`dissect.target.plugins.os.windows.credhist`¶

Module Contents¶

Classes¶

`CredHistEntry`
`CredHistFile`
`CredHistPlugin`	Windows CREDHIST file parser.

Functions¶

keychain_passwords

Attributes¶

`log`
`CredHistRecord`
`credhist_def`
`c_credhist`

dissect.target.plugins.os.windows.credhist.log¶

dissect.target.plugins.os.windows.credhist.CredHistRecord¶

dissect.target.plugins.os.windows.credhist.credhist_def = Multiline-String¶

Show Value

"""
struct entry {
    DWORD   dwVersion;
    CHAR    guidLink[16];
    DWORD   dwNextLinkSize;
    DWORD   dwCredLinkType;
    DWORD   algHash;                    // ALG_ID
    DWORD   dwPbkdf2IterationCount;
    DWORD   dwSidSize;
    DWORD   algCrypt;                   // ALG_ID
    DWORD   dwShaHashSize;
    DWORD   dwNtHashSize;
    CHAR    pSalt[16];
    CHAR    pSid[dwSidSize];
    CHAR    encrypted[0];
};
"""

dissect.target.plugins.os.windows.credhist.c_credhist¶

class dissect.target.plugins.os.windows.credhist.CredHistEntry¶

version: int¶

guid: str¶

user_sid: str¶

sha1: bytes | None¶

nt: bytes | None¶

hash_alg: dissect.target.plugins.os.windows.dpapi.crypto.HashAlgorithm¶

cipher_alg: dissect.target.plugins.os.windows.dpapi.crypto.CipherAlgorithm¶

raw: c_credhist¶

decrypted: bool = False¶

decrypt(password_hash: bytes) → None¶

Decrypt this CREDHIST entry using the provided password hash. Modifies CredHistEntry.sha1 and CredHistEntry.nt values.

If the decrypted nt value is 16 bytes we assume the decryption was successful.

Parameters:: password_hash – Bytes of SHA1 password hash digest.
Raises:: ValueError – If the decryption seems to have failed.

class dissect.target.plugins.os.windows.credhist.CredHistFile(fh: BinaryIO)¶

__repr__() → str¶: Return repr(self).

decrypt(password_hash: bytes) → None¶: Decrypt a CREDHIST chain using the provided password SHA1 hash.

class dissect.target.plugins.os.windows.credhist.CredHistPlugin(target: dissect.target.target.Target)¶

Bases: dissect.target.plugin.Plugin

Windows CREDHIST file parser.

Windows XP: C:\Documents and Settings\username\Application Data\Microsoft\Protect\CREDHIST Windows 7 and up: C:\Users\username\AppData\Roaming\Microsoft\Protect\CREDHIST

Resources:

https://www.passcape.com/index.php?section=docsys&cmd=details&id=28#41

check_compatible() → None¶

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:: UnsupportedPluginError – If the plugin could not be loaded.

credhist() → Iterator[CredHistRecord]¶: Yield and decrypt all Windows CREDHIST entries on the target.

dissect.target.plugins.os.windows.credhist.keychain_passwords() → set¶

dissect.target.plugins.os.windows.credhist¶

Module Contents¶

Classes¶

Functions¶

Attributes¶

`dissect.target.plugins.os.windows.credhist`¶