def setUp(self):
self.raw = ("01000000d08c9ddf0115d1118c7a00c0"
"4fc297eb010000003fb376ba974b974e"
"96037865fb972cec0000000044000000"
"7000770064003a006600750066006600"
"61003b00200065006e00740072006f00"
"70007900280061007300630069006900"
"29003d005500700054006f0041007000"
"70000000106600000001000020000000"
"600ed99a7cba8250b56e6571a852a435"
"ba30522905fc6f297c2f5a31d6b7fa45"
"000000000e8000000002000020000000"
"dc2539884092c76194a57bbf090e94dc"
"ec850a23f03afcef723de96b6b1a4638"
"10000000d747986bfd422553f30c8fb1"
"265e1365400000003c4236133cc43d41"
"6ed650106e0f980de4c58e5db4513ea0"
"605207b0835ac69c2c95f3b5b26511c4"
"4543a996b390952689843a20dbbaa209"
"e6440b74ff02c49c").decode("hex")
self.mkey = ("c942b584a88a36f3ce8abe61a62d4036"
"49dfdd8fd9b256a4a7ff64bfe2b60df8"
"cb563be71d0d65f8be03ebdd76b4dba1"
"68a9e3883fee758d2c4aeef040571cc2").decode("hex")
self.blob = blob.DPAPIBlob(self.raw)
self.entropy = "UpToApp\x00"
def preprocess(self, **k):
self.login = k.get("login", None)
entrop = [0x69f31ea3, 0x1fd96207, 0x7d35e91e, 0x487dd24f]
seed = 0xba0da71d
maxint = 0xffffffff
# Compute entropy
arr = array.array('B')
arr.fromstring(k["username"] + k["computername"])
for i, v in enumerate(arr):
entrop[i & 3] ^= (seed * v) & maxint
seed = (seed * 0xbc8f) & maxint
self.entropy = "".join(
map(lambda y: struct.pack("<L", y & maxint), entrop))
# Decode & extract blob
v = entrop[0] | 1
arr = array.array('B')
for i in range(4, len(self.raw), 2):
a = (((ord(self.raw[i]) - 0x21) << 4) & 0xf0) | (
(ord(self.raw[i + 1]) - 0x21) & 0x0f)
arr.append((a - (v & 0xff)) % 256)
v = (v * 0x0ff5) & maxint
self.dpapiblob = blob.DPAPIBlob(arr.tostring())
def decrypt_credential_block(mkp, credential_block):
"""Helper to decrypt credential block."""
sblob_raw = ''.join(
b.raw_data for b in credential_block.CREDENTIAL_DEC_BLOCK_ENC)
sblob = blob.DPAPIBlob(sblob_raw)
return decrypt_blob(mkp, sblob)
def parse(self, data):
"""Parses raw data into structured data.
Automatically called by __init__. You should not call it manually.
data is a DataStruct object.
"""
self.dpapiblob = blob.DPAPIBlob(data.remain())
def preprocess(self, **k):
self.entropy = self.APPLE_ENTROPY
with open(k["aoskit"], "rb") as f:
plist = CFPropertyList.CFPropertyList(f)
plist.load()
plist_values = CFPropertyList.native_types(plist.value)
self.account = plist_values.keys()[0]
plist_data_dict = plist_values[self.account]
self.dpapiblob = blob.DPAPIBlob(plist_data_dict['data'])
def parse(self, data):
self.crc_ok = False
self.user_key = None
self.dbx_key = None
data.pop('B')
self.crc = data.pop_string(self.V0_CRC_LEN)
self.raw = data.remain()
self.version, dpapi_len = data.eat('LL')
self.dpapiblob = blob.DPAPIBlob(data.eat_string(dpapi_len))
def parse(self, data):
tmp = data.read("L")
d = data
if tmp == 0:
## Windows 7
data.read("L")
self.credtype = data.eat("L")
data.eat("L")
else:
## Windows XP
d = data.eat_sub(tmp)
d.eat("2L")
self.credtype = d.eat("L")
self.timestamp = d.eat("Q") #timestamp 64bits
if self.timestamp > 0:
self.timestamp /= 10000000
self.timestamp -= 11644473600
d.eat("L")
self.persist = d.eat("L")
d.eat("3L") #NULL
self.name = d.eat_length_and_string("L").decode("UTF-16LE")
self.comment = d.eat_length_and_string("L").decode("UTF-16LE")
self.alias = d.eat_length_and_string("L").decode("UTF-16LE")
if tmp == 0:
## windows 7
d.eat_length_and_string("L")
self.username = d.eat_length_and_string("L").decode("UTF-16LE")
self.password = None
if self.credtype == 1 or self.credtype == 4:
self.dpapiblob = blob.DPAPIBlob(d.eat_length_and_string("L"))
elif self.credtype == 2: # domain password
self.password = d.eat_length_and_string("L")
self.password = self.password.decode('UTF-16LE')
self.dpapiblob = None
elif self.credtype == 3: # domain certificate
self.password = d.eat_length_and_string("L")
self.dpapiblob = None
self.entropy = self._entropy.get(self.credtype)
if self.entropy is not None:
s = ""
for c in self.entropy:
s += struct.pack("<h", ord(c) << 2)
self.entropy = s
def getwifipassword(self, systemhive, securityhive, masterkeydir,
profiledirectory):
"""
getwifipassword returns all wifi passwords located at X:/ProgramData/Microsoft/Wlansvc
"""
reg = registry.Regedit()
secrets = reg.get_lsa_secrets(securityhive, systemhive)
dpapi_system = secrets.get('DPAPI_SYSTEM')['CurrVal']
mkp = masterkey.MasterKeyPool()
mkp.loadDirectory(masterkeydir)
mkp.addSystemCredential(dpapi_system)
mkp.try_credential_hash(None, None)
finalpass = dict()
for root, _, files in os.walk(profiledirectory):
for file in files:
filepath = os.path.join(root, file)
with open(filepath, 'r') as f:
file_data = f.read().replace('\x0a',
'').replace('\x0d', '')
wifi_name = re.search('<name>([^<]+)</name>', file_data)
wifi_name = wifi_name.group(1)
key_material_re = re.search(
'<keyMaterial>([0-9A-F]+)</keyMaterial>', file_data)
if not key_material_re:
continue
key_material = key_material_re.group(1)
wblob = blob.DPAPIBlob(key_material.decode('hex'))
wifi_pwd = '<not decrypted>'
mks = mkp.getMasterKeys(wblob.mkguid)
for mk in mks:
if mk.decrypted:
wblob.decrypt(mk.get_key())
if wblob.decrypted:
wifi_pwd = wblob.cleartext
break
print 'Wifi:{} Password:{}'.format(wifi_name, wifi_pwd)
finalpass[wifi_name] = wifi_pwd
print finalpass
return finalpass
def setUp(self):
self.raw = ("01000000d08c9ddf0115d1118c7a00c0"
"4fc297eb010000002f44b69f6a628049"
"9c85d238be955b3c000000003c000000"
"4400500041005000490063006b002000"
"730069006d0070006c00650020006200"
"6c006f0062002000670065006e006500"
"7200610074006f007200000003660000"
"a80000001000000055d9d46709e463db"
"53c783ec1edd69dc0000000004800000"
"a00000001000000038d39c66910558b6"
"a4e961b5de40e84918000000eae8acdd"
"f984a8efae7701754baf9f844c9f1cbd"
"df818a9f14000000be5c65c109be3c7f"
"d4787df81e923b596f635d0f").decode("hex")
self.mkey = ("f1cd9c3915428d12c0e9bf5ac0c44dda"
"647e6e387118c09eb00a294e485a3f6e"
"fe47f16686ad5f60fbd740164de87711"
"6eb70d35445b22ddebdb02b0d55ee613").decode("hex")
self.blob = blob.DPAPIBlob(self.raw)
def setUp(self):
self.raw = ("01000000d08c9ddf0115d1118c7a00c0"
"4fc297eb010000003fb376ba974b974e"
"96037865fb972cec0000000002000000"
"00001066000000010000200000009798"
"683005ff678f507036b44bcbbcfe1501"
"15346bf67bd75ad73b42ce6331bf0000"
"00000e800000000200002000000040da"
"71bec41e2cf971d270977099e1d34030"
"f0875de802967769f7b4906cbc951000"
"00005ccee1467028df028177bda3c9c3"
"40574000000045fb9275a0e852ed4b9f"
"2e34ec6100bb2d3bd5225da37bccb73b"
"fb89b4073dc215840c8beeb728201ab6"
"9a41945c944cf6ae645d2e69d00b752c"
"a1552b42ed3d").decode("hex")
self.mkey = ("c942b584a88a36f3ce8abe61a62d4036"
"49dfdd8fd9b256a4a7ff64bfe2b60df8"
"cb563be71d0d65f8be03ebdd76b4dba1"
"68a9e3883fee758d2c4aeef040571cc2").decode("hex")
self.blob = blob.DPAPIBlob(self.raw)
def setUp(self):
self.raw = ("01000000d08c9ddf0115d1118c7a00c0"
"4fc297eb0100000018fa1d263223e549"
"93d9388d2f271486000000003c000000"
"4400500041005000490063006b002000"
"730069006d0070006c00650020006200"
"6c006f0062002000670065006e006500"
"7200610074006f007200000003660000"
"a8000000100000000c1e54f10d3ac713"
"ef4c19dbc440e4a70000000004800000"
"a000000010000000bde7c0f3b1d5def7"
"cbb6669c2c2b361c2000000062658248"
"66ed719fe25046d193bf6fd8252be099"
"ac10609b50677b57ea61bbbf14000000"
"5906ca660b04e0c1bce743ebe5b21aa9"
"e79acc1f").decode("hex")
self.mkey = ("d0c624a61e4080ac28ec07f33466581ec"
"04980f26953aa940258dc4ced7fd5452"
"51208d88d6bac5c64b5cd69b4e214009"
"3174f51ab07f0f5fb7a45462a2c00e4").decode("hex")
self.blob = blob.DPAPIBlob(self.raw)
self.entropy = "toto123"
def preprocess(self, **k):
s = []
if k.get('file'):
f = open(k['file'], "r")
s = f.read().split("\n")
f.close()
elif k.get('content'):
s = k['content'].split("\n")
for l in s:
(n, t, v) = l.split(":", 3)
v = v.rstrip()
if t == 'i':
v = int(v)
elif t == 'b':
if len(v) & 1 == 1:
# if odd length, strip the last quartet which should be a
# useless "0"
v = v[:-1]
v = v.decode('hex')
self.values[n] = v
if self.values['password 51']:
self.dpapiblob = blob.DPAPIBlob(self.values['password 51'])
def parse(self, data):
self.dpapiblob = blob.DPAPIBlob(data.remain())
def getOutlookPassword(self, mkpDir, sid, credHist, ntUser, userPassword):
dic = {}
'''
OutlokkMasterkey = "/home/hackaton/Escritorio/dropbox/Archivos necesarios/Protect/S-1-5-21-3173276068-3308429807-3105269238-1000"
OutlookSID = "S-1-5-21-3173276068-3308429807-3105269238-1000"
OutlookCredhist = "/home/hackaton/Escritorio/dropbox/Archivos necesarios/Protect/CREDHIST"
Ntuser = "******"
Userpassword = "******"'''
mkp = masterkey.MasterKeyPool()
mkp.loadDirectory(mkpDir)
mkp.addCredhistFile(sid, credHist)
mkp.try_credential(sid, userPassword) # Credential of the USER
email = []
password = []
# Open the registry
with open(ntUser, 'rb') as f:
r = registry.Registry.Registry(f)
# Path of the Outlook file in Registry
directory = r.open(
'Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676'
)
for reg in directory.subkeys():
auxreg = []
for regnumber in reg.values(): # 000001 000002 000003.....
auxreg.append(regnumber.name())
# For IMAP
if "IMAP Password" in auxreg:
username = reg.value('Email').value()
password = reg.value('IMAP Password').value()
break
# For IMAP
if "POP3 Password" in auxreg:
username = reg.value('Email').value()
password = reg.value('POP3 Password').value()
break
# Function de hacer cosas
for char in username:
if char.encode("hex") != "00":
email.append(char)
finalusername = ''.join(email)
dic['user'] = finalusername
# File to create the blob
fi = open("blob", 'w')
notruncate = password # This password is not truncated, need to delete the first byte
passwordhex = password.encode("hex") # Convert the hex to hexadecimal
binstr = binascii.unhexlify(
passwordhex[2:]) # The blop does not need the first byte.
fi.write(binstr) # Write the blop in a file
fi.close()
blob1 = blob.DPAPIBlob(open(
'blob', 'rb').read()) # Load the blop from the file
finalpass = []
mks = mkp.getMasterKeys(blob1.mkguid)
for mk in mks:
if mk.decrypted:
blob1.decrypt(mk.get_key())
if blob1.decrypted:
password = blob1.cleartext
for char in password:
if char.encode("hex") != "00":
finalpass.append(char)
finalpassword = ''.join(finalpass)
dic['password'] = finalpassword
try:
os.remove("blob")
except:
pass
return {self.__class__.__name__: dic}
def parse(self, data):
self.dpapiblob = blob.DPAPIBlob(data.remain())
self.cleartext = None
def parse(self, data):
self.dpapiblob = blob.DPAPIBlob(data.remain())
self.cleartext = None
self.login = None
self.password = None
self.other = []
reg = registry.Regedit()
secrets = reg.get_lsa_secrets(options.security, options.system)
dpapi_system = secrets.get('DPAPI_SYSTEM')['CurrVal']
smkp = masterkey.MasterKeyPool()
smkp.loadDirectory(options.sysmkdir)
smkp.addSystemCredential(dpapi_system)
smkp.try_credential_hash(None, None)
can_decrypt_sys_blob = True
for cred_file in args:
with open(cred_file, 'rb') as fin:
print '-' * 79
enc_cred = vaultstruct.CREDENTIAL_FILE.parse(fin.read())
cred_blob = blob.DPAPIBlob(enc_cred.data.raw)
if umkp:
dec_cred, res_err = decrypt_blob(umkp, cred_blob)
elif smkp:
dec_cred, res_err = decrypt_blob(smkp, cred_blob)
else:
sys.exit('No MasterKey pools available!')
if not dec_cred:
helper_dec_err(res_err)
continue
cred_dec = vaultstruct.CREDENTIAL_DECRYPTED.parse(dec_cred)
print cred_dec
if cred_dec.header.unk_type == 3:
secrets = reg.get_lsa_secrets(options.security, options.system)
dpapi_system = secrets.get('DPAPI_SYSTEM')['CurrVal']
smkp = masterkey.MasterKeyPool()
smkp.loadDirectory(options.sysmkdir)
smkp.addSystemCredential(dpapi_system)
smkp.try_credential_hash(None, None)
can_decrypt_sys_blob = True
for cred_file in args:
with open(cred_file, 'rb') as fin:
print '-'*79
enc_cred = vaultstruct.CREDENTIAL_FILE.parse(fin.read())
print enc_cred
cred_blob = blob.DPAPIBlob(enc_cred.blob)
if umkp:
dec_cred, res_err = decrypt_blob(umkp, cred_blob)
elif smkp:
dec_cred, res_err = decrypt_blob(smkp, cred_blob)
else:
sys.exit('No MasterKey pools available!')
if not dec_cred:
helper_dec_err(res_err)
continue
cred_dec = vaultstruct.CREDENTIAL_DECRYPTED.parse(dec_cred)
print cred_dec
if cred_dec.header.unk_type == 3:
from DPAPI.Core import masterkey
from DPAPI.Core import registry
except ImportError:
raise ImportError('Missing dpapick, install it or set PYTHONPATH.')
def check_parameters(options, args):
"""Simple checks on the parameters set by the user."""
if not args or not len(args) == 1:
sys.exit('You must provide an argument.')
elif not os.path.isfile(args[0]):
sys.exit('Argument must be a file.')
if __name__ == '__main__':
"""Utility core."""
usage = (
'usage: %prog [*no-options*] BLOB file.\n\n'
'It tries to parse the input file and it reports the BLOB properties.')
parser = optparse.OptionParser(usage=usage)
(options, args) = parser.parse_args()
check_parameters(options, args)
try:
blob = blob.DPAPIBlob(open(args[0], 'rb').read())
print blob
except:
print '\nBLOB parsing failure! See next details.\n'
raise
def parse(self, data):
self.login = None
self.cleartext = None
self.dpapiblob = blob.DPAPIBlob(data.remain())
self.entropy = None
mkp.try_credential_hash(None, None)
else:
if options.credhist:
mkp.addCredhistFile(options.sid, options.credhist)
if options.password:
mkp.try_credential(options.sid, options.password)
elif options.pwdhash:
mkp.try_credential_hash(options.sid, options.pwdhash.decode('hex'))
vaults_dir = args[0]
vpol_filename = os.path.join(os.path.sep, vaults_dir, 'Policy.vpol')
with open(vpol_filename, 'rb') as fin:
vpol = vaultstruct.VAULT_POL.parse(fin.read())
vpol_blob = blob.DPAPIBlob(vaultstruct.DPAPI_BLOB_STRUCT.build(vpol.vpol_store.blob_store.raw))
vpol_decrypted = decrypt_blob(mkp, vpol_blob)
if not vpol_decrypted:
sys.exit('Unable to decrypt blob.')
vpol_keys = vaultstruct.VAULT_POL_KEYS.parse(vpol_decrypted)
key_aes128 = vpol_keys.vpol_key1.bcrypt_blob.key
key_aes256 = vpol_keys.vpol_key2.bcrypt_blob.key
for file in os.listdir(vaults_dir):
if file.lower().endswith('.vcrd'):
filepath = os.path.join(vaults_dir, file)
print '-'*79
print 'Working on: %s\n' % file
secrets = reg.get_lsa_secrets(options.security, options.system)
dpapi_system = secrets.get('DPAPI_SYSTEM')['CurrVal']
mkp = masterkey.MasterKeyPool()
mkp.loadDirectory(options.masterkeydir)
mkp.addSystemCredential(dpapi_system)
mkp.try_credential_hash(None, None)
for root, _, files in os.walk(options.wifi_dir):
for file in files:
filepath = os.path.join(root, file)
with open(filepath, 'r') as f:
file_data = f.read().replace('\x0a', '').replace('\x0d', '')
wifi_name = re.search('<name>([^<]+)</name>', file_data)
wifi_name = wifi_name.group(1)
key_material_re = re.search(
'<keyMaterial>([0-9A-F]+)</keyMaterial>', file_data)
if not key_material_re:
continue
key_material = key_material_re.group(1)
wblob = blob.DPAPIBlob(key_material.decode('hex'))
wifi_pwd = '<not decrypted>'
mks = mkp.getMasterKeys(wblob.mkguid)
for mk in mks:
if mk.decrypted:
wblob.decrypt(mk.get_key())
if wblob.decrypted:
wifi_pwd = wblob.cleartext
break
print 'Wifi:{} Password:{}'.format(wifi_name, wifi_pwd)
mkp.try_credential_hash(None, None)
else:
if options.credhist:
mkp.addCredhistFile(options.sid, options.credhist)
if options.password:
mkp.try_credential(options.sid, options.password)
elif options.pwdhash:
mkp.try_credential_hash(options.sid, options.pwdhash.decode('hex'))
vaults_dir = args[0]
vpol_filename = os.path.join(os.path.sep, vaults_dir, 'Policy.vpol')
with open(vpol_filename, 'rb') as fin:
vpol = vaultstruct.VAULT_POL.parse(fin.read())
vpol_blob = blob.DPAPIBlob(vpol.vpol_store.blob_store.raw)
vpol_decrypted = decrypt_blob(mkp, vpol_blob)
if not vpol_decrypted:
sys.exit('Unable to decrypt blob.')
vpol_keys = vaultstruct.VAULT_POL_KEYS.parse(vpol_decrypted)
key_aes128 = vpol_keys.vpol_key1.bcrypt_blob.key
key_aes256 = vpol_keys.vpol_key2.bcrypt_blob.key
for file in os.listdir(vaults_dir):
if file.lower().endswith('.vcrd'):
filepath = os.path.join(vaults_dir, file)
print '-' * 79
print 'Working on: %s\n' % file
def parse(self, data):
l = data.eat("L") - 4
self.wifiStruct = WirelessInfo.WifiStruct(data.eat("%us" % l))
self.dpapiblob = blob.DPAPIBlob(data.remain())
