Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve DPAPI plugin #711

Merged
merged 22 commits into from
Sep 6, 2024
Merged

Improve DPAPI plugin #711

merged 22 commits into from
Sep 6, 2024

Conversation

JSCU-CNI
Copy link
Contributor

@JSCU-CNI JSCU-CNI commented May 21, 2024
edited
Loading

This PR improves several DPAPI related features:

  • move LSA logic from DPAPI to separate plugin
  • move SAM and CREDHIST plugins to dissect.target.plugins.os.windows.credential
  • add Windows XP support to DPAPI plugin (RC4 and DES3)
  • fix bug in _SHA256 identifier (0x800C instead of 0x8004)
  • add providers for DPAPI masterkey passphrases

The latter "dpapi provider" feature is experimental and we are keen to discuss a better InternalNamespacePlugin implementation.

Schamper
Schamper requested changes Jul 10, 2024
View reviewed changes
Copy link
Member

@Schamper Schamper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some initial comments. I will need to take a deeper dive into the key provider thing at a later stage, as I do think that can be done nicer.

JSCU-CNI added 2 commits July 24, 2024 11:23
@JSCU-CNI
Improve DPAPI plugin
ad2112f 
* separate LSA logic from DPAPI in separate plugin
* move SAM and CREDHIST plugins to plugins.os.windows.credential
* add Windows XP support to DPAPI plugin (RC4 and DES3)
* fix bug in _SHA256 identifier (0x800C instead of 0x8004)
* add providers for DPAPI masterkey passphrases
@JSCU-CNI
Further DPAPI improvements
fde58ae 
* Implement review feedback
* Improved test coverage for DPAPI (XP, vista, 7, 10)
* Added several helper functions for DPAPI tests
* LSA plugin now returns records
* Fixed DES3 DPAPI for WinXP
* Small rewrite of DPAPIPlugin master key discovery logic
* Added DefaultPassword LSA secret as DPAPI keyprovider
@JSCU-CNI JSCU-CNI force-pushed the dpapi-improvements branch from 9e70b0b to fde58ae Compare July 24, 2024 09:23
@JSCU-CNI
Copy link
Contributor Author

Thanks for the review @Schamper. We've implemented the review feedback in fde58ae. Test coverage should now be better. See the commit message for the other stuff we changed.

@JSCU-CNI JSCU-CNI requested a review from Schamper July 24, 2024 09:26
Schamper
Schamper requested changes Aug 2, 2024
View reviewed changes
Copy link
Member

@Schamper Schamper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still need to have a think about the key provider plugins, but you can have some fun with these comments already 😉.

@JSCU-CNI JSCU-CNI requested a review from Schamper August 5, 2024 11:40
@EinatFox EinatFox mentioned this pull request Aug 6, 2024
Closed
@EinatFox EinatFox linked an issue Aug 6, 2024 that may be closed by this pull request
Improve DPAPI plugin #711 #799
Closed
Schamper
Schamper requested changes Aug 6, 2024
View reviewed changes
@JSCU-CNI JSCU-CNI requested a review from Schamper August 6, 2024 16:55
@Schamper Schamper self-assigned this Aug 12, 2024
@JSCU-CNI
Copy link
Contributor Author

Is this PR good to go? :)

@Schamper
Copy link
Member

Schamper commented Aug 14, 2024
edited
Loading

I'm still a little bit torn on the keyprovider thing. I don't think it's reasonable to implement a proper solution in this PR, so I'm willing to have a temporary one instead, but I'd at least want to make the InternalNamespacePlugin to actually work, or if that's a bit difficult, at least have all the keyprovider plugins actually be internal only.

For reference, the idea I was leaning towards the most as a proper solution to this was nested namespaces, but that will take a smidge more work 😅. I'm a bit swamped the coming days, so if you're not willing to wait on my solution to the internal namespace stuff, feel free to have a go at it.

Another idea I had was a fancy "target keychain" that you can plug "password/key material providers" into. For example, also dump password databases into it. But I'm not sure if there's actually a real use case for that outside of this specific one. So I don't think that's a good way to go.

@Schamper
Copy link
Member

I've made a few changes, let me know if those work for you @JSCU-CNI.

Unfortunately target-query -l is horribly broken with these changes, but that's because that code is littered with bugs and it's almost impossible to track down where and what exactly breaks. Probably most of that is already resolved with #763, and otherwise it will be picked up in that PR anyway. Sorry in the meantime @Zawadidone 😉.

@codecov Codecov
Copy link

codecov bot commented Aug 27, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 86.19529% with 41 lines in your changes missing coverage. Please review.

Project coverage is 75.59%. Comparing base (ce1e994) to head (adfc834).
Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
dissect/target/plugins/os/windows/dpapi/dpapi.py 76.82% 19 Missing ⚠️
...issect/target/plugins/os/windows/credential/lsa.py 90.19% 10 Missing ⚠️
...target/plugins/os/windows/dpapi/keyprovider/lsa.py 80.95% 4 Missing ⚠️
dissect/target/plugins/os/windows/dpapi/crypto.py 91.89% 3 Missing ⚠️
...t/plugins/os/windows/dpapi/keyprovider/credhist.py 85.71% 2 Missing ⚠️
...issect/target/plugins/os/windows/credential/sam.py 66.66% 1 Missing ⚠️
dissect/target/plugins/os/windows/dpapi/blob.py 50.00% 1 Missing ⚠️
...sect/target/plugins/os/windows/dpapi/master_key.py 50.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #711      +/-   ##
==========================================
+ Coverage   75.52%   75.59%   +0.06%     
==========================================
  Files         305      311       +6     
  Lines       26363    26540     +177     
==========================================
+ Hits        19911    20062     +151     
- Misses       6452     6478      +26
Flag Coverage Δ
unittests 75.59% <86.19%> (+0.06%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@JSCU-CNI
Copy link
Contributor Author

JSCU-CNI commented Sep 4, 2024

I've made a few changes, let me know if those work for you @JSCU-CNI.

That looks like a neat solution, thanks. I guess we can update the namespaces to dpapi.keyprovider.* once nested namespaces are fixed?

Unfortunately target-query -l is horribly broken with these changes, but that's because that code is littered with bugs and it's almost impossible to track down where and what exactly breaks.

Is that blocking for now? I can see that get_all_records is listed, which looks like the only faulty behaviour to me.

@JSCU-CNI JSCU-CNI requested a review from Schamper September 4, 2024 10:52
@Schamper
Copy link
Member

Schamper commented Sep 5, 2024

That looks like a neat solution, thanks. I guess we can update the namespaces to dpapi.keyprovider.* once nested namespaces are fixed?

Yes.

Is that blocking for now? I can see that get_all_records is listed, which looks like the only faulty behaviour to me.

No, not blocking. I'd prefer #763 instead of trying to fix this. There were some other things broken as well, but it doesn't really matter 😄.

Schamper
Schamper previously approved these changes Sep 5, 2024
View reviewed changes
@JSCU-CNI
Copy link
Contributor Author

JSCU-CNI commented Sep 5, 2024

That should fix the tests.

@JSCU-CNI JSCU-CNI requested a review from Schamper September 5, 2024 15:05
@Schamper Schamper merged commit df404d5 into fox-it:main Sep 6, 2024
18 checks passed
@JSCU-CNI JSCU-CNI deleted the dpapi-improvements branch September 9, 2024 07:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Schamper Schamper Schamper approved these changes

Assignees

@Schamper Schamper

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Improve DPAPI plugin #711
2 participants
@JSCU-CNI @Schamper