public void Execute(Dictionary <string, string> arguments) { Console.WriteLine("\r\n[*] Action: User DPAPI Credential and Vault Triage\r\n"); arguments.Remove("triage"); string server = ""; // used for remote server specification if (arguments.ContainsKey("/server")) { server = arguments["/server"]; Console.WriteLine("[*] Triaging remote server: {0}\r\n", server); } // {GUID}:SHA1 keys are the only ones that don't start with / Dictionary <string, string> masterkeys = new Dictionary <string, string>(); foreach (KeyValuePair <string, string> entry in arguments) { if (!entry.Key.StartsWith("/")) { masterkeys.Add(entry.Key, entry.Value); } } if (arguments.ContainsKey("/pvk")) { // use a domain DPAPI backup key to triage masterkeys masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments); } else if (arguments.ContainsKey("/mkfile")) { masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]); } else if (arguments.ContainsKey("/password")) { string password = arguments["/password"]; Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password); masterkeys = Triage.TriageUserMasterKeysWithPass(password); } if (arguments.ContainsKey("/server") && !arguments.ContainsKey("/pvk")) { Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !"); } else { Triage.TriageUserCreds(masterkeys, server); Triage.TriageUserVaults(masterkeys, server); Console.WriteLine(); if (masterkeys.Count == 0) { // try to use CryptUnprotectData if no GUID lookups supplied Triage.TriageRDCMan(masterkeys, server, true); } else { Triage.TriageRDCMan(masterkeys, server, false); } } }
public void Execute(Dictionary <string, string> arguments) { Console.WriteLine("\r\n[*] Action: User DPAPI Masterkey File Triage\r\n"); byte[] backupKeyBytes; string password; Dictionary <string, string> mappings = new Dictionary <string, string>(); if (arguments.ContainsKey("/pvk")) { string pvk64 = arguments["/pvk"]; if (File.Exists(pvk64)) { backupKeyBytes = File.ReadAllBytes(pvk64); } else { backupKeyBytes = Convert.FromBase64String(pvk64); } if (arguments.ContainsKey("/server")) { Console.WriteLine("[*] Triaging remote server: {0}\r\n", arguments["/server"]); mappings = Triage.TriageUserMasterKeys(backupKeyBytes, true, arguments["/server"]); } else { Console.WriteLine(); mappings = Triage.TriageUserMasterKeys(backupKeyBytes, true); } } else if (arguments.ContainsKey("/password")) { password = arguments["/password"]; Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password); mappings = Triage.TriageUserMasterKeysWithPass(password); } else { Console.WriteLine("[X] A /pvk:BASE64 domain DPAPI backup key or /password must be supplied!"); return; } if (mappings.Count == 0) { Console.WriteLine("\r\n[!] No master keys decrypted!\r\n"); } else { Console.WriteLine("\r\n[*] User master key cache:\r\n"); foreach (KeyValuePair <string, string> kvp in mappings) { Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value); } } }
public void Execute(Dictionary <string, string> arguments) { Console.WriteLine("\r\n[*] Action: Describe PSCredential .xml"); string target = ""; bool unprotect = false; // whether to force CryptUnprotectData() if (arguments.ContainsKey("/unprotect")) { Console.WriteLine("\r\n[*] Using CryptUnprotectData() for decryption."); unprotect = true; } Console.WriteLine(); if (arguments.ContainsKey("/target")) { target = arguments["/target"]; } else { Console.WriteLine("[X] A /target:<BASE64 | file.bin> must be supplied!"); return; } // {GUID}:SHA1 keys are the only ones that don't start with / Dictionary <string, string> masterkeys = new Dictionary <string, string>(); foreach (KeyValuePair <string, string> entry in arguments) { if (!entry.Key.StartsWith("/")) { masterkeys.Add(entry.Key, entry.Value); } } if (arguments.ContainsKey("/pvk")) { // use a domain DPAPI backup key to triage masterkeys masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments); } else if (arguments.ContainsKey("/mkfile")) { masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]); } else if (arguments.ContainsKey("/password")) { string password = arguments["/password"]; Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password); masterkeys = Triage.TriageUserMasterKeysWithPass(password); } Triage.TriagePSCredFile(masterkeys, target, unprotect); }
public void Execute(Dictionary <string, string> arguments) { Console.WriteLine("\r\n[*] Action: User DPAPI Vault Triage\r\n"); arguments.Remove("vaults"); string server = ""; // used for remote server specification if (arguments.ContainsKey("/server")) { server = arguments["/server"]; Console.WriteLine("[*] Triaging remote server: {0}\r\n", server); } // {GUID}:SHA1 keys are the only ones that don't start with / Dictionary <string, string> masterkeys = new Dictionary <string, string>(); foreach (KeyValuePair <string, string> entry in arguments) { if (!entry.Key.StartsWith("/")) { masterkeys.Add(entry.Key, entry.Value); } } if (arguments.ContainsKey("/pvk")) { // use a domain DPAPI backup key to triage masterkeys masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments); } else if (arguments.ContainsKey("/mkfile")) { masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]); } else if (arguments.ContainsKey("/password")) { string password = arguments["/password"]; Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password); masterkeys = Triage.TriageUserMasterKeysWithPass(password); } if (arguments.ContainsKey("/target")) { string target = arguments["/target"].Trim('"').Trim('\''); if (Directory.Exists(target)) { Triage.TriageVaultFolder(target, masterkeys); } else { Console.WriteLine("\r\n[X] '{0}' is not a valid Vault directory.", target); } } else { if (arguments.ContainsKey("/server") && !arguments.ContainsKey("/pvk")) { Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !"); } else { Triage.TriageUserVaults(masterkeys, server); } } }
public void Execute(Dictionary <string, string> arguments) { Console.WriteLine("\r\n[*] Action: RDG Triage"); arguments.Remove("rdg"); string server = ""; // used for remote server specification bool unprotect = false; // whether to force CryptUnprotectData() if (arguments.ContainsKey("/unprotect")) { Console.WriteLine("\r\n[*] Using CryptUnprotectData() for decryption."); unprotect = true; } Console.WriteLine(""); if (arguments.ContainsKey("/server")) { server = arguments["/server"]; Console.WriteLine("[*] Triaging remote server: {0}\r\n", server); } // {GUID}:SHA1 keys are the only ones that don't start with / Dictionary <string, string> masterkeys = new Dictionary <string, string>(); foreach (KeyValuePair <string, string> entry in arguments) { if (!entry.Key.StartsWith("/")) { masterkeys.Add(entry.Key, entry.Value); } } if (arguments.ContainsKey("/pvk")) { // use a domain DPAPI backup key to triage masterkeys masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments); } else if (arguments.ContainsKey("/mkfile")) { masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]); } else if (arguments.ContainsKey("/password")) { string password = arguments["/password"]; Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password); masterkeys = Triage.TriageUserMasterKeysWithPass(password); } if (arguments.ContainsKey("/target")) { string target = arguments["/target"].Trim('"').Trim('\''); if (target.EndsWith(".rdg")) { Console.WriteLine("[*] Target .RDG File: {0}\r\n", target); Triage.TriageRDGFile(masterkeys, target, unprotect); } else if (target.EndsWith(".settings")) { Console.WriteLine("[*] Target RDCMan.settings File: {0}\r\n", target); Triage.TriageRDCManFile(masterkeys, target, unprotect); } else { Console.WriteLine("[X] Target must be .RDG or RDCMan.settings file: {0}\r\n", target); } } else { if (arguments.ContainsKey("/server") && !arguments.ContainsKey("/pvk")) { Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !"); } else { Triage.TriageRDCMan(masterkeys, server, unprotect); } } }
public void Execute(Dictionary <string, string> arguments) { Console.WriteLine("\r\n[*] Action: Describe DPAPI blob"); byte[] blobBytes; bool unprotect = false; // whether to force CryptUnprotectData() if (arguments.ContainsKey("/unprotect")) { Console.WriteLine("\r\n[*] Using CryptUnprotectData() for decryption."); unprotect = true; } Console.WriteLine(); if (arguments.ContainsKey("/target")) { string blob = arguments["/target"].Trim('"').Trim('\''); if (File.Exists(blob)) { blobBytes = File.ReadAllBytes(blob); } else { blobBytes = Convert.FromBase64String(blob); } } else { Console.WriteLine("[X] A /target:<BASE64 | file.bin> must be supplied!"); return; } // {GUID}:SHA1 keys are the only ones that don't start with / Dictionary <string, string> masterkeys = new Dictionary <string, string>(); foreach (KeyValuePair <string, string> entry in arguments) { if (!entry.Key.StartsWith("/")) { masterkeys.Add(entry.Key, entry.Value); } } if (arguments.ContainsKey("/pvk")) { // use a domain DPAPI backup key to triage masterkeys masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments); } else if (arguments.ContainsKey("/mkfile")) { masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]); } else if (arguments.ContainsKey("/password")) { string password = arguments["/password"]; Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password); masterkeys = Triage.TriageUserMasterKeysWithPass(password); } //byte[] decBytes = Dpapi.DescribeDPAPIBlob(blobBytes, masterkeys, "blob", unprotect); if (blobBytes.Length > 0) { byte[] decBytesRaw = Dpapi.DescribeDPAPIBlob(blobBytes, masterkeys, "blob", unprotect); if ((decBytesRaw != null) && (decBytesRaw.Length != 0)) { if (Helpers.IsUnicode(decBytesRaw)) { string data = ""; int finalIndex = Array.LastIndexOf(decBytesRaw, (byte)0); if (finalIndex > 1) { byte[] decBytes = new byte[finalIndex + 1]; Array.Copy(decBytesRaw, 0, decBytes, 0, finalIndex); data = Encoding.Unicode.GetString(decBytes); } else { data = Encoding.ASCII.GetString(decBytesRaw); } Console.WriteLine(" dec(blob) : {0}", data); } else { string hexData = BitConverter.ToString(decBytesRaw).Replace("-", " "); Console.WriteLine(" dec(blob) : {0}", hexData); } } } }