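def run(self, args):
    """Run the ``dpapi`` sub-command selected by ``args.dapi_module``.

    ``args`` is the parsed command-line namespace: ``dapi_module`` picks the
    mode and the remaining attributes carry that mode's inputs (hive paths,
    SID, NT hash, master-key/prekey files, encrypted blobs or paths to them).
    Every mode works on a fresh ``DPAPI`` object; results either go through the
    ``dump_*`` helpers (which receive ``args.out_file``) or are printed to
    stdout in clear text.

    Raises:
        Exception: when a mode's mandatory input is missing (the message names
            it). Errors raised by the ``DPAPI`` helpers propagate unchanged.
    """
    from pypykatz.dpapi.dpapi import DPAPI
    dpapi = DPAPI()

    def decrypt_hex_or_file(value):
        # The argument is either the encrypted bytes as a hex string or a path
        # to a file holding them. bytes.fromhex raises ValueError on non-hex
        # input, so the fallback to the file reader is the normal path for a
        # path argument, not an error worth reporting.
        if value is None:
            raise Exception('Encrypted data (hex string or file path) must be specified!')
        try:
            bytes.fromhex(value)
        except ValueError:
            return dpapi.decrypt_securestring_file(value)
        return dpapi.decrypt_securestring_hex(value)

    def print_decrypted(dec_sec):
        # Print the raw bytes first so they are available even when the data
        # is not a UTF-16-LE string (a generic blob need not be one).
        print('HEX: %s' % dec_sec.hex())
        try:
            print('STR: %s' % dec_sec.decode('utf-16-le'))
        except UnicodeDecodeError:
            print('STR: <not valid UTF-16-LE>')

    module = args.dapi_module
    if module == 'prekey':
        command = args.prekey_command
        if command == 'registry':
            # SYSTEM is mandatory; at least one of SAM / SECURITY is required.
            if args.system is None:
                raise Exception('SYSTEM hive must be specified for registry parsing!')
            if args.sam is None and args.security is None:
                raise Exception('Either SAM or SECURITY hive must be supplied for registry parsing! Best to have both.')
            # Method name is spelled "form" on the DPAPI class; keep the call as-is.
            dpapi.get_prekeys_form_registry_files(args.system, args.security, args.sam)
        elif command == 'password':
            if args.sid is None:
                raise Exception('SID must be specified for generating prekey in this mode')
            pw = args.password
            if pw is None:
                # Prompt interactively so the secret need not be passed on the
                # command line.
                import getpass
                pw = getpass.getpass()
            dpapi.get_prekeys_from_password(args.sid, password=pw)
        elif command == 'nt':
            if args.nthash is None or args.sid is None:
                raise Exception('NT hash and SID must be specified for generating prekey in this mode')
            dpapi.get_prekeys_from_password(args.sid, nt_hash=args.nthash)
        # An unknown prekey_command reaches here with nothing loaded (as before);
        # argparse is presumably what restricts the choices - TODO confirm.
        dpapi.dump_pre_keys(args.out_file)

    elif module == 'minidump':
        if args.minidumpfile is None:
            raise Exception('minidump file must be specified for minidump parsing!')
        dpapi.get_masterkeys_from_lsass_dump(args.minidumpfile)
        dpapi.dump_masterkeys(args.out_file)
        # Prekeys are written to a sibling "<out_file>_prekeys" file when an
        # output path was given; otherwise dump_pre_keys uses its default target.
        if args.out_file is not None:
            dpapi.dump_pre_keys(args.out_file + '_prekeys')
        else:
            dpapi.dump_pre_keys()

    elif module == 'masterkey':
        if args.prekey is None:
            raise Exception('Either KEY or path to prekey file must be supplied!')
        dpapi.load_prekeys(args.prekey)
        dpapi.decrypt_masterkey_file(args.masterkeyfile)
        # Nothing decrypted: report and stop instead of dumping an empty result.
        if not dpapi.masterkeys and not dpapi.backupkeys:
            print('Failed to decrypt the masterkeyfile!')
            return
        dpapi.dump_masterkeys(args.out_file)

    elif module == 'credential':
        dpapi.load_masterkeys(args.mkf)
        cred_blob = dpapi.decrypt_credential_file(args.cred)
        print(cred_blob.to_text())

    elif module == 'vpol':
        dpapi.load_masterkeys(args.mkf)
        key1, key2 = dpapi.decrypt_vpol_file(args.vpol)
        print('VPOL key1: %s' % key1.hex())
        print('VPOL key2: %s' % key2.hex())

    elif module == 'vcred':
        # vpolkey is a list of hex strings; None and empty list are both rejected.
        if not args.vpolkey:
            raise Exception('VPOL key must be specified!')
        dpapi.vault_keys = [bytes.fromhex(x) for x in args.vpolkey]
        res = dpapi.decrypt_vcrd_file(args.vcred)
        for attr in res:
            for i, key in enumerate(res[attr]):
                if key is not None:
                    print('AttributeID: %s Key %s' % (attr.id, i))
                    print(hexdump(key))

    elif module == 'securestring':
        dpapi.load_masterkeys(args.mkf)
        print_decrypted(decrypt_hex_or_file(args.securestring))

    elif module == 'blob':
        # Same helper calls as 'securestring' (as in the original code).
        dpapi.load_masterkeys(args.mkf)
        print_decrypted(decrypt_hex_or_file(args.blob))

    elif module == 'chrome':
        dpapi.load_masterkeys(args.mkf)
        # decrypt_all_chrome takes a {profile_name: {db_kind: path}} mapping;
        # only the databases actually supplied are listed.
        db_paths = {'pypykatz': {'localstate': args.localstate}}
        if args.cookies is not None:
            db_paths['pypykatz']['cookies'] = args.cookies
        if args.logindata is not None:
            db_paths['pypykatz']['logindata'] = args.logindata
        res = dpapi.decrypt_all_chrome(db_paths, throw=False)
        for file_path, url, user, password in res['logins']:
            print('file: %s user: %s pass: %s url: %s' % (file_path, user, password, url))
        for file_path, host_key, name, path, value in res['cookies']:
            print('file: %s host_key: %s name: %s path: %s value: %s' % (file_path, host_key, name, path, value))

    elif module == 'wifi':
        dpapi.load_masterkeys(args.mkf)
        wificonfig_enc = DPAPI.parse_wifi_config_file(args.wifixml)
        wificonfig = dpapi.decrypt_wifi_config_file_inner(wificonfig_enc)
        print('%s : %s' % (wificonfig['name'], wificonfig['key']))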
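def run(self, args):
    """Run the ``dpapi`` sub-command selected by ``args.dapi_module``.

    ``args`` is the parsed command-line namespace: ``dapi_module`` picks the
    mode and the remaining attributes carry that mode's inputs (hive paths,
    SID, NT hash, master-key/prekey files, encrypted blobs or paths to them).
    Every mode works on a fresh ``DPAPI`` object; results either go through the
    ``dump_*`` helpers (which receive ``args.out_file``) or are printed to
    stdout in clear text.

    Raises:
        Exception: when a mode's mandatory input is missing (the message names
            it). Errors raised by the ``DPAPI`` helpers propagate unchanged.
    """
    from pypykatz.dpapi.dpapi import DPAPI
    dpapi = DPAPI()

    def decrypt_hex_or_file(value):
        # The argument is either the encrypted bytes as a hex string or a path
        # to a file holding them. bytes.fromhex raises ValueError on non-hex
        # input, so the fallback to the file reader is the normal path for a
        # path argument, not an error worth reporting.
        if value is None:
            raise Exception('Encrypted data (hex string or file path) must be specified!')
        try:
            bytes.fromhex(value)
        except ValueError:
            return dpapi.decrypt_securestring_file(value)
        return dpapi.decrypt_securestring_hex(value)

    def print_decrypted(dec_sec):
        # Print the raw bytes first so they are available even when the data
        # is not a UTF-16-LE string (a generic blob need not be one).
        print('HEX: %s' % dec_sec.hex())
        try:
            print('STR: %s' % dec_sec.decode('utf-16-le'))
        except UnicodeDecodeError:
            print('STR: <not valid UTF-16-LE>')

    module = args.dapi_module
    if module == 'prekey':
        command = args.prekey_command
        if command == 'registry':
            # SYSTEM is mandatory; at least one of SAM / SECURITY is required.
            if args.system is None:
                raise Exception('SYSTEM hive must be specified for registry parsing!')
            if args.sam is None and args.security is None:
                raise Exception('Either SAM or SECURITY hive must be supplied for registry parsing! Best to have both.')
            # Method name is spelled "form" on the DPAPI class; keep the call as-is.
            dpapi.get_prekeys_form_registry_files(args.system, args.security, args.sam)
        elif command == 'password':
            if args.sid is None:
                raise Exception('SID must be specified for generating prekey in this mode')
            pw = args.password
            if pw is None:
                # Prompt interactively so the secret need not be passed on the
                # command line.
                import getpass
                pw = getpass.getpass()
            dpapi.get_prekeys_from_password(args.sid, password=pw)
        elif command == 'nt':
            if args.nthash is None or args.sid is None:
                raise Exception('NT hash and SID must be specified for generating prekey in this mode')
            dpapi.get_prekeys_from_password(args.sid, nt_hash=args.nthash)
        # An unknown prekey_command reaches here with nothing loaded (as before);
        # argparse is presumably what restricts the choices - TODO confirm.
        dpapi.dump_pre_keys(args.out_file)

    elif module == 'minidump':
        if args.minidumpfile is None:
            raise Exception('minidump file must be specified for minidump parsing!')
        dpapi.get_masterkeys_from_lsass_dump(args.minidumpfile)
        dpapi.dump_masterkeys(args.out_file)
        # Prekeys are written to a sibling "<out_file>_prekeys" file when an
        # output path was given; otherwise dump_pre_keys uses its default target.
        if args.out_file is not None:
            dpapi.dump_pre_keys(args.out_file + '_prekeys')
        else:
            dpapi.dump_pre_keys()

    elif module == 'masterkey':
        if args.prekey is None:
            raise Exception('Either KEY or path to prekey file must be supplied!')
        dpapi.load_prekeys(args.prekey)
        dpapi.decrypt_masterkey_file(args.masterkeyfile)
        # Nothing decrypted: report and stop instead of dumping an empty result.
        if not dpapi.masterkeys and not dpapi.backupkeys:
            print('Failed to decrypt the masterkeyfile!')
            return
        dpapi.dump_masterkeys(args.out_file)

    elif module == 'credential':
        dpapi.load_masterkeys(args.mkf)
        cred_blob = dpapi.decrypt_credential_file(args.cred)
        print(cred_blob.to_text())

    elif module == 'vpol':
        dpapi.load_masterkeys(args.mkf)
        key1, key2 = dpapi.decrypt_vpol_file(args.vpol)
        print('VPOL key1: %s' % key1.hex())
        print('VPOL key2: %s' % key2.hex())

    elif module == 'vcred':
        # vpolkey is a list of hex strings; None and empty list are both rejected.
        if not args.vpolkey:
            raise Exception('VPOL key must be specified!')
        dpapi.vault_keys = [bytes.fromhex(x) for x in args.vpolkey]
        res = dpapi.decrypt_vcrd_file(args.vcred)
        for attr in res:
            for i, key in enumerate(res[attr]):
                if key is not None:
                    print('AttributeID: %s Key %s' % (attr.id, i))
                    print(hexdump(key))

    elif module == 'securestring':
        dpapi.load_masterkeys(args.mkf)
        print_decrypted(decrypt_hex_or_file(args.securestring))

    elif module == 'blob':
        # Same helper calls as 'securestring' (as in the original code).
        dpapi.load_masterkeys(args.mkf)
        print_decrypted(decrypt_hex_or_file(args.blob))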