public void Execute(Dictionary <string, string> arguments) { Console.WriteLine("\r\n[*] Action: Machine DPAPI Credential, Vault, and Certificate Triage\r\n"); arguments.Remove("triage"); if (!Helpers.IsHighIntegrity()) { Console.WriteLine("[X] Must be elevated to triage SYSTEM DPAPI Credentials!"); } else { Dictionary <string, string> mappings = Triage.TriageSystemMasterKeys(); Console.WriteLine("\r\n[*] SYSTEM master key cache:\r\n"); foreach (KeyValuePair <string, string> kvp in mappings) { Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value); } Console.WriteLine(); Triage.TriageSystemCreds(mappings); Triage.TriageSystemVaults(mappings); Triage.TriageSystemCerts(mappings); } }
public void Execute(Dictionary <string, string> arguments) { Console.WriteLine("\r\n[*] Action: Machine DPAPI Certificate Triage\r\n"); if (!Helpers.IsHighIntegrity()) { Console.WriteLine("[X] Must be elevated to triage SYSTEM DPAPI Credentials!"); } else { Dictionary <string, string> mappings = Triage.TriageSystemMasterKeys(); Console.WriteLine("\r\n[*] SYSTEM master key cache:\r\n"); foreach (KeyValuePair <string, string> kvp in mappings) { Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value); } Console.WriteLine(); if (arguments.ContainsKey("/target")) { string target = arguments["/target"].Trim('"').Trim('\''); Console.WriteLine("[*] Target Certificate File: {0}\r\n", target); Triage.TriageCertFile(target, mappings, true); } else { Triage.TriageSystemCerts(mappings); } Console.WriteLine("[*] Hint: openssl pkcs12 -in cert.pem -keyex -CSP \"Microsoft Enhanced Cryptographic Provider v1.0\" -export -out cert.pfx"); } }
public void Execute(Dictionary <string, string> arguments) { Console.WriteLine("\r\n[*] Action: Machine DPAPI Credential and Vault Triage\r\n"); arguments.Remove("triage"); Dictionary <string, string> mappings = Triage.TriageSystemMasterKeys(); Triage.TriageSystemCreds(mappings); Triage.TriageSystemVaults(mappings); }
public void Execute(Dictionary <string, string> arguments) { Console.WriteLine("\r\n[*] Action: Machine DPAPI Masterkey File Triage\r\n"); Dictionary <string, string> mappings = Triage.TriageSystemMasterKeys(false); if (mappings.Count == 0) { Console.WriteLine("\r\n[!] No master keys decrypted!\r\n"); } else { Console.WriteLine("\r\n[*] SYSTEM master key cache:\r\n"); foreach (KeyValuePair <string, string> kvp in mappings) { Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value); } } }
public void Execute(Dictionary <string, string> arguments) { Console.WriteLine("\r\n[*] Action: Certificate Triage"); arguments.Remove("certificates"); string server = ""; // used for remote server specification bool cng = false; // used for CNG certs bool showall = false; // used for CNG certs bool machineStore = false; // use the machine store instead of the personal certificate store // {GUID}:SHA1 keys are the only ones that don't start with / Dictionary <string, string> masterkeys = new Dictionary <string, string>(); foreach (KeyValuePair <string, string> entry in arguments) { if (!entry.Key.StartsWith("/")) { masterkeys.Add(entry.Key, entry.Value); } } if (arguments.ContainsKey("/cng")) { cng = true; } if (arguments.ContainsKey("/showall")) { showall = true; } if (arguments.ContainsKey("/machine")) { // machine certificate triage machineStore = true; if (arguments.ContainsKey("/mkfile")) { masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]); } if (arguments.ContainsKey("/target")) { string target = arguments["/target"].Trim('"').Trim('\''); if (masterkeys.Count == 0) { Console.WriteLine("\r\n[X] Either a '/mkfile:X' or {GUID}:key needs to be passed in order to use '/target' for machine masterkeys"); } else { if (File.Exists(target)) { Console.WriteLine("[*] Target Certificate File: {0}\r\n", target); Triage.TriageCertFile(target, masterkeys, cng, showall); } else if (Directory.Exists(target)) { Console.WriteLine("[*] Target Certificate Folder: {0}\r\n", target); Triage.TriageCertFolder(target, masterkeys, cng, showall); } else { Console.WriteLine("\r\n[X] '{0}' is not a valid file or directory.", target); } } } else { if (masterkeys.Count == 0) { // if no /target and no masterkeys, try to extract the SYSTEM DPAPI creds if (!Helpers.IsHighIntegrity()) { Console.WriteLine("[X] Must be elevated to triage SYSTEM DPAPI Credentials!"); } else { masterkeys = Triage.TriageSystemMasterKeys(); Console.WriteLine("\r\n[*] SYSTEM master key cache:\r\n"); foreach (KeyValuePair <string, string> kvp in masterkeys) { Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value); } Console.WriteLine(); Triage.TriageSystemCerts(masterkeys); } } else { // if we got machine masterkeys somehow else Console.WriteLine(masterkeys.Count); Triage.TriageSystemCerts(masterkeys); } } } else { // user triage if (arguments.ContainsKey("/pvk")) { // use a domain DPAPI backup key to triage masterkeys masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments); } else if (arguments.ContainsKey("/mkfile")) { masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]); } else if (arguments.ContainsKey("/password")) { string password = arguments["/password"]; Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password); if (arguments.ContainsKey("/server")) { masterkeys = Triage.TriageUserMasterKeys(null, true, arguments["/server"], password); } else { masterkeys = Triage.TriageUserMasterKeys(null, true, "", password); } } if (arguments.ContainsKey("/server")) { server = arguments["/server"]; Console.WriteLine("[*] Triaging Certificates from remote server: {0}\r\n", server); Triage.TriageUserCerts(masterkeys, server, showall); } if (arguments.ContainsKey("/target")) { string target = arguments["/target"].Trim('"').Trim('\''); if (File.Exists(target)) { Console.WriteLine("[*] Target Certificate File: {0}\r\n", target); Triage.TriageCertFile(target, masterkeys, cng, showall); } else if (Directory.Exists(target)) { Console.WriteLine("[*] Target Certificate Folder: {0}\r\n", target); Triage.TriageCertFolder(target, masterkeys, cng, showall); } else { Console.WriteLine("\r\n[X] '{0}' is not a valid file or directory.", target); } } else { Triage.TriageUserCerts(masterkeys, "", showall); } } Console.WriteLine("\r\n[*] Hint: openssl pkcs12 -in cert.pem -keyex -CSP \"Microsoft Enhanced Cryptographic Provider v1.0\" -export -out cert.pfx"); }