This script identifies the current master-key GUID of a blob encrypted by the system.
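# Walks the header of a DPAPI blob produced by ProtectedData.Protect and prints each
# field, in particular the GUID of the master key the blob depends on.
#
# Field order as read below (version, provider GUID, master-key version, master-key
# GUID, flags, description, crypt alg + key length, salt, HMAC key, hash alg + length,
# HMAC2 key, data, signature): every variable-length field is preceded by its own
# DWORD length, so the parser reads those lengths instead of assuming fixed offsets.
# Fixed offsets only match one particular blob shape -- pbData, for example, grows with
# the plaintext -- and silently mislabel or overrun the buffer for any other blob.

# Clears session state so stale variables/modules do not leak into the output.
# NOTE: this wipes every variable and module in the session and breaks other scripts
# that rely on them (the author's "Webcall scripts").
Remove-Variable * -ErrorAction SilentlyContinue; Remove-Module *; $error.Clear(); Clear-Host
Add-Type -AssemblyName System.Security

# Sample secret; its only job is to produce a blob whose header can be inspected.
# LocalMachine scope means any process on this host can call Unprotect on the result.
$Password = "Password123"
$PasswordBytes = [System.Text.Encoding]::ASCII.GetBytes($Password)
$SecurePassword = [Security.Cryptography.ProtectedData]::Protect($PasswordBytes, $null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
$SecurePasswordStr = [System.Convert]::ToBase64String($SecurePassword)
Write-Host $SecurePasswordStr

# Raw hex dump of the whole blob on one line ("01 00 00 00 ...").
$SecurePassword | ForEach-Object { Write-Host -NoNewline ("{0:X2} " -f $_) }
Write-Host

# Formats a byte array as space-separated upper-case hex pairs; "" for an empty array.
function ConvertTo-HexText([byte[]]$Bytes) {
    return (($Bytes | ForEach-Object { "{0:X2}" -f $_ }) -join " ")
}

# Copies $Count bytes at the cursor and advances it. Length fields come from the blob
# itself, so they are bounds-checked before any copy rather than trusted blindly.
# Throws if the requested field runs past the end of the blob.
function Read-Field([byte[]]$Blob, [ref]$Offset, [long]$Count) {
    $start = $Offset.Value
    if ($Count -lt 0 -or ($start + $Count) -gt $Blob.Length) {
        throw ("Blob truncated: field of {0} byte(s) at offset {1} exceeds blob length {2}" -f $Count, $start, $Blob.Length)
    }
    $slice = New-Object byte[] ($Count)
    if ($Count -gt 0) { [System.Array]::Copy($Blob, $start, $slice, 0, $Count) }
    $Offset.Value = $start + $Count
    return ,$slice
}

# Reads a little-endian DWORD, prints it under $Name (raw bytes and decoded value),
# and returns the decoded value so it can drive the next variable-length read.
function Read-DWord([byte[]]$Blob, [ref]$Offset, [string]$Name) {
    $raw = Read-Field $Blob $Offset 4
    $value = [System.BitConverter]::ToUInt32($raw, 0)
    Write-Host ("{0}: {1}  (= {2})" -f $Name, (ConvertTo-HexText $raw), $value)
    return $value
}

# Reads $Count raw bytes, prints them under $Name, and returns them.
function Read-Blob([byte[]]$Blob, [ref]$Offset, [long]$Count, [string]$Name) {
    $raw = Read-Field $Blob $Offset $Count
    Write-Host ("{0}: {1}" -f $Name, (ConvertTo-HexText $raw))
    return ,$raw
}

# Reads a 16-byte GUID. The Guid(byte[]) constructor handles the mixed-endian layout,
# which is why the original script reversed bytes 0-3, 4-5 and 6-7 by hand.
function Read-Guid([byte[]]$Blob, [ref]$Offset, [string]$Name) {
    $raw = Read-Field $Blob $Offset 16
    $guid = New-Object System.Guid -ArgumentList (,$raw)
    Write-Host ("{0}: {1}  ({2})" -f $Name, (ConvertTo-HexText $raw), $guid)
    return $guid
}

$blob = $SecurePassword
$pos = 0
$dwVersion          = Read-DWord $blob ([ref]$pos) "dwVersion"
$guidProvider       = Read-Guid  $blob ([ref]$pos) "guidProvider"
$dwMasterKeyVersion = Read-DWord $blob ([ref]$pos) "dwMasterKeyVersion"
$guidMasterKey      = Read-Guid  $blob ([ref]$pos) "guidMasterKey"
$dwFlags            = Read-DWord $blob ([ref]$pos) "dwFlags"
$dwDescriptionLen   = Read-DWord $blob ([ref]$pos) "dwDescriptionLen"
$szDescription      = Read-Blob  $blob ([ref]$pos) $dwDescriptionLen "szDescription"
$algCrypt           = Read-DWord $blob ([ref]$pos) "algCrypt"
$dwAlgCryptLen      = Read-DWord $blob ([ref]$pos) "dwAlgCryptLen"
$dwSaltLen          = Read-DWord $blob ([ref]$pos) "dwSaltLen"
$pbSalt             = Read-Blob  $blob ([ref]$pos) $dwSaltLen "pbSalt"
$dwHmacKeyLen       = Read-DWord $blob ([ref]$pos) "dwHmacKeyLen"
# The original read pbHmacKey from the same offsets as dwHmacKeyLen; it is sized by
# dwHmacKeyLen and is empty whenever that length is 0.
$pbHmacKey          = Read-Blob  $blob ([ref]$pos) $dwHmacKeyLen "pbHmacKey"
$algHash            = Read-DWord $blob ([ref]$pos) "algHash"
$dwAlgHashLen       = Read-DWord $blob ([ref]$pos) "dwAlgHashLen"
$dwHmac2KeyLen      = Read-DWord $blob ([ref]$pos) "dwHmac2KeyLen"
$pbHmac2Key         = Read-Blob  $blob ([ref]$pos) $dwHmac2KeyLen "pbHmac2Key"
$dwDataLen          = Read-DWord $blob ([ref]$pos) "dwDataLen"
$pbData             = Read-Blob  $blob ([ref]$pos) $dwDataLen "pbData"
$dwSignLen          = Read-DWord $blob ([ref]$pos) "dwSignLen"
$pbSign             = Read-Blob  $blob ([ref]$pos) $dwSignLen "pbSign"

# A well-formed blob is consumed exactly; leftover bytes mean the layout above does not
# match this blob and the labels printed so far should not be trusted.
if ($pos -ne $blob.Length) {
    Write-Warning ("Parsed {0} of {1} bytes; the blob has trailing data this parser does not describe." -f $pos, $blob.Length)
}

# The master key GUID is what the script is after: it names the DPAPI master key
# this blob depends on.
Write-Host ("Master key GUID: {0}" -f $guidMasterKey)

# Round trip: the base64 form decrypts back to the original sample.
$SecureStr = [System.Convert]::FromBase64String($SecurePasswordStr)
$StringBytes = [Security.Cryptography.ProtectedData]::Unprotect($SecureStr, $null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
$PasswordStr = [System.Text.Encoding]::ASCII.GetString($StringBytes)
Write-Host $PasswordStr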
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAVHV+3dV0XEGGpdeIwr/L2wQAAAACAAAAAAADZgAAwAAAABAAAAC3Acu0kGl1ShI7AcSSNulJAAAAAASAAACgAAAAEAAAAAa0kmV05zGLZugZc0g+nKsQAAAAkkkbinmUcBiew391AqPh7hQAAAAfMziHP5hXYfxOmmTywtVTS9cJGA== 01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB 01 00 00 00 54 75 7E DD D5 74 5C 41 86 A5 D7 88 …