All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- SharpDPAPI project
masterkeyscommand now accepts a/password:Xargument with/target:X
- SharpChrome project
- Chrome cookie file location updated for newer versions
- SharpChrome project
- Chrome statekey usage bug when triaging multiple users
- SharpChrome project
- Default cookie/logins/statekeys triage behavior is now to triage the current user if elevated, unless pvk/password/masterkeys specified
/target:Xcan now be aC:\Users\USER\folder for any specified triage- Added Brave statekey triage to
statekeys - Cleaned up Chromium triage code
- Removed out of date SharpDPAPI.cna aggressor script
- SharpDPAPI project
- Added
keepasscommand - ProtectedUserKey.bin decryption - Added
/entropyflag toblobcommand
- Added
- SharpDPAPI project
- Decrypted null bytes in certificate description fields messing up output
- SharpDPAPI project
- CNG private key decryption support \m/
- Additional CAPI/CNG cert search locations
/nowrapflag to thebackupkeycommand
- SharpDPAPI project
- Bug where some extracted key components ending in 00 caused error cases
- SharpDPAPI project
- Only decrypted private keys with certs present displayed by default, the
/showallflag forcertificateswill display all decrypted results - Combined
machinecertsintocertificates /machine - Corrected method for SHA1 MS hash computation fuckery with entropy (thanks @gentilkiwi)
- Re-added certificate triage to
triageandmachinetriage
- Only decrypted private keys with certs present displayed by default, the
- SharpDPAPI project
- /target option for machinecertificates
- more certificate information on extraction (including Enhanced Key Usages)
- SharpDPAPI project
- User certificate extraction corrected
- Few formatting issues
- SharpDPAPI project
- Ability to triage masterkey targets (or folder of targets) manually
- SharpChrome project
- Added Chromium-based brave support
- Added
/quietflag for csv output
- SharpChrome project
- Filtering fixes for cookies
- SharpDPAPI project
- Landed @leechristensen's
searchcommand to search for DPAPI blobs
- Landed @leechristensen's
- SharpDPAPI project
- Removed machine/user certificate triage from the
triageandmachinetriagecommands
- Removed machine/user certificate triage from the
- Code cleanup and refactoring
- SharpDPAPI project
- Landed @leftp's
certificatesandmachinecertscommands - Added
certificatesandmachinecertsentries to the README.md - Added certificate triage to the
triageandmachinetriagecommands - Using /password:X now causes the DPAPI masterkey cache to be output
- Landed @leftp's
- SharpChrome project:
- Using /password:X now causes the DPAPI masterkey cache to be output
- SharpChrome project
- '/password:X' integration
- SharpDPAPI project
- Combined TriageUserMasterKeysWithPass into TriageUserMasterKeys
- '/password:X' now properly works in SharpDPAPI while elevated, as well as remotely
- SharpChrome project
- Integrated new Chrome (v80+) AES statekey decryption from @djhohnstein's SharpChrome project.
- SharpDPAPI project
- landed @lefterispan's PR that incorporates plaintext password masterkey decryption.
- expanded the PR to allow /password specification for all SharpDPAPI functions
- SharpChrome project
- /setneverexpire flag for /format:json output for cookies that sets the expiration date to now + 100 years
- SharpChrome project
- Cookie datetime value parsing to prevent error conditions on invalid input.
- SharpChrome project
- Some file path output.
- ps command to decrypt exported PSCredential xmls (thanks for the idea @gentilkiwi ;)
- blob section for the README
- blob command outputs hex if the data doesn't appear to be text
- SharpChrome project
- Separate project that implements a SQLite parsing database for Chrome triage. Uses shared files with SharpDPAPI. Adapted from the SharpWeb/SharpChrome project by @djhohnstein.
- logins function
- Finds/decrypts Chrome 'Login Data' files. See README.md for complete syntax/flags.
- cookies function
- Finds/decrypts Chrome 'Cookies' files. See README.md for complete syntax/flags.
- Added /mkfile:FILE argument to credentials/vaults/rdg/triage commands, takes a SharpDPAPI or Mimikatz formatted file of {GUID}:SHA1 masterkey mappings (for offline triage)
- Cleaned up and simplified the credentials/vaults/rdg/triage command functions in SharpDPAPI
- Cleaned up and reorganized SharpDPAPI's default help menu output
- When using /server:X, .RDG files parsed from RDCMan.settings files are translated to \\UNC paths for parsing
- triage command when used against a remote /server:X now works properly
- rdg action
- Find RDCMan.settings and linked .RDG files, or take a given /target .RDG/RDCMan.settings file/folder, and decrypt passwords given a /pvk, GUID key lookup table, or CryptUnprotectData (with /unprotect).
- blob action
- Describe a supplied DPAPI binary blob, optionally decryption the blob with masterkey GUID lookups or a PVK masterkey decryption
- Added IsTextUnicode() for vault/credential/blob decryption display, showing hex if unicode is detected
- Added /target:C:\FOLDER\ option for the masterkeys function, for offline masterkey decryption
- Updated README
- masterkeys/vaults/creds/triage actions
- Remote server support for user vault/credential triage with /server:X
- machinemasterkeys perform master key triage for the local machine
- implicitly elevates to SYSTEM to extract the machine's local DPAPI key
- uses this key to triage all machine Credential files
- machinecredentials perform Credential file triage for the local machine
- implicitly elevates to SYSTEM via the machinemasterkeys approach
- uses the extracted masterkeys to decrypt any Credential files
- machinevaults perform vault triage for the local machine
- implicitly elevates to SYSTEM via the machinemasterkeys approach
- uses the extracted masterkeys to decrypt any machine Vaults
- machinetriage performs all machine triage actions (currently vault and credential)
- implicitly elevates to SYSTEM via the machinemasterkeys approach
- Expanded Vault credential format to handle vault credential clear attributes
- Expanded machine vault/credential search locations
- Broke out commands/files into the same general structure as Rubeus
- SharpDPAPI.cna Cobalt Strike aggressor script to automate the usage of SharpDPAPI (from @leechristensen)
- Wrapped main in try/catch
- Fixed Policy.vpol parsing to handle the "KSSM" (?) format. Thank you @gentilkiwi :)
- masterkeys action
- decrypts currently reachable master keys (current users or all if elevated) and attempts to decrypt them using a passed {GUI}:SHA1 masterkey lookup table, or a /pvk base64 blob representation of the domain DPAPI backup key
- credentials action
- decrypts currently reachable Credential files (current users or all if elevated) and attempts to decrypt them using a passed {GUI}:SHA1 masterkey lookup table, or a /pvk base64 blob representation of the domain DPAPI backup key
- vaults action
- decrypts currently reachable Vault files (current users or all if elevated) and attempts to decrypt them using a passed {GUI}:SHA1 masterkey lookup table, or a /pvk base64 blob representation of the domain DPAPI backup key
- triage action
- performs all triage actions (currently vault and credential)
- CHANGELOG
- modified the argument formats for the backupkey command
- retructured files so code isn't in a single file
- revamped README
- Initial release