dpapi

Published: Apr 22, 2026 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Overview

Package dpapi implements DPAPI (Data Protection API) parsing and decryption for Windows secrets including master keys, credentials, and vaults.

Index

Constants

// Windows CryptoAPI ALG_ID identifiers. DPAPI structures record which hash
// and cipher they were produced with as one of these values; presumably the
// HashAlgo/CryptAlgo (MasterKey, CredHistEntry) and AlgHash/AlgCrypt
// (DPAPIBlob) fields are matched against them when selecting the KDF and
// cipher — confirm in the Decrypt paths.
const (
	CALG_SHA1    = 0x8004 // SHA-1
	CALG_SHA512  = 0x800e // SHA-512
	CALG_HMAC    = 0x8009 // HMAC (keyed hash)
	CALG_3DES    = 0x6603 // Triple DES
	CALG_AES_256 = 0x6610 // AES-256
)

Algorithm constants

Variables

// Well-known GUIDs of the Backup Key Remote Protocol (MS-BKRP). Each is kept
// in the Windows mixed-endian wire layout (Data1..Data3 little-endian, the
// last 8 bytes in order), which is why the byte order differs from the textual
// GUID quoted in each comment. The two ServerWrap GUIDs identify the "wrap a
// secret on the DC" operations; BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID requests
// the backup key itself (presumably what ParseBackupKeyResponse consumes —
// confirm).
var (
	// BACKUPKEY_BACKUP_GUID - 7F752B10-178E-11D1-AB8F-00805F14DB40 - backup a secret (ServerWrap)
	BACKUPKEY_BACKUP_GUID = [16]byte{
		0x10, 0x2B, 0x75, 0x7F, 0x8E, 0x17, 0xD1, 0x11,
		0xAB, 0x8F, 0x00, 0x80, 0x5F, 0x14, 0xDB, 0x40,
	}

	// BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID - 018FF48A-EABA-40C6-8F6D-72370240E967 - retrieve backup key
	BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID = [16]byte{
		0x8A, 0xF4, 0x8F, 0x01, 0xBA, 0xEA, 0xC6, 0x40,
		0x8F, 0x6D, 0x72, 0x37, 0x02, 0x40, 0xE9, 0x67,
	}

	// BACKUPKEY_RESTORE_GUID_WIN2K - 7FE94D50-178E-11D1-AB8F-00805F14DB40 - legacy restore (ServerWrap)
	BACKUPKEY_RESTORE_GUID_WIN2K = [16]byte{
		0x50, 0x4D, 0xE9, 0x7F, 0x8E, 0x17, 0xD1, 0x11,
		0xAB, 0x8F, 0x00, 0x80, 0x5F, 0x14, 0xDB, 0x40,
	}
)

BKRP GUIDs for backup key retrieval

// Raw 16-byte schema GUIDs of the Windows Credential Manager vault schemas.
// They are kept as bytes so a VCRD schema identifier can be compared without
// depending on how a GUID is formatted; presumably
// (*VaultCredential).GetSchemaName maps these to the names in the comments —
// confirm. NOTE(review): the byte order here must match the order in which
// the schema GUID is read from the VCRD file (Windows mixed-endian layout, as
// with the BACKUPKEY_* GUIDs), otherwise no schema ever matches; verify
// against ParseVaultCredential.
var (
	// Windows Web Credentials
	VaultSchemaWebCredentials = [16]byte{
		0x3E, 0x0E, 0x35, 0xBE, 0x1B, 0x77, 0xD3, 0x01,
		0xBD, 0xFC, 0x00, 0xC0, 0x4F, 0xC2, 0xF3, 0xB7,
	}
	// Windows Credential Picker Protector
	VaultSchemaCredPickerProtector = [16]byte{
		0xE6, 0x9D, 0x70, 0x74, 0x39, 0x7E, 0x5E, 0x40,
		0xB1, 0x81, 0xC0, 0x26, 0x10, 0x81, 0x95, 0xF9,
	}
	// Windows Domain Password Credential
	VaultSchemaDomainPassword = [16]byte{
		0xE4, 0x6C, 0x2E, 0x92, 0xC2, 0x74, 0x0E, 0x49,
		0x80, 0xBE, 0xA6, 0x2F, 0x5E, 0xE7, 0x85, 0xE3,
	}
	// Windows Domain Certificate Credential
	VaultSchemaDomainCertificate = [16]byte{
		0x27, 0x1E, 0xE6, 0x88, 0xBB, 0x5D, 0x9F, 0x47,
		0xB5, 0x49, 0xE4, 0x73, 0x9B, 0xB0, 0xD0, 0x14,
	}
	// Windows Extended Credential
	VaultSchemaExtended = [16]byte{
		0x15, 0xE3, 0xA7, 0x3D, 0x30, 0xCA, 0xE3, 0x4E,
		0x8A, 0x25, 0xCE, 0x83, 0x05, 0x03, 0x05, 0x3E,
	}
	// Windows Domain Password Credential (NGC)
	VaultSchemaNGCPassword = [16]byte{
		0x83, 0x3E, 0x0A, 0xF9, 0x8D, 0x47, 0x75, 0x42,
		0x8A, 0xC7, 0xCD, 0xF9, 0xAD, 0x97, 0x4F, 0x42,
	}
)

Vault schema GUIDs

Functions

func DecryptWithBackupKey

func DecryptWithBackupKey(domainKey *DomainKey, backupKey *BackupKey) ([]byte, error)

DecryptWithBackupKey decrypts a domain key using the domain backup key

Types

type BackupKey

// BackupKey represents a domain backup key: the RSA key pair a domain keeps
// so that DPAPI master keys of domain users can be recovered (see
// DecryptWithBackupKey). Whoever holds PrivateKey can decrypt every domain
// user's master key, so instances must be handled as highly sensitive.
type BackupKey struct {
	Version     uint32          // backup key format version (presumably selects the layout in ParsePrivateKeyData — confirm)
	Magic       uint32          // format magic read from the key data
	KeyLength   uint32          // length of the key material that follows the header
	Certificate []byte          // certificate bundled with the key, when present; encoding not shown here
	PrivateKey  *rsa.PrivateKey // parsed RSA private key; domain-wide secret
	PVKData     []byte          // presumably the raw PVK encoding (see LoadPVKFile / ToPVK) — confirm
}

BackupKey represents a domain backup key

func LoadBackupKeyFile

func LoadBackupKeyFile(data []byte) (*BackupKey, error)

LoadBackupKeyFile loads a backup key from either PVK or PEM format

func LoadPEMFile

func LoadPEMFile(data []byte) (*BackupKey, error)

LoadPEMFile loads a backup key from a PEM file

func LoadPVKFile

func LoadPVKFile(data []byte) (*BackupKey, error)

LoadPVKFile loads a backup key from a PVK file

func ParseBackupKeyResponse

func ParseBackupKeyResponse(data []byte) (*BackupKey, error)

ParseBackupKeyResponse parses the response from BKRP

func ParsePrivateKeyData

func ParsePrivateKeyData(data []byte) (*BackupKey, error)

ParsePrivateKeyData parses raw backup key data from LSA secrets. The format depends on the version stored in LSA.

func (*BackupKey) Dump

func (bk *BackupKey) Dump()

Dump prints backup key information

func (*BackupKey) ToPEM

func (bk *BackupKey) ToPEM() ([]byte, error)

ToPEM converts the backup key to PEM format

func (*BackupKey) ToPVK

func (bk *BackupKey) ToPVK() []byte

ToPVK converts the backup key to PVK format

type CredHist

// CredHist represents a credential history link: the version and GUID of the
// CREDHIST entry another structure (for example a master key file) refers to.
type CredHist struct {
	Version uint32 // link format version
	GUID    string // GUID of the referenced CredHistEntry, as a formatted string (presumably the same 36-char form as MasterKeyFile.GUID — confirm)
}

CredHist represents a credential history link

func ParseCredHist

func ParseCredHist(data []byte) (*CredHist, error)

ParseCredHist parses a credential history structure

type CredHistEntry

// CredHistEntry represents a single entry in the credential history chain.
// Each entry holds a ciphertext protected by a key derived from a user's
// earlier password and SID; once decrypted, SHA1 and NTHash are
// password-equivalent secrets and must be treated as such.
type CredHistEntry struct {
	Version       uint32
	GUID          string // identifier of this entry; presumably what a CredHist link points at — confirm
	UserSID       string // SID of the owning user; combined with the password when deriving the key (see DecryptWithPassword)
	HashAlgo      uint32 // CALG_* hash identifier — presumably; confirm in Decrypt
	CryptAlgo     uint32 // CALG_* cipher identifier — presumably; confirm in Decrypt
	Salt          []byte // salt for the key derivation
	Rounds        uint32 // presumably the PBKDF2 iteration count — confirm in Decrypt
	HMACLen       uint32
	CipherTextLen uint32 // length of CipherText
	CipherText    []byte // encrypted entry body
	DecryptedKey  []byte // populated after a successful Decrypt* call — presumably; confirm
	DecryptedHMAC []byte // populated after a successful Decrypt* call — presumably; confirm
	SHA1          []byte // SHA1 of password used
	NTHash        []byte // NTLM hash of password
}

CredHistEntry represents a single entry in the credential history chain

func (*CredHistEntry) Decrypt

func (entry *CredHistEntry) Decrypt(key []byte) error

Decrypt attempts to decrypt this CREDHIST entry using a key derived from password

func (*CredHistEntry) DecryptWithNTHash

func (entry *CredHistEntry) DecryptWithNTHash(ntHash []byte, sid string) error

DecryptWithNTHash attempts to decrypt using an NTLM hash and SID

func (*CredHistEntry) DecryptWithPassword

func (entry *CredHistEntry) DecryptWithPassword(password, sid string) error

DecryptWithPassword attempts to decrypt using a password and SID

func (*CredHistEntry) Dump

func (entry *CredHistEntry) Dump()

Dump prints a single CREDHIST entry

func (*CredHistEntry) GetDecryptedNTHash

func (entry *CredHistEntry) GetDecryptedNTHash() []byte

GetDecryptedNTHash returns the decrypted NTLM hash if available

func (*CredHistEntry) VerifyPassword

func (entry *CredHistEntry) VerifyPassword(password string) bool

VerifyPassword verifies if a password matches this entry

type CredHistFile

// CredHistFile represents a CREDHIST file containing a chain of credential
// history entries. WalkChain decrypts the chain starting from the current
// password and SID; the order in which Entries are stored is not shown
// here — confirm against ParseCredHistFile.
type CredHistFile struct {
	Version uint32
	GUID    string           // GUID recorded in the file header
	Entries []*CredHistEntry // every entry in the chain, in file order
}

CredHistFile represents a CREDHIST file containing a chain of credential history entries

func ParseCredHistFile

func ParseCredHistFile(data []byte) (*CredHistFile, error)

ParseCredHistFile parses a CREDHIST file

func (*CredHistFile) Dump

func (chf *CredHistFile) Dump()

Dump prints CREDHIST file information

func (*CredHistFile) WalkChain

func (chf *CredHistFile) WalkChain(password, sid string) ([]*CredHistEntry, error)

WalkChain attempts to decrypt the entire credential history chain starting with the provided password and SID

type Credential

// Credential represents a decrypted Windows credential, mirroring the
// CREDENTIAL structure of the Credential Manager API.
type Credential struct {
	Flags          uint32 // CRED_FLAGS_* bits
	Type           uint32 // CRED_TYPE_* (generic, domain password, ...)
	LastWritten    uint64 // presumably a FILETIME (100 ns intervals since 1601-01-01) — confirm
	Persist        uint32 // CRED_PERSIST_* (session, local machine, enterprise)
	TargetName     string // name of the resource the credential is for
	Comment        string
	TargetAlias    string
	UserName       string
	CredentialBlob []byte // the secret itself (passwords are typically UTF-16LE) — handle as sensitive
}

Credential represents a decrypted Windows credential

func ParseCredential

func ParseCredential(data []byte) (*Credential, error)

ParseCredential parses a decrypted credential blob

func (*Credential) Dump

func (c *Credential) Dump()

Dump prints Credential information

type CredentialFile

// CredentialFile represents a DPAPI credential file: a small header followed
// by a DPAPI blob. Presumably the blob's plaintext is what ParseCredential
// consumes — confirm.
type CredentialFile struct {
	Version   uint32     // file format version
	Size      uint32     // presumably the size of the blob that follows — confirm
	Unknown   uint32     // not interpreted
	DPAPIBlob *DPAPIBlob // encrypted payload; decrypt with (*DPAPIBlob).Decrypt using the referenced master key
}

CredentialFile represents a DPAPI credential file

func ParseCredentialFile

func ParseCredentialFile(data []byte) (*CredentialFile, error)

ParseCredentialFile parses a credential file

type DPAPIBlob

// DPAPIBlob represents an encrypted DPAPI blob (the output of
// CryptProtectData). Decrypt / DecryptWithEntropy derive the content key
// from the master key identified by GUIDMasterKey, Salt and, optionally,
// caller-supplied entropy. Everything except Data is readable without a key,
// since ParseDPAPIBlob takes none.
type DPAPIBlob struct {
	Version          uint32
	GUIDProvider     string // provider GUID
	MasterKeyVersion uint32
	GUIDMasterKey    string // GUID of the master key needed to decrypt Data (matches MasterKeyFile.GUID — presumably; confirm)
	Flags            uint32 // presumably CRYPTPROTECT_* flags — confirm
	Description      string // caller-supplied description, stored in clear
	AlgCrypt         uint32 // CALG_* cipher used for Data
	AlgCryptLen      uint32 // cipher key length (presumably in bits — confirm)
	Salt             []byte // salt mixed into the key derivation
	HMACKeyLen       uint32
	HMACKey          []byte
	AlgHash          uint32 // CALG_* hash used for key derivation and the signature
	AlgHashLen       uint32 // hash length (presumably in bits — confirm)
	HMAC             []byte
	Data             []byte // ciphertext
	Sign             []byte // integrity signature over the blob; NOTE(review): Decrypt should verify it before returning plaintext — confirm
}

DPAPIBlob represents an encrypted DPAPI blob

func ParseDPAPIBlob

func ParseDPAPIBlob(data []byte) (*DPAPIBlob, error)

ParseDPAPIBlob parses a DPAPI blob structure

func (*DPAPIBlob) Decrypt

func (blob *DPAPIBlob) Decrypt(masterKey []byte) ([]byte, error)

Decrypt decrypts a DPAPI blob using the provided master key

func (*DPAPIBlob) DecryptWithEntropy

func (blob *DPAPIBlob) DecryptWithEntropy(masterKey []byte, entropy []byte) ([]byte, error)

DecryptWithEntropy decrypts a DPAPI blob using the provided master key and optional entropy

func (*DPAPIBlob) Dump

func (blob *DPAPIBlob) Dump()

Dump prints DPAPIBlob information

type DomainKey

// DomainKey represents a domain-encrypted master key: the master key
// encrypted to the domain backup key so that it can be recovered without the
// user's password. DecryptWithBackupKey opens Secret with the matching
// BackupKey.
type DomainKey struct {
	Version     uint32
	SecretLen   uint32 // length of Secret
	AccessCheck []byte // access-check blob accompanying the secret; its contents are not interpreted here — confirm
	GUID        string // presumably the GUID of the backup key able to decrypt Secret — confirm
	Secret      []byte // master key encrypted with the backup key (RSA, given BackupKey.PrivateKey) — presumably; confirm
}

DomainKey represents a domain-encrypted master key

func ParseDomainKey

func ParseDomainKey(data []byte) (*DomainKey, error)

ParseDomainKey parses a domain key structure

func (*DomainKey) Dump

func (dk *DomainKey) Dump()

Dump prints DomainKey information

type MasterKey

// MasterKey represents an encrypted master key: the user's DPAPI master key
// wrapped with a key derived from the user's password and SID (see
// DecryptWithPassword).
type MasterKey struct {
	Version      uint32
	Salt         []byte // 16 bytes
	Iterations   uint32 // presumably the PBKDF2 iteration count — confirm in Decrypt
	HashAlgo     uint32 // CALG_* hash used by the key derivation — presumably; confirm
	CryptAlgo    uint32 // CALG_* cipher wrapping the key — presumably; confirm
	Data         []byte // encrypted master key material
	DecryptedKey []byte // Set after successful decryption
}

MasterKey represents an encrypted master key

func ParseMasterKey

func ParseMasterKey(data []byte) (*MasterKey, error)

ParseMasterKey parses a master key structure

func (*MasterKey) Decrypt

func (mk *MasterKey) Decrypt(key []byte) ([]byte, error)

Decrypt attempts to decrypt a master key using the provided key

func (*MasterKey) DecryptWithPassword

func (mk *MasterKey) DecryptWithPassword(password, sid string) ([]byte, error)

DecryptWithPassword attempts to decrypt a master key using a password

func (*MasterKey) Dump

func (mk *MasterKey) Dump()

Dump prints MasterKey information

type MasterKeyFile

// MasterKeyFile represents the header of a DPAPI master key file. The four
// *Len fields give the sizes of the sections that follow the header; a zero
// length presumably means the section is absent — confirm in
// ParseMasterKeyFile.
type MasterKeyFile struct {
	Version      uint32
	Unk1         uint32 // not interpreted
	Unk2         uint32 // not interpreted
	GUID         string // 36 chars UUID
	Unk3         uint32 // not interpreted
	Policy       uint32
	Flags        uint32
	MasterKeyLen uint64 // size of the MasterKey section
	BackupKeyLen uint64 // size of the backup key section
	CredHistLen  uint64 // size of the CredHist section
	DomainKeyLen uint64 // size of the DomainKey section
}

MasterKeyFile represents the header of a DPAPI master key file

func ParseMasterKeyFile

func ParseMasterKeyFile(data []byte) (*MasterKeyFile, []byte, error)

ParseMasterKeyFile parses a master key file from raw bytes

func (*MasterKeyFile) Dump

func (mkf *MasterKeyFile) Dump()

Dump prints MasterKeyFile information

type PVKFileHeader

// PVKFileHeader represents the PVK file header, the Microsoft private key
// container written by ToPVK and read by LoadPVKFile.
type PVKFileHeader struct {
	Magic      uint32 // 0xb0b5f11e
	Reserved   uint32
	KeyType    uint32
	Encrypted  uint32 // non-zero when the key body is password-protected — presumably; confirm LoadPVKFile handles or rejects it
	SaltLength uint32 // bytes of salt following the header
	KeyLength  uint32 // bytes of key blob following the salt
}

PVKFileHeader represents the PVK file header

type PreferredBackupKey

// PreferredBackupKey represents the GUID pointing to the preferred backup key,
// the one the domain currently uses. GUID is kept in raw 16-byte form; its
// byte order should match the other [16]byte GUIDs in this package — confirm.
type PreferredBackupKey struct {
	GUID [16]byte
}

PreferredBackupKey represents the GUID pointing to the preferred backup key

type PrivateKeyBlob

// PrivateKeyBlob represents a PRIVATEKEYBLOB structure: the CryptoAPI
// serialisation of an RSA private key (BLOBHEADER, then RSAPUBKEY, then the
// CRT components). Every field from Prime1 onward is private key material.
// NOTE(review): CryptoAPI stores these integers little-endian; confirm the
// parser reverses them before building an *rsa.PrivateKey.
type PrivateKeyBlob struct {
	PublicKeyStruc struct {
		Type     byte   // blob type; PRIVATEKEYBLOB is expected
		Version  byte   // blob version (CUR_BLOB_VERSION)
		Reserved uint16 // must be zero
		AlgID    uint32 // key algorithm, e.g. CALG_RSA_KEYX or CALG_RSA_SIGN
	}
	RSAPubKey struct {
		Magic  uint32 // "RSA2" = 0x32415352
		BitLen uint32 // modulus length in bits
		PubExp uint32 // public exponent e
	}
	Modulus         []byte // n
	Prime1          []byte // p
	Prime2          []byte // q
	Exponent1       []byte // d mod (p-1)
	Exponent2       []byte // d mod (q-1)
	Coefficient     []byte // q^-1 mod p
	PrivateExponent []byte // d
}

PrivateKeyBlob represents a PRIVATEKEYBLOB structure

type VaultAttribute

// VaultAttribute represents an attribute in a vault credential: one encrypted
// item of a VCRD record, carrying its own IV when HasIV is set.
type VaultAttribute struct {
	ID       uint32 // attribute identifier
	Unknown1 uint32 // not interpreted
	Unknown2 uint32 // not interpreted
	Unknown3 uint32 // not interpreted
	HasIV    bool   // true when the attribute carries an explicit IV
	IV       []byte // IV for Data; only meaningful when HasIV is true
	Data     []byte // encrypted payload, decrypted by (*VaultCredential).Decrypt with the policy keys
}

VaultAttribute represents an attribute in a vault credential

type VaultAttributeItem

// VaultAttributeItem represents a decoded vault attribute: the plaintext
// fields recovered from a VaultAttribute. Password is the secret in clear
// and must be handled as sensitive.
type VaultAttributeItem struct {
	ID       uint32 // attribute identifier, matching VaultAttribute.ID
	Keyword  string
	Resource string // resource the credential applies to
	Identity string // account / user name
	Password string // recovered secret
}

VaultAttributeItem represents a decoded vault attribute

type VaultCredential

// VaultCredential represents a VCRD file structure: a schema identifier, a
// friendly name and a list of attributes whose payloads are encrypted with
// the keys held by the matching VaultPolicy.
type VaultCredential struct {
	SchemaGUID     string            // schema GUID as a formatted string; see GetSchemaName
	Unknown1       uint32            // not interpreted
	LastWritten    uint64            // presumably a FILETIME — confirm
	Unknown2       uint32            // not interpreted
	Unknown3       uint32            // not interpreted
	FriendlyName   string            // display name, stored in clear
	AttributeCount uint32            // number of attributes declared in the file (presumably should equal len(Attributes) — confirm)
	Attributes     []*VaultAttribute // encrypted attributes
	DecryptedClear []byte            // populated by Decrypt — presumably; confirm
}

VaultCredential represents a VCRD file structure

func ParseVaultCredential

func ParseVaultCredential(data []byte) (*VaultCredential, error)

ParseVaultCredential parses a VCRD file

func (*VaultCredential) Decrypt

func (vc *VaultCredential) Decrypt(keyAES256, keyAES128 []byte) error

Decrypt decrypts vault credential attributes using policy keys

func (*VaultCredential) Dump

func (vc *VaultCredential) Dump()

Dump prints vault credential information

func (*VaultCredential) GetSchemaName

func (vc *VaultCredential) GetSchemaName() string

GetSchemaName returns a human-readable name for the vault schema

type VaultPolicy

// VaultPolicy represents a VPOL file structure. The policy carries a DPAPI
// blob that, once opened with the user's master key, yields the AES keys
// protecting the vault's VCRD attributes (see (*VaultCredential).Decrypt).
type VaultPolicy struct {
	Version     uint32
	GUID        string     // policy GUID
	Description string     // policy description, stored in clear
	Unknown1    uint32     // not interpreted
	Unknown2    uint32     // not interpreted
	Unknown3    uint32     // not interpreted
	DPAPIBlob   *DPAPIBlob // encrypted key material; opened by Decrypt with the master key
	KeyAES256   []byte // Decrypted AES-256 key
	KeyAES128   []byte // Decrypted AES-128 key
}

VaultPolicy represents a VPOL file structure

func ParseVaultPolicy

func ParseVaultPolicy(data []byte) (*VaultPolicy, error)

ParseVaultPolicy parses a VPOL file

func (*VaultPolicy) Decrypt

func (vp *VaultPolicy) Decrypt(masterKey []byte) error

Decrypt decrypts the vault policy using a master key

func (*VaultPolicy) Dump

func (vp *VaultPolicy) Dump()

Dump prints vault policy information
