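    def run(self, args):
        """Dispatch one ``dpapi`` sub-command onto a fresh ``DPAPI`` helper.

        ``args`` is the parsed command-line namespace: ``args.dapi_module``
        selects the branch and, for ``prekey``, ``args.prekey_command``
        selects where the pre-keys come from.  Branches either dump key
        material via ``dump_pre_keys`` / ``dump_masterkeys`` (to
        ``args.out_file``, or wherever those helpers write when it is
        ``None``) or print the decrypted result to stdout.  Everything this
        method emits is secret material; treat the output as sensitive.

        Raises:
            ValueError: a required argument for the chosen branch is missing.
                (``ValueError`` is an ``Exception`` subclass, so callers that
                caught the generic ``Exception`` raised before keep working.)
        """
        from pypykatz.dpapi.dpapi import DPAPI

        dpapi = DPAPI()

        def _decrypt_hex_or_file(value):
            """Decrypt *value* as a hex blob when it parses as hex, else as a file path.

            Mirrors the previous try/except on ``bytes.fromhex`` but no longer
            prints a spurious ``Error!`` line: a non-hex argument is the normal
            "this is a path" case, not a failure.
            """
            try:
                bytes.fromhex(value)
            except ValueError:
                return dpapi.decrypt_securestring_file(value)
            return dpapi.decrypt_securestring_hex(value)

        def _print_decrypted(dec_sec):
            """Print *dec_sec* as hex and, when it is valid UTF-16-LE, as text."""
            print('HEX: %s' % dec_sec.hex())
            try:
                text = dec_sec.decode('utf-16-le')
            except UnicodeDecodeError:
                # A decrypted DPAPI blob is not guaranteed to be UTF-16 text;
                # the HEX line above is the authoritative output in that case.
                print('STR: <not valid UTF-16-LE>')
            else:
                print('STR: %s' % text)

        if args.dapi_module == 'prekey':
            if args.prekey_command == 'registry':
                if args.system is None:
                    raise ValueError(
                        'SYSTEM hive must be specified for registry parsing!')
                if args.sam is None and args.security is None:
                    raise ValueError(
                        'Either SAM or SECURITY hive must be supplied for registry parsing! Best to have both.'
                    )

                dpapi.get_prekeys_form_registry_files(args.system,
                                                      args.security, args.sam)

            elif args.prekey_command == 'password':
                if args.sid is None:
                    raise ValueError(
                        'SID must be specified for generating prekey in this mode'
                    )

                pw = args.password
                if pw is None:
                    # Prompt without echo; a password given on the command
                    # line is exposed via shell history and the process list.
                    import getpass
                    pw = getpass.getpass()

                dpapi.get_prekeys_from_password(args.sid, password=pw)

            elif args.prekey_command == 'nt':
                if args.nthash is None or args.sid is None:
                    raise ValueError(
                        'NT hash and SID must be specified for generating prekey in this mode'
                    )

                dpapi.get_prekeys_from_password(args.sid, nt_hash=args.nthash)

            # Runs for every prekey_command (an unknown one dumps whatever
            # the fresh DPAPI object holds), matching the original flow.
            dpapi.dump_pre_keys(args.out_file)

        elif args.dapi_module == 'minidump':
            if args.minidumpfile is None:
                raise ValueError(
                    'minidump file must be specified for minidump parsing!')

            dpapi.get_masterkeys_from_lsass_dump(args.minidumpfile)
            dpapi.dump_masterkeys(args.out_file)
            if args.out_file is not None:
                dpapi.dump_pre_keys(args.out_file + '_prekeys')
            else:
                dpapi.dump_pre_keys()

        elif args.dapi_module == 'masterkey':
            if args.prekey is None:
                raise ValueError(
                    'Either KEY or path to prekey file must be supplied!')

            dpapi.load_prekeys(args.prekey)
            dpapi.decrypt_masterkey_file(args.masterkeyfile)

            if not dpapi.masterkeys and not dpapi.backupkeys:
                print('Failed to decrypt the masterkeyfile!')
                return

            dpapi.dump_masterkeys(args.out_file)

        elif args.dapi_module == 'credential':
            dpapi.load_masterkeys(args.mkf)
            cred_blob = dpapi.decrypt_credential_file(args.cred)

            print(cred_blob.to_text())

        elif args.dapi_module == 'vpol':
            dpapi.load_masterkeys(args.mkf)
            key1, key2 = dpapi.decrypt_vpol_file(args.vpol)

            print('VPOL key1: %s' % key1.hex())
            print('VPOL key2: %s' % key2.hex())

        elif args.dapi_module == 'vcred':
            if not args.vpolkey:
                raise ValueError('VPOL key must be specified!')

            dpapi.vault_keys = [bytes.fromhex(x) for x in args.vpolkey]
            res = dpapi.decrypt_vcrd_file(args.vcred)
            for attr in res:
                # res maps an attribute object (with an ``.id``) to a list of
                # decrypted keys; ``None`` entries are keys that did not decrypt.
                for i, key in enumerate(res[attr]):
                    if key is not None:
                        print('AttributeID: %s Key %s' % (attr.id, i))
                        print(hexdump(key))

        elif args.dapi_module == 'securestring':
            dpapi.load_masterkeys(args.mkf)
            _print_decrypted(_decrypt_hex_or_file(args.securestring))

        elif args.dapi_module == 'blob':
            dpapi.load_masterkeys(args.mkf)
            # NOTE(review): this branch reuses the securestring decrypt helpers
            # for a generic blob, as the original did — confirm that is intended
            # rather than a copy of the 'securestring' branch.
            _print_decrypted(_decrypt_hex_or_file(args.blob))

        elif args.dapi_module == 'chrome':
            dpapi.load_masterkeys(args.mkf)
            db_paths = {'pypykatz': {'localstate': args.localstate}}
            if args.cookies is not None:
                db_paths['pypykatz']['cookies'] = args.cookies
            if args.logindata is not None:
                db_paths['pypykatz']['logindata'] = args.logindata

            # throw=False: a single undecryptable entry does not abort the run.
            res = dpapi.decrypt_all_chrome(db_paths, throw=False)
            for file_path, url, user, password in res['logins']:
                print('file: %s user: %s pass: %s url: %s' %
                      (file_path, user, password, url))
            for file_path, host_key, name, path, value in res['cookies']:
                print('file: %s host_key: %s name: %s path: %s value: %s' %
                      (file_path, host_key, name, path, value))

        elif args.dapi_module == 'wifi':
            dpapi.load_masterkeys(args.mkf)
            wificonfig_enc = DPAPI.parse_wifi_config_file(args.wifixml)
            wificonfig = dpapi.decrypt_wifi_config_file_inner(wificonfig_enc)
            print('%s : %s' % (wificonfig['name'], wificonfig['key']))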
	def run(self, args):
		from pypykatz.dpapi.dpapi import DPAPI

		dpapi = DPAPI()

		if args.dapi_module == 'prekey':
			if args.prekey_command == 'registry':
				if args.system is None:
					raise Exception('SYSTEM hive must be specified for registry parsing!')
				if args.sam is None and args.security is None:
					raise Exception('Either SAM or SECURITY hive must be supplied for registry parsing! Best to have both.')

				dpapi.get_prekeys_form_registry_files(args.system, args.security, args.sam)
			
			elif args.prekey_command == 'password':
				if args.sid is None:
					raise Exception('SID must be specified for generating prekey in this mode')
				
				pw = args.password
				if args.password is None:
					import getpass
					pw = getpass.getpass()

				dpapi.get_prekeys_from_password(args.sid, password = pw)
			
			elif args.prekey_command == 'nt':
				if args.nthash is None or args.sid is None:
					raise Exception('NT hash and SID must be specified for generating prekey in this mode')

				dpapi.get_prekeys_from_password(args.sid, nt_hash = args.nthash)


			dpapi.dump_pre_keys(args.out_file)


		elif args.dapi_module == 'minidump':
			if args.minidumpfile is None:
				raise Exception('minidump file must be specified for mindiump parsing!')
			
			dpapi.get_masterkeys_from_lsass_dump(args.minidumpfile)
			dpapi.dump_masterkeys(args.out_file)
			if args.out_file is not None:
				dpapi.dump_pre_keys(args.out_file + '_prekeys')
			else:
				dpapi.dump_pre_keys()


		elif args.dapi_module == 'masterkey':
			if args.prekey is None:
				raise Exception('Etieher KEY or path to prekey file must be supplied!')

			dpapi.load_prekeys(args.prekey)
			dpapi.decrypt_masterkey_file(args.masterkeyfile)
			
			if len(dpapi.masterkeys) == 0 and len(dpapi.backupkeys) == 0:
				print('Failed to decrypt the masterkeyfile!')
				return

			dpapi.dump_masterkeys(args.out_file)

		elif args.dapi_module == 'credential':
			dpapi.load_masterkeys(args.mkf)
			cred_blob = dpapi.decrypt_credential_file(args.cred)
			
			print(cred_blob.to_text())

		elif args.dapi_module == 'vpol':
			dpapi.load_masterkeys(args.mkf)
			key1, key2 = dpapi.decrypt_vpol_file(args.vpol)

			print('VPOL key1: %s' % key1.hex())
			print('VPOL key2: %s' % key2.hex())


		elif args.dapi_module == 'vcred':
			if args.vpolkey is None or len(args.vpolkey) == 0:
				raise Exception('VPOL key bust be specified!')
			
			dpapi.vault_keys = [bytes.fromhex(x) for x in args.vpolkey] 
			res = dpapi.decrypt_vcrd_file(args.vcred)
			for attr in res:
				for i in range(len(res[attr])):
					if res[attr][i] is not None:
						print('AttributeID: %s Key %s' % (attr.id, i))
						print(hexdump(res[attr][i]))
						
		elif args.dapi_module == 'securestring':
			dpapi.load_masterkeys(args.mkf)
				
			try:
				bytes.fromhex(args.securestring)
			except Exception as e:
				print('Error! %s' %e)
				dec_sec = dpapi.decrypt_securestring_file(args.securestring)
			else:
				dec_sec = dpapi.decrypt_securestring_hex(args.securestring)
			
			print('HEX: %s' % dec_sec.hex())
			print('STR: %s' % dec_sec.decode('utf-16-le'))

		elif args.dapi_module == 'blob':
			dpapi.load_masterkeys(args.mkf)
				
			try:
				bytes.fromhex(args.blob)
			except Exception as e:
				print('Error! %s' %e)
				dec_sec = dpapi.decrypt_securestring_file(args.blob)
			else:
				dec_sec = dpapi.decrypt_securestring_hex(args.blob)
			
			print('HEX: %s' % dec_sec.hex())
			print('STR: %s' % dec_sec.decode('utf-16-le'))