-
Notifications
You must be signed in to change notification settings - Fork 2
/
masker_key_file.go
85 lines (72 loc) · 2.59 KB
/
masker_key_file.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
package masterkey
import (
"github.com/wat4r/dpapitk/gocrypto"
"github.com/wat4r/dpapitk/hashlib"
"github.com/wat4r/dpapitk/utils"
)
// InitMasterKeyFile Init master key file.
func InitMasterKeyFile(masterKeyFileData []byte) MasterKeyFile {
var masterKeyFile = parseMasterKeyFileData(masterKeyFileData)
masterKeyFile.Decrypted = false
masterKeyFile.MasterKey.Decrypted = false
masterKeyFile.BackupKey.Decrypted = false
masterKeyFile.DomainKey.Decrypted = false
return masterKeyFile
}
// DecryptWithPassword Decrypt master key file with user password.
func (masterKeyFile *MasterKeyFile) DecryptWithPassword(userSID, password string) {
pwdEncode := utils.Utf16LfEncode(password)
// domain1607+ or domain
sidEncode := utils.Utf16LfEncode(userSID)
ntlmHash := hashlib.New("md4", pwdEncode)
derived := hashlib.Pbkdf2(ntlmHash, sidEncode, 32, 10000, "sha256")
derived = hashlib.Pbkdf2(derived, sidEncode, 16, 1, "sha256")
masterKeyFile.decryptWithHash(userSID, derived)
if masterKeyFile.Decrypted {
return
}
// local
masterKeyFile.decryptWithHash(userSID, hashlib.New("sha1", pwdEncode))
if masterKeyFile.Decrypted {
return
}
// domain1607- or domain
masterKeyFile.decryptWithHash(userSID, hashlib.New("md4", pwdEncode))
if masterKeyFile.Decrypted {
return
}
}
// DecryptWithHash Decrypt master key file with ntlm hash or sha1 hash.
func (masterKeyFile *MasterKeyFile) DecryptWithHash(userSID string, hash string) {
masterKeyFile.decryptWithHash(userSID, utils.HexToBytes(hash))
}
// DecryptWithPvk Decrypt master key file with domain backup key.
func (masterKeyFile *MasterKeyFile) DecryptWithPvk(pvkFileData []byte) {
masterKeyFile.DomainKey.decryptWithPvk(pvkFileData)
masterKeyFile.Decrypted = masterKeyFile.DomainKey.Decrypted
if masterKeyFile.Decrypted {
masterKeyFile.Key = masterKeyFile.DomainKey.Key
}
}
// Decrypt master key file with password hash.
func (masterKeyFile *MasterKeyFile) decryptWithHash(userSID string, pwdHash []byte) {
masterKey := &masterKeyFile.MasterKey
backupKey := &masterKeyFile.BackupKey
gocrypto.InitCryptoAlgo()
if !masterKey.Decrypted {
masterKey.DecryptWithHash(userSID, pwdHash)
if !masterKey.Decrypted {
sidEncode := utils.Utf16LfEncode(userSID)
derived := hashlib.Pbkdf2(pwdHash, sidEncode, 32, 10000, "sha256")
derived = hashlib.Pbkdf2(derived, sidEncode, 16, 1, "sha256")
masterKey.DecryptWithHash(userSID, derived)
}
}
if !backupKey.Decrypted {
backupKey.DecryptWithHash(userSID, pwdHash)
}
masterKeyFile.Decrypted = masterKey.Decrypted || backupKey.Decrypted
if masterKeyFile.Decrypted {
masterKeyFile.Key = masterKey.Key
}
}