Masterkeys and prekeys and stuff #167

Open
netgoatfr opened this issue Oct 20, 2024 · 4 comments

Comments

@netgoatfr

So I have this code:

```python
import os
import re
import glob
from pypykatz.dpapi.dpapi import DPAPI

WINDOWS_LOCATION = "/run/media/****/***/"  # Censored
HIVE = os.path.join(WINDOWS_LOCATION, "Windows", "System32", "config")
dpapi = DPAPI()


def find_masterkey_files(base_path):
    master_key_paths = []
    # Common locations for masterkey files, relative to the mounted Windows volume
    common_paths = [
        r"Users/*/AppData/Roaming/Microsoft/Protect/S-*/*",
        r"Windows/ServiceProfiles/LocalService/AppData/Roaming/Microsoft/Protect/S-*/*",
        r"Windows/ServiceProfiles/NetworkService/AppData/Roaming/Microsoft/Protect/S-*/*",
    ]

    for i in common_paths:
        l = glob.glob(i, root_dir=base_path)  # root_dir requires Python 3.10+
        master_key_paths.extend([os.path.join(base_path, x) for x in l])

    return master_key_paths


def try_decrypt_masterkey_file(location, prekeys):
    # Try every prekey against one masterkey file; each call returns a
    # (masterkeys, backupkeys) tuple of dicts
    l = []
    for i in prekeys:
        dct = dpapi.decrypt_masterkey_file(location, i)
        l.append(dct)
    return l


def find_file(dir, name):
    # Return the first entry in dir whose name matches the regex exactly.
    # re.match would also accept SYSTEM.LOG1 / SYSTEM.sav, so use fullmatch.
    for file in os.listdir(dir):
        if re.fullmatch(name, file):
            return os.path.join(dir, file)


prekeys = [x for x in dpapi.get_prekeys_form_registry_files(
    find_file(HIVE, "SYSTEM"),
    find_file(HIVE, "SECURITY"),
    find_file(HIVE, "SAM"),
    find_file(HIVE, "SOFTWARE"),
)]
print(repr(prekeys))  # This just shows the prekeys (user and machine)
master_keys = find_masterkey_files(WINDOWS_LOCATION)
for kind in prekeys:  # Try to decrypt the masterkey files using every prekey
    for key in master_keys:
        if "preferred" not in key.lower():
            print(try_decrypt_masterkey_file(key, kind))
            # This always returns empty results
            # e.g. [({}, {}), ({}, {}), ({}, {}), ({}, {}), ({}, {}), ({}, {}), ({}, {}), ({}, {}), ({}, {}), ({}, {}), ({}, {}), ({}, {})]
```

But every time I run it, I never get any masterkey. Is that normal?
Btw, the ultimate goal is to decrypt the local state and get the encryption password for every autofill and stuff of a browser without being live on the computer.
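The empty `({}, {})` results above say nothing about whether the right inputs were even fed in, so a first check is that each path the glob returns really is a DPAPI masterkey file and carries a masterkey section. The parser below is an added example, not part of this issue or of pypykatz: it validates the publicly documented 128-byte masterkey file header (version 2, a well-formed GUID, section sizes that add up to the file size) and reports the masterkey section's PBKDF2 parameters, which is enough to spot a `Preferred` file, a stray directory entry or a truncated copy before any prekey is tried. The function names and the sample bytes (built by `build_sample_masterkey_file`, with dummy key material) are mine.

```python
import struct
import uuid

# DPAPI masterkey file header (128 bytes): version, 8 unknown bytes, the key GUID as
# 36 UTF-16LE chars, 8 unknown bytes, policy flags, then four 64-bit section sizes.
_HEADER = struct.Struct("<I8s72s8sIQQQQ")
# Masterkey/backupkey section prefix: version, 16-byte salt, PBKDF2 rounds, hash ALG_ID, cipher ALG_ID.
_MK_SECTION = struct.Struct("<I16sIII")
_SECTION_NAMES = ("masterkey", "backupkey", "credhist", "domainkey")


def parse_masterkey_file(data: bytes) -> dict:
    """Validate a masterkey file's header and return its GUID, policy and section layout."""
    if len(data) < _HEADER.size:
        raise ValueError("too short to be a DPAPI masterkey file")
    fields = _HEADER.unpack_from(data)
    version, guid_raw, policy, lengths = fields[0], fields[2], fields[4], fields[5:]
    if version != 2:
        raise ValueError(f"unexpected masterkey file version {version}")
    guid = guid_raw.decode("utf-16-le")
    uuid.UUID(guid)  # raises ValueError if the GUID field is not a well-formed GUID
    sections, offset = {}, _HEADER.size
    for name, length in zip(_SECTION_NAMES, lengths):
        if length:  # a zero length means the section is absent
            sections[name] = (offset, length)
            offset += length
    if offset != len(data):
        raise ValueError(f"section sizes sum to {offset} bytes but file is {len(data)} bytes")
    result = {"guid": guid, "policy": policy, "sections": sections}
    if "masterkey" in sections:
        start = sections["masterkey"][0]
        mk_version, salt, rounds, alg_hash, alg_crypt = _MK_SECTION.unpack_from(data, start)
        result["masterkey"] = {"version": mk_version, "salt": salt.hex(), "rounds": rounds,
                               "alg_hash": alg_hash, "alg_crypt": alg_crypt}
    return result


def build_sample_masterkey_file(guid: str) -> bytes:
    """Constructed sample (not a real key): one masterkey section and one backupkey section."""
    # 0x800E = CALG_SHA_512, 0x6610 = CALG_AES_256; the key bytes are dummy filler.
    mk = _MK_SECTION.pack(2, b"\x11" * 16, 8000, 0x800E, 0x6610) + b"\x22" * 144
    bk = _MK_SECTION.pack(2, b"\x33" * 16, 8000, 0x800E, 0x6610) + b"\x44" * 144
    header = _HEADER.pack(2, b"\x00" * 8, guid.encode("utf-16-le"), b"\x00" * 8,
                          0, len(mk), len(bk), 0, 0)
    return header + mk + bk
```

Running `parse_masterkey_file(open(path, "rb").read())` over every path the glob returns, and comparing the reported GUID with the file name, tells you which candidates are worth passing to `decrypt_masterkey_file` at all.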

@skelsec
Owner

skelsec commented Oct 20, 2024

Hello,
can you check what happens when you call dpapi.decrypt_masterkey_file without feeding it the prekeys? Like:

```python
def try_decrypt_masterkey_file(location, prekeys):
    l = []
    dct = dpapi.decrypt_masterkey_file(location)
    l.append(dct)
    return l
```

@netgoatfr
Author

(Also, in case you didn't see it, I added the software parameter to dpapi.get_prekeys_form_registry_files.)

Sadly no, still nothing.

```
[({}, {})]
[({}, {})]
[({}, {})]
[({}, {})]
[({}, {})]
[({}, {})]
```

@netgoatfr
Author

But thanks for that hella fast response!

@netgoatfr
Author

Lil update. I tried to use only pypykatz to fetch stuff:

```python
import os
import re
from pypykatz.dpapi.dpapi import DPAPI
from pypykatz.registry.offline_parser import OffineRegistry

WINDOWS_LOCATION = "/run/media/****/***/"  # Censored, as in the first post
USERS = os.path.join(WINDOWS_LOCATION, "Users")  # Assumed: the mounted volume's Users directory
HIVE = os.path.join(WINDOWS_LOCATION, "Windows", "System32", "config")
dpapi = DPAPI()


def find_file(dir, name):
    # Exact-name match, so SYSTEM.LOG1 etc. are not picked up by mistake
    for file in os.listdir(dir):
        if re.fullmatch(name, file):
            return os.path.join(dir, file)


reg: OffineRegistry = OffineRegistry.from_files(
    find_file(HIVE, "SYSTEM"),
    find_file(HIVE, "SAM"),
    find_file(HIVE, "SECURITY"),
    find_file(HIVE, "SOFTWARE"),
)
# print(dpapi.decrypt_all_chrome(dpapi.find_chrome_database_file_offline(USERS), throw=True))
masterkey_files = dpapi.find_masterkey_files_offline(USERS, WINDOWS_LOCATION)
prekeys = dpapi.get_prekeys_form_registry_files(
    find_file(HIVE, "SYSTEM"),
    find_file(HIVE, "SECURITY"),
    find_file(HIVE, "SAM"),
    find_file(HIVE, "SOFTWARE"),
)
for i in masterkey_files.values():
    for kind in prekeys:
        for key in kind:
            # decrypt_masterkey_file returns a (masterkeys, backupkeys) tuple; print any non-empty dict
            for hit in dpapi.decrypt_masterkey_file(i, key):
                if hit:
                    print("WHOOOOOOOO:", hit)
```

And still got nothing.
