@garrettfoster13
Last active May 1, 2025 13:06
Manually decrypt dpapi blobs
import sys
import argparse
from impacket.dpapi import MasterKeyFile, MasterKey, DPAPI_BLOB
from impacket.uuid import bin_to_string
from binascii import unhexlify, hexlify
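def decrypt_masterkey(mk_blob, dpapikey):
    """Decrypt a DPAPI masterkey file with the supplied DPAPI key.

    Args:
        mk_blob: Raw bytes of the masterkey file.
        dpapikey: Key bytes passed to ``MasterKey.decrypt``; the CLI passes
            the unhexlified ``--dpapikey`` value (described there as the
            dpapi userkey from secretsdump).

    Returns:
        The decrypted masterkey bytes, or None when parsing or decryption
        fails.
    """
    try:
        # The file begins with a MasterKeyFile header; the MasterKey record
        # follows it and is MasterKeyLen bytes long.
        header = MasterKeyFile(mk_blob)
        remainder = mk_blob[len(header):]
        master_key = MasterKey(remainder[:header['MasterKeyLen']])
        decrypted_key = master_key.decrypt(dpapikey)
    except Exception as e:
        print(e)
        return None

    if not decrypted_key:
        # Stop here: falling through would hand a non-key value to hexlify()
        # and bury the real failure under an unrelated TypeError message.
        print("[!] Failed to decrypt masterkey.")
        return None

    # NOTE: this writes key material to stdout in clear; treat terminal
    # scrollback and any redirected output as secret.
    print("[*] Decrypted masterkey: 0x" + hexlify(decrypted_key).decode('utf-8'))
    return decrypted_key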
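def decrypt_blob(blobbyboy, masterkey):
    """Decrypt a hex-encoded DPAPI blob with an already-decrypted masterkey.

    Args:
        blobbyboy: The DPAPI blob as a hex string.
        masterkey: Decrypted masterkey bytes (as returned by
            ``decrypt_masterkey``).

    Prints the recovered plaintext, or a failure message; returns None.
    """
    try:
        blob = DPAPI_BLOB(unhexlify(blobbyboy))
        decrypted = blob.decrypt(masterkey)
    except Exception as e:
        print(e)
        return

    if decrypted is None:
        # A None result is taken to mean the masterkey did not match the
        # blob. Report that directly rather than letting .decode() fail with
        # an AttributeError that says nothing about the cause.
        print("[!] Failed to decrypt blob.")
        return

    try:
        decoded_string = decrypted.decode('utf-16le').replace('\x00', '').replace('\\\\', '\\')
    except UnicodeDecodeError:
        # Not every protected payload is UTF-16LE text; show the raw bytes
        # instead of discarding a successful decryption.
        print("[*] Decrypted bytes (not valid UTF-16LE): 0x" + hexlify(decrypted).decode('utf-8'))
        return

    # NOTE: the plaintext is a recovered secret; it goes to stdout as-is.
    print(f"[*] Decrypted something: {decoded_string}")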
def parse_blob(blobbyboy, mk=None):
"""Parse the master key guid from the provided blob"""
print("parsing blob for master key GUID")
blob_bytes = unhexlify(blobbyboy)
blob = DPAPI_BLOB(blob_bytes)
mkid = bin_to_string(blob['GuidMasterKey'])
return mkid
def arg_parse():
    """Build the command-line parser and return the parsed arguments.

    Prints the help text and exits with status 1 when the script is run with
    no arguments at all.

    NOTE: ``--dpapikey`` takes key material on the command line, where it
    ends up in shell history and is visible in process listings.
    """
    parser = argparse.ArgumentParser(
        add_help=True,
        description="DPAPI problems",
        formatter_class=argparse.RawDescriptionHelpFormatter,
    )
    options = (
        ("-b", "--blob", "hex blob to pull Masterkey GUID from...starts with 01000000..."),
        ("-d", "--dpapikey", "hex blob of dpapi userkey from secretsdump. Ex: b2cbf91d18635db109a7d10dfe4fda422ce03f29"),
        ("-m", "--masterkey", "path to masterkey file blob"),
    )
    for short_flag, long_flag, help_text in options:
        parser.add_argument(short_flag, long_flag, action="store", help=help_text)

    parsed = parser.parse_args()
    # All options are optional, so a bare invocation parses cleanly; catch it
    # here and show usage instead of silently doing nothing.
    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(1)
    return parsed
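def main():
    """Run the CLI.

    With only ``--blob``, print the masterkey GUID the blob references.
    With ``--dpapikey`` and ``--masterkey``, decrypt the masterkey file and,
    when ``--blob`` is also given, decrypt the blob with it.
    """
    args = arg_parse()

    if not (args.dpapikey or args.masterkey):
        if args.blob:
            mkid = parse_blob(args.blob)
            print(f"[*] Got key ID: {mkid}")
        return

    # Decryption needs both inputs. Without this check, --masterkey on its
    # own reaches decrypt_masterkey() with the key bytes never assigned.
    if not (args.dpapikey and args.masterkey):
        print("[!] Decryption needs both --dpapikey and --masterkey.")
        sys.exit(1)

    try:
        dpapikey_bytes = unhexlify(args.dpapikey)
    except ValueError as e:
        # binascii.Error is a ValueError subclass.
        print(f"[!] --dpapikey is not valid hex: {e}")
        sys.exit(1)

    try:
        with open(args.masterkey, 'rb') as mkeyfile:
            mk = mkeyfile.read()
    except OSError as e:
        print(f"[!] Could not read masterkey file: {e}")
        sys.exit(1)

    decrypted_mk = decrypt_masterkey(mk, dpapikey_bytes)
    # Skip the blob step when no blob was supplied, instead of passing None
    # on to the hex decoder.
    if decrypted_mk and args.blob:
        decrypt_blob(args.blob, decrypted_mk)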
# Run the CLI only when executed as a script, not when imported as a module.
if __name__ == "__main__":
    main()