Add efs.decrypt command and some refactoring
thewhiteninja committed Oct 10, 2021
1 parent 0cb9b7b commit 546e024
Showing 35 changed files with 988 additions and 522 deletions.
5 changes: 4 additions & 1 deletion NTFS.vcxproj
@@ -35,8 +35,10 @@
<ClInclude Include="Sources\Drive\volume.h" />
<ClInclude Include="Sources\EFS\certificate_file.h" />
<ClInclude Include="Sources\EFS\export_flag.h" />
<ClInclude Include="Sources\EFS\fek.h" />
<ClInclude Include="Sources\EFS\key_file.h" />
<ClInclude Include="Sources\EFS\masterkey_file.h" />
<ClInclude Include="Sources\EFS\pkcs12_archive.h" />
<ClInclude Include="Sources\EFS\private_key.h" />
<ClInclude Include="Sources\EFS\private_key_enc.h" />
<ClInclude Include="Sources\EFS\public_key.h" />
@@ -68,6 +70,7 @@
<ClCompile Include="Sources\Commands\command_btree.cpp" />
<ClCompile Include="Sources\Commands\command_efs_backup.cpp" />
<ClCompile Include="Sources\Commands\command_efs_certificate.cpp" />
<ClCompile Include="Sources\Commands\command_efs_decrypt.cpp" />
<ClCompile Include="Sources\Commands\command_efs_key.cpp" />
<ClCompile Include="Sources\Commands\command_efs_masterkey.cpp" />
<ClCompile Include="Sources\Commands\command_extract.cpp" />
@@ -93,7 +96,7 @@
<ClCompile Include="Sources\EFS\certificate_file.cpp" />
<ClCompile Include="Sources\EFS\key_file.cpp" />
<ClCompile Include="Sources\EFS\masterkey_file.cpp" />
<ClCompile Include="Sources\EFS\pkcs12_backup.h" />
<ClCompile Include="Sources\EFS\pkcs12_archive.cpp" />
<ClCompile Include="Sources\EFS\private_key.cpp" />
<ClCompile Include="Sources\EFS\private_key_enc.cpp" />
<ClCompile Include="Sources\EFS\public_key.cpp" />
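Review bot: the removed entry `<ClCompile Include="Sources\EFS\pkcs12_backup.h" />` listed a header under ClCompile, so swapping in `Sources\EFS\pkcs12_archive.cpp` also corrects the item type, not just the name. Confirm that the old `pkcs12_backup.h` (and any matching `.cpp`) is deleted elsewhere in this commit; it is no longer referenced from the project file or from command_efs_backup.cpp, so leaving it would keep a stale, uncompiled source in the tree.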
15 changes: 12 additions & 3 deletions NTFS.vcxproj.filters
@@ -168,6 +168,12 @@
<ClInclude Include="Sources\EFS\certificate_file.h">
<Filter>Header Files\EFS</Filter>
</ClInclude>
<ClInclude Include="Sources\EFS\pkcs12_archive.h">
<Filter>Header Files\EFS</Filter>
</ClInclude>
<ClInclude Include="Sources\EFS\fek.h">
<Filter>Header Files\EFS</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="Sources\main.cpp">
@@ -320,15 +326,18 @@
<ClCompile Include="Sources\Commands\command_efs_backup.cpp">
<Filter>Source Files\Commands</Filter>
</ClCompile>
<ClCompile Include="Sources\EFS\pkcs12_backup.h">
<Filter>Header Files\EFS</Filter>
</ClCompile>
<ClCompile Include="Sources\Commands\commands.cpp">
<Filter>Source Files\Commands</Filter>
</ClCompile>
<ClCompile Include="Sources\Commands\command_efs_certificate.cpp">
<Filter>Source Files\Commands</Filter>
</ClCompile>
<ClCompile Include="Sources\Commands\command_efs_decrypt.cpp">
<Filter>Source Files\Commands</Filter>
</ClCompile>
<ClCompile Include="Sources\EFS\pkcs12_archive.cpp">
<Filter>Source Files\EFS</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<None Include="README.md">
35 changes: 32 additions & 3 deletions README.md
@@ -4,7 +4,7 @@
[![Language: C++](https://img.shields.io/badge/Language-C%2B%2B-brightgreen.svg?tyle=flat-square)](#)
[![x64](https://img.shields.io/badge/Windows-64_bit-0078d7.svg)](#)
[![x86](https://img.shields.io/badge/Windows-32_bit-0078d7.svg)](#)
[![v1.3](https://img.shields.io/badge/Version-1.3-ff5733.svg)](#)
[![v1.4](https://img.shields.io/badge/Version-1.4-ff5733.svg)](#)
[![Build](https://ci.appveyor.com/api/projects/status/a3cn5dpdv146tdji?svg=true)](https://ci.appveyor.com/project/thewhiteninja/ntfstool)

<img align="right" width="100" height="100" src="https://cdn-icons-png.flaticon.com/512/3850/3850133.png">
@@ -79,6 +79,7 @@ Options can be entered as decimal or hex number with "0x" prefix (ex: inode).
| [bitlocker](#bitlocker) | Display detailed information and hash ($bitlocker$) for all VMK. It is possible to test a password or recovery key. If it is correct, the decrypted VMK and FVEK is displayed. |
| [bitdecrypt](#bitdecrypt) | Decrypt a volume to a file using password, recovery key or bek. |
| [efs.backup](#efs-backup) | Export EFS keys in PKCS12 (pfx) format. |
| [efs.decrypt](#efs-decrypt) | Decrypt EFS encrypted file using keys in PKCS12 (pfx) format. |
| [efs.certificate](#efs-certificate) | List, display and export system certificates (SystemCertificates/My/Certificates). |
| [efs.key](#efs-key) | List, display, decrypt and export private keys (Crypto/RSA). |
| [efs.masterkey](#efs-masterkey) | List, display and decrypt masterkeys (Protect). |
@@ -707,6 +708,34 @@ Current third-party libs:
</td></tr>
</table>


### EFS-decrypt
<table>
<tr><td>efs.decrypt efs.decrypt disk=0 volume=4 from=c:\cat.png pfx=z:\my_backup.pfx password=backup output=c:\socute.png</td></tr>
<tr><td>

Decrypt EFS file from \\.\PhysicalDrive0 > Volume:4
---------------------------------------------------

[+] Loading PKCS12 input file
[-] KeyID : 86598de9ed5dbdd00aa2ff467ed71f1f28acf61b
[-] Reading record: 13525
[+] Parsing $EFS streams
[-] 1 data decryption field(s) found
[+] Decrypting FEK
[-] FEK
+----------------------------------------------------------------------------------+
| Property | Value |
+----------------------------------------------------------------------------------+
| Entropy | 32 |
| Algorithm | CALG_AES_256 |
| Key (256bits) | 5BBBB8A7F9DD9B9FFFDE9E62370254979F32A9CFFDDB74212A0C1AEECCD75B4A |
+----------------------------------------------------------------------------------+
[+] Decrypting file
[-] Decrypted file written to c:\socute.png (1.94 MiB)
</td></tr>
</table>

### EFS-certificate
<table>
<tr><td>efs.certificate disk=0 volume=4</td></tr>
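Review bot: the example command in the new EFS-decrypt section repeats the command name (`efs.decrypt efs.decrypt disk=0 volume=4 ...`); drop the duplicate so the line can be copied as-is. Two documentation points on the same block: the sample transcript prints the decrypted FEK (the full 256-bit AES key) in clear, so either mask it the way `masterkey=34...eb` is elided in the efs.key example or say explicitly that the command echoes key material to the console; and since the PFX password is given as `password=backup` on the command line, a sentence noting that it will end up in shell history and process listings would help readers handling real key backups.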
@@ -810,7 +839,7 @@ Current third-party libs:
| | | ff:0c |
+----------------------------------------------------------------------------------------------------------------------------+
</td></tr>
<tr><td>efs.certificate disk=0 volume=4 inode=0xb5a4 output=mycert format=pem</td></tr>
<tr><td>efs.certificate disk=0 volume=4 inode=0xb5a4 output=mycert</td></tr>
<tr><td>

Display certificate from \\.\PhysicalDrive0 > Volume:4
@@ -997,7 +1026,7 @@ Current third-party libs:
| | | F39FC063F1F20323E3220229E29FA42D |
+----------------------------------------------------------+
</td></tr>
<tr><td> efs.key disk=0 volume=4 inode=742107 masterkey=34...eb output=mykey format=pem</td></tr>
<tr><td> efs.key disk=0 volume=4 inode=742107 masterkey=34...eb output=mykey</td></tr>
<tr><td>

Decrypt key from \\.\PhysicalDrive0 > Volume:4
6 changes: 1 addition & 5 deletions Sources/Commands/command_btree.cpp
@@ -19,11 +19,7 @@

int print_btree_info(std::shared_ptr<Disk> disk, std::shared_ptr<Volume> vol, std::shared_ptr<Options> opts)
{
if ((vol->filesystem() != "NTFS") && (vol->filesystem() != "Bitlocker"))
{
std::cerr << "[!] NTFS volume required" << std::endl;
return 1;
}
if (!commands::helpers::is_ntfs(disk, vol)) return 1;

std::shared_ptr<NTFSExplorer> explorer = std::make_shared<NTFSExplorer>(vol);
std::shared_ptr<MFTRecord> record = commands::helpers::find_record(explorer, opts);
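Review bot: the check being replaced accepted both "NTFS" and "Bitlocker" as `vol->filesystem()` values and printed "[!] NTFS volume required" otherwise; `commands::helpers::is_ntfs` is not shown in this commit view, so confirm it keeps the "Bitlocker" case (an unlocked BitLocker volume still exposes NTFS) and prints the error itself, because the caller now returns 1 without any message. The same helper replaces the same inline check in command_efs_backup.cpp and command_efs_certificate.cpp, so a behaviour change here affects every command at once. The helper also takes `disk`, which the original check never needed; if it is only used for the error text, a short comment on `is_ntfs` would make that clear since the name reads as a pure predicate on the volume.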
10 changes: 3 additions & 7 deletions Sources/Commands/command_efs_backup.cpp
@@ -6,16 +6,12 @@
#include <EFS/private_key.h>
#include <EFS/masterkey_file.h>
#include <EFS/key_file.h>
#include <EFS/pkcs12_backup.h>
#include <EFS/pkcs12_archive.h>


int backup_keys(std::shared_ptr<Disk> disk, std::shared_ptr<Volume> vol, std::shared_ptr<Options> opts)
{
if ((vol->filesystem() != "NTFS") && (vol->filesystem() != "Bitlocker"))
{
std::cerr << "[!] NTFS volume required" << std::endl;
return 1;
}
if (!commands::helpers::is_ntfs(disk, vol)) return 1;

std::cout << std::setfill('0');
utils::ui::title("Backup certificates and keys from " + disk->name() + " > Volume:" + std::to_string(vol->index()));
@@ -214,7 +210,7 @@ int backup_keys(std::shared_ptr<Disk> disk, std::shared_ptr<Volume> vol, std::sh
auto decrypted_private_key = keyfile->private_key()->decrypt_with_masterkey(masterkey);
if (decrypted_private_key != nullptr)
{
std::shared_ptr<PKCS12Backup> pkcs12 = std::make_shared<PKCS12Backup>(cert, decrypted_private_key);
std::shared_ptr<PKCS12Archive> pkcs12 = std::make_shared<PKCS12Archive>(cert, decrypted_private_key);
if (opts->output == "")
{
opts->output = cert->hash();
36 changes: 5 additions & 31 deletions Sources/Commands/command_efs_certificate.cpp
@@ -5,15 +5,9 @@
#include "EFS/certificate_file.h"


const std::vector<std::string> format = { "pem" };

int show_certificate(std::shared_ptr<Disk> disk, std::shared_ptr<Volume> vol, std::shared_ptr<Options> opts)
{
if ((vol->filesystem() != "NTFS") && (vol->filesystem() != "Bitlocker"))
{
std::cerr << "[!] NTFS volume required" << std::endl;
return 1;
}
if (!commands::helpers::is_ntfs(disk, vol)) return 1;

std::cout << std::setfill('0');
utils::ui::title("Display certificate from " + disk->name() + " > Volume:" + std::to_string(vol->index()));
@@ -126,29 +120,13 @@ int show_certificate(std::shared_ptr<Disk> disk, std::shared_ptr<Volume> vol, st
}
else
{
if (opts->format == "")
{
opts->format = format[0];
}
else
{
opts->format = utils::strings::lower(opts->format);
}

if (std::find(format.begin(), format.end(), opts->format) == format.end())
if (certificate_file->export_to_PEM(opts->output) == 0)
{
std::cerr << "[!] Invalid output format (" << opts->format << ")" << std::endl;
std::cout << "[+] Certificate exported to " << opts->output << ".pem" << std::endl;
}
else
{
if (certificate_file->export_to_PEM(opts->output) == 0)
{
std::cout << "[+] Certificate exported to " << opts->output << ".pem" << std::endl;
}
else
{
std::cerr << "[!] Unable to export the certificate" << std::endl;
}
std::cerr << "[!] Unable to export the certificate" << std::endl;
}
}
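Review bot: with the `format` vector and its validation removed, a user-supplied `format=` value is now silently ignored and a PEM file is written regardless; the README examples drop `format=pem` in this same commit, but `opts->format` still exists on the Options object. Either keep rejecting a non-empty `opts->format` other than "pem" with the old "[!] Invalid output format" error, or remove the option from Options and the help text so the code, the options parser and the documentation stay consistent.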

@@ -157,11 +135,7 @@ int show_certificate(std::shared_ptr<Disk> disk, std::shared_ptr<Volume> vol, st

int list_certificates(std::shared_ptr<Disk> disk, std::shared_ptr<Volume> vol, std::shared_ptr<Options> opts)
{
if ((vol->filesystem() != "NTFS") && (vol->filesystem() != "Bitlocker"))
{
std::cerr << "[!] NTFS volume required" << std::endl;
return 1;
}
if (!commands::helpers::is_ntfs(disk, vol)) return 1;

std::cout << std::setfill('0');
utils::ui::title("List certificates from " + disk->name() + " > Volume:" + std::to_string(vol->index()));