author | mattifestation <mattgraeber@gmail.com> | 2014-05-31 21:22:22 -0400 |
---|---|---|
committer | mattifestation <mattgraeber@gmail.com> | 2014-05-31 21:22:22 -0400 |
commit | 3444a0700e07e2471e894ce50af69552665e3fbe (patch) | |
tree | b12d66295d93b329d27ba092eb013b39ae95547a /Exfiltration | |
parent | 890247deec3c0c5252305924990e12aa7fda77f5 (diff) | |
download | PowerSploit-3444a0700e07e2471e894ce50af69552665e3fbe.tar.gz PowerSploit-3444a0700e07e2471e894ce50af69552665e3fbe.zip |
Updated Get-VaultCredentials - Package SID
Package SIDs are now displayed for Win8 apps. Both the package SID and
secret key are requirements for authenticating to Win8 app servers.
Diffstat (limited to 'Exfiltration')
-rw-r--r-- | Exfiltration/Get-VaultCredentials.ps1 | 17 | ||||
-rw-r--r-- | Exfiltration/Get-VaultCredentials.ps1xml | 3 |
2 files changed, 19 insertions, 1 deletions
diff --git a/Exfiltration/Get-VaultCredentials.ps1 b/Exfiltration/Get-VaultCredentials.ps1
index c51cc7f..4c33127 100644
--- a/Exfiltration/Get-VaultCredentials.ps1
+++ b/Exfiltration/Get-VaultCredentials.ps1
@@ -235,13 +235,19 @@ Only web credentials can be displayed in cleartext.
 [Runtime.InteropServices.Marshal]::PtrToStructure($ElementPtr, [Type] [Guid])
 }
 
+ $VAULT_ELEMENT_TYPE::Sid {
+ $SidPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr([IntPtr] $ElementPtr)
+ Write-Verbose "0x$($SidPtr.ToString('X8'))"
+ $SidObject = [Security.Principal.SecurityIdentifier] ([IntPtr] $SidPtr)
+ $SidObject.Value
+ }
+
 # These elements are currently unimplemented.
 # I have yet to see these used in practice.
 $VAULT_ELEMENT_TYPE::ByteArray { $null }
 $VAULT_ELEMENT_TYPE::TimeStamp { $null }
 $VAULT_ELEMENT_TYPE::ProtectedArray { $null }
 $VAULT_ELEMENT_TYPE::Attribute { $null }
- $VAULT_ELEMENT_TYPE::Sid { $null }
 $VAULT_ELEMENT_TYPE::Last { $null }
 }
 }
@@ -363,10 +369,19 @@ Only web credentials can be displayed in cleartext.
 $Credential = $null
 }
 
+ $PackageSid = $null
+
+ if ($CurrentItem.pPackageSid -and ($CurrentItem.pPackageSid -ne [IntPtr]::Zero))
+ {
+ $PackageSid = Get-VaultElementValue $CurrentItem.pPackageSid
+ }
+
+
 $Properties = @{
 Vault = $VaultType
 Resource = if ($CurrentItem.pResourceElement) { Get-VaultElementValue $CurrentItem.pResourceElement } else { $null }
 Identity = if ($CurrentItem.pIdentityElement) { Get-VaultElementValue $CurrentItem.pIdentityElement } else { $null }
+ PackageSid = $PackageSid
 Credential = $Credential
 LastModified = [DateTime]::FromFileTimeUtc($CurrentItem.LastModified)
 }
diff --git a/Exfiltration/Get-VaultCredentials.ps1xml b/Exfiltration/Get-VaultCredentials.ps1xml
index 7b3f568..33e909f 100644
--- a/Exfiltration/Get-VaultCredentials.ps1xml
+++ b/Exfiltration/Get-VaultCredentials.ps1xml
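Review bot: The new `$VAULT_ELEMENT_TYPE::Sid` case in the first hunk (`@@ -235,13 +235,19 @@`) hands `$SidPtr` to the `SecurityIdentifier` constructor without checking it, so a zero or otherwise invalid pointer read from the element would presumably raise an exception partway through the switch, where the old stub returned `$null`. Guarding the conversion, e.g. `if ($SidPtr -ne [IntPtr]::Zero) { ([Security.Principal.SecurityIdentifier] $SidPtr).Value } else { $null }`, keeps the result consistent with the other cases. The `Write-Verbose` line prints a bare address with no label; something like `Write-Verbose "Sid element pointer: 0x$($SidPtr.ToString('X8'))"` would make the verbose stream readable. The enclosing function and its switch statement begin outside this hunk, so how a thrown error propagates to the caller cannot be confirmed from here.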
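Review bot: In the second hunk (`@@ -363,10 +369,19 @@`) the `PackageSid` value is computed in a separate statement with an explicit `-ne [IntPtr]::Zero` test, while the adjacent `Resource` and `Identity` entries use an inline `if (...) { ... } else { $null }` that relies on truthiness alone; the two styles should agree. Since a non-null `IntPtr` object appears to evaluate as true in PowerShell even when it is zero, the explicit comparison is likely the form worth standardising on. The hunk also leaves two consecutive blank lines before `$Properties = @{`. The function's comment-based help lies outside this hunk and, if it lists the output properties, should gain an entry for `PackageSid`.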
@@ -23,6 +23,9 @@
 <PropertyName>Credential</PropertyName>
 </ListItem>
 <ListItem>
+ <PropertyName>PackageSid</PropertyName>
+ </ListItem>
+ <ListItem>
 <PropertyName>LastModified</PropertyName>
 </ListItem>
 </ListItems> |