/// <summary>
/// Entry point for the "cert" action: builds a {GUID}:SHA1 masterkey lookup from the
/// supplied switches and hands it to the certificate triage helpers in <c>Triage</c>.
/// </summary>
/// <param name="arguments">Parsed command-line switches. Keys that start with '/' are
/// options; any other key is treated as a {GUID}:SHA1 masterkey entry. The dictionary
/// is mutated (the action name is removed).</param>
public void Execute(Dictionary<string, string> arguments)
{
    Console.WriteLine("\r\n[*] Action: Cert Triage");
    // the action name has no leading '/', so drop it before the masterkey scan below
    arguments.Remove("cert");
    string server = ""; // used for remote server specification

    // {GUID}:SHA1 keys are the only ones that don't start with /
    Dictionary<string, string> masterkeys = new Dictionary<string, string>();
    foreach (KeyValuePair<string, string> entry in arguments)
    {
        if (!entry.Key.StartsWith("/"))
        {
            masterkeys.Add(entry.Key, entry.Value);
        }
    }

    // /pvk, /mkfile and /password each REPLACE the lookup collected above rather than
    // merging into it; only the first matching switch (in that order) is honoured.
    if (arguments.ContainsKey("/pvk"))
    {
        // use a domain DPAPI backup key to triage masterkeys
        masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
    }
    else if (arguments.ContainsKey("/mkfile"))
    {
        masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
    }
    else if (arguments.ContainsKey("/password"))
    {
        string password = arguments["/password"];
        // NOTE(review): the password is echoed to stdout in clear text and ends up in
        // any transcript or log that captures the console output.
        Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
        if (arguments.ContainsKey("/server"))
        {
            masterkeys = Triage.TriageUserMasterKeys(null, true, arguments["/server"], password);
        }
        else
        {
            masterkeys = Triage.TriageUserMasterKeys(null, true, "", password);
        }
    }

    if (arguments.ContainsKey("/server"))
    {
        server = arguments["/server"];
        Console.WriteLine("[*] Triaging Certificates from remote server: {0}\r\n", server);
        Triage.TriageUserCerts(masterkeys, server);
    }

    // NOTE(review): this is not an else-branch of the /server check, so /server without
    // /target triages the remote host above AND then runs the local TriageUserCerts call.
    if (arguments.ContainsKey("/target"))
    {
        // strip one layer of surrounding double quotes, then single quotes
        string target = arguments["/target"].Trim('"').Trim('\'');
        Console.WriteLine("[*] Target Certificate File: {0}\r\n", target);
        Triage.TriageCertFile(target, masterkeys);
    }
    else
    {
        Triage.TriageUserCerts(masterkeys);
    }

    Console.WriteLine("[*] Hint: openssl pkcs12 -in cert.pem -keyex -CSP \"Microsoft Enhanced Cryptographic Provider v1.0\" -export -out cert.pfx");
}
/// <summary>
/// Entry point for the PSCredential .xml action: resolves a {GUID}:SHA1 masterkey lookup
/// from the switches and passes the mandatory /target to <c>Triage.TriagePSCredFile</c>.
/// </summary>
/// <param name="arguments">Parsed command-line switches; keys without a leading '/' are
/// taken as {GUID}:SHA1 masterkey entries.</param>
public void Execute(Dictionary<string, string> arguments)
{
    Console.WriteLine("\r\n[*] Action: Describe PSCredential .xml");
    string target = "";
    bool unprotect = false; // whether to force CryptUnprotectData()

    if (arguments.ContainsKey("/unprotect"))
    {
        Console.WriteLine("\r\n[*] Using CryptUnprotectData() for decryption.");
        unprotect = true;
    }
    Console.WriteLine();

    // /target is mandatory; print usage and stop otherwise. Note that, unlike the other
    // actions, the value is not stripped of surrounding quotes here.
    if (arguments.ContainsKey("/target"))
    {
        target = arguments["/target"];
    }
    else
    {
        Console.WriteLine("[X] A /target:<BASE64 | file.bin> must be supplied!");
        return;
    }

    // {GUID}:SHA1 keys are the only ones that don't start with /
    Dictionary<string, string> masterkeys = new Dictionary<string, string>();
    foreach (KeyValuePair<string, string> entry in arguments)
    {
        if (!entry.Key.StartsWith("/"))
        {
            masterkeys.Add(entry.Key, entry.Value);
        }
    }

    // /pvk, /mkfile and /password each replace the lookup built above; first match wins.
    if (arguments.ContainsKey("/pvk"))
    {
        // use a domain DPAPI backup key to triage masterkeys
        masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
    }
    else if (arguments.ContainsKey("/mkfile"))
    {
        masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
    }
    else if (arguments.ContainsKey("/password"))
    {
        string password = arguments["/password"];
        // NOTE(review): the password is echoed to stdout in clear text.
        Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
        if (arguments.ContainsKey("/server"))
        {
            masterkeys = Triage.TriageUserMasterKeys(null, true, arguments["/server"], password);
        }
        else
        {
            masterkeys = Triage.TriageUserMasterKeys(null, true, "", password);
        }
    }

    Triage.TriagePSCredFile(masterkeys, target, unprotect);
}
/// <summary>
/// Entry point for the user masterkey file triage action: derives a {GUID}:SHA1 masterkey
/// cache with either a domain DPAPI backup key (/pvk) or a user password (/password) and
/// prints the result. One of the two switches is mandatory.
/// </summary>
/// <param name="arguments">Parsed command-line switches.</param>
public void Execute(Dictionary<string, string> arguments)
{
    Console.WriteLine("\r\n[*] Action: User DPAPI Masterkey File Triage\r\n");
    byte[] backupKeyBytes;
    string password;
    Dictionary<string, string> mappings = new Dictionary<string, string>();

    if (arguments.ContainsKey("/pvk"))
    {
        string pvk64 = arguments["/pvk"];
        // /pvk is either a path to a key file or the key itself in base64; a value that is
        // neither an existing file nor valid base64 makes FromBase64String throw FormatException.
        if (File.Exists(pvk64))
        {
            backupKeyBytes = File.ReadAllBytes(pvk64);
        }
        else
        {
            backupKeyBytes = Convert.FromBase64String(pvk64);
        }

        if (arguments.ContainsKey("/server"))
        {
            Console.WriteLine("[*] Triaging remote server: {0}\r\n", arguments["/server"]);
            mappings = Triage.TriageUserMasterKeys(backupKeyBytes, true, arguments["/server"]);
        }
        else
        {
            Console.WriteLine();
            mappings = Triage.TriageUserMasterKeys(backupKeyBytes, true);
        }
    }
    else if (arguments.ContainsKey("/password"))
    {
        password = arguments["/password"];
        // NOTE(review): the password is echoed to stdout in clear text.
        Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
        // NOTE(review): /server is silently ignored on this path; only the /pvk branch honours it.
        mappings = Triage.TriageUserMasterKeysWithPass(password);
    }
    else
    {
        Console.WriteLine("[X] A /pvk:BASE64 domain DPAPI backup key or /password must be supplied!");
        return;
    }

    if (mappings.Count == 0)
    {
        Console.WriteLine("\r\n[!] No master keys decrypted!\r\n");
    }
    else
    {
        Console.WriteLine("\r\n[*] User master key cache:\r\n");
        foreach (KeyValuePair<string, string> kvp in mappings)
        {
            Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
        }
    }
}
/// <summary>
/// Entry point for the "rdg" action: resolves a {GUID}:SHA1 masterkey lookup and triages
/// either a single /target (.rdg or RDCMan.settings file) or, without /target, the
/// current user's RDCMan data via <c>Triage.TriageRDCMan</c>.
/// </summary>
/// <param name="arguments">Parsed command-line switches; keys without a leading '/' are
/// taken as {GUID}:SHA1 masterkey entries. The action name is removed from it.</param>
public void Execute(Dictionary<string, string> arguments)
{
    Console.WriteLine("\r\n[*] Action: RDG Triage");
    // the action name has no leading '/', so drop it before the masterkey scan below
    arguments.Remove("rdg");
    string server = ""; // used for remote server specification
    bool unprotect = false; // whether to force CryptUnprotectData()

    if (arguments.ContainsKey("/unprotect"))
    {
        Console.WriteLine("\r\n[*] Using CryptUnprotectData() for decryption.");
        unprotect = true;
    }
    Console.WriteLine("");

    if (arguments.ContainsKey("/server"))
    {
        server = arguments["/server"];
        Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
    }

    // {GUID}:SHA1 keys are the only ones that don't start with /
    Dictionary<string, string> masterkeys = new Dictionary<string, string>();
    foreach (KeyValuePair<string, string> entry in arguments)
    {
        if (!entry.Key.StartsWith("/"))
        {
            masterkeys.Add(entry.Key, entry.Value);
        }
    }

    // /pvk, /mkfile and /password each replace the lookup built above; first match wins.
    if (arguments.ContainsKey("/pvk"))
    {
        // use a domain DPAPI backup key to triage masterkeys
        masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
    }
    else if (arguments.ContainsKey("/mkfile"))
    {
        masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
    }
    else if (arguments.ContainsKey("/password"))
    {
        string password = arguments["/password"];
        // NOTE(review): the password is echoed to stdout in clear text.
        Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
        if (arguments.ContainsKey("/server"))
        {
            masterkeys = Triage.TriageUserMasterKeys(null, true, arguments["/server"], password);
        }
        else
        {
            masterkeys = Triage.TriageUserMasterKeys(null, true, "", password);
        }
    }

    if (arguments.ContainsKey("/target"))
    {
        // strip one layer of surrounding double quotes, then single quotes
        string target = arguments["/target"].Trim('"').Trim('\'');
        // NOTE(review): EndsWith without a StringComparison is culture-sensitive and
        // case-sensitive, so an upper-case ".RDG" extension falls through to the error branch.
        if (target.EndsWith(".rdg"))
        {
            Console.WriteLine("[*] Target .RDG File: {0}\r\n", target);
            Triage.TriageRDGFile(masterkeys, target, unprotect);
        }
        else if (target.EndsWith(".settings"))
        {
            Console.WriteLine("[*] Target RDCMan.settings File: {0}\r\n", target);
            Triage.TriageRDCManFile(masterkeys, target, unprotect);
        }
        else
        {
            Console.WriteLine("[X] Target must be .RDG or RDCMan.settings file: {0}\r\n", target);
        }
    }
    else
    {
        // a remote /server only makes sense when a key source that can work remotely was given
        if (arguments.ContainsKey("/server") && !arguments.ContainsKey("/pvk") && !arguments.ContainsKey("/password"))
        {
            Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' or '/password:X' !");
        }
        else
        {
            Triage.TriageRDCMan(masterkeys, server, unprotect);
        }
    }
}
/// <summary>
/// Entry point for the "vaults" action. With /target it triages a single vault folder;
/// otherwise it triages the user's vaults, optionally on a remote /server, using a
/// {GUID}:SHA1 masterkey lookup derived from a domain DPAPI backup key (/pvk) or taken
/// straight from the argument dictionary.
/// </summary>
/// <param name="arguments">Parsed command-line switches. The action name and /target are
/// removed from it; in the /pvk branches the local variable is rebound to the masterkey
/// mapping, so the original switches are no longer visible afterwards.</param>
public void Execute(Dictionary<string, string> arguments)
{
    Console.WriteLine("\r\n[*] Action: User DPAPI Vault Triage\r\n");
    arguments.Remove("vaults");

    if (arguments.ContainsKey("/target"))
    {
        string target = arguments["/target"];
        arguments.Remove("/target");

        if (arguments.ContainsKey("/pvk"))
        {
            // using a domain backup key to decrypt everything
            string pvk64 = arguments["/pvk"];
            byte[] backupKeyBytes;
            // /pvk is either a path to a key file or the key itself in base64
            if (File.Exists(pvk64))
            {
                backupKeyBytes = File.ReadAllBytes(pvk64);
            }
            else
            {
                backupKeyBytes = Convert.FromBase64String(pvk64);
            }
            Console.WriteLine("[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!\r\n");

            // build a {GUID}:SHA1 masterkey mappings
            Dictionary<string, string> mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false);
            if (mappings.Count == 0)
            {
                Console.WriteLine("[!] No master keys decrypted!\r\n");
            }
            else
            {
                Console.WriteLine("[*] User master key cache:\r\n");
                foreach (KeyValuePair<string, string> kvp in mappings)
                {
                    Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
                }
                Console.WriteLine();
            }
            // from here on `arguments` holds only the masterkey lookup; the switches are gone
            arguments = mappings;
        }

        // without /pvk the raw switch dictionary is passed as the lookup; presumably the
        // consumer ignores keys that are not {GUID}:SHA1 pairs — verify in Triage
        if (Directory.Exists(target))
        {
            Console.WriteLine("[*] Target Vault Folder: {0}\r\n", target);
            Triage.TriageVaultFolder(target, arguments);
        }
        else
        {
            Console.WriteLine("\r\n[X] '{0}' is not a valid Vault directory.", target);
        }
    }
    else if (arguments.ContainsKey("/pvk"))
    {
        // using a domain backup key to decrypt everything
        string pvk64 = arguments["/pvk"];
        string server = "";
        byte[] backupKeyBytes;
        // /pvk is either a path to a key file or the key itself in base64
        if (File.Exists(pvk64))
        {
            backupKeyBytes = File.ReadAllBytes(pvk64);
        }
        else
        {
            backupKeyBytes = Convert.FromBase64String(pvk64);
        }
        Console.WriteLine("[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!");

        // build a {GUID}:SHA1 masterkey mappings
        Dictionary<string, string> mappings = new Dictionary<string, string>();
        if (arguments.ContainsKey("/server"))
        {
            server = arguments["/server"];
            Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
            mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false, server);
        }
        else
        {
            Console.WriteLine("");
            mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false);
        }

        if (mappings.Count == 0)
        {
            Console.WriteLine("[!] No master keys decrypted!\r\n");
        }
        else
        {
            Console.WriteLine("[*] User master key cache:\r\n");
            foreach (KeyValuePair<string, string> kvp in mappings)
            {
                Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
            }
            Console.WriteLine();
        }
        Triage.TriageUserVaults(mappings, server);
    }
    else
    {
        // remote triage needs the backup key; otherwise fall back to whatever keys were passed inline
        if (arguments.ContainsKey("/server"))
        {
            Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !");
        }
        else
        {
            Triage.TriageUserVaults(arguments);
        }
    }
}
/// <summary>
/// Entry point for the "triage" action (credentials plus vaults). With /pvk a {GUID}:SHA1
/// masterkey mapping is built from the domain DPAPI backup key, optionally against a
/// remote /server; without it the argument dictionary itself is used as the lookup.
/// </summary>
/// <param name="arguments">Parsed command-line switches; the action name is removed.</param>
public void Execute(Dictionary<string, string> arguments)
{
    Console.WriteLine("\r\n[*] Action: User DPAPI Credential and Vault Triage\r\n");
    arguments.Remove("triage");
    string server = "";

    if (arguments.ContainsKey("/pvk"))
    {
        // using a domain backup key to decrypt everything
        string pvk64 = arguments["/pvk"];
        // NOTE(review): unlike the other actions there is no File.Exists check here, so
        // /pvk must be base64; a file path makes FromBase64String throw FormatException.
        byte[] backupKeyBytes = Convert.FromBase64String(pvk64);
        Console.WriteLine("[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!");

        // build a {GUID}:SHA1 masterkey mappings
        Dictionary<string, string> mappings = new Dictionary<string, string>();
        if (arguments.ContainsKey("/server"))
        {
            server = arguments["/server"];
            Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
            mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false, server);
        }
        else
        {
            Console.WriteLine("");
            mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false);
        }

        if (mappings.Count == 0)
        {
            Console.WriteLine("[!] No master keys decrypted!\r\n");
        }
        else
        {
            Console.WriteLine("[*] Master key cache:\r\n");
            foreach (KeyValuePair<string, string> kvp in mappings)
            {
                Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
            }
            Console.WriteLine();
        }

        Triage.TriageUserCreds(mappings, server);
        // NOTE(review): `server` is not forwarded to the vault triage, unlike the call above;
        // confirm whether remote vault triage is intended on this path.
        Triage.TriageUserVaults(mappings);
        return;
    }
    else
    {
        // remote triage needs the backup key; otherwise use the inline {GUID}:SHA1 entries
        if (arguments.ContainsKey("/server"))
        {
            Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !");
            return;
        }
        else
        {
            Triage.TriageUserCreds(arguments);
            Triage.TriageUserVaults(arguments);
        }
    }
}
/// <summary>
/// Entry point for the "credentials" action: resolves a {GUID}:SHA1 masterkey lookup and
/// triages either a single credential file or folder given by /target, or the current
/// user's credentials (optionally on a remote /server).
/// </summary>
/// <param name="arguments">Parsed command-line switches; keys without a leading '/' are
/// taken as {GUID}:SHA1 masterkey entries. The action name is removed from it.</param>
public void Execute(Dictionary<string, string> arguments)
{
    Console.WriteLine("\r\n[*] Action: User DPAPI Credential Triage\r\n");
    // the action name has no leading '/', so drop it before the masterkey scan below
    arguments.Remove("credentials");
    Dictionary<string, string> masterkeys = new Dictionary<string, string>();
    string server = ""; // used for remote server specification

    if (arguments.ContainsKey("/server"))
    {
        server = arguments["/server"];
        Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
    }

    // {GUID}:SHA1 keys are the only ones that don't start with /
    foreach (KeyValuePair<string, string> entry in arguments)
    {
        if (!entry.Key.StartsWith("/"))
        {
            masterkeys.Add(entry.Key, entry.Value);
        }
    }

    // /pvk, /mkfile and /password each replace the lookup built above; first match wins.
    if (arguments.ContainsKey("/pvk"))
    {
        // use a domain DPAPI backup key to triage masterkeys
        masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
    }
    else if (arguments.ContainsKey("/mkfile"))
    {
        masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
    }
    else if (arguments.ContainsKey("/password"))
    {
        string password = arguments["/password"];
        // NOTE(review): the password is echoed to stdout in clear text.
        Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
        if (arguments.ContainsKey("/server"))
        {
            masterkeys = Triage.TriageUserMasterKeys(null, true, arguments["/server"], password);
        }
        else
        {
            masterkeys = Triage.TriageUserMasterKeys(null, true, "", password);
        }
    }

    if (arguments.ContainsKey("/target"))
    {
        // strip one layer of surrounding double quotes, then single quotes
        string target = arguments["/target"].Trim('"').Trim('\'');
        if (File.Exists(target))
        {
            Console.WriteLine("[*] Target Credential File: {0}\r\n", target);
            Triage.TriageCredFile(target, masterkeys);
        }
        else if (Directory.Exists(target))
        {
            Console.WriteLine("[*] Target Credential Folder: {0}\r\n", target);
            Triage.TriageCredFolder(target, masterkeys);
        }
        else
        {
            Console.WriteLine("\r\n[X] '{0}' is not a valid file or directory.", target);
        }
    }
    else
    {
        // a remote /server only makes sense when a key source that can work remotely was given
        if (arguments.ContainsKey("/server") && !arguments.ContainsKey("/pvk") && !arguments.ContainsKey("/password"))
        {
            Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' or '/password:X' !");
        }
        else
        {
            Triage.TriageUserCreds(masterkeys, server);
        }
    }
}
/// <summary>
/// Entry point for the "rdg" action (earlier variant). With /target it triages a single
/// .rdg or .settings file or an RDG folder; with /pvk alone it builds a {GUID}:SHA1
/// masterkey mapping (optionally from a remote /server) and triages the user's RDCMan
/// data; otherwise the argument dictionary itself is used as the lookup.
/// </summary>
/// <param name="arguments">Parsed command-line switches. The action name, /unprotect and
/// /target are removed from it; in the /target+/pvk branch the local variable is rebound
/// to the masterkey mapping.</param>
public void Execute(Dictionary<string, string> arguments)
{
    Console.WriteLine("\r\n[*] Action: RDG Triage\r\n");
    arguments.Remove("rdg");

    // whether to use CryptUnprotectData() instead of masterkeys
    bool unprotect = false;
    if (arguments.ContainsKey("/unprotect"))
    {
        unprotect = true;
        arguments.Remove("/unprotect");
        Console.WriteLine("[*] Using CryptUnprotectData() to decrypt RDG passwords\r\n");
        // CryptUnprotectData only works in the local user context, so /server is rejected here
        if (arguments.ContainsKey("/server"))
        {
            Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !");
            return;
        }
    }

    if (arguments.ContainsKey("/target"))
    {
        string target = arguments["/target"];
        arguments.Remove("/target");

        if (arguments.ContainsKey("/pvk"))
        {
            // using a domain backup key to decrypt everything
            string pvk64 = arguments["/pvk"];
            byte[] backupKeyBytes;
            // /pvk is either a path to a key file or the key itself in base64
            if (File.Exists(pvk64))
            {
                backupKeyBytes = File.ReadAllBytes(pvk64);
            }
            else
            {
                backupKeyBytes = Convert.FromBase64String(pvk64);
            }

            // build a {GUID}:SHA1 masterkey mappings
            Dictionary<string, string> mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false);
            if (mappings.Count == 0)
            {
                Console.WriteLine("\r\n[!] No master keys decrypted!\r\n");
            }
            else
            {
                Console.WriteLine("\r\n[*] User master key cache:\r\n");
                foreach (KeyValuePair<string, string> kvp in mappings)
                {
                    Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
                }
            }
            Console.WriteLine("\r\n[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!\r\n");
            // from here on `arguments` holds only the masterkey lookup; the switches are gone
            arguments = mappings;
        }

        // NOTE(review): EndsWith without a StringComparison is culture-sensitive and
        // case-sensitive, so an upper-case ".RDG" extension falls through to the error branch.
        if (File.Exists(target))
        {
            if (target.EndsWith(".rdg"))
            {
                Console.WriteLine("[*] Target .RDG File: {0}\r\n", target);
                Triage.TriageRDGFile(arguments, target, unprotect);
            }
            else if (target.EndsWith(".settings"))
            {
                Console.WriteLine("[*] Target RDCMan.settings File: {0}\r\n", target);
                Triage.TriageRDCManFile(arguments, target, unprotect);
            }
            else
            {
                Console.WriteLine("[X] Target must be .RDG or RDCMan.settings file: {0}\r\n", target);
            }
        }
        else if (Directory.Exists(target))
        {
            Console.WriteLine("[*] Target RDG Folder: {0}\r\n", target);
            Triage.TriageRDGFolder(arguments, target, unprotect);
        }
        else
        {
            Console.WriteLine("\r\n[X] '{0}' is not a valid file or directory.", target);
        }
    }
    else if (arguments.ContainsKey("/pvk"))
    {
        // using a domain backup key to decrypt everything
        string pvk64 = arguments["/pvk"];
        string server = "";
        byte[] backupKeyBytes;
        // /pvk is either a path to a key file or the key itself in base64
        if (File.Exists(pvk64))
        {
            backupKeyBytes = File.ReadAllBytes(pvk64);
        }
        else
        {
            backupKeyBytes = Convert.FromBase64String(pvk64);
        }
        Console.WriteLine("[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!");

        // build a {GUID}:SHA1 masterkey mappings
        Dictionary<string, string> mappings = new Dictionary<string, string>();
        if (arguments.ContainsKey("/server"))
        {
            server = arguments["/server"];
            Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
            mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false, server);
        }
        else
        {
            Console.WriteLine("");
            mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false);
        }

        if (mappings.Count == 0)
        {
            Console.WriteLine("[!] No master keys decrypted!\r\n");
        }
        else
        {
            Console.WriteLine("[*] User master key cache:\r\n");
            foreach (KeyValuePair<string, string> kvp in mappings)
            {
                Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
            }
            Console.WriteLine();
        }
        Triage.TriageRDCMan(mappings, server, unprotect);
    }
    else
    {
        if (arguments.ContainsKey("/server"))
        {
            //Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' !");
            Console.WriteLine("[X] /server:X option not currently supported for this function!");
        }
        else
        {
            // the raw switch dictionary doubles as the {GUID}:SHA1 lookup here
            Triage.TriageRDCMan(arguments, "", unprotect);
        }
    }
}
/// <summary>
/// Entry point for the "blob" action: loads a DPAPI blob from /target (file path or
/// base64), resolves a {GUID}:SHA1 masterkey lookup and optional /entropy, and prints
/// the decrypted bytes as UTF-16 text, ASCII, or a hex dump.
/// </summary>
/// <param name="arguments">Parsed command-line switches; keys without a leading '/' are
/// taken as {GUID}:SHA1 masterkey entries.</param>
public void Execute(Dictionary<string, string> arguments)
{
    Console.WriteLine("\r\n[*] Action: Describe DPAPI blob");
    byte[] blobBytes;
    bool unprotect = false; // whether to force CryptUnprotectData()
    byte[] entropy = null;  // optional additional entropy, hex-decoded from /entropy below

    if (arguments.ContainsKey("/unprotect"))
    {
        Console.WriteLine("\r\n[*] Using CryptUnprotectData() for decryption.");
        unprotect = true;
    }
    Console.WriteLine();

    // /target is mandatory; a value that is neither an existing file nor valid base64
    // makes FromBase64String throw FormatException
    if (arguments.ContainsKey("/target"))
    {
        // strip one layer of surrounding double quotes, then single quotes
        string blob = arguments["/target"].Trim('"').Trim('\'');
        if (File.Exists(blob))
        {
            blobBytes = File.ReadAllBytes(blob);
        }
        else
        {
            blobBytes = Convert.FromBase64String(blob);
        }
    }
    else
    {
        Console.WriteLine("[X] A /target:<BASE64 | file.bin> must be supplied!");
        return;
    }

    // {GUID}:SHA1 keys are the only ones that don't start with /
    Dictionary<string, string> masterkeys = new Dictionary<string, string>();
    foreach (KeyValuePair<string, string> entry in arguments)
    {
        if (!entry.Key.StartsWith("/"))
        {
            masterkeys.Add(entry.Key, entry.Value);
        }
    }

    // /pvk, /mkfile and /password each replace the lookup built above; first match wins.
    if (arguments.ContainsKey("/pvk"))
    {
        // use a domain DPAPI backup key to triage masterkeys
        masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
    }
    else if (arguments.ContainsKey("/mkfile"))
    {
        masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
    }
    else if (arguments.ContainsKey("/password"))
    {
        string password = arguments["/password"];
        // NOTE(review): the password is echoed to stdout in clear text.
        Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
        if (arguments.ContainsKey("/server"))
        {
            masterkeys = Triage.TriageUserMasterKeys(null, true, arguments["/server"], password);
        }
        else
        {
            masterkeys = Triage.TriageUserMasterKeys(null, true, "", password);
        }
    }

    if (arguments.ContainsKey("/entropy"))
    {
        entropy = Helpers.ConvertHexStringToByteArray(arguments["/entropy"]);
    }

    // an empty base64 string yields a zero-length array, which is skipped silently
    if (blobBytes.Length > 0)
    {
        byte[] decBytesRaw = Dpapi.DescribeDPAPIBlob(blobBytes, masterkeys, "blob", unprotect, entropy);
        if ((decBytesRaw != null) && (decBytesRaw.Length != 0))
        {
            // Helpers.IsUnicode is a project heuristic; its exact test is not visible here
            if (Helpers.IsUnicode(decBytesRaw))
            {
                string data = "";
                // position of the last 0x00 byte, used as the end of the UTF-16 text
                int finalIndex = Array.LastIndexOf(decBytesRaw, (byte)0);
                if (finalIndex > 1)
                {
                    // copies finalIndex bytes into a finalIndex + 1 buffer, so the last slot
                    // stays 0x00 before the UTF-16LE decode
                    byte[] decBytes = new byte[finalIndex + 1];
                    Array.Copy(decBytesRaw, 0, decBytes, 0, finalIndex);
                    data = Encoding.Unicode.GetString(decBytes);
                }
                else
                {
                    data = Encoding.ASCII.GetString(decBytesRaw);
                }
                Console.WriteLine(" dec(blob) : {0}", data);
            }
            else
            {
                // non-text output is shown as space-separated hex
                string hexData = BitConverter.ToString(decBytesRaw).Replace("-", " ");
                Console.WriteLine(" dec(blob) : {0}", hexData);
            }
        }
    }
}
/// <summary>
/// Entry point for the "certificates" action. With /machine it works against machine
/// (SYSTEM) masterkeys — from /mkfile, inline {GUID}:SHA1 entries, or, when elevated,
/// <c>Triage.TriageSystemMasterKeys</c>; otherwise it resolves user masterkeys from
/// /pvk, /mkfile or /password and triages user certificates locally, on a remote
/// /server, or from a /target file or folder.
/// </summary>
/// <param name="arguments">Parsed command-line switches; keys without a leading '/' are
/// taken as {GUID}:SHA1 masterkey entries. The action name is removed from it.</param>
public void Execute(Dictionary<string, string> arguments)
{
    Console.WriteLine("\r\n[*] Action: Certificate Triage");
    // the action name has no leading '/', so drop it before the masterkey scan below
    arguments.Remove("certificates");
    string server = ""; // used for remote server specification
    bool cng = false; // used for CNG certs
    bool showall = false; // forwarded to the triage helpers; the filtering it controls lives in Triage
    // NOTE(review): machineStore is assigned below but never read in this method
    bool machineStore = false; // use the machine store instead of the personal certificate store

    // {GUID}:SHA1 keys are the only ones that don't start with /
    Dictionary<string, string> masterkeys = new Dictionary<string, string>();
    foreach (KeyValuePair<string, string> entry in arguments)
    {
        if (!entry.Key.StartsWith("/"))
        {
            masterkeys.Add(entry.Key, entry.Value);
        }
    }

    if (arguments.ContainsKey("/cng"))
    {
        cng = true;
    }
    if (arguments.ContainsKey("/showall"))
    {
        showall = true;
    }

    if (arguments.ContainsKey("/machine"))
    {
        // machine certificate triage
        machineStore = true;

        // on the machine path /mkfile is the only file-based key source; /pvk and /password are not consulted
        if (arguments.ContainsKey("/mkfile"))
        {
            masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
        }

        if (arguments.ContainsKey("/target"))
        {
            // strip one layer of surrounding double quotes, then single quotes
            string target = arguments["/target"].Trim('"').Trim('\'');
            if (masterkeys.Count == 0)
            {
                Console.WriteLine("\r\n[X] Either a '/mkfile:X' or {GUID}:key needs to be passed in order to use '/target' for machine masterkeys");
            }
            else
            {
                if (File.Exists(target))
                {
                    Console.WriteLine("[*] Target Certificate File: {0}\r\n", target);
                    Triage.TriageCertFile(target, masterkeys, cng, showall);
                }
                else if (Directory.Exists(target))
                {
                    Console.WriteLine("[*] Target Certificate Folder: {0}\r\n", target);
                    Triage.TriageCertFolder(target, masterkeys, cng, showall);
                }
                else
                {
                    Console.WriteLine("\r\n[X] '{0}' is not a valid file or directory.", target);
                }
            }
        }
        else
        {
            if (masterkeys.Count == 0)
            {
                // if no /target and no masterkeys, try to extract the SYSTEM DPAPI creds
                // (requires a high-integrity process; the check is a project helper)
                if (!Helpers.IsHighIntegrity())
                {
                    Console.WriteLine("[X] Must be elevated to triage SYSTEM DPAPI Credentials!");
                }
                else
                {
                    masterkeys = Triage.TriageSystemMasterKeys();
                    Console.WriteLine("\r\n[*] SYSTEM master key cache:\r\n");
                    foreach (KeyValuePair<string, string> kvp in masterkeys)
                    {
                        Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
                    }
                    Console.WriteLine();
                    Triage.TriageSystemCerts(masterkeys);
                }
            }
            else
            {
                // if we got machine masterkeys somehow else
                // NOTE(review): printing the bare count looks like leftover debug output
                Console.WriteLine(masterkeys.Count);
                Triage.TriageSystemCerts(masterkeys);
            }
        }
    }
    else
    {
        // user triage
        // /pvk, /mkfile and /password each replace the lookup built above; first match wins.
        if (arguments.ContainsKey("/pvk"))
        {
            // use a domain DPAPI backup key to triage masterkeys
            masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
        }
        else if (arguments.ContainsKey("/mkfile"))
        {
            masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
        }
        else if (arguments.ContainsKey("/password"))
        {
            string password = arguments["/password"];
            // NOTE(review): the password is echoed to stdout in clear text.
            Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
            if (arguments.ContainsKey("/server"))
            {
                masterkeys = Triage.TriageUserMasterKeys(null, true, arguments["/server"], password);
            }
            else
            {
                masterkeys = Triage.TriageUserMasterKeys(null, true, "", password);
            }
        }

        if (arguments.ContainsKey("/server"))
        {
            server = arguments["/server"];
            Console.WriteLine("[*] Triaging Certificates from remote server: {0}\r\n", server);
            Triage.TriageUserCerts(masterkeys, server, showall);
        }

        // NOTE(review): not an else-branch of the /server check, so /server without /target
        // triages the remote host above AND then runs the local TriageUserCerts call.
        if (arguments.ContainsKey("/target"))
        {
            // strip one layer of surrounding double quotes, then single quotes
            string target = arguments["/target"].Trim('"').Trim('\'');
            if (File.Exists(target))
            {
                Console.WriteLine("[*] Target Certificate File: {0}\r\n", target);
                Triage.TriageCertFile(target, masterkeys, cng, showall);
            }
            else if (Directory.Exists(target))
            {
                Console.WriteLine("[*] Target Certificate Folder: {0}\r\n", target);
                Triage.TriageCertFolder(target, masterkeys, cng, showall);
            }
            else
            {
                Console.WriteLine("\r\n[X] '{0}' is not a valid file or directory.", target);
            }
        }
        else
        {
            Triage.TriageUserCerts(masterkeys, "", showall);
        }
    }

    Console.WriteLine("\r\n[*] Hint: openssl pkcs12 -in cert.pem -keyex -CSP \"Microsoft Enhanced Cryptographic Provider v1.0\" -export -out cert.pfx");
}
/// <summary>
/// Entry point for the "blob" action (earlier variant): loads a DPAPI blob from /in
/// (file path or base64), builds a {GUID}:SHA1 masterkey mapping from /pvk or uses the
/// argument dictionary itself as the lookup, and prints the decrypted bytes as UTF-16
/// text or a hex dump.
/// </summary>
/// <param name="arguments">Parsed command-line switches.</param>
public void Execute(Dictionary<string, string> arguments)
{
    Console.WriteLine("\r\n[*] Action: Describe DPAPI blob\r\n");
    byte[] blobBytes;

    // /in is mandatory; a value that is neither an existing file nor valid base64
    // makes FromBase64String throw FormatException
    if (arguments.ContainsKey("/in"))
    {
        string blob = arguments["/in"];
        if (File.Exists(blob))
        {
            blobBytes = File.ReadAllBytes(blob);
        }
        else
        {
            blobBytes = Convert.FromBase64String(blob);
        }
        // NOTE(review): the switch is stored under "/in", so this Remove is a no-op and
        // "/in" stays in the dictionary that is later passed as the masterkey lookup.
        arguments.Remove("in");
    }
    else
    {
        Console.WriteLine("[X] An /in:<BASE64 | file> must be supplied!");
        return;
    }

    if (arguments.ContainsKey("/pvk"))
    {
        // using a domain backup key to decrypt everything
        string pvk64 = arguments["/pvk"];
        byte[] backupKeyBytes;
        // /pvk is either a path to a key file or the key itself in base64
        if (File.Exists(pvk64))
        {
            backupKeyBytes = File.ReadAllBytes(pvk64);
        }
        else
        {
            backupKeyBytes = Convert.FromBase64String(pvk64);
        }
        Console.WriteLine("[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!");

        // build a {GUID}:SHA1 masterkey mappings
        // (the empty dictionary is immediately replaced by the triage result)
        Dictionary<string, string> mappings = new Dictionary<string, string>();
        mappings = Triage.TriageUserMasterKeys(backupKeyBytes, false);
        if (mappings.Count == 0)
        {
            Console.WriteLine("[!] No master keys decrypted!\r\n");
        }
        else
        {
            Console.WriteLine("[*] User master key cache:\r\n");
            foreach (KeyValuePair<string, string> kvp in mappings)
            {
                Console.WriteLine("{0}:{1}", kvp.Key, kvp.Value);
            }
            Console.WriteLine();
        }

        // NOTE(review): decBytes is dereferenced without a null check; confirm that
        // DescribeDPAPIBlob never returns null on this path.
        byte[] decBytes = Dpapi.DescribeDPAPIBlob(blobBytes, mappings, "blob");
        if (decBytes.Length != 0)
        {
            // Helpers.IsUnicode is a project heuristic; its exact test is not visible here
            if (Helpers.IsUnicode(decBytes))
            {
                Console.WriteLine(" dec(blob) : {0}", System.Text.Encoding.Unicode.GetString(decBytes));
            }
            else
            {
                // non-text output is shown as space-separated hex (the variable name is misleading)
                string b64DecBytesString = BitConverter.ToString(decBytes).Replace("-", " ");
                Console.WriteLine(" dec(blob) : {0}", b64DecBytesString);
            }
        }
    }
    else
    {
        // the raw switch dictionary doubles as the {GUID}:SHA1 lookup here
        byte[] decBytes = Dpapi.DescribeDPAPIBlob(blobBytes, arguments, "blob");
        if (decBytes.Length != 0)
        {
            if (Helpers.IsUnicode(decBytes))
            {
                Console.WriteLine(" dec(blob) : {0}", System.Text.Encoding.Unicode.GetString(decBytes));
            }
            else
            {
                string b64DecBytesString = BitConverter.ToString(decBytes).Replace("-", " ");
                Console.WriteLine(" dec(blob) : {0}", b64DecBytesString);
            }
        }
    }
}
/// <summary>
/// Entry point for the "triage" action (later variant): resolves a {GUID}:SHA1 masterkey
/// lookup from /pvk, /mkfile, /password or inline entries, then runs the credential,
/// vault, RDCMan, KeePass and certificate triage helpers in sequence, locally or
/// against a remote /server.
/// </summary>
/// <param name="arguments">Parsed command-line switches; keys without a leading '/' are
/// taken as {GUID}:SHA1 masterkey entries. The action name is removed from it.</param>
public void Execute(Dictionary<string, string> arguments)
{
    Console.WriteLine("\r\n[*] Action: User DPAPI Credential and Vault Triage\r\n");
    // the action name has no leading '/', so drop it before the masterkey scan below
    arguments.Remove("triage");
    string server = ""; // used for remote server specification

    if (arguments.ContainsKey("/server"))
    {
        server = arguments["/server"];
        Console.WriteLine("[*] Triaging remote server: {0}\r\n", server);
    }

    // {GUID}:SHA1 keys are the only ones that don't start with /
    Dictionary<string, string> masterkeys = new Dictionary<string, string>();
    foreach (KeyValuePair<string, string> entry in arguments)
    {
        if (!entry.Key.StartsWith("/"))
        {
            masterkeys.Add(entry.Key, entry.Value);
        }
    }

    // /pvk, /mkfile and /password each replace the lookup built above; first match wins.
    if (arguments.ContainsKey("/pvk"))
    {
        // use a domain DPAPI backup key to triage masterkeys
        masterkeys = SharpDPAPI.Dpapi.PVKTriage(arguments);
    }
    else if (arguments.ContainsKey("/mkfile"))
    {
        masterkeys = SharpDPAPI.Helpers.ParseMasterKeyFile(arguments["/mkfile"]);
    }
    else if (arguments.ContainsKey("/password"))
    {
        string password = arguments["/password"];
        // NOTE(review): the password is echoed to stdout in clear text.
        Console.WriteLine("[*] Will decrypt user masterkeys with password: {0}\r\n", password);
        if (arguments.ContainsKey("/server"))
        {
            masterkeys = Triage.TriageUserMasterKeys(null, true, arguments["/server"], password);
        }
        else
        {
            masterkeys = Triage.TriageUserMasterKeys(null, true, "", password);
        }
    }

    // a remote /server only makes sense when a key source that can work remotely was given
    if (arguments.ContainsKey("/server") && !arguments.ContainsKey("/pvk") && !arguments.ContainsKey("/password"))
    {
        Console.WriteLine("[X] The '/server:X' argument must be used with '/pvk:BASE64...' or '/password:X' !");
    }
    else
    {
        Triage.TriageUserCreds(masterkeys, server);
        Triage.TriageUserVaults(masterkeys, server);
        Console.WriteLine();
        // the third argument of TriageRDCMan/TriageKeePass matches the `unprotect` flag used by
        // the rdg action: true = fall back to CryptUnprotectData, false = use the lookup
        if (masterkeys.Count == 0)
        {
            // try to use CryptUnprotectData if no GUID lookups supplied
            Triage.TriageRDCMan(masterkeys, server, true);
            Triage.TriageKeePass(masterkeys, server, true);
        }
        else
        {
            Triage.TriageRDCMan(masterkeys, server, false);
            Triage.TriageKeePass(masterkeys, server, false);
        }
        // the trailing false corresponds to the `showall` argument of the certificates action
        Triage.TriageUserCerts(masterkeys, server, false);
    }
}