dissect.target.plugins.os.windows.credential.credhist
Module Contents
Classes
Windows CREDHIST file parser.
Functions
Attributes
- dissect.target.plugins.os.windows.credential.credhist.log
- dissect.target.plugins.os.windows.credential.credhist.CredHistRecord
- dissect.target.plugins.os.windows.credential.credhist.credhist_def = Multiline-String
  """
  struct entry {
      DWORD dwVersion;
      CHAR  guidLink[16];
      DWORD dwNextLinkSize;
      DWORD dwCredLinkType;
      DWORD algHash;                  // ALG_ID
      DWORD dwPbkdf2IterationCount;
      DWORD dwSidSize;
      DWORD algCrypt;                 // ALG_ID
      DWORD dwShaHashSize;
      DWORD dwNtHashSize;
      CHAR  pSalt[16];
      CHAR  pSid[dwSidSize];
      CHAR  encrypted[0];
  };
  """
- dissect.target.plugins.os.windows.credential.credhist.c_credhist
- class dissect.target.plugins.os.windows.credential.credhist.CredHistEntry
  - version: int
  - guid: str
  - user_sid: str
  - raw: c_credhist
  - decrypted: bool = False
  - decrypt(password_hash: bytes) -> None
    Decrypt this CREDHIST entry using the provided password hash. Modifies CredHistEntry.sha1 and CredHistEntry.nt values.
    If the decrypted nt value is 16 bytes we assume the decryption was successful.
    - Parameters:
      password_hash – Bytes of SHA1 password hash digest.
    - Raises:
      ValueError – If the decryption seems to have failed.
- class dissect.target.plugins.os.windows.credential.credhist.CredHistFile(fh: BinaryIO)
  - fh
  - entries
  - __repr__() -> str
- class dissect.target.plugins.os.windows.credential.credhist.CredHistPlugin(target: dissect.target.target.Target)
  Bases: dissect.target.plugin.Plugin
  Windows CREDHIST file parser.
  Windows XP:
  C:\Documents and Settings\username\Application Data\Microsoft\Protect\CREDHIST
  Windows 7 and up:
  C:\Users\username\AppData\Roaming\Microsoft\Protect\CREDHIST
  - files
  - check_compatible() -> None
    Perform a compatibility check with the target.
    This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.
    - Raises:
      UnsupportedPluginError – If the plugin could not be loaded.
  - credhist() -> Iterator[CredHistRecord]
    Yield and decrypt all Windows CREDHIST entries on the target.
- dissect.target.plugins.os.windows.credential.credhist.keychain_passwords() -> set
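Added example (not dissect's own code): reading the cleartext header fields of one `struct entry` from credhist_def with Python's struct module, checking dwSidSize against the buffer before pSid is read, and leaving the encrypted payload untouched. It assumes a little-endian, unpadded layout; the function names, dictionary keys and sample bytes are constructed for illustration.

```python
import struct
import uuid

# Fixed part of `struct entry`: dwVersion, guidLink[16], eight DWORDs, pSalt[16].
# Assumption of this example: little-endian with no padding between fields.
_FIXED = struct.Struct("<I16s8I16s")  # 68 bytes

def sid_to_str(raw: bytes) -> str:
    """Render a binary Windows SID as S-<rev>-<authority>-<sub>-..."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def parse_entry_header(buf: bytes) -> dict:
    """Parse the cleartext header of one entry; the encrypted blob is not read."""
    if len(buf) < _FIXED.size:
        raise ValueError("buffer too short for the fixed entry header")
    (version, guid, next_size, link_type, alg_hash, rounds,
     sid_size, alg_crypt, sha_size, nt_size, salt) = _FIXED.unpack_from(buf)
    sid_end = _FIXED.size + sid_size
    if sid_end > len(buf):
        raise ValueError("dwSidSize points past the end of the buffer")
    return {
        "version": version,
        "guid": str(uuid.UUID(bytes_le=guid)),  # Windows GUID byte order
        "next_link_size": next_size,
        "cred_link_type": link_type,
        "alg_hash": alg_hash,
        "pbkdf2_rounds": rounds,
        "alg_crypt": alg_crypt,
        "sha_hash_size": sha_size,
        "nt_hash_size": nt_size,
        "salt": salt,
        "user_sid": sid_to_str(buf[_FIXED.size:sid_end]),
        "encrypted_offset": sid_end,  # where encrypted[] begins
    }

def sample_entry() -> bytes:
    """Constructed sample entry: every value here is made up for the example."""
    sid = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
        "<5I", 21, 1111, 2222, 3333, 1001)
    guid = uuid.UUID("01234567-89ab-cdef-0123-456789abcdef").bytes_le
    header = _FIXED.pack(1, guid, 0, 1, 0x800E, 4000, len(sid),
                         0x6610, 20, 16, bytes(16))
    return header + sid + bytes(48)  # zero bytes stand in for encrypted[]
```
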