/// <summary>
/// Prints the "Checking Windows Vault" section: a heading, a reference link, and then
/// whatever <c>VaultCli.DumpVault()</c> returns, rendered through <c>Beaprint.DictPrint</c>.
/// </summary>
/// <remarks>
/// Any exception raised while dumping or printing is reduced to its message and reported
/// through <c>Beaprint.PrintException</c>; nothing is rethrown to the caller.
/// NOTE(review): the highlight pattern names Identity/Credential/Resource, so the printed
/// output presumably carries stored credential material - confirm, and handle captured
/// output of this check as sensitive.
/// </remarks>
private static void PrintVaultCreds()
{
    try
    {
        Beaprint.MainPrint("Checking Windows Vault");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault");

        var dumpedEntries = VaultCli.DumpVault();

        // Single rule: anything matching the identity/credential/resource pattern is
        // printed with the "bad" colour.
        var highlightRules = new Dictionary<string, string>();
        highlightRules.Add("Identity.*|Credential.*|Resource.*", Beaprint.ansi_color_bad);

        Beaprint.DictPrint(dumpedEntries, highlightRules, true, true);
    }
    catch (Exception failure)
    {
        // Only the message is surfaced; the stack trace is intentionally not printed here.
        Beaprint.PrintException(failure.Message);
    }
}
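/// <summary>
/// Walks the vaults returned by <c>VaultCli.VaultEnumerateVaults</c> and yields one
/// <c>WindowsVaultDTO</c> for each vault that could be opened and whose items could be listed.
/// </summary>
/// <param name="args">Command arguments; not read by this method.</param>
/// <returns>
/// A lazily produced sequence of <c>WindowsVaultDTO</c> objects. A vault that fails to open or
/// enumerate is reported through <c>WriteError</c> and skipped; if the initial vault enumeration
/// fails the sequence is empty.
/// </returns>
/// <remarks>
/// Each <c>VaultEntry</c> stores the authenticator value as a plain string in <c>Credential</c>,
/// so every formatter, log sink or file that receives these DTOs holds cleartext secrets.
/// NOTE(review): <c>vaultGuidPtr</c>, <c>vaultItemPtr</c>, <c>passwordVaultItem</c> and
/// <c>vaultHandle</c> are handed back by native calls and nothing in this method releases them;
/// confirm whether the interop class exposes matching free/close entry points and call them
/// in a finally block.
/// </remarks>
public override IEnumerable<CommandDTOBase?> Execute(string[] args)
{
    // pulled directly from @djhohnstein's SharpWeb project: https://github.com/djhohnstein/SharpWeb/blob/master/Edge/SharpEdge.cs
    var OSVersion = Environment.OSVersion.Version;

    // A reported version carries a build number, so 6.2.<build> already compares greater than
    // the two-part "6.2"; the item layout with a package SID is selected from that point on.
    var hasPackageSid = OSVersion > new Version("6.2");
    Type VAULT_ITEM = hasPackageSid
        ? typeof(VaultCli.VAULT_ITEM_WIN8)
        : typeof(VaultCli.VAULT_ITEM_WIN7);

    // The layout is fixed for the whole run, so the reflection lookups are done once.
    var schemaIdField = VAULT_ITEM.GetField("SchemaId");
    var resourceField = VAULT_ITEM.GetField("pResourceElement");
    var identityField = VAULT_ITEM.GetField("pIdentityElement");
    var lastModifiedField = VAULT_ITEM.GetField("LastModified");
    var authenticatorField = VAULT_ITEM.GetField("pAuthenticatorElement");
    var packageSidField = hasPackageSid ? VAULT_ITEM.GetField("pPackageSid") : null;

    var vaultCount = 0;
    var vaultGuidPtr = IntPtr.Zero;
    var result = VaultCli.VaultEnumerateVaults(0, ref vaultCount, ref vaultGuidPtr);

    if (result != 0)
    {
        // Status codes are rendered in hexadecimal so they match the "0x" prefix.
        WriteError($"Unable to enumerate vaults. Error (0x{result:X})");
        yield break;
    }

    // Create dictionary to translate Guids to human readable elements
    var vaultSchema = new Dictionary<Guid, string>
    {
        { new Guid("2F1A6504-0641-44CF-8BB5-3612D865F2E5"), "Windows Secure Note" },
        { new Guid("3CCD5499-87A8-4B10-A215-608888DD3B55"), "Windows Web Password Credential" },
        { new Guid("154E23D0-C644-4E6F-8CE6-5069272F999F"), "Windows Credential Picker Protector" },
        { new Guid("4BF4C442-9B8A-41A0-B380-DD4A704DDB28"), "Web Credentials" },
        { new Guid("77BC582B-F0A6-4E15-4E80-61736B6F3B29"), "Windows Credentials" },
        { new Guid("E69D7838-91B5-4FC9-89D5-230D4D4CC2BC"), "Windows Domain Certificate Credential" },
        { new Guid("3E0E35BE-1B77-43E7-B873-AED901B6275B"), "Windows Domain Password Credential" },
        { new Guid("3C886FF3-2669-4AA2-A8FB-3F6759A77548"), "Windows Extended Credential" },
        { new Guid("00000000-0000-0000-0000-000000000000"), null }
    };

    var guidAddress = vaultGuidPtr;
    for (var i = 0; i < vaultCount; i++)
    {
        // Read the next GUID from the native array and step the cursor past it.
        var vaultGuid = (Guid)Marshal.PtrToStructure(guidAddress, typeof(Guid));
        guidAddress = (IntPtr)(guidAddress.ToInt64() + Marshal.SizeOf(typeof(Guid)));

        // Known GUIDs get their friendly name (null for the all-zero GUID); unknown ones
        // fall back to the GUID text.
        string vaultType = vaultSchema.TryGetValue(vaultGuid, out var knownName)
            ? knownName
            : vaultGuid.ToString();

        var vaultHandle = IntPtr.Zero;
        result = VaultCli.VaultOpenVault(ref vaultGuid, (uint)0, ref vaultHandle);
        if (result != 0)
        {
            WriteError($"Unable to open the following vault: {vaultType}. Error: 0x{result:X}");
            continue;
        }

        // Vault opened successfully! Continue.
        var entries = new List<VaultEntry>();

        // Fetch all items within Vault
        var vaultItemCount = 0;
        var vaultItemPtr = IntPtr.Zero;
        result = VaultCli.VaultEnumerateItems(vaultHandle, 512, ref vaultItemCount, ref vaultItemPtr);
        if (result != 0)
        {
            WriteError($"Unable to enumerate vault items from the following vault: {vaultType}. Error 0x{result:X}");
            continue;
        }

        var structAddress = vaultItemPtr;
        for (var j = 1; j <= vaultItemCount; j++)
        {
            // Marshal the current item, then advance before any early exit so a failed
            // item does not stall the cursor.
            var currentItem = Marshal.PtrToStructure(structAddress, VAULT_ITEM);
            structAddress = (IntPtr)(structAddress.ToInt64() + Marshal.SizeOf(VAULT_ITEM));

            var passwordVaultItem = IntPtr.Zero;

            // Field Info retrieval
            var schemaId = new Guid(schemaIdField.GetValue(currentItem).ToString());
            var pResourceElement = (IntPtr)resourceField.GetValue(currentItem);
            var pIdentityElement = (IntPtr)identityField.GetValue(currentItem);
            var lastModified = (ulong)lastModifiedField.GetValue(currentItem);

            var pPackageSid = IntPtr.Zero;
            if (hasPackageSid)
            {
                // Newer versions have package sid
                pPackageSid = (IntPtr)packageSidField.GetValue(currentItem);
                result = VaultCli.VaultGetItem_WIN8(vaultHandle, ref schemaId, pResourceElement, pIdentityElement, pPackageSid, IntPtr.Zero, 0, ref passwordVaultItem);
            }
            else
            {
                result = VaultCli.VaultGetItem_WIN7(vaultHandle, ref schemaId, pResourceElement, pIdentityElement, IntPtr.Zero, 0, ref passwordVaultItem);
            }

            if (result != 0)
            {
                WriteError($"Could not retrieve vault item. Error: 0x{result:X}");
                continue;
            }

            var passwordItem = Marshal.PtrToStructure(passwordVaultItem, VAULT_ITEM);
            var pAuthenticatorElement = (IntPtr)authenticatorField.GetValue(passwordItem);

            try
            {
                // Fetch the credential from the authenticator element
                var cred = GetVaultElementValue(pAuthenticatorElement);
                var packageSid = pPackageSid != IntPtr.Zero ? GetVaultElementValue(pPackageSid) : null;

                if (cred == null)
                {
                    // No authenticator value could be read for this item.
                    continue;
                }

                // With result filtering on, items whose credential is blank are dropped.
                if (Runtime.FilterResults && String.IsNullOrEmpty(cred.ToString().TrimEnd()))
                {
                    continue;
                }

                var entry = new VaultEntry();

                var resource = GetVaultElementValue(pResourceElement);
                if (resource != null)
                {
                    entry.Resource = $"{resource}";
                }

                var identity = GetVaultElementValue(pIdentityElement);
                if (identity != null)
                {
                    entry.Identity = $"{identity}";
                }

                if (packageSid != null)
                {
                    entry.PackageSid = $"{packageSid}";
                }

                // Cleartext secret: stored as-is on the entry.
                entry.Credential = $"{cred}";
                entry.LastModified = DateTime.FromFileTimeUtc((long)lastModified);
                entries.Add(entry);
            }
            catch (Exception e)
            {
                // One unreadable item must not abort the rest of the vault.
                WriteError("Exception: " + e.Message);
                continue;
            }
        }

        yield return new WindowsVaultDTO()
        {
            VaultGUID = vaultGuid,
            VaultType = vaultType,
            VaultEntries = entries
        };
    }
}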