dissect.target.plugins.os.windows.dpapi.master_key#

Module Contents#

Classes#

Attributes#

dissect.target.plugins.os.windows.dpapi.master_key.master_key_def = Multiline-String#
"""
// Domain-backup key blob. Both variable-length members take their size from the
// two length fields that precede them, i.e. from the file being parsed, and the
// struct itself carries no bound for them: the caller should check them against
// the size of the enclosing buffer before trusting the layout.
struct DomainKey {
    DWORD   dwVersion;
    DWORD   secretLen;                  // Length of encryptedSecret (read from the file)
    DWORD   accessCheckLen;             // Length of the access-check blob (read from the file)
    char    guid[16];                   // Binary GUID
    char    encryptedSecret[secretLen];
    char    accessCheckLen[accessCheckLen];     // NOTE(review): member name collides with the length field above; presumably meant to be accessCheck — confirm against upstream before relying on this name
};

// Credential-history reference: a version plus a binary GUID, presumably
// identifying the CREDHIST entry the master key is chained to.
struct CredHist {
    DWORD   dwVersion;
    char    guid[16];                   // Binary GUID
};

// Fixed part of an encrypted master key. The encrypted key material itself
// (pKey) is deliberately not declared here, so it must be taken from the bytes
// that follow this header.
struct MasterKey {
    DWORD   dwVersion;
    char    pSalt[16];                  // Presumably the salt for the key derivation
    DWORD   dwPBKDF2IterationCount;     // Read from the file; a decryptor should sanity-bound it, an absurd value stalls key derivation
    DWORD   HMACAlgId;                  // This is actually ALG_ID
    DWORD   CryptAlgId;                 // This is actually ALG_ID
    // BYTE    pKey[];                  // Encrypted key blob; not part of the struct, lives in the trailing bytes
};

// System credential blob: a revision followed by two 20-byte secrets.
// 20 bytes matches a SHA-1 digest, but that is an assumption from the size only.
struct CredSystem {
    DWORD   dwRevision;
    char    pMachine[20];               // Machine secret (20 bytes)
    char    pUser[20];                  // User secret (20 bytes)
};

// Fixed-size header at the start of a master key file. The four QWORD sizes
// describe the variable-length sections that follow; they are read from the
// file and should be bounded against the file size before use.
struct MasterKeyFileHeader {
    DWORD   dwVersion;                  // Masterkey version. Should be 1 or 2
    DWORD   dwReserved1;
    DWORD   dwReserved2;
    WCHAR   szGuid[36];                 // GUID of master key. Should match filename. 36 UTF-16 units: textual GUID without braces and without a NUL terminator
    DWORD   dwUnused1;
    DWORD   dwUnused2;
    DWORD   dwPolicy;                   // Policy flags; meaning not shown here
    QWORD   qwUserKeySize;              // Presumably the size of the user MasterKey section that follows
    QWORD   qwLocalEncKeySize;
    QWORD   qwLocalKeySize;
    QWORD   qwDomainKeySize;            // Presumably the size of the DomainKey section
};
"""
dissect.target.plugins.os.windows.dpapi.master_key.c_master_key#
class dissect.target.plugins.os.windows.dpapi.master_key.MasterKey(data: bytes)#
decrypt_with_hash(user_sid: str, password_hash: bytes) bool#

Decrypts the master key with the given user’s SID and password hash. Returns True on success and False when the key cannot be decrypted with these credentials.

decrypt_with_hash_10(user_sid: str, password_hash: bytes) bool#

Decrypts the master key with the given user’s SID and password hash.

Variant of decrypt_with_hash() for newer master key formats; the _10 suffix suggests the key-derivation scheme introduced with Windows 10, but the exact difference is not shown on this page. It takes the same parameters and returns the same bool as decrypt_with_hash().

decrypt_with_password(user_sid: str, pwd: str) bool#

Decrypts the master key with the given user’s SID and plaintext password. Returns True on success and False otherwise.

decrypt_with_key(key: bytes) bool#

Decrypts the master key with the given encryption key.

This function also extracts the HMAC stored in the decrypted data and compares it with one it computes itself. That comparison is what distinguishes a correct key from a wrong one, since decrypting with a wrong key still produces bytes; a mismatch means the key was wrong (or the data is corrupt) and the decryption is not treated as successful.

Note that once the master key has been successfully decrypted, further calls to this function return immediately without decrypting again — a later call with a different key does not re-verify anything.

class dissect.target.plugins.os.windows.dpapi.master_key.MasterKeyFile(fh: BinaryIO)#
property decrypted: bool#
property key: bytes#

The decrypted master key material; presumably only meaningful once decrypted is True — check the implementation before relying on it.
decrypt_with_hash(user_sid: str, password_hash: bytes) bool#

See MasterKey.decrypt_with_hash() and MasterKey.decrypt_with_hash_10().

decrypt_with_password(user_sid: str, pwd: str) bool#

See MasterKey.decrypt_with_password().

decrypt_with_key(key: bytes) bool#

See MasterKey.decrypt_with_key().

class dissect.target.plugins.os.windows.dpapi.master_key.CredSystem(buf: bytes)#