public void Execute(Dictionary <string, string> arguments)
{
Console.WriteLine("\r\n[*] Action: User DPAPI Credential Triage\r\n");
arguments.Remove("credentials");
if (arguments.ContainsKey("/target"))
{
string target = arguments["/target"];
arguments.Remove("/target");
if (arguments.ContainsKey("/pvk"))
{
// using a domain backup key to decrypt everything
string pvk64 = arguments["/pvk"];
byte[] backupKeyBytes;
if (File.Exists(pvk64))
{
backupKeyBytes = File.ReadAllBytes(pvk64);
}
else
{
backupKeyBytes = Convert.FromBase64String(pvk64);
}
// build a {GUID}:SHA1 masterkey mappings
Dictionary <string, string> mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false);
if (mappings.Count == 0)
{
Console.WriteLine("\r\n[!] No master keys decrypted!\r\n");
}
else
{
Console.WriteLine("\r\n[*] User master key cache:\r\n");
foreach (KeyValuePair <string, string> kvp in mappings)
{
Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
}
}
Console.WriteLine("\r\n[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!\r\n");
arguments = mappings;
}
if (File.Exists(target))
{
Console.WriteLine("[*] Target Credential File: {0}\r\n", target);
Triage.TriageCredFile(target, arguments);
}
else if (Directory.Exists(target))
{
Console.WriteLine("[*] Target Credential Folder: {0}\r\n", target);
Triage.TriageCredFolder(target, arguments);
}
else
{
Console.WriteLine("\r\n[X] '{0}' is not a valid file or directory.", target);
}
}
else if (arguments.ContainsKey("/pvk"))
{
// using a domain backup key to decrypt everything
string pvk64 = arguments["/pvk"];
string server = "";
byte[] backupKeyBytes;
if (File.Exists(pvk64))
{
backupKeyBytes = File.ReadAllBytes(pvk64);
}
else
{
backupKeyBytes = Convert.FromBase64String(pvk64);
}
Console.WriteLine("[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!");
// build a {GUID}:SHA1 masterkey mappings
Dictionary <string, string> mappings = new Dictionary <string, string>();
if (arguments.ContainsKey("/server"))
{
server = arguments["/server"];
Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false, server);
}
else
{
Console.WriteLine("");
mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false);
}
if (mappings.Count == 0)
{
Console.WriteLine("[!] No master keys decrypted!\r\n");
}
else
{
Console.WriteLine("[*] User master key cache:\r\n");
foreach (KeyValuePair <string, string> kvp in mappings)
{
Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
}
Console.WriteLine();
}
Triage.TriageUserCreds(mappings, server);
}
else
{
if (arguments.ContainsKey("/server"))
{
Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !");
}
else
{
Triage.TriageUserCreds(arguments);
}
}
}
public void Execute(Dictionary <string, string> arguments)
{
Console.WriteLine("\r\n[*] Action: User DPAPI Credential Triage\r\n");
arguments.Remove("credentials");
Dictionary <string, string> masterkeys = new Dictionary <string, string>();
string server = ""; // used for remote server specification
if (arguments.ContainsKey("/server"))
{
server = arguments["/server"];
Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
}
// {GUID}:SHA1 keys are the only ones that don't start with /
foreach (KeyValuePair <string, string> entry in arguments)
{
if (!entry.Key.StartsWith("/"))
{
masterkeys.Add(entry.Key, entry.Value);
}
}
if (arguments.ContainsKey("/pvk"))
{
// use a domain DPAPI backup key to triage masterkeys
masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
}
else if (arguments.ContainsKey("/mkfile"))
{
masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
}
else if (arguments.ContainsKey("/password"))
{
string password = arguments["/password"];
Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
if (arguments.ContainsKey("/server"))
{
masterkeys = Triage.TriageUserMasterKeys(null, true, arguments["/server"], password);
}
else
{
masterkeys = Triage.TriageUserMasterKeys(null, true, "", password);
}
}
if (arguments.ContainsKey("/target"))
{
string target = arguments["/target"].Trim('"').Trim('\'');
if (File.Exists(target))
{
Console.WriteLine("[*] Target Credential File: {0}\r\n", target);
Triage.TriageCredFile(target, masterkeys);
}
else if (Directory.Exists(target))
{
Console.WriteLine("[*] Target Credential Folder: {0}\r\n", target);
Triage.TriageCredFolder(target, masterkeys);
}
else
{
Console.WriteLine("\r\n[X] '{0}' is not a valid file or directory.", target);
}
}
else
{
if (arguments.ContainsKey("/server") && !arguments.ContainsKey("/pvk") && !arguments.ContainsKey("/password"))
{
Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' or '/password:X' !");
}
else
{
Triage.TriageUserCreds(masterkeys, server);
}
}
}
