def setUp(self): self.raw = ("01000000d08c9ddf0115d1118c7a00c0" "4fc297eb010000003fb376ba974b974e" "96037865fb972cec0000000044000000" "7000770064003a006600750066006600" "61003b00200065006e00740072006f00" "70007900280061007300630069006900" "29003d005500700054006f0041007000" "70000000106600000001000020000000" "600ed99a7cba8250b56e6571a852a435" "ba30522905fc6f297c2f5a31d6b7fa45" "000000000e8000000002000020000000" "dc2539884092c76194a57bbf090e94dc" "ec850a23f03afcef723de96b6b1a4638" "10000000d747986bfd422553f30c8fb1" "265e1365400000003c4236133cc43d41" "6ed650106e0f980de4c58e5db4513ea0" "605207b0835ac69c2c95f3b5b26511c4" "4543a996b390952689843a20dbbaa209" "e6440b74ff02c49c").decode("hex") self.mkey = ("c942b584a88a36f3ce8abe61a62d4036" "49dfdd8fd9b256a4a7ff64bfe2b60df8" "cb563be71d0d65f8be03ebdd76b4dba1" "68a9e3883fee758d2c4aeef040571cc2").decode("hex") self.blob = blob.DPAPIBlob(self.raw) self.entropy = "UpToApp\x00"
def preprocess(self, **k): self.login = k.get("login", None) entrop = [0x69f31ea3, 0x1fd96207, 0x7d35e91e, 0x487dd24f] seed = 0xba0da71d maxint = 0xffffffff # Compute entropy arr = array.array('B') arr.fromstring(k["username"] + k["computername"]) for i, v in enumerate(arr): entrop[i & 3] ^= (seed * v) & maxint seed = (seed * 0xbc8f) & maxint self.entropy = "".join( map(lambda y: struct.pack("<L", y & maxint), entrop)) # Decode & extract blob v = entrop[0] | 1 arr = array.array('B') for i in range(4, len(self.raw), 2): a = (((ord(self.raw[i]) - 0x21) << 4) & 0xf0) | ( (ord(self.raw[i + 1]) - 0x21) & 0x0f) arr.append((a - (v & 0xff)) % 256) v = (v * 0x0ff5) & maxint self.dpapiblob = blob.DPAPIBlob(arr.tostring())
def decrypt_credential_block(mkp, credential_block): """Helper to decrypt credential block.""" sblob_raw = ''.join( b.raw_data for b in credential_block.CREDENTIAL_DEC_BLOCK_ENC) sblob = blob.DPAPIBlob(sblob_raw) return decrypt_blob(mkp, sblob)
def parse(self, data): """Parses raw data into structured data. Automatically called by __init__. You should not call it manually. data is a DataStruct object. """ self.dpapiblob = blob.DPAPIBlob(data.remain())
def preprocess(self, **k): self.entropy = self.APPLE_ENTROPY with open(k["aoskit"], "rb") as f: plist = CFPropertyList.CFPropertyList(f) plist.load() plist_values = CFPropertyList.native_types(plist.value) self.account = plist_values.keys()[0] plist_data_dict = plist_values[self.account] self.dpapiblob = blob.DPAPIBlob(plist_data_dict['data'])
def parse(self, data): self.crc_ok = False self.user_key = None self.dbx_key = None data.pop('B') self.crc = data.pop_string(self.V0_CRC_LEN) self.raw = data.remain() self.version, dpapi_len = data.eat('LL') self.dpapiblob = blob.DPAPIBlob(data.eat_string(dpapi_len))
def parse(self, data): tmp = data.read("L") d = data if tmp == 0: ## Windows 7 data.read("L") self.credtype = data.eat("L") data.eat("L") else: ## Windows XP d = data.eat_sub(tmp) d.eat("2L") self.credtype = d.eat("L") self.timestamp = d.eat("Q") #timestamp 64bits if self.timestamp > 0: self.timestamp /= 10000000 self.timestamp -= 11644473600 d.eat("L") self.persist = d.eat("L") d.eat("3L") #NULL self.name = d.eat_length_and_string("L").decode("UTF-16LE") self.comment = d.eat_length_and_string("L").decode("UTF-16LE") self.alias = d.eat_length_and_string("L").decode("UTF-16LE") if tmp == 0: ## windows 7 d.eat_length_and_string("L") self.username = d.eat_length_and_string("L").decode("UTF-16LE") self.password = None if self.credtype == 1 or self.credtype == 4: self.dpapiblob = blob.DPAPIBlob(d.eat_length_and_string("L")) elif self.credtype == 2: # domain password self.password = d.eat_length_and_string("L") self.password = self.password.decode('UTF-16LE') self.dpapiblob = None elif self.credtype == 3: # domain certificate self.password = d.eat_length_and_string("L") self.dpapiblob = None self.entropy = self._entropy.get(self.credtype) if self.entropy is not None: s = "" for c in self.entropy: s += struct.pack("<h", ord(c) << 2) self.entropy = s
def getwifipassword(self, systemhive, securityhive, masterkeydir, profiledirectory): """ getwifipassword returns all wifi passwords located at X:/ProgramData/Microsoft/Wlansvc """ reg = registry.Regedit() secrets = reg.get_lsa_secrets(securityhive, systemhive) dpapi_system = secrets.get('DPAPI_SYSTEM')['CurrVal'] mkp = masterkey.MasterKeyPool() mkp.loadDirectory(masterkeydir) mkp.addSystemCredential(dpapi_system) mkp.try_credential_hash(None, None) finalpass = dict() for root, _, files in os.walk(profiledirectory): for file in files: filepath = os.path.join(root, file) with open(filepath, 'r') as f: file_data = f.read().replace('\x0a', '').replace('\x0d', '') wifi_name = re.search('<name>([^<]+)</name>', file_data) wifi_name = wifi_name.group(1) key_material_re = re.search( '<keyMaterial>([0-9A-F]+)</keyMaterial>', file_data) if not key_material_re: continue key_material = key_material_re.group(1) wblob = blob.DPAPIBlob(key_material.decode('hex')) wifi_pwd = '<not decrypted>' mks = mkp.getMasterKeys(wblob.mkguid) for mk in mks: if mk.decrypted: wblob.decrypt(mk.get_key()) if wblob.decrypted: wifi_pwd = wblob.cleartext break print 'Wifi:{} Password:{}'.format(wifi_name, wifi_pwd) finalpass[wifi_name] = wifi_pwd print finalpass return finalpass
def setUp(self): self.raw = ("01000000d08c9ddf0115d1118c7a00c0" "4fc297eb010000002f44b69f6a628049" "9c85d238be955b3c000000003c000000" "4400500041005000490063006b002000" "730069006d0070006c00650020006200" "6c006f0062002000670065006e006500" "7200610074006f007200000003660000" "a80000001000000055d9d46709e463db" "53c783ec1edd69dc0000000004800000" "a00000001000000038d39c66910558b6" "a4e961b5de40e84918000000eae8acdd" "f984a8efae7701754baf9f844c9f1cbd" "df818a9f14000000be5c65c109be3c7f" "d4787df81e923b596f635d0f").decode("hex") self.mkey = ("f1cd9c3915428d12c0e9bf5ac0c44dda" "647e6e387118c09eb00a294e485a3f6e" "fe47f16686ad5f60fbd740164de87711" "6eb70d35445b22ddebdb02b0d55ee613").decode("hex") self.blob = blob.DPAPIBlob(self.raw)
def setUp(self): self.raw = ("01000000d08c9ddf0115d1118c7a00c0" "4fc297eb010000003fb376ba974b974e" "96037865fb972cec0000000002000000" "00001066000000010000200000009798" "683005ff678f507036b44bcbbcfe1501" "15346bf67bd75ad73b42ce6331bf0000" "00000e800000000200002000000040da" "71bec41e2cf971d270977099e1d34030" "f0875de802967769f7b4906cbc951000" "00005ccee1467028df028177bda3c9c3" "40574000000045fb9275a0e852ed4b9f" "2e34ec6100bb2d3bd5225da37bccb73b" "fb89b4073dc215840c8beeb728201ab6" "9a41945c944cf6ae645d2e69d00b752c" "a1552b42ed3d").decode("hex") self.mkey = ("c942b584a88a36f3ce8abe61a62d4036" "49dfdd8fd9b256a4a7ff64bfe2b60df8" "cb563be71d0d65f8be03ebdd76b4dba1" "68a9e3883fee758d2c4aeef040571cc2").decode("hex") self.blob = blob.DPAPIBlob(self.raw)
def setUp(self): self.raw = ("01000000d08c9ddf0115d1118c7a00c0" "4fc297eb0100000018fa1d263223e549" "93d9388d2f271486000000003c000000" "4400500041005000490063006b002000" "730069006d0070006c00650020006200" "6c006f0062002000670065006e006500" "7200610074006f007200000003660000" "a8000000100000000c1e54f10d3ac713" "ef4c19dbc440e4a70000000004800000" "a000000010000000bde7c0f3b1d5def7" "cbb6669c2c2b361c2000000062658248" "66ed719fe25046d193bf6fd8252be099" "ac10609b50677b57ea61bbbf14000000" "5906ca660b04e0c1bce743ebe5b21aa9" "e79acc1f").decode("hex") self.mkey = ("d0c624a61e4080ac28ec07f33466581ec" "04980f26953aa940258dc4ced7fd5452" "51208d88d6bac5c64b5cd69b4e214009" "3174f51ab07f0f5fb7a45462a2c00e4").decode("hex") self.blob = blob.DPAPIBlob(self.raw) self.entropy = "toto123"
def preprocess(self, **k): s = [] if k.get('file'): f = open(k['file'], "r") s = f.read().split("\n") f.close() elif k.get('content'): s = k['content'].split("\n") for l in s: (n, t, v) = l.split(":", 3) v = v.rstrip() if t == 'i': v = int(v) elif t == 'b': if len(v) & 1 == 1: # if odd length, strip the last quartet which should be a # useless "0" v = v[:-1] v = v.decode('hex') self.values[n] = v if self.values['password 51']: self.dpapiblob = blob.DPAPIBlob(self.values['password 51'])
def parse(self, data): self.dpapiblob = blob.DPAPIBlob(data.remain())
def getOutlookPassword(self, mkpDir, sid, credHist, ntUser, userPassword): dic = {} ''' OutlokkMasterkey = "/home/hackaton/Escritorio/dropbox/Archivos necesarios/Protect/S-1-5-21-3173276068-3308429807-3105269238-1000" OutlookSID = "S-1-5-21-3173276068-3308429807-3105269238-1000" OutlookCredhist = "/home/hackaton/Escritorio/dropbox/Archivos necesarios/Protect/CREDHIST" Ntuser = "******" Userpassword = "******"''' mkp = masterkey.MasterKeyPool() mkp.loadDirectory(mkpDir) mkp.addCredhistFile(sid, credHist) mkp.try_credential(sid, userPassword) # Credential of the USER email = [] password = [] # Open the registry with open(ntUser, 'rb') as f: r = registry.Registry.Registry(f) # Path of the Outlook file in Registry directory = r.open( 'Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676' ) for reg in directory.subkeys(): auxreg = [] for regnumber in reg.values(): # 000001 000002 000003..... auxreg.append(regnumber.name()) # For IMAP if "IMAP Password" in auxreg: username = reg.value('Email').value() password = reg.value('IMAP Password').value() break # For IMAP if "POP3 Password" in auxreg: username = reg.value('Email').value() password = reg.value('POP3 Password').value() break # Function de hacer cosas for char in username: if char.encode("hex") != "00": email.append(char) finalusername = ''.join(email) dic['user'] = finalusername # File to create the blob fi = open("blob", 'w') notruncate = password # This password is not truncated, need to delete the first byte passwordhex = password.encode("hex") # Convert the hex to hexadecimal binstr = binascii.unhexlify( passwordhex[2:]) # The blop does not need the first byte. fi.write(binstr) # Write the blop in a file fi.close() blob1 = blob.DPAPIBlob(open( 'blob', 'rb').read()) # Load the blop from the file finalpass = [] mks = mkp.getMasterKeys(blob1.mkguid) for mk in mks: if mk.decrypted: blob1.decrypt(mk.get_key()) if blob1.decrypted: password = blob1.cleartext for char in password: if char.encode("hex") != "00": finalpass.append(char) finalpassword = ''.join(finalpass) dic['password'] = finalpassword try: os.remove("blob") except: pass return {self.__class__.__name__: dic}
def parse(self, data): self.dpapiblob = blob.DPAPIBlob(data.remain()) self.cleartext = None
def parse(self, data): self.dpapiblob = blob.DPAPIBlob(data.remain()) self.cleartext = None self.login = None self.password = None self.other = []
reg = registry.Regedit() secrets = reg.get_lsa_secrets(options.security, options.system) dpapi_system = secrets.get('DPAPI_SYSTEM')['CurrVal'] smkp = masterkey.MasterKeyPool() smkp.loadDirectory(options.sysmkdir) smkp.addSystemCredential(dpapi_system) smkp.try_credential_hash(None, None) can_decrypt_sys_blob = True for cred_file in args: with open(cred_file, 'rb') as fin: print '-' * 79 enc_cred = vaultstruct.CREDENTIAL_FILE.parse(fin.read()) cred_blob = blob.DPAPIBlob(enc_cred.data.raw) if umkp: dec_cred, res_err = decrypt_blob(umkp, cred_blob) elif smkp: dec_cred, res_err = decrypt_blob(smkp, cred_blob) else: sys.exit('No MasterKey pools available!') if not dec_cred: helper_dec_err(res_err) continue cred_dec = vaultstruct.CREDENTIAL_DECRYPTED.parse(dec_cred) print cred_dec if cred_dec.header.unk_type == 3:
secrets = reg.get_lsa_secrets(options.security, options.system) dpapi_system = secrets.get('DPAPI_SYSTEM')['CurrVal'] smkp = masterkey.MasterKeyPool() smkp.loadDirectory(options.sysmkdir) smkp.addSystemCredential(dpapi_system) smkp.try_credential_hash(None, None) can_decrypt_sys_blob = True for cred_file in args: with open(cred_file, 'rb') as fin: print '-'*79 enc_cred = vaultstruct.CREDENTIAL_FILE.parse(fin.read()) print enc_cred cred_blob = blob.DPAPIBlob(enc_cred.blob) if umkp: dec_cred, res_err = decrypt_blob(umkp, cred_blob) elif smkp: dec_cred, res_err = decrypt_blob(smkp, cred_blob) else: sys.exit('No MasterKey pools available!') if not dec_cred: helper_dec_err(res_err) continue cred_dec = vaultstruct.CREDENTIAL_DECRYPTED.parse(dec_cred) print cred_dec if cred_dec.header.unk_type == 3:
from DPAPI.Core import masterkey from DPAPI.Core import registry except ImportError: raise ImportError('Missing dpapick, install it or set PYTHONPATH.') def check_parameters(options, args): """Simple checks on the parameters set by the user.""" if not args or not len(args) == 1: sys.exit('You must provide an argument.') elif not os.path.isfile(args[0]): sys.exit('Argument must be a file.') if __name__ == '__main__': """Utility core.""" usage = ( 'usage: %prog [*no-options*] BLOB file.\n\n' 'It tries to parse the input file and it reports the BLOB properties.') parser = optparse.OptionParser(usage=usage) (options, args) = parser.parse_args() check_parameters(options, args) try: blob = blob.DPAPIBlob(open(args[0], 'rb').read()) print blob except: print '\nBLOB parsing failure! See next details.\n' raise
def parse(self, data): self.login = None self.cleartext = None self.dpapiblob = blob.DPAPIBlob(data.remain()) self.entropy = None
mkp.try_credential_hash(None, None) else: if options.credhist: mkp.addCredhistFile(options.sid, options.credhist) if options.password: mkp.try_credential(options.sid, options.password) elif options.pwdhash: mkp.try_credential_hash(options.sid, options.pwdhash.decode('hex')) vaults_dir = args[0] vpol_filename = os.path.join(os.path.sep, vaults_dir, 'Policy.vpol') with open(vpol_filename, 'rb') as fin: vpol = vaultstruct.VAULT_POL.parse(fin.read()) vpol_blob = blob.DPAPIBlob(vaultstruct.DPAPI_BLOB_STRUCT.build(vpol.vpol_store.blob_store.raw)) vpol_decrypted = decrypt_blob(mkp, vpol_blob) if not vpol_decrypted: sys.exit('Unable to decrypt blob.') vpol_keys = vaultstruct.VAULT_POL_KEYS.parse(vpol_decrypted) key_aes128 = vpol_keys.vpol_key1.bcrypt_blob.key key_aes256 = vpol_keys.vpol_key2.bcrypt_blob.key for file in os.listdir(vaults_dir): if file.lower().endswith('.vcrd'): filepath = os.path.join(vaults_dir, file) print '-'*79 print 'Working on: %s\n' % file
secrets = reg.get_lsa_secrets(options.security, options.system) dpapi_system = secrets.get('DPAPI_SYSTEM')['CurrVal'] mkp = masterkey.MasterKeyPool() mkp.loadDirectory(options.masterkeydir) mkp.addSystemCredential(dpapi_system) mkp.try_credential_hash(None, None) for root, _, files in os.walk(options.wifi_dir): for file in files: filepath = os.path.join(root, file) with open(filepath, 'r') as f: file_data = f.read().replace('\x0a', '').replace('\x0d', '') wifi_name = re.search('<name>([^<]+)</name>', file_data) wifi_name = wifi_name.group(1) key_material_re = re.search( '<keyMaterial>([0-9A-F]+)</keyMaterial>', file_data) if not key_material_re: continue key_material = key_material_re.group(1) wblob = blob.DPAPIBlob(key_material.decode('hex')) wifi_pwd = '<not decrypted>' mks = mkp.getMasterKeys(wblob.mkguid) for mk in mks: if mk.decrypted: wblob.decrypt(mk.get_key()) if wblob.decrypted: wifi_pwd = wblob.cleartext break print 'Wifi:{} Password:{}'.format(wifi_name, wifi_pwd)
mkp.try_credential_hash(None, None) else: if options.credhist: mkp.addCredhistFile(options.sid, options.credhist) if options.password: mkp.try_credential(options.sid, options.password) elif options.pwdhash: mkp.try_credential_hash(options.sid, options.pwdhash.decode('hex')) vaults_dir = args[0] vpol_filename = os.path.join(os.path.sep, vaults_dir, 'Policy.vpol') with open(vpol_filename, 'rb') as fin: vpol = vaultstruct.VAULT_POL.parse(fin.read()) vpol_blob = blob.DPAPIBlob(vpol.vpol_store.blob_store.raw) vpol_decrypted = decrypt_blob(mkp, vpol_blob) if not vpol_decrypted: sys.exit('Unable to decrypt blob.') vpol_keys = vaultstruct.VAULT_POL_KEYS.parse(vpol_decrypted) key_aes128 = vpol_keys.vpol_key1.bcrypt_blob.key key_aes256 = vpol_keys.vpol_key2.bcrypt_blob.key for file in os.listdir(vaults_dir): if file.lower().endswith('.vcrd'): filepath = os.path.join(vaults_dir, file) print '-' * 79 print 'Working on: %s\n' % file
def parse(self, data): l = data.eat("L") - 4 self.wifiStruct = WirelessInfo.WifiStruct(data.eat("%us" % l)) self.dpapiblob = blob.DPAPIBlob(data.remain())