
                string hexData = BitConverter.ToString(decBytesRaw).Replace("-", " ");
                Console.WriteLine("    dec(blob)        : {0}", hexData);
                return;
            }

            string data;
            int finalIndex = Array.LastIndexOf(decBytesRaw, (byte)0);
            if (finalIndex > 1)
            {
                // Decode everything before the last NUL byte as UTF-16. The destination buffer is
                // one byte longer than the number of bytes copied, so its final byte stays zero.
                // NOTE(review): that trailing zero is fed to the decoder as-is; confirm this is intended.
                byte[] decBytes = new byte[finalIndex + 1];
                Array.Copy(decBytesRaw, 0, decBytes, 0, finalIndex);
                data = Encoding.Unicode.GetString(decBytes);
            }
            else
            {
                // No usable NUL terminator past the first two bytes: fall back to an ASCII decode of the whole buffer.
                data = Encoding.ASCII.GetString(decBytesRaw);
            }
            Console.WriteLine("    dec(blob)        : {0}", data);
        }