dissect.target 3.19.dev56__py3-none-any.whl → 3.19.dev58__py3-none-any.whl

dissect/target/plugin.py

@@ -142,7 +142,7 @@ def get_nonprivate_attributes(cls: Type[Plugin]) -> list[Any]:
 
 def get_nonprivate_methods(cls: Type[Plugin]) -> list[Callable]:
     """Retrieve all public methods of a :class:`Plugin`."""
-    return [attr for attr in get_nonprivate_attributes(cls) if not isinstance(attr, property)]
+    return [attr for attr in get_nonprivate_attributes(cls) if not isinstance(attr, property) and callable(attr)]
 
 
 def get_descriptors_on_nonprivate_methods(cls: Type[Plugin]) -> list[RecordDescriptor]:
@@ -1020,7 +1020,7 @@ class NamespacePlugin(Plugin):
                 continue
 
             # The method needs to output records
-            if getattr(subplugin_func, "__output__", None) != "record":
+            if getattr(subplugin_func, "__output__", None) not in ["record", "yield"]:
                 continue
 
             # The method may not be part of a parent class.
@@ -1106,6 +1106,9 @@ class NamespacePlugin(Plugin):
             cls.__init_subclass_namespace__(cls, **kwargs)
 
 
+__COMMON_PLUGIN_METHOD_NAMES__ = {attr.__name__ for attr in get_nonprivate_methods(Plugin)}
+
+
 class InternalPlugin(Plugin):
     """Parent class for internal plugins.
 
@@ -1115,13 +1118,17 @@ class InternalPlugin(Plugin):
 
     def __init_subclass__(cls, **kwargs):
         for method in get_nonprivate_methods(cls):
-            if callable(method):
+            if callable(method) and method.__name__ not in __COMMON_PLUGIN_METHOD_NAMES__:
                 method.__internal__ = True
 
         super().__init_subclass__(**kwargs)
         return cls
 
 
+class InternalNamespacePlugin(NamespacePlugin, InternalPlugin):
+    pass
+
+
 @dataclass(frozen=True, eq=True)
 class PluginFunction:
     name: str

dissect/target/plugins/os/windows/credential/lsa.py

@@ -0,0 +1,174 @@
+from __future__ import annotations
+
+import hashlib
+from functools import cached_property
+from typing import Iterator
+
+from dissect.target.exceptions import RegistryKeyNotFoundError, UnsupportedPluginError
+from dissect.target.helpers.record import TargetRecordDescriptor
+from dissect.target.plugin import Plugin, export
+
+try:
+    from Crypto.Cipher import AES, ARC4, DES
+
+    HAS_CRYPTO = True
+except ImportError:
+    HAS_CRYPTO = False
+
+
+LSASecretRecord = TargetRecordDescriptor(
+    "windows/credential/lsa",
+    [
+        ("datetime", "ts"),
+        ("string", "name"),
+        ("string", "value"),
+    ],
+)
+
+
+class LSAPlugin(Plugin):
+    """Windows Local Security Authority (LSA) plugin.
+
+    Resources:
+        - https://learn.microsoft.com/en-us/windows/win32/secauthn/lsa-authentication
+        - https://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html (Windows XP)
+        - https://github.com/fortra/impacket/blob/master/impacket/examples/secretsdump.py
+    """
+
+    __namespace__ = "lsa"
+
+    SECURITY_POLICY_KEY = "HKEY_LOCAL_MACHINE\\SECURITY\\Policy"
+    SYSTEM_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA"
+
+    def check_compatible(self) -> None:
+        if not HAS_CRYPTO:
+            raise UnsupportedPluginError("Missing pycryptodome dependency")
+
+        if not self.target.has_function("registry") or not list(self.target.registry.keys(self.SYSTEM_KEY)):
+            raise UnsupportedPluginError("Registry key not found: %s", self.SYSTEM_KEY)
+
+    @cached_property
+    def syskey(self) -> bytes:
+        """Return byte value of Windows system SYSKEY, also called BootKey."""
+        lsa = self.target.registry.key(self.SYSTEM_KEY)
+        syskey_keys = ["JD", "Skew1", "GBG", "Data"]
+        # This magic value rotates the order of the data
+        alterator = [0x8, 0x5, 0x4, 0x2, 0xB, 0x9, 0xD, 0x3, 0x0, 0x6, 0x1, 0xC, 0xE, 0xA, 0xF, 0x7]
+
+        r = bytes.fromhex("".join([lsa.subkey(key).class_name for key in syskey_keys]))
+        return bytes(r[i] for i in alterator)
+
+    @cached_property
+    def lsakey(self) -> bytes:
+        """Decrypt and return the LSA key of the Windows system."""
+        security_pol = self.target.registry.key(self.SECURITY_POLICY_KEY)
+
+        try:
+            # Windows Vista or newer
+            enc_key = security_pol.subkey("PolEKList").value("(Default)").value
+            lsa_key = _decrypt_aes(enc_key, self.syskey)
+            return lsa_key[68:100]
+        except RegistryKeyNotFoundError:
+            pass
+
+        try:
+            # Windows XP
+            enc_key = security_pol.subkey("PolSecretEncryptionKey").value("(Default)").value
+            lsa_key = _decrypt_rc4(enc_key, self.syskey)
+            return lsa_key[16:32]
+        except RegistryKeyNotFoundError:
+            pass
+
+        raise ValueError("Unable to determine LSA policy key location in registry")
+
+    @cached_property
+    def _secrets(self) -> dict[str, bytes] | None:
+        """Return dict of Windows system decrypted LSA secrets."""
+        if not self.target.ntversion:
+            raise ValueError("Unable to determine Windows NT version")
+
+        result = {}
+        for subkey in self.target.registry.key(self.SECURITY_POLICY_KEY).subkey("Secrets").subkeys():
+            enc_data = subkey.subkey("CurrVal").value("(Default)").value
+
+            # Windows Vista or newer
+            if float(self.target.ntversion) >= 6.0:
+                secret = _decrypt_aes(enc_data, self.lsakey)
+
+            # Windows XP
+            else:
+                secret = _decrypt_des(enc_data, self.lsakey)
+
+            result[subkey.name] = secret
+
+        return result
+
+    @export(record=LSASecretRecord)
+    def secrets(self) -> Iterator[LSASecretRecord]:
+        """Yield decrypted LSA secrets from a Windows target."""
+        for key, value in self._secrets.items():
+            yield LSASecretRecord(
+                ts=self.target.registry.key(f"{self.SECURITY_POLICY_KEY}\\Secrets\\{key}").ts,
+                name=key,
+                value=value.hex(),
+                _target=self.target,
+            )
+
+
+def _decrypt_aes(data: bytes, key: bytes) -> bytes:
+    ctx = hashlib.sha256()
+    ctx.update(key)
+    for _ in range(1, 1000 + 1):
+        ctx.update(data[28:60])
+
+    ciphertext = data[60:]
+    plaintext = []
+
+    for i in range(0, len(ciphertext), 16):
+        cipher = AES.new(ctx.digest(), AES.MODE_CBC, iv=b"\x00" * 16)
+        plaintext.append(cipher.decrypt(ciphertext[i : i + 16].ljust(16, b"\x00")))
+
+    return b"".join(plaintext)
+
+
+def _decrypt_rc4(data: bytes, key: bytes) -> bytes:
+    md5 = hashlib.md5()
+    md5.update(key)
+    for _ in range(1000):
+        md5.update(data[60:76])
+    rc4_key = md5.digest()
+
+    cipher = ARC4.new(rc4_key)
+    return cipher.decrypt(data[12:60])
+
+
+def _decrypt_des(data: bytes, key: bytes) -> bytes:
+    plaintext = []
+
+    enc_size = int.from_bytes(data[:4], "little")
+    data = data[len(data) - enc_size :]
+
+    key0 = key
+    for _ in range(0, len(data), 8):
+        ciphertext = data[:8]
+        block_key = _transform_key(key0[:7])
+
+        cipher = DES.new(block_key, DES.MODE_ECB)
+        plaintext.append(cipher.decrypt(ciphertext))
+
+        key0 = key0[7:]
+        data = data[8:]
+
+        if len(key0) < 7:
+            key0 = key[len(key0) :]
+
+    return b"".join(plaintext)
+
+
+def _transform_key(key: bytes) -> bytes:
+    new_key = []
+    new_key.append(((key[0] >> 0x01) << 1) & 0xFE)
+    for i in range(0, 6):
+        new_key.append((((key[i] & ((1 << (i + 1)) - 1)) << (6 - i) | (key[i + 1] >> (i + 2))) << 1) & 0xFE)
+    new_key.append(((key[6] & 0x7F) << 1) & 0xFE)
+    return bytes(new_key)

dissect/target/plugins/os/windows/{sam.py → credential/sam.py}

@@ -210,7 +210,7 @@ struct SAM_HASH_AES {  /* size: >=24 */
 c_sam = cstruct().load(sam_def)
 
 SamRecord = TargetRecordDescriptor(
-    "windows/registry/sam",
+    "windows/credential/sam",
     [
         ("uint32", "rid"),
         ("string", "fullname"),
@@ -303,6 +303,9 @@ class SamPlugin(Plugin):
         if not HAS_CRYPTO:
             raise UnsupportedPluginError("Missing pycryptodome dependency")
 
+        if not self.target.has_function("lsa"):
+            raise UnsupportedPluginError("LSA plugin is required for SAM plugin")
+
         if not len(list(self.target.registry.keys(self.SAM_KEY))) > 0:
             raise UnsupportedPluginError(f"Registry key not found: {self.SAM_KEY}")
 
@@ -374,7 +377,7 @@ class SamPlugin(Plugin):
             nt (string): Parsed NT-hash.
         """
 
-        syskey = self.target.dpapi.syskey  # aka. bootkey
+        syskey = self.target.lsa.syskey  # aka. bootkey
         samkey = self.calculate_samkey(syskey)  # aka. hashed bootkey or hbootkey
 
         almpassword = b"LMPASSWORD\0"

dissect/target/plugins/os/windows/dpapi/blob.py

@@ -90,6 +90,9 @@ class Blob:
         if self.decrypted:
             return True
 
+        if not master_key:
+            raise ValueError("No master key provided to decrypt blob with")
+
         for algo in [crypt_session_key_type1, crypt_session_key_type2]:
             session_key = algo(
                 master_key,

dissect/target/plugins/os/windows/dpapi/crypto.py

@@ -2,17 +2,16 @@ from __future__ import annotations
 
 import hashlib
 import hmac
-from typing import Optional, Union
 
 try:
-    from Crypto.Cipher import AES, ARC4
+    from Crypto.Cipher import AES, ARC4, DES3
 
     HAS_CRYPTO = True
 except ImportError:
     HAS_CRYPTO = False
 
-CIPHER_ALGORITHMS: dict[Union[int, str], CipherAlgorithm] = {}
-HASH_ALGORITHMS: dict[Union[int, str], HashAlgorithm] = {}
+CIPHER_ALGORITHMS: dict[int | str, CipherAlgorithm] = {}
+HASH_ALGORITHMS: dict[int | str, HashAlgorithm] = {}
 
 
 class CipherAlgorithm:
@@ -35,17 +34,27 @@ class CipherAlgorithm:
         return CIPHER_ALGORITHMS[name]()
 
     def derive_key(self, key: bytes, hash_algorithm: HashAlgorithm) -> bytes:
-        """Mimics the corresponding native Microsoft function."""
+        """Mimics the corresponding native Microsoft function.
+
+        Resources:
+            - https://github.com/tijldeneut/DPAPIck3/blob/main/dpapick3/crypto.py#L185
+        """
+
         if len(key) > hash_algorithm.block_length:
             key = hashlib.new(hash_algorithm.name, key).digest()
 
-        if len(key) >= hash_algorithm.digest_length:
+        if len(key) >= self.key_length:
             return key
 
         key = key.ljust(hash_algorithm.block_length, b"\x00")
-        pad1 = bytes(c ^ 0x36 for c in key)
-        pad2 = bytes(c ^ 0x5C for c in key)
-        return hashlib.new(hash_algorithm.name, pad1).digest() + hashlib.new(hash_algorithm.name, pad2).digest()
+        pad1 = bytes(c ^ 0x36 for c in key)[: hash_algorithm.block_length]
+        pad2 = bytes(c ^ 0x5C for c in key)[: hash_algorithm.block_length]
+        key = hashlib.new(hash_algorithm.name, pad1).digest() + hashlib.new(hash_algorithm.name, pad2).digest()
+        key = self.fixup_key(key)
+        return key
+
+    def fixup_key(self, key: bytes) -> bytes:
+        return key
 
     def decrypt_with_hmac(
         self, data: bytes, key: bytes, iv: bytes, hash_algorithm: HashAlgorithm, rounds: int
@@ -55,7 +64,7 @@ class CipherAlgorithm:
 
         return self.decrypt(data, key, iv)
 
-    def decrypt(self, data: bytes, key: bytes, iv: Optional[bytes] = None) -> bytes:
+    def decrypt(self, data: bytes, key: bytes, iv: bytes | None = None) -> bytes:
         raise NotImplementedError()
 
 
@@ -66,7 +75,7 @@ class _AES(CipherAlgorithm):
     iv_length = 128 // 8
     block_length = 128 // 8
 
-    def decrypt(self, data: bytes, key: bytes, iv: Optional[bytes] = None) -> bytes:
+    def decrypt(self, data: bytes, key: bytes, iv: bytes | None = None) -> bytes:
         if not HAS_CRYPTO:
             raise RuntimeError("Missing pycryptodome dependency")
 
@@ -100,7 +109,7 @@ class _RC4(CipherAlgorithm):
     iv_length = 128 // 8
     block_length = 1 // 8
 
-    def decrypt(self, data: bytes, key: bytes, iv: Optional[bytes] = None) -> bytes:
+    def decrypt(self, data: bytes, key: bytes, iv: bytes | None = None) -> bytes:
         if not HAS_CRYPTO:
             raise RuntimeError("Missing pycryptodome dependency")
 
@@ -108,6 +117,34 @@ class _RC4(CipherAlgorithm):
         return cipher.decrypt(data)
 
 
+class _DES3(CipherAlgorithm):
+    id = 0x6603
+    name = "DES3"
+    key_length = 192 // 8
+    iv_length = 64 // 8
+    block_length = 64 // 8
+
+    def fixup_key(self, key: bytes) -> bytes:
+        nkey = []
+        for byte in key:
+            parity_bit = 0
+            for i in range(8):
+                parity_bit ^= (byte >> i) & 1
+
+            nkey.append(byte if parity_bit == 0 else byte | 1)
+        return bytes(nkey[: self.key_length])
+
+    def decrypt(self, data: bytes, key: bytes, iv: bytes | None = None) -> bytes:
+        if not HAS_CRYPTO:
+            raise RuntimeError("Missing pycryptodome dependency")
+
+        if len(key) != 24:
+            raise ValueError(f"Invalid DES3 CBC key length {len(key)}")
+
+        cipher = DES3.new(key, DES3.MODE_CBC, iv=iv if iv else b"\x00" * 8)
+        return cipher.decrypt(data)
+
+
 class HashAlgorithm:
     id: int
     name: str
@@ -123,7 +160,7 @@ class HashAlgorithm:
         return HASH_ALGORITHMS[id]()
 
     @classmethod
-    def from_name(cls, name: str) -> Optional[HashAlgorithm]:
+    def from_name(cls, name: str) -> HashAlgorithm | None:
         return HASH_ALGORITHMS[name]()
 
 
@@ -148,7 +185,7 @@ class _HMAC(_SHA1):
 
 
 class _SHA256(HashAlgorithm):
-    id = 0x8004
+    id = 0x800C
     name = "sha256"
     digest_length = 256 // 8
     block_length = 512 // 8
@@ -197,12 +234,12 @@ def dpapi_hmac(pwd_hash: bytes, hmac_salt: bytes, value: bytes, hash_algorithm:
 
 def crypt_session_key_type1(
     master_key: bytes,
-    nonce: Optional[bytes],
+    nonce: bytes | None,
     hash_algorithm: HashAlgorithm,
-    entropy: Optional[bytes] = None,
-    strong_password: Optional[str] = None,
-    smart_card_secret: Optional[bytes] = None,
-    verify_blob: Optional[bytes] = None,
+    entropy: bytes | None = None,
+    strong_password: str | None = None,
+    smart_card_secret: bytes | None = None,
+    verify_blob: bytes | None = None,
 ) -> bytes:
     """Computes the decryption key for Type1 DPAPI blob, given the master key and optional information.
 
@@ -218,6 +255,7 @@ def crypt_session_key_type1(
         strong_password: Optional password used for decryption or the blob itself.
         smart_card_secret: Optional MS Next Gen Crypto secret (e.g. from PIN code).
         verify_blob: Optional encrypted blob used for integrity check.
+
     Returns:
         decryption key
     """
@@ -258,10 +296,10 @@ def crypt_session_key_type2(
     masterkey: bytes,
     nonce: bytes,
     hash_algorithm: HashAlgorithm,
-    entropy: Optional[bytes] = None,
-    strong_password: Optional[str] = None,
-    smart_card_secret: Optional[bytes] = None,
-    verify_blob: Optional[bytes] = None,
+    entropy: bytes | None = None,
+    strong_password: str | None = None,
+    smart_card_secret: bytes | None = None,
+    verify_blob: bytes | None = None,
 ) -> bytes:
     """Computes the decryption key for Type2 DPAPI blob, given the masterkey and optional information.
 

dissect/target/plugins/os/windows/dpapi/dpapi.py

@@ -1,18 +1,11 @@
-import hashlib
+from __future__ import annotations
+
 import re
 from functools import cache, cached_property
 from pathlib import Path
-
-try:
-    from Crypto.Cipher import AES
-
-    HAS_CRYPTO = True
-except ImportError:
-    HAS_CRYPTO = False
-
+from typing import Iterator
 
 from dissect.target.exceptions import UnsupportedPluginError
-from dissect.target.helpers import keychain
 from dissect.target.plugin import InternalPlugin
 from dissect.target.plugins.os.windows.dpapi.blob import Blob as DPAPIBlob
 from dissect.target.plugins.os.windows.dpapi.master_key import CredSystem, MasterKeyFile
@@ -20,175 +13,176 @@ from dissect.target.target import Target
 
 
 class DPAPIPlugin(InternalPlugin):
-    __namespace__ = "dpapi"
+    """Windows Data Protection API (DPAPI) plugin.
 
-    MASTER_KEY_REGEX = re.compile("^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
+    Resources:
+        - Reversing ``Crypt32.dll``
+        - https://learn.microsoft.com/en-us/windows/win32/api/dpapi/
+        - https://github.com/fortra/impacket/blob/master/examples/dpapi.py
+        - https://github.com/tijldeneut/DPAPIck3
+        - https://www.passcape.com/index.php?section=docsys&cmd=details&id=28
+    """
 
-    SECURITY_POLICY_KEY = "HKEY_LOCAL_MACHINE\\SECURITY\\Policy"
-    SYSTEM_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA"
+    __namespace__ = "dpapi"
 
-    SYSTEM_USERNAME = "System"
+    RE_MASTER_KEY = re.compile("^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
+    SYSTEM_SID = "S-1-5-18"
 
     def __init__(self, target: Target):
         super().__init__(target)
         self.keychain = cache(self.keychain)
 
     def check_compatible(self) -> None:
-        if not HAS_CRYPTO:
-            raise UnsupportedPluginError("Missing pycryptodome dependency")
-
-        if not list(self.target.registry.keys(self.SYSTEM_KEY)):
-            raise UnsupportedPluginError(f"Registry key not found: {self.SYSTEM_KEY}")
+        if not self.target.has_function("lsa"):
+            raise UnsupportedPluginError("Windows registry and LSA plugins are required for DPAPI decryption")
 
     def keychain(self) -> set:
-        passwords = set()
-
-        for key in keychain.get_keys_for_provider("user") + keychain.get_keys_without_provider():
-            if key.key_type == keychain.KeyType.PASSPHRASE:
-                passwords.add(key.value)
-
-        # It is possible to encrypt using an empty passphrase.
-        passwords.add("")
-        return passwords
-
-    @cached_property
-    def syskey(self) -> bytes:
-        lsa = self.target.registry.key(self.SYSTEM_KEY)
-        syskey_keys = ["JD", "Skew1", "GBG", "Data"]
-        # This magic value rotates the order of the data
-        alterator = [0x8, 0x5, 0x4, 0x2, 0xB, 0x9, 0xD, 0x3, 0x0, 0x6, 0x1, 0xC, 0xE, 0xA, 0xF, 0x7]
-
-        r = bytes.fromhex("".join([lsa.subkey(key).class_name for key in syskey_keys]))
-        return bytes(r[i] for i in alterator)
-
-    @cached_property
-    def lsakey(self) -> bytes:
-        policy_key = "PolEKList"
-
-        encrypted_key = self.target.registry.key(self.SECURITY_POLICY_KEY).subkey(policy_key).value("(Default)").value
-
-        lsa_key = _decrypt_aes(encrypted_key, self.syskey)
-
-        return lsa_key[68:100]
-
-    @cached_property
-    def secrets(self) -> dict[str, bytes]:
-        result = {}
-
-        reg_secrets = self.target.registry.key(self.SECURITY_POLICY_KEY).subkey("Secrets")
-        for subkey in reg_secrets.subkeys():
-            enc_data = subkey.subkey("CurrVal").value("(Default)").value
-            secret = _decrypt_aes(enc_data, self.lsakey)
-            result[subkey.name] = secret
-
-        return result
+        return set(self.target._dpapi_keyprovider.keys())
 
     @cached_property
     def master_keys(self) -> dict[str, dict[str, MasterKeyFile]]:
-        # This assumes that there is no user named System.
-        # As far as I can tell, the name "System" is saved for the actual System user
-        # Therefore the user can't actually exist in `all_with_home`
-        result = {self.SYSTEM_USERNAME: {}}
+        """Returns dict of found DPAPI master keys on the Windows target for SYSTEM and regular users."""
+        master_keys = {}
+
+        # Search for SYSTEM master keys
+        master_keys[self.SYSTEM_SID] = {}
 
-        system_master_key_path = self.target.fs.path("sysvol/Windows/System32/Microsoft/Protect/S-1-5-18")
+        system_master_key_path = self.target.fs.path(f"sysvol/Windows/System32/Microsoft/Protect/{self.SYSTEM_SID}")
         system_user_master_key_path = system_master_key_path.joinpath("User")
 
         for dir in [system_master_key_path, system_user_master_key_path]:
-            user_mks = self._load_master_keys_from_path(self.SYSTEM_USERNAME, dir)
-            result[self.SYSTEM_USERNAME].update(user_mks)
+            user_mks = self._load_master_keys_from_path(self.SYSTEM_SID, dir)
+            master_keys[self.SYSTEM_SID].update(user_mks)
+
+        # Search for user master keys, generally located at $HOME/AppData/Roaming/Microsoft/Protect/{user_sid}/{mk_guid}
+        PROTECT_DIRS = [
+            # Windows Vista and newer
+            "AppData/Roaming/Microsoft/Protect",
+            # Windows XP
+            "Application Data/Microsoft/Protect",
+        ]
 
         for user in self.target.user_details.all_with_home():
-            path = user.home_path.joinpath("AppData/Roaming/Microsoft/Protect").joinpath(user.user.sid)
-            user_mks = self._load_master_keys_from_path(user.user.name, path)
-            if user_mks:
-                result[user.user.name] = user_mks
+            sid = user.user.sid
+            master_keys.setdefault(sid, {})
 
-        return result
+            for protect_dir in PROTECT_DIRS:
+                path = user.home_path.joinpath(protect_dir).joinpath(sid)
+                if user_mks := self._load_master_keys_from_path(sid, path):
+                    master_keys[sid] |= user_mks
 
-    @cached_property
-    def _users(self) -> dict[str, dict[str, str]]:
-        return {u.name: {"sid": u.sid} for u in self.target.users()}
+        return master_keys
+
+    def _load_master_keys_from_path(self, sid: str, path: Path) -> Iterator[tuple[str, MasterKeyFile]]:
+        """Iterate over the provided ``path`` and search for master key files for the given user SID."""
 
-    def _load_master_keys_from_path(self, username: str, path: Path) -> dict[str, MasterKeyFile]:
         if not path.exists():
-            return {}
+            self.target.log.info("Unable to load master keys from path as it does not exist: %s", path)
+            return
 
-        result = {}
         for file in path.iterdir():
-            if self.MASTER_KEY_REGEX.findall(file.name):
-                with file.open() as fh:
-                    mkf = MasterKeyFile(fh)
-
-                if username == self.SYSTEM_USERNAME:
-                    dpapi_system = CredSystem(self.secrets["DPAPI_SYSTEM"][16:])
+            if not self.RE_MASTER_KEY.findall(file.name):
+                continue
+
+            with file.open() as fh:
+                mkf = MasterKeyFile(fh)
+
+            # Decrypt SYSTEM master key using the DPAPI_SYSTEM LSA secret.
+            if sid == self.SYSTEM_SID:
+                if "DPAPI_SYSTEM" not in self.target.lsa._secrets:
+                    self.target.log.warning("Unable to decrypt SYSTEM master key: LSA secret missing")
+                    continue
+
+                # Windows XP
+                if float(self.target.ntversion) < 6.0:
+                    secret_offset = 8
+
+                # Windows Vista and newer
+                else:
+                    secret_offset = 16
+
+                dpapi_system = CredSystem(self.target.lsa._secrets["DPAPI_SYSTEM"][secret_offset:])
+                mkf.decrypt_with_key(dpapi_system.machine_key)
+                mkf.decrypt_with_key(dpapi_system.user_key)
+
+                # Decrypting the System master key should always succeed
+                if not mkf.decrypted:
+                    self.target.log.error("Failed to decrypt SYSTEM master key!")
+                    continue
+
+                yield file.name, mkf
+
+            # Decrypt user master key
+            else:
+                # Iterate over every master key password we have from the keychain
+                for provider, mk_pass in self.keychain():
+                    try:
+                        if mkf.decrypt_with_password(sid, mk_pass):
+                            self.target.log.info(
+                                "Decrypted user master key with password '%s' from provider %s", mk_pass, provider
+                            )
+                            break
+                    except ValueError:
+                        pass
+
+                    try:
+                        if mkf.decrypt_with_hash(sid, bytes.fromhex(mk_pass)):
+                            self.target.log.info(
+                                "Decrypted SID %s master key with hash '%s' from provider %s", sid, mk_pass, provider
+                            )
+                            break
+                    except ValueError:
+                        pass
 
-                    if not mkf.decrypt_with_key(dpapi_system.machine_key):
-                        mkf.decrypt_with_key(dpapi_system.user_key)
+                if not mkf.decrypted:
+                    self.target.log.warning("Could not decrypt master key '%s' for SID '%s'", file.name, sid)
 
-                    # This should not be possible, decrypting the System master key should always succeed
-                    if not mkf.decrypted:
-                        raise Exception("Failed to decrypt System master key")
+                yield file.name, mkf
 
-                if user := self._users.get(username):
-                    for mk_pass in self.keychain():
-                        if mkf.decrypt_with_password(user["sid"], mk_pass):
-                            break
+    @cached_property
+    def _users(self) -> dict[str, str]:
+        """Cached map of username to SID."""
+        return {user.name: user.sid for user in self.target.users()}
 
-                        try:
-                            if mkf.decrypt_with_hash(user["sid"], bytes.fromhex(mk_pass)) is True:
-                                break
-                        except ValueError:
-                            pass
+    def decrypt_system_blob(self, data: bytes) -> bytes:
+        """Decrypt the given bytes using the SYSTEM master key."""
+        return self.decrypt_user_blob(data, sid=self.SYSTEM_SID)
 
-                    if not mkf.decrypted:
-                        self.target.log.warning("Could not decrypt DPAPI master key for username '%s'", username)
+    def decrypt_user_blob(self, data: bytes, username: str | None = None, sid: str | None = None) -> bytes:
+        """Decrypt the given bytes using the master key of the given SID or username."""
 
-                result[file.name] = mkf
+        if not sid and not username:
+            raise ValueError("Either sid or username argument is required")
 
-        return result
+        if not sid and username:
+            sid = self._users.get(username)
 
-    def decrypt_system_blob(self, data: bytes) -> bytes:
-        """Decrypt the given bytes using the System master key."""
-        return self.decrypt_user_blob(data, self.SYSTEM_USERNAME)
+        if not sid:
+            raise ValueError("No SID provided or no SID found")
 
-    def decrypt_user_blob(self, data: bytes, username: str) -> bytes:
-        """Decrypt the given bytes using the master key of the given user."""
-        blob = DPAPIBlob(data)
+        try:
+            blob = DPAPIBlob(data)
+        except EOFError as e:
+            raise ValueError(f"Failed to parse DPAPI blob: {e}")
 
-        if not (mk := self.master_keys.get(username, {}).get(blob.guid)):
-            raise ValueError(f"Blob UUID is unknown to {username} master keys")
+        if not (mk := self.master_keys.get(sid, {}).get(blob.guid)):
+            raise ValueError(f"Blob is encrypted using master key {blob.guid} that we do not have for SID {sid}")
 
         if not blob.decrypt(mk.key):
-            raise ValueError(f"Failed to decrypt blob for user {username}")
+            raise ValueError(f"Failed to decrypt blob for SID {sid}")
 
         return blob.clear_text
 
     def decrypt_blob(self, data: bytes) -> bytes:
         """Attempt to decrypt the given bytes using any of the available master keys."""
-        blob = DPAPIBlob(data)
+        try:
+            blob = DPAPIBlob(data)
+        except EOFError as e:
+            raise ValueError(f"Failed to parse DPAPI blob: {e}")
 
         for user in self.master_keys:
             for mk in self.master_keys[user].values():
                 if blob.decrypt(mk.key):
                     return blob.clear_text
 
-        raise ValueError("Failed to decrypt blob")
-
-
-def _decrypt_aes(data: bytes, key: bytes) -> bytes:
-    ctx = hashlib.sha256()
-    ctx.update(key)
-
-    tmp = data[28:60]
-    for _ in range(1, 1000 + 1):
-        ctx.update(tmp)
-
-    aeskey = ctx.digest()
-    iv = b"\x00" * 16
-
-    result = []
-    for i in range(60, len(data), 16):
-        cipher = AES.new(aeskey, AES.MODE_CBC, iv)
-        result.append(cipher.decrypt(data[i : i + 16].ljust(16, b"\x00")))
-
-    return b"".join(result)
+        raise ValueError("Failed to decrypt blob using any available master key")

dissect/target/plugins/os/windows/dpapi/keyprovider/credhist.py

@@ -0,0 +1,21 @@
+from typing import Iterator
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.plugin import export
+from dissect.target.plugins.os.windows.dpapi.keyprovider.keyprovider import (
+    KeyProviderPlugin,
+)
+
+
+class CredHistKeyProviderPlugin(KeyProviderPlugin):
+    __namespace__ = "_dpapi_keyprovider_credhist"
+
+    def check_compatible(self) -> None:
+        if not self.target.has_function("credhist"):
+            raise UnsupportedPluginError("CREDHIST plugin not available on target")
+
+    @export(output="yield")
+    def keys(self) -> Iterator[tuple[str, str]]:
+        for credhist in self.target.credhist():
+            if value := getattr(credhist, "sha1"):
+                yield self.__namespace__, value

dissect/target/plugins/os/windows/dpapi/keyprovider/empty.py

@@ -0,0 +1,17 @@
+from typing import Iterator
+
+from dissect.target.plugin import export
+from dissect.target.plugins.os.windows.dpapi.keyprovider.keyprovider import (
+    KeyProviderPlugin,
+)
+
+
+class EmptyKeyProviderPlugin(KeyProviderPlugin):
+    __namespace__ = "_dpapi_keyprovider_empty"
+
+    def check_compatible(self) -> None:
+        return
+
+    @export(output="yield")
+    def keys(self) -> Iterator[tuple[str, str]]:
+        yield self.__namespace__, ""

dissect/target/plugins/os/windows/dpapi/keyprovider/keychain.py

@@ -0,0 +1,20 @@
+from typing import Iterator
+
+from dissect.target.helpers import keychain
+from dissect.target.plugin import export
+from dissect.target.plugins.os.windows.dpapi.keyprovider.keyprovider import (
+    KeyProviderPlugin,
+)
+
+
+class KeychainKeyProviderPlugin(KeyProviderPlugin):
+    __namespace__ = "_dpapi_keyprovider_keychain"
+
+    def check_compatible(self) -> None:
+        return
+
+    @export(output="yield")
+    def keys(self) -> Iterator[tuple[str, str]]:
+        for key in keychain.get_keys_for_provider("user") + keychain.get_keys_without_provider():
+            if key.key_type == keychain.KeyType.PASSPHRASE:
+                yield self.__namespace__, key.value

dissect/target/plugins/os/windows/dpapi/keyprovider/keyprovider.py

@@ -0,0 +1,8 @@
+from dissect.target.plugin import InternalNamespacePlugin
+
+
+class KeyProviderPlugin(InternalNamespacePlugin):
+    __namespace__ = "_dpapi_keyprovider"
+
+    def check_compatible(self) -> None:
+        return None

dissect/target/plugins/os/windows/dpapi/keyprovider/lsa.py

@@ -0,0 +1,38 @@
+from typing import Iterator
+
+from dissect.cstruct import cstruct
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.plugin import export
+from dissect.target.plugins.os.windows.dpapi.keyprovider.keyprovider import (
+    KeyProviderPlugin,
+)
+
+defaultpassword_def = """
+struct DefaultPassword {
+    DWORD   length;
+    char    flags[4*3];
+    WCHAR   data[length/2];
+    char    checksum_or_guid[0x10];
+};
+"""
+
+c_defaultpassword = cstruct().load(defaultpassword_def)
+
+
+class LSADefaultPasswordKeyProviderPlugin(KeyProviderPlugin):
+    __namespace__ = "_dpapi_keyprovider_lsa_defaultpassword"
+
+    def check_compatible(self) -> None:
+        if not self.target.has_function("lsa"):
+            raise UnsupportedPluginError("LSA plugin not available on target")
+
+    @export(output="yield")
+    def keys(self) -> Iterator[tuple[str, str]]:
+        if default_pass := self.target.lsa._secrets.get("DefaultPassword"):
+            try:
+                value = c_defaultpassword.DefaultPassword(default_pass).data
+            except Exception:
+                self.target.log.warning("Failed to parse LSA DefaultPassword value")
+                return
+            yield self.__namespace__, value

dissect/target/plugins/os/windows/dpapi/master_key.py

@@ -95,6 +95,9 @@ class MasterKey:
 
     def decrypt_with_password(self, user_sid: str, pwd: str) -> bool:
         """Decrypts the master key with the given user's password and SID."""
+        if self.decrypted:
+            return True
+
         pwd = pwd.encode("utf-16-le")
 
         for algo in ["sha1", "md4"]:

{dissect.target-3.19.dev56.dist-info → dissect.target-3.19.dev58.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.19.dev56
+Version: 3.19.dev58
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3
@@ -31,7 +31,7 @@ Requires-Dist: dissect.ntfs <4,>=3.4
 Requires-Dist: dissect.regf <4,>=3.3
 Requires-Dist: dissect.util <4,>=3
 Requires-Dist: dissect.volume <4,>=2
-Requires-Dist: flow.record ~=3.15.0
+Requires-Dist: flow.record ~=3.16.0
 Requires-Dist: structlog
 Provides-Extra: cb
 Requires-Dist: dissect.target[full] ; extra == 'cb'

{dissect.target-3.19.dev56.dist-info → dissect.target-3.19.dev58.dist-info}/RECORD

@@ -3,7 +3,7 @@ dissect/target/container.py,sha256=0YcwcGmfJjhPXUB6DEcjWEoSuAtTDxMDpoTviMrLsxM,9
 dissect/target/exceptions.py,sha256=ULi7NXlqju_d8KENEL3aimmfKTFfbNssfeWhAnOB654,2972
 dissect/target/filesystem.py,sha256=__p2p72B6mKgIiAOj85EC3ESdZ8gjgkm2pt1KKym3h0,60743
 dissect/target/loader.py,sha256=I8WNzDA0SMy42F7zfyBcSKj_VKNv64213WUvtGZ77qE,7374
-dissect/target/plugin.py,sha256=k9xWNnIGQG0DQsq6DKYJ6_DAX1aIA0SjzniWmOwX8O4,50317
+dissect/target/plugin.py,sha256=xbvmjZMFNwJXZYMBE4KI93-nWL9Zhum8x39ydcO6s2o,50578
 dissect/target/report.py,sha256=06uiP4MbNI8cWMVrC1SasNS-Yg6ptjVjckwj8Yhe0Js,7958
 dissect/target/target.py,sha256=m4bAKgPLUJERKgxRZFevKvEBNaz77wIC5mVrDe6eI8o,32438
 dissect/target/volume.py,sha256=aQZAJiny8jjwkc9UtwIRwy7nINXjCxwpO-_UDfh6-BA,15801
@@ -269,7 +269,6 @@ dissect/target/plugins/os/windows/amcache.py,sha256=ZZNOs3bILTf0AGkDkhoatndl0j39
 dissect/target/plugins/os/windows/catroot.py,sha256=QVwMF5nuMzCkWnoOMs5BkwYoKN61HKmlxo8mKMoD3w8,10937
 dissect/target/plugins/os/windows/cim.py,sha256=jsrpu6TZpBUh7VWI9AV2Ib5bebTwsvqOwRfa5gjJd7c,3056
 dissect/target/plugins/os/windows/clfs.py,sha256=begVsZ-CY97Ksh6S1g03LjyBgu8ERY2hfNDWYPj0GXI,4872
-dissect/target/plugins/os/windows/credhist.py,sha256=YSjuyd53Augdy_lKKzZHtx5Ozt0HzF6LDYIOb-8P1Pw,7058
 dissect/target/plugins/os/windows/datetime.py,sha256=YKHUZU6lkKJocq15y0yCwvIIOb1Ej-kfvEBmHbrdIGw,9467
 dissect/target/plugins/os/windows/defender.py,sha256=zh3brEvJmknD5ef0PGuLZ1G95Fgdh-dlgi-ZEbADKXo,32716
 dissect/target/plugins/os/windows/env.py,sha256=-u9F9xWy6PUbQmu5Tv_MDoVmy6YB-7CbHokIK_T3S44,13891
@@ -281,7 +280,6 @@ dissect/target/plugins/os/windows/notifications.py,sha256=T1CIvQgpW__qDR0Rq5zpeW
 dissect/target/plugins/os/windows/prefetch.py,sha256=v4OgSKMwcihz0SOuA0o0Ec8wsAKuiuEmJolqZmHFgJA,10491
 dissect/target/plugins/os/windows/recyclebin.py,sha256=zx58hDCvcrD_eJl9nJmr_i80krSN03ya8nQzWFr2Tw0,4917
 dissect/target/plugins/os/windows/registry.py,sha256=EfqUkgbzaqTuq1kIPYNG1TfvJxhJE5X-TEjV3K_xsPU,12814
-dissect/target/plugins/os/windows/sam.py,sha256=NwKzfP_ae8SXgCoj_apa-29ZeFxeQsGidJ6llF1khP8,15468
 dissect/target/plugins/os/windows/services.py,sha256=MoVPJ1GKpPaJrGd2DYtuHEmKqC2uOKRc5SZKB12goSs,6068
 dissect/target/plugins/os/windows/sru.py,sha256=sOM7CyMkW8XIXzI75GL69WoqUrSK2X99TFIfdQR2D64,17767
 dissect/target/plugins/os/windows/startupinfo.py,sha256=kl8Y7M4nVfmJ71I33VCegtbHj-ZOeEsYAdlNbgwtUOA,3406
@@ -291,14 +289,24 @@ dissect/target/plugins/os/windows/thumbcache.py,sha256=23YjOjTNoE7BYITmg8s9Zs8Wi
 dissect/target/plugins/os/windows/ual.py,sha256=TYF-R46klEa_HHb86UJd6mPrXwHlAMOUTzC0pZ8uiq0,9787
 dissect/target/plugins/os/windows/wer.py,sha256=ogecvKYxAvDXLptQj4cn0JLn1FxaXjeSuJWs4JgkoZs,8656
 dissect/target/plugins/os/windows/wua_history.py,sha256=GrSmnEbPYUrQzixG5JWElMRBoCrUPnZKpsVIwpfPQfg,54785
+dissect/target/plugins/os/windows/credential/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+dissect/target/plugins/os/windows/credential/credhist.py,sha256=YSjuyd53Augdy_lKKzZHtx5Ozt0HzF6LDYIOb-8P1Pw,7058
+dissect/target/plugins/os/windows/credential/lsa.py,sha256=bo5zS4gDvMDU0c4456ZJ4FrDkcTnWdpmLaQZnZ33_fI,5638
+dissect/target/plugins/os/windows/credential/sam.py,sha256=iRqMNPLqrObJG2h6brzvAyeVBnIIgHVX_p_Hw_Jfa3A,15599
 dissect/target/plugins/os/windows/defender_helpers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/windows/defender_helpers/defender_patterns.py,sha256=xsZH0WqMX_mC1q55jgp4RDHBRh2UQBXZVhJD0DRiwZU,9329
 dissect/target/plugins/os/windows/defender_helpers/defender_records.py,sha256=_azaY5Y1cH-WPmkA5k94PMktZGYXmWJG8addFQxQ554,5177
 dissect/target/plugins/os/windows/dpapi/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-dissect/target/plugins/os/windows/dpapi/blob.py,sha256=j3MMROXroes7pr_VLt8Xv6WEpv19hlgDpOxOJyZMRvo,5044
-dissect/target/plugins/os/windows/dpapi/crypto.py,sha256=_F1F2j1chQw-KLqfWvgL2mCkF3HSvdVnM78OZ0ph9hc,9337
-dissect/target/plugins/os/windows/dpapi/dpapi.py,sha256=NrLtx61m8PXsB3CzxUQgc1BKkaAVBOre1oEfGvqgtuw,7130
-dissect/target/plugins/os/windows/dpapi/master_key.py,sha256=oUuUfvMXmhRrgIs1CXTR6CdETKNYZwoStXSqtDdil78,6111
+dissect/target/plugins/os/windows/dpapi/blob.py,sha256=OcCdsQBJ0s6yJCjpv_scd8XW8dtzBNfPBpRLvEcrEP0,5148
+dissect/target/plugins/os/windows/dpapi/crypto.py,sha256=0dUMQkhaI_bg7ccMxde18q6YvcY2Mjru2AmHLrgfVH4,10378
+dissect/target/plugins/os/windows/dpapi/dpapi.py,sha256=Rz9VHLnMDVJqbrarfD9O_u9HOQWLeGpl0nXjsM_qoo0,7486
+dissect/target/plugins/os/windows/dpapi/master_key.py,sha256=sQYMWJ66DvqTLWQX5U0y0dTOg6LhOBokd3EjRM-ykPM,6163
+dissect/target/plugins/os/windows/dpapi/keyprovider/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+dissect/target/plugins/os/windows/dpapi/keyprovider/credhist.py,sha256=25W3Zl9fNPYmbracPaZ5mHlkGlJUNaAB6yXrKyqTHP4,741
+dissect/target/plugins/os/windows/dpapi/keyprovider/empty.py,sha256=K39KXg16lPuyO_aZVqGG1WcMf7SrQLTwvruLQQKX6LU,442
+dissect/target/plugins/os/windows/dpapi/keyprovider/keychain.py,sha256=3c4R3eg0ZQpRzpt62848gSwZvv71A0CmZiQQBV6X10g,665
+dissect/target/plugins/os/windows/dpapi/keyprovider/keyprovider.py,sha256=L_q4jYNMuUkIb3OoPSWO1WIFjZyre4cAE9J3nhzRPKg,212
+dissect/target/plugins/os/windows/dpapi/keyprovider/lsa.py,sha256=gM-UXuA8qBzgzpr3YsEib1YspWQ7At8pcGBjOGomI4I,1218
 dissect/target/plugins/os/windows/exchange/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/windows/exchange/exchange.py,sha256=ofoapuDQXefIX4sTzwNboyk5RztN2JEyw1OWl5cx-wo,1564
 dissect/target/plugins/os/windows/log/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -356,10 +364,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=7ShPtusuLGaIv27SvEETtgsuoQyAa4iAAeOR1NEaajI,1689
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.19.dev56.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.19.dev56.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.19.dev56.dist-info/METADATA,sha256=L-B6HjmylvgtkkqzQNrLepKXEn8hhjbxaW8R8xvb-3Y,12897
-dissect.target-3.19.dev56.dist-info/WHEEL,sha256=cVxcB9AmuTcXqmwrtPhNK88dr7IR_b6qagTj0UvIEbY,91
-dissect.target-3.19.dev56.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
-dissect.target-3.19.dev56.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.19.dev56.dist-info/RECORD,,
+dissect.target-3.19.dev58.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.19.dev58.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.19.dev58.dist-info/METADATA,sha256=ds6L0Tl8rGiXP9RJGdype6uHycYg9TBhK2_CuQKPo9c,12897
+dissect.target-3.19.dev58.dist-info/WHEEL,sha256=cVxcB9AmuTcXqmwrtPhNK88dr7IR_b6qagTj0UvIEbY,91
+dissect.target-3.19.dev58.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
+dissect.target-3.19.dev58.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.19.dev58.dist-info/RECORD,,