dissect.target.plugins.os.windows.dpapi.master_key

Module Contents

Classes

Attributes

dissect.target.plugins.os.windows.dpapi.master_key.HAS_CRYPTO = True
dissect.target.plugins.os.windows.dpapi.master_key.log
dissect.target.plugins.os.windows.dpapi.master_key.master_key_def = Multiline-String
"""
// DomainKey record: three DWORD fields, a 16-byte GUID, then two
// variable-length char arrays sized by the length fields read before them.
// NOTE(review): both lengths come from the data being parsed; presumably the
// caller should treat them as untrusted and bound them by the available
// input -- verify against the code that reads this structure.
struct DomainKey {
    DWORD   dwVersion;
    DWORD   secretLen;                  // Number of chars in encryptedSecret
    DWORD   accessCheckLen;             // Number of chars in the trailing array
    char    guid[16];
    char    encryptedSecret[secretLen];
    // NOTE(review): this array reuses the name of the DWORD length field
    // above; presumably it was meant to have its own name -- confirm.
    char    accessCheckLen[accessCheckLen];
};

// CredHist record: a version DWORD followed by a 16-byte GUID.
struct CredHist {
    DWORD   dwVersion;
    char    guid[16];                   // 16 raw bytes (binary GUID size)
};

// Fixed-size header of a MasterKey blob: version, 16-byte salt, an iteration
// count and two algorithm identifiers. The key bytes are not declared as a
// member (pKey is commented out below).
struct MasterKey {
    DWORD   dwVersion;
    char    pSalt[16];                  // 16-byte salt
    DWORD   dwPBKDF2IterationCount;     // Presumably the PBKDF2 round count used when deriving the key -- confirm
    DWORD   HMACAlgId;                  // This is actually ALG_ID
    DWORD   CryptAlgId;                 // This is actually ALG_ID
    // NOTE(review): pKey is left out of the definition, so the encrypted key
    // bytes that follow this header are presumably read separately -- confirm.
    // BYTE    pKey[];
};

// CredSystem record: a revision DWORD followed by two fixed 20-byte fields.
struct CredSystem {
    DWORD   dwRevision;
    char    pMachine[20];               // 20 bytes; presumably the machine-scope key -- confirm
    char    pUser[20];                  // 20 bytes; presumably the user-scope key -- confirm
};

// Header of a master key file: version, reserved/unused DWORDs, the key GUID
// as 36 wide characters, a policy DWORD and four QWORD size fields.
// NOTE(review): the four sizes are read from the file itself; presumably they
// give the byte lengths of the sections that follow and should be checked
// against the remaining file length before use -- verify in MasterKeyFile.
struct MasterKeyFileHeader {
    DWORD   dwVersion;                  // Masterkey version. Should be 1 or 2
    DWORD   dwReserved1;
    DWORD   dwReserved2;
    WCHAR   szGuid[36];                 // GUID of master key. Should match filename
    DWORD   dwUnused1;
    DWORD   dwUnused2;
    DWORD   dwPolicy;
    QWORD   qwUserKeySize;              // Presumably the size of the user key section -- confirm
    QWORD   qwLocalEncKeySize;          // Presumably the size of the local encryption key section -- confirm
    QWORD   qwLocalKeySize;             // Presumably the size of the local key section -- confirm
    QWORD   qwDomainKeySize;            // Presumably the size of the domain key section -- confirm
};
"""
dissect.target.plugins.os.windows.dpapi.master_key.c_master_key
class dissect.target.plugins.os.windows.dpapi.master_key.MasterKey(data: bytes)
decrypt_with_hash(user_sid: str, password_hash: bytes) bool

Decrypts the master key with the given user’s SID and password hash.

decrypt_with_hash_10(user_sid: str, password_hash: bytes) bool

Decrypts the master key with the given user’s hash and SID.

Newer version of decrypt_with_hash()

decrypt_with_password(user_sid: str, pwd: str) bool

Decrypts the master key with the given user’s password and SID.

decrypt_with_key(key: bytes) bool

Decrypts the master key with the given encryption key.

This function also extracts the HMAC from the decrypted data and compares it with the HMAC it computes itself.

Note that once the master key has been successfully decrypted, further calls to this function are no-ops.

class dissect.target.plugins.os.windows.dpapi.master_key.MasterKeyFile(fh: BinaryIO)
property decrypted: bool
property key: bytes
decrypt_with_hash(user_sid: str, password_hash: bytes) bool

See MasterKey.decrypt_with_hash() and MasterKey.decrypt_with_hash_10().

decrypt_with_password(user_sid: str, pwd: str) bool

See MasterKey.decrypt_with_password().

decrypt_with_key(key: bytes) bool

See MasterKey.decrypt_with_key().

class dissect.target.plugins.os.windows.dpapi.master_key.CredSystem(buf: bytes)