Пример #1
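        /// <summary>
        /// Decrypts the DPAPI masterkey files stored under the SYSTEM profile folder
        /// (<c>%SystemDrive%\Windows\System32\Microsoft\Protect\</c>) with the keys returned
        /// by <c>LSADump.GetDPAPIKeys</c>.
        /// </summary>
        /// <remarks>
        /// Does nothing except print a message unless <c>Helpers.IsHighIntegrity()</c> is true.
        /// For every sub-directory of the Protect folder, GUID-named files directly inside it are
        /// decrypted with <c>keys[0]</c> ("machine") and GUID-named files in its <c>User</c>
        /// sub-folder with <c>keys[1]</c> ("user"). A failure on one file is printed and skipped.
        /// Review note: the returned values are secret key material and should not be logged or
        /// persisted by callers; reads of these files from an unexpected process are worth auditing.
        /// </remarks>
        /// <param name="show">When true, prints the path of every masterkey file that is found.</param>
        /// <returns>
        /// The entries produced by <c>Dpapi.DecryptMasterKeyWithSha</c> for every file that decrypted
        /// (presumably masterkey GUID to decrypted key; confirm against <c>Dpapi</c>). Empty when the
        /// process is not elevated or nothing could be decrypted.
        /// </returns>
        public static Dictionary <string, string> TriageSystemMasterKeys(bool show = false)
        {
            // Masterkey files are named after a GUID. The pattern is unanchored and is applied to
            // the full path, exactly as before; it is now declared once instead of twice.
            const string masterKeyGuidPattern = @"[0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12}";

            Dictionary <string, string> mappings = new Dictionary <string, string>();

            if (!Helpers.IsHighIntegrity())
            {
                Console.WriteLine("\r\n[X] Must be elevated to triage SYSTEM masterkeys!\r\n");
                return mappings;
            }

            // Per the original author's comment the list is { machine , user }; the `true`
            // argument asks the helper to display the keys.
            // NOTE(review): keys[0] / keys[1] are indexed below without a length check; a shorter
            // list shows up as one "[X] Error triaging" line per file.
            List <byte[]> keys = LSADump.GetDPAPIKeys(true);

            string systemFolder = String.Format("{0}\\Windows\\System32\\Microsoft\\Protect\\", Environment.GetEnvironmentVariable("SystemDrive"));

            foreach (string directory in Directory.GetDirectories(systemFolder))
            {
                string[] machineFiles = Directory.GetFiles(directory);

                // The "User" sub-folder is optional; treat a missing one as an empty file list.
                string userFolder = String.Format("{0}\\User\\", directory);
                string[] userFiles = Directory.Exists(userFolder) ? Directory.GetFiles(userFolder) : new string[0];

                foreach (string machineFile in machineFiles)
                {
                    if (!Regex.IsMatch(machineFile, masterKeyGuidPattern))
                    {
                        continue;
                    }

                    if (show)
                    {
                        Console.WriteLine("[*] Found SYSTEM system MasterKey : {0}", machineFile);
                    }

                    byte[] masterKeyBytes = File.ReadAllBytes(machineFile);
                    try
                    {
                        // use the "machine" DPAPI key
                        Dictionary <string, string> decrypted = Dpapi.DecryptMasterKeyWithSha(masterKeyBytes, keys[0]);
                        foreach (KeyValuePair <string, string> entry in decrypted)
                        {
                            mappings.Add(entry.Key, entry.Value);
                        }
                    }
                    catch (Exception e)
                    {
                        // Best effort: report the file that failed and carry on with the next one.
                        Console.WriteLine("[X] Error triaging {0} : {1}", machineFile, e.Message);
                    }
                }

                foreach (string userFile in userFiles)
                {
                    if (!Regex.IsMatch(userFile, masterKeyGuidPattern))
                    {
                        continue;
                    }

                    if (show)
                    {
                        Console.WriteLine("[*] Found SYSTEM user MasterKey : {0}", userFile);
                    }

                    byte[] masterKeyBytes = File.ReadAllBytes(userFile);
                    try
                    {
                        // use the "user" DPAPI key
                        Dictionary <string, string> decrypted = Dpapi.DecryptMasterKeyWithSha(masterKeyBytes, keys[1]);
                        foreach (KeyValuePair <string, string> entry in decrypted)
                        {
                            mappings.Add(entry.Key, entry.Value);
                        }
                    }
                    catch (Exception e)
                    {
                        // Best effort: report the file that failed and carry on with the next one.
                        Console.WriteLine("[X] Error triaging {0} : {1}", userFile, e.Message);
                    }
                }
            }

            return mappings;
        }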
Пример #2
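        /// <summary>
        /// Decrypts the DPAPI masterkey files stored under the SYSTEM profile folder
        /// (<c>%SystemDrive%\Windows\System32\Microsoft\Protect\</c>) with the keys returned
        /// by <c>LSADump.GetDPAPIKeys</c>.
        /// </summary>
        /// <remarks>
        /// Does nothing except print a message unless <c>Helpers.IsHighIntegrity()</c> is true.
        /// For every sub-directory of the Protect folder, GUID-named files directly inside it are
        /// decrypted with <c>keys[0]</c> ("machine") and GUID-named files in its <c>User</c>
        /// sub-folder with <c>keys[1]</c> ("user"). A failure on one file is printed and skipped.
        /// Review note: the returned values are secret key material and should not be logged or
        /// persisted by callers; reads of these files from an unexpected process are worth auditing.
        /// </remarks>
        /// <param name="show">When true, prints the path of every masterkey file that is found.</param>
        /// <returns>
        /// One entry per file that decrypted, built from the <c>Key</c>/<c>Value</c> pair returned by
        /// <c>Dpapi.DecryptMasterKeyWithSha</c> (presumably masterkey GUID to decrypted key; confirm
        /// against <c>Dpapi</c>). Empty when the process is not elevated or nothing could be decrypted.
        /// </returns>
        public static Dictionary <string, string> TriageSystemMasterKeys(bool show = false)
        {
            // Masterkey files are named after a GUID. The leading ".*\\" requires the GUID to follow
            // a path separator; the pattern is now declared once instead of twice.
            const string masterKeyGuidPattern = @".*\\[0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12}";

            var mappings = new Dictionary <string, string>();

            if (!Helpers.IsHighIntegrity())
            {
                Console.WriteLine("\r\n[X] Must be elevated to triage SYSTEM masterkeys!\r\n");
                return mappings;
            }

            // Per the original author's comment the list is { machine , user }; the `true`
            // argument asks the helper to display the keys.
            // NOTE(review): keys[0] / keys[1] are indexed below without a length check; a shorter
            // list shows up as one "[X] Error triaging" line per file.
            var keys = LSADump.GetDPAPIKeys(true);

            // NOTE(review): the result of GetSystem() is discarded and no matching revert is visible
            // in this method. Confirm that a failure is acceptable here and that the caller restores
            // the original security context afterwards.
            Helpers.GetSystem();

            var systemFolder =
                $"{Environment.GetEnvironmentVariable("SystemDrive")}\\Windows\\System32\\Microsoft\\Protect\\";

            foreach (var directory in Directory.GetDirectories(systemFolder))
            {
                var machineFiles = Directory.GetFiles(directory);

                // The "User" sub-folder is optional; treat a missing one as an empty file list.
                var userFolder = $"{directory}\\User\\";
                var userFiles = Directory.Exists(userFolder) ? Directory.GetFiles(userFolder) : new string[0];

                foreach (var machineFile in machineFiles)
                {
                    if (!Regex.IsMatch(machineFile, masterKeyGuidPattern))
                    {
                        continue;
                    }

                    if (show)
                    {
                        Console.WriteLine("[*] Found SYSTEM system MasterKey : {0}", machineFile);
                    }

                    var masterKeyBytes = File.ReadAllBytes(machineFile);
                    try
                    {
                        // use the "machine" DPAPI key
                        var plaintextMasterKey = Dpapi.DecryptMasterKeyWithSha(masterKeyBytes, keys[0]);
                        mappings.Add(plaintextMasterKey.Key, plaintextMasterKey.Value);
                    }
                    catch (Exception e)
                    {
                        // Best effort: report the file that failed and carry on with the next one.
                        Console.WriteLine("[X] Error triaging {0} : {1}", machineFile, e.Message);
                    }
                }

                foreach (var userFile in userFiles)
                {
                    if (!Regex.IsMatch(userFile, masterKeyGuidPattern))
                    {
                        continue;
                    }

                    if (show)
                    {
                        Console.WriteLine("[*] Found SYSTEM user MasterKey : {0}", userFile);
                    }

                    var masterKeyBytes = File.ReadAllBytes(userFile);
                    try
                    {
                        // use the "user" DPAPI key
                        var plaintextMasterKey = Dpapi.DecryptMasterKeyWithSha(masterKeyBytes, keys[1]);
                        mappings.Add(plaintextMasterKey.Key, plaintextMasterKey.Value);
                    }
                    catch (Exception e)
                    {
                        // Best effort: report the file that failed and carry on with the next one.
                        Console.WriteLine("[X] Error triaging {0} : {1}", userFile, e.Message);
                    }
                }
            }

            return mappings;
        }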