        garrettfoster13 revised this gist May 1, 2025 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewingThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -43,7 +43,7 @@ def parse_blob(blobbyboy, mk=None): return mkid def arg_parse(): parser = argparse.ArgumentParser(add_help=True, description="DPAPI problems", formatter_class=argparse.RawDescriptionHelpFormatter) parser.add_argument("-b", "--blob", action="store", help="hex blob to pull Masterkey GUID from...starts with 01000000...") parser.add_argument("-d", "--dpapikey", action="store", help="hex blob of dpapi userkey from secretsdump. Ex: b2cbf91d18635db109a7d10dfe4fda422ce03f29") 
        garrettfoster13 created this gist Apr 30, 2025 .There are no files selected for viewingThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -0,0 +1,86 @@ import sys import argparse from impacket.dpapi import MasterKeyFile, MasterKey, DPAPI_BLOB from impacket.uuid import bin_to_string from binascii import unhexlify, hexlify def decrypt_masterkey(mk_blob, dpapikey): """Decrypt masterkey blob with dpapikey pulled from secretsdump""" try: mkf = MasterKeyFile(mk_blob) mk_blob = mk_blob[len(mkf):] mk = MasterKey(mk_blob[:mkf['MasterKeyLen']]) mk_blob = mk_blob[len(mk):] decrypted_key = mk.decrypt(dpapikey) if not decrypted_key: print("[!] Failed to decrypt masterkey.") print("[*] Decrypted masterkey: 0x" + hexlify(decrypted_key).decode('utf-8')) return decrypted_key except Exception as e: print(e) def decrypt_blob(blobbyboy, masterkey): """Decrypt the blob with the decrypted masterkey""" try: blob_bytes = unhexlify(blobbyboy) blob = DPAPI_BLOB(blob_bytes) decrypted = blob.decrypt(masterkey) decoded_string = decrypted.decode('utf-16le').replace('\x00', '').replace('\\\\', '\\') print(f"[*] Decrypted something: {decoded_string}") except Exception as e: print(e) def parse_blob(blobbyboy, mk=None): """Parse the master key guid from the provided blob""" print("parsing blob for master key GUID") blob_bytes = unhexlify(blobbyboy) blob = DPAPI_BLOB(blob_bytes) mkid = bin_to_string(blob['GuidMasterKey']) return mkid def arg_parse(): parser = argparse.ArgumentParser(add_help=True, description="SKEL2K BB", formatter_class=argparse.RawDescriptionHelpFormatter) parser.add_argument("-b", "--blob", action="store", help="hex blob to pull Masterkey GUID from...starts with 01000000...") parser.add_argument("-d", "--dpapikey", action="store", help="hex blob of dpapi userkey from secretsdump. 
Ex: b2cbf91d18635db109a7d10dfe4fda422ce03f29") parser.add_argument("-m", "--masterkey", action="store", help="path to masterkey file blob") args = parser.parse_args() if len(sys.argv) == 1: parser.print_help() sys.exit(1) return args def main(): args = arg_parse() if args.blob and not (args.dpapikey or args.masterkey): mkid = parse_blob(args.blob) print(f"[*] Got key ID: {mkid}") if args.dpapikey: dpapikey_bytes=unhexlify(args.dpapikey) if args.masterkey: with open (args.masterkey, 'rb') as mkeyfile: mk = mkeyfile.read() decrypted_mk = decrypt_masterkey(mk, dpapikey_bytes) if decrypted_mk: decrypt_blob(args.blob, decrypted_mk) if __name__ == '__main__': main()
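Review bot: In `decrypt_masterkey` the failure branch does not return, so when `mk.decrypt(dpapikey)` yields nothing the very next line calls `hexlify(decrypted_key)` on `None`, raises a TypeError, and the broad `except Exception` prints that exception text instead of stopping at the intended "[!] Failed to decrypt masterkey." message; add `return None` immediately after that print. In `main`, `dpapikey_bytes` is only bound when `-d` is supplied, so `-m` without `-d` dies with a NameError at the `decrypt_masterkey(mk, dpapikey_bytes)` call rather than a usage error — guard it with `if args.masterkey and not args.dpapikey: sys.exit("[!] --masterkey requires --dpapikey")` before opening the file. `decrypt_blob` also assumes the plaintext is UTF-16LE text; a blob wrapping a binary secret raises UnicodeDecodeError, which the handler swallows with a bare `print(e)`, so the recovered secret is silently lost — catch that decode failure and fall back to printing `hexlify(decrypted)` instead. The three `except Exception as e: print(e)` handlers should at least name the step that failed so a malformed blob and a bad key are distinguishable in the output.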