Loading repository data…
Loading repository data…
GhostPack / repository
SharpDPAPI is a C# port of some Mimikatz DPAPI functionality.
SharpDPAPI is a C# port of some DPAPI functionality from @gentilkiwi's Mimikatz project.
I did not come up with this logic, it is simply a port from Mimikatz in order to better understand the process and operationalize it to fit our workflow.
The SharpChrome subproject is an adaptation of work from @gentilkiwi and @djhohnstein, specifically his SharpChrome project. However, this version of SharpChrome uses a different version of the C# SQL library that supports lockless opening. SharpChrome is built as a separate project in SharpDPAPI because of the size of the SQLite library utilized.
Both Chrome and newer Chromium-based Edge browsers can be triaged with SharpChrome.
SharpChrome also uses an minimized version of @AArnott's BCrypt P/Invoke code released under the MIT License.
If you're unfamiliar with DPAPI, check out this post for more background information. For more information on Credentials and Vaults in regards to DPAPI, check out Benjamin's wiki entry on the subject.
@harmj0y is the primary author of this port.
SharpDPAPI is licensed under the BSD 3-Clause license.
__ _ _ _ ___
(_ |_ _. ._ ._ | \ |_) /\ |_) |
__) | | (_| | |_) |_/ | /--\ | _|_
|
v1.20.0
Retrieve a domain controller's DPAPI backup key, optionally specifying a DC and output file:
SharpDPAPI backupkey [/nowrap] [/server:SERVER.domain] [/file:key.pvk]
The *search* comand will search for potential DPAPI blobs in the registry, files, folders, and base64 blobs:
search /type:registry [/path:HKLM\path\to\key] [/showErrors]
search /type:folder /path:C:\path\to\folder [/maxBytes:<numOfBytes>] [/showErrors]
search /type:file /path:C:\path\to\file [/maxBytes:<numOfBytes>]
search /type:base64 [/base:<base64 string>]
Machine/SYSTEM Triage:
machinemasterkeys - triage all reachable machine masterkey files (elevates to SYSTEM to retrieve the DPAPI_SYSTEM LSA secret)
machinecredentials - use 'machinemasterkeys' and then triage machine Credential files
machinevaults - use 'machinemasterkeys' and then triage machine Vaults
machinetriage - run the 'machinecredentials' and 'machinevaults' commands
User Triage:
Arguments for the 'masterkeys' command:
/target:FILE/folder - triage a specific masterkey, or a folder full of masterkeys (otherwise triage local masterkeys)
/pvk:BASE64... - use a base64'ed DPAPI domain private key file to first decrypt reachable user masterkeys
/pvk:key.pvk - use a DPAPI domain private key file to first decrypt reachable user masterkeys
/password:X - decrypt the target user's masterkeys using a plaintext password (works remotely)
/ntlm:X - decrypt the target user's masterkeys using a NTLM hash (works remotely)
/credkey:X - decrypt the target user's masterkeys using a DPAPI credkey (domain or local SHA1, works remotely)
/rpc - decrypt the target user's masterkeys by asking domain controller to do so
/server:SERVER - triage a remote server, assuming admin access
/hashes - output usermasterkey file 'hashes' in JTR/Hashcat format (no decryption)
Arguments for the credentials|vaults|rdg|keepass|triage|blob|ps commands:
Decryption:
/unprotect - force use of CryptUnprotectData() for 'ps', 'rdg', or 'blob' commands
/pvk:BASE64... - use a base64'ed DPAPI domain private key file to first decrypt reachable user masterkeys
/pvk:key.pvk - use a DPAPI domain private key file to first decrypt reachable user masterkeys
/password:X - decrypt the target user's masterkeys using a plaintext password (works remotely)
/ntlm:X - decrypt the target user's masterkeys using a NTLM hash (works remotely)
/credkey:X - decrypt the target user's masterkeys using a DPAPI credkey (domain or local SHA1, works remotely)
/rpc - decrypt the target user's masterkeys by asking domain controller to do so
GUID1:SHA1 ... - use a one or more GUID:SHA1 masterkeys for decryption
/mkfile:FILE - use a file of one or more GUID:SHA1 masterkeys for decryption
Targeting:
/target:FILE/folder - triage a specific 'Credentials','.rdg|RDCMan.settings', 'blob', or 'ps' file location, or 'Vault' folder
/server:SERVER - triage a remote server, assuming admin access
Note: must use with /pvk:KEY or /password:X
Note: not applicable to 'blob' or 'ps' commands
Certificate Triage:
Arguments for the 'certificates' command:
/showall - show all decrypted private key files, not just ones that are linked to installed certs (the default)
/machine - use the local machine store for certificate triage
/mkfile | /target - for /machine triage
[all decryption args from User Triage above]
Note: in most cases, just use *triage* if you're targeting user DPAPI secrets and *machinetriage* if you're going after SYSTEM DPAPI secrets.
These functions wrap all the other applicable functions that can be automatically run.
__ _
(_ |_ _. ._ ._ / |_ ._ _ ._ _ _
__) | | (_| | |_) \_ | | | (_) | | | (/_
|
v1.9.0
Retrieve a domain controller's DPAPI backup key, optionally specifying a DC and output file:
SharpChrome backupkey [/nowrap] [/server:SERVER.domain] [/file:key.pvk]
Global arguments for the 'cookies', 'logins', and 'statekeys' commands:
Decryption:
/unprotect - force use of CryptUnprotectData() (default for unprivileged execution)
/pvk:BASE64... - use a base64'ed DPAPI domain private key file to first decrypt reachable user masterkeys
/pvk:key.pvk - use a DPAPI domain private key file to first decrypt reachable user masterkeys
/password:X - decrypt the target user's masterkeys using a plaintext password (works remotely)
/ntlm:X - decrypt the target user's masterkeys using a NTLM hash (works remotely)
/prekey:X - decrypt the target user's masterkeys using a DPAPI prekey (domain or local SHA1, works remotely)
/rpc - decrypt the target user's masterkeys by asking domain controller to do so
GUID1:SHA1 ... - use a one or more GUID:SHA1 masterkeys for decryption
/statekey:X - a decrypted AES state key (from the 'statekey' command)
Targeting:
/target:FILE - triage a specific 'Cookies', 'Login Data', or 'Local State' file location
/target:C:\Users\X\ - triage a specific user folder for any specified command
/server:SERVER - triage a remote server, assuming admin access (note: must use with /pvk:KEY)
/browser:X - triage 'chrome' (default), (chromium-based) 'edge', or 'slack'
Output:
/format:X - either 'csv' (default) or 'table' display
/showall - show Login Data entries with null passwords and expired Cookies instead of filtering (default)
/consoleoutfile:X - output all console output to a file on disk
'cookies' command specific arguments:
/cookie:"REGEX" - only return cookies where the cookie name matches the supplied regex
/url:"REGEX" - only return cookies where the cookie URL matches the supplied regex
/format:json - output cookie values in an EditThisCookie JSON import format. Best when used with a regex!
/setneverexpire - set expirations for cookies output to now + 100 years (for json output)
One of the goals with SharpDPAPI is to operationalize Benjamin's DPAPI work in a way that fits with our workflow.
How exactly you use the toolset will depend on what phase of an engagement you're in. In general this breaks into "have I compromised the domain or not".
If domain admin (or equivalent) privileges have been obtained, the domain DPAPI backup key can be retrieved with the backupkey command (or with Mimikatz). This domain private key never changes, and can decrypt any DPAPI masterkeys for domain users. This means, given a domain DPAPI backup key, an attacker can decrypt masterkeys for any domain user that can then be used to decrypt any Vault/Credentials/Chrome Logins/other DPAPI blobs/etc. The key retrieved from the backupkey command can be used with the masterkeys, credentials, vaults, rdg, or triage commands.
If DA privileges have not bee