ghostpack / sharpdpapi
SharpDPAPI is a C# port of some Mimikatz DPAPI functionality.
License: Other
The blob command fails when passed a {GUID}:SHA1 string. If the same key-value pair is passed in a file with the /mkfile flag, it works as expected.
Hi, just grabbed the latest version and compiled it (release, not debug).
I get the below error on Windows 11 (23H2).
Text error:
C:\tools\SharpDPAPI\SharpDPAPI\bin\Release>whoami
nt authority\system
C:\tools\SharpDPAPI\SharpDPAPI\bin\Release>SharpDPAPI.exe machinetriage
__ _ _ _ ___
(_ |_ _. ._ ._ | \ |_) /\ |_) |
__) | | (_| | |_) |_/ | /--\ | _|_
|
v1.11.3
[*] Action: Machine DPAPI Credential, Vault, and Certificate Triage
[!] Unhandled SharpDPAPI exception:
System.Security.Cryptography.CryptographicException: The cipher mode specified requires that an initialization vector (IV) be used.
at System.Security.Cryptography.CapiSymmetricAlgorithm.ProcessIV(Byte[] iv, Int32 blockSize, CipherMode cipherMode)
at System.Security.Cryptography.CapiSymmetricAlgorithm..ctor(Int32 blockSize, Int32 feedbackSize, SafeCspHandle provider, SafeCapiKeyHandle key, Byte[] iv, CipherMode cipherMode, PaddingMode paddingMode, EncryptionMode encryptionMode)
at System.Security.Cryptography.AesCryptoServiceProvider.CreateDecryptor(SafeCapiKeyHandle key, Byte[] iv)
at SharpDPAPI.Crypto.LSAAESDecrypt(Byte[] key, Byte[] data)
at SharpDPAPI.LSADump.GetLSAKey()
at SharpDPAPI.LSADump.GetLSASecret(String secretName)
at SharpDPAPI.LSADump.GetDPAPIKeys(Boolean show)
at SharpDPAPI.Triage.TriageSystemMasterKeys(Boolean show)
at SharpDPAPI.Commands.Machinetriage.Execute(Dictionary`2 arguments)
at SharpDPAPI.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
at SharpDPAPI.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
SharpDPAPI completed in 00:00:00.0240340
Hello:
I compiled SharpChrome and it works well.
I compiled SharpDPAPI and when I run commands it gives this:
C:\Users\TESTACCOUNT\Downloads\SharpDPAPI-master\SharpDPAPI-master\SharpDPAPI-master\SharpDPAPI\bin\Release>SharpDPAPI.exe machinevaults
__ _ _ _ ___
(_ |_ _. ._ ._ | \ |_) /\ |_) |
__) | | (_| | |_) |_/ | /--\ | _|_
|
v1.6.1
[*] Action: Machine DPAPI Vault Triage
[X] Must be elevated to triage SYSTEM DPAPI Credentials!
My AV (Avast) was disabled when compiling and also when running SharpDPAPI.exe machinevaults.
Any info much appreciated.
UPDATE:
I was running from the VS developer cmd.
Hello:
When running sharpdpapi.exe I'm getting this:
C:\Users\TESTACCOUNT\Downloads\SharpDPAPI-master\SharpDPAPI-master\SharpDPAPI-master\SharpDPAPI\bin\Release>SharpDPAPI.exe machinevaults
__ _ _ _ ___
(_ |_ _. ._ ._ | \ |_) /\ |_) |
__) | | (_| | |_) |_/ | /--\ | _|_
|
v1.6.1
[*] Action: Machine DPAPI Vault Triage
[*] Elevating to SYSTEM via token duplication for LSA secret retrieval
[*] RevertToSelf()
[*] Secret : DPAPI_SYSTEM
[*] full: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[*] m/u : xxxxxxxxxxxxxxxxxxxxxxx / xxxxxxxxxxxxxxxxxxxxxxxxxx
[!] Unhandled SharpDPAPI exception:
System.UnauthorizedAccessException: Access to the path 'C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat{8bf0a20f-5420-11e9-ac9f-e84e06061855}.TM.blf' is denied.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.File.InternalReadAllBytes(String path, Boolean checkHost)
at SharpDPAPI.Triage.TriageSystemMasterKeys(Boolean show)
at SharpDPAPI.Commands.Machinevaults.Execute(Dictionary`2 arguments)
at SharpDPAPI.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
at SharpDPAPI.Program.Main(String[] args)
My compiled sharpchrome.exe runs well.
Any info much appreciated.
When debugging SharpDPAPI with the below config/flags, I had a question on why the pointer is not showing at the correct address as the debugger says.
Then I realized it might be due to misdeclared variables within the struct,
using System;
using System.Runtime.InteropServices;

public struct LSA_UNICODE_STRING : IDisposable
{
    public ushort Length;        // byte length of the string, excluding the terminating null
    public ushort MaximumLength; // byte length of the buffer, including the terminating null
    public ushort certLen;       // extra field added after reading the mimikatz header (see below)
    public IntPtr buffer;        // pointer to the unmanaged UTF-16 buffer

    public LSA_UNICODE_STRING(string s)
    {
        Length = (ushort)(s.Length * 2);
        MaximumLength = (ushort)(Length + 2);
        certLen = (ushort)(Length + 2);
        buffer = Marshal.StringToHGlobalUni(s);
    }

    public void Dispose()
    {
        Marshal.FreeHGlobal(buffer);
        buffer = IntPtr.Zero;
    }

    public override string ToString()
    {
        return Marshal.PtrToStringUni(buffer);
    }
}
Then I saw the reference to the mimikatz header and added another declaration for certLen. And that matched with the length appearing 3 times in the memory shown here and stepping through.
But previously, it also worked just fine without the certLen. So I was wondering, does Marshal.PtrToStructure() in
Interop.LSA_UNICODE_STRING lusSecretData = (Interop.LSA_UNICODE_STRING)Marshal.PtrToStructure(PrivateData, typeof(Interop.LSA_UNICODE_STRING));
just magically find the IntPtr in the memory of PrivateData, which is really after the certLen + 2 null bytes?
Sorry if I'm being confusing here.
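An added example, not code from the SharpDPAPI project or from the issue author, that shows why both struct definitions in the question above read the same pointer. With sequential layout the marshaller pads each field to its natural alignment, so in a 64-bit process the IntPtr lands at offset 8 whether or not a ushort is inserted before it, while in a 32-bit process the two definitions disagree. The type names LsaUnicodeStringDocumented and LsaUnicodeStringWithCertLen and the helper LayoutCheck are illustrative; the documented Windows LSA_UNICODE_STRING has only Length, MaximumLength and Buffer.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example; not code from SharpDPAPI or the issue author.
// The documented Windows layout of LSA_UNICODE_STRING: Length, MaximumLength, Buffer.
[StructLayout(LayoutKind.Sequential)]
struct LsaUnicodeStringDocumented
{
    public ushort Length;
    public ushort MaximumLength;
    public IntPtr Buffer;
}

// The variant from the question: a hypothetical extra ushort inserted before the pointer.
[StructLayout(LayoutKind.Sequential)]
struct LsaUnicodeStringWithCertLen
{
    public ushort Length;
    public ushort MaximumLength;
    public ushort certLen;
    public IntPtr Buffer;
}

static class LayoutCheck
{
    // Offset the marshaller will use for the Buffer field of the given struct type.
    static int BufferOffset(Type t)
    {
        return Marshal.OffsetOf(t, "Buffer").ToInt32();
    }

    static void Main()
    {
        Console.WriteLine("IntPtr.Size = {0} (8 in a 64-bit process, 4 in a 32-bit one)", IntPtr.Size);
        Console.WriteLine("Documented:   Buffer at offset {0}, marshalled size {1}",
            BufferOffset(typeof(LsaUnicodeStringDocumented)), Marshal.SizeOf(typeof(LsaUnicodeStringDocumented)));
        Console.WriteLine("With certLen: Buffer at offset {0}, marshalled size {1}",
            BufferOffset(typeof(LsaUnicodeStringWithCertLen)), Marshal.SizeOf(typeof(LsaUnicodeStringWithCertLen)));

        // Build a native LSA_UNICODE_STRING with the documented layout (constructed sample data),
        // then read it back through both managed definitions, exactly as PtrToStructure does
        // on the PrivateData pointer in the question.
        string sample = "constructed sample";
        var native = new LsaUnicodeStringDocumented
        {
            Length = (ushort)(sample.Length * 2),
            MaximumLength = (ushort)(sample.Length * 2 + 2),
            Buffer = Marshal.StringToHGlobalUni(sample),
        };
        const int blockSize = 32; // larger than either struct, so the wider read stays in bounds
        IntPtr block = Marshal.AllocHGlobal(blockSize);
        for (int i = 0; i < blockSize; i++) Marshal.WriteByte(block, i, 0);
        Marshal.StructureToPtr(native, block, false);

        var asDocumented = (LsaUnicodeStringDocumented)Marshal.PtrToStructure(block, typeof(LsaUnicodeStringDocumented));
        var asCertLen = (LsaUnicodeStringWithCertLen)Marshal.PtrToStructure(block, typeof(LsaUnicodeStringWithCertLen));

        Console.WriteLine("Documented read: \"{0}\"", Marshal.PtrToStringUni(asDocumented.Buffer, asDocumented.Length / 2));
        bool sameOffset = BufferOffset(typeof(LsaUnicodeStringDocumented)) == BufferOffset(typeof(LsaUnicodeStringWithCertLen));
        Console.WriteLine("Both definitions agree on where Buffer lives: {0}", sameOffset);
        Console.WriteLine("certLen variant sees the same pointer: {0}", asCertLen.Buffer == asDocumented.Buffer);
        if (sameOffset)
        {
            // On x64 the extra field simply overlays the padding bytes between MaximumLength and Buffer.
            Console.WriteLine("certLen read from the padding bytes: {0}", asCertLen.certLen);
        }
        else
        {
            // On x86 the extra field pushes Buffer to offset 8, so the pointer read is not the real one (here: zeros).
            Console.WriteLine("certLen variant read Buffer = 0x{0:X}; do not dereference it", asCertLen.Buffer.ToInt64());
        }

        Marshal.FreeHGlobal(native.Buffer);
        Marshal.FreeHGlobal(block);
    }
}
```

Run it once as a 64-bit build and once as x86 to see the difference: Marshal.OffsetOf reports the offsets the marshaller will actually use, which is the quickest check when a debugger view of native memory does not seem to line up with a managed struct. Matching the documented three-field definition is the safe choice, since the extra field only works by accident of pointer alignment on 64-bit.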
Hello Mate,
Loving SharpChrome and thanks for a wonderful project. I was wondering if the option to export cookies in the NetScape cookie format could be added? It's tab delimited and the syntax is cited here: https://www.hashbangcode.com/article/netscape-http-cooke-file-parser-php
The reason for the request is curl and wget can use this cookie format for requests, but not JSON.
Thanks for all the hard work.
Cheers,
Olly
C:\>C:\tools\SharpDPAPI\SharpDPAPI\bin\Debug\SharpDPAPI.exe machinemasterkeys
__ _ _ _ ___
(_ |_ _. ._ ._ | \ |_) /\ |_) |
__) | | (_| | |_) |_/ | /--\ | _|_
|
v1.6.1
[*] Action: Machine DPAPI Masterkey File Triage
[*] Elevating to SYSTEM via token duplication for LSA secret retrieval
[*] RevertToSelf()
[*] Secret : DPAPI_SYSTEM
[*] full: <snip>
[*] m/u : <snip>
[!] Unhandled SharpDPAPI exception:
System.UnauthorizedAccessException: Access to the path 'C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat{86283df8-8d88-4a51-957d-449ff1919746}.TM.blf' is denied.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.File.InternalReadAllBytes(String path, Boolean checkHost)
at SharpDPAPI.Triage.TriageSystemMasterKeys(Boolean show) in C:\tools\SharpDPAPI\SharpDPAPI\lib\Triage.cs:line 161
at SharpDPAPI.Commands.Machinemasterkeys.Execute(Dictionary`2 arguments) in C:\tools\SharpDPAPI\SharpDPAPI\Commands\Machinemasterkeys.cs:line 15
at SharpDPAPI.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments) in C:\tools\SharpDPAPI\SharpDPAPI\Domain\CommandCollection.cs:line 46
at SharpDPAPI.Program.Main(String[] args) in C:\tools\SharpDPAPI\SharpDPAPI\Program.cs:line 24
FullName
--------
C:\Windows\System32\Microsoft\Protect\Recovery
C:\Windows\System32\Microsoft\Protect\S-1-5-18
C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat
C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat.LOG1
C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat.LOG2
C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat{440de6b5-c574-4468-b756-a0b8ea25fdc0}.TM.blf
C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat{ea68be95-bae7-405a-8b69-51103f0bfa0d}.TMContainer00000000000000000001.regtrans-ms
C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat{7c30ad6c-e65d-42c6-b7a6-04acffb7cb1f}.TMContainer00000000000000000002.regtrans-ms
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User
C:\Windows\System32\Microsoft\Protect\S-1-5-18\d60dafcc-6ea7-4d5c-a955-c2ab0e6017b6
C:\Windows\System32\Microsoft\Protect\S-1-5-18\b32c164f-b24a-414b-98b5-0a6640eab86c
C:\Windows\System32\Microsoft\Protect\S-1-5-18\15c3da9d-e25c-41ff-97dc-449a0d7d58dd
C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\3700badb-931e-44b5-b3f5-ea3b232c32d6
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1ede99f5-79b5-418f-9c40-20deb084e219
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\eff1de12-4bb7-4760-9dfe-e9626bef6405
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred
Hi Will,
I think this command doesn't work anymore: SharpChrome.exe cookies /unprotect
since the location of the cookie file is now C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Network.
Output taken from the BH2022 ATTA lab:
__ _
(_ |_ _. ._ ._ / |_ ._ _ ._ _ _
__) | | (_| | |_) \_ | | | (_) | | | (/_
|
v1.11.1
[*] Action: Chrome Saved Cookies Triage
[*] Triaging non-expired cookies. Use '/showall' to display ALL cookies.
[*] Triaging Chrome Cookies for current user
[*] AES state key file : C:\Users\thor\AppData\Local\Google\Chrome\User Data\Local State
[*] AES state key : 001B279C498A9BA70B76E301E45D7B2752475FEFA2690EAA17BAE06616489018
Got an error when Chrome is open.
Using SharpChrome v1.12.0, Windows 11, Google Chrome Version 122.0.6261.129.
System.NullReferenceException: Object reference not set to an instance of an object.
at SharpChrome.Chrome.ParseChromeCookies(Dictionary`2 MasterKeys, String cookieFilePath, String displayFormat, Boolean showAll, Boolean unprotect, String cookieRegex, String urlRegex, Boolean setneverexpire, Byte[] aesStateKey, Boolean quiet)
at SharpChrome.Chrome.TriageChromeCookies(Dictionary`2 MasterKeys, String computerName, String userFolder, String displayFormat, Boolean showAll, Boolean unprotect, String cookieRegex, String urlRegex, Boolean setneverexpire, String stateKey, String browser, Boolean quiet)
at SharpChrome.Commands.Cookies.Execute(Dictionary`2 arguments)
at SharpChrome.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
at SharpChrome.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
SharpDPAPI request: Print a notification message if there are 0 Windows credentials or Vault entries (Posting for a friend, i.e., @tifkin_)
Same issue as found here: GhostPack/Seatbelt#119
Add /out flag to the blob command to output raw decrypted data.