openwall · magnumripper · Oct 10, 2018 · Oct 5, 2018 · Oct 5, 2018 · Oct 7, 2018
diff --git a/run/DPAPImk2john.py b/run/DPAPImk2john.py
@@ -276,11 +276,13 @@ def des_set_odd_parity(key):
 CryptoAlgo.add_algo(0x800d, name="sha384", digestLength=384, blockLength=1024)
 CryptoAlgo.add_algo(0x800e, name="sha512", digestLength=512, blockLength=1024)
 
-
-def pbkdf2(passphrase, salt, keylen, iterations, digest='sha1'):
+def pbkdf2_ms(passphrase, salt, keylen, iterations, digest='sha1'):
     """Implementation of PBKDF2 that allows specifying digest algorithm.
 
     Returns the corresponding expanded key which is keylen long.
+
+    Note: This is not real pbkdf2, but instead a slight modification of it.
+    Seems like Microsoft tried to implement pbkdf2 but got the xoring wrong.
     """
     buff = ""
     i = 1
@@ -294,6 +296,23 @@ def pbkdf2(passphrase, salt, keylen, iterations, digest='sha1'):
         buff += derived
     return buff[:keylen]
 
+def pbkdf2(passphrase, salt, keylen, iterations, digest='sha1'):
+    """Implementation of PBKDF2 that allows specifying digest algorithm.
+
+    Returns the corresponding expanded key which is keylen long.
+    """
+    buff = ""
+    i = 1
+    while len(buff) < keylen:
+        U = salt + struct.pack("!L", i)
+        i += 1
+        derived = hmac.new(passphrase, U, digestmod=lambda: hashlib.new(digest)).digest()
+        actual = derived
+        for r in xrange(iterations - 1):
+            actual = hmac.new(passphrase, actual, digestmod=lambda: hashlib.new(digest)).digest()
+            derived = ''.join([chr(ord(x) ^ ord(y)) for (x, y) in zip(derived, actual)])
+        buff += derived
+    return buff[:keylen]
 
 def derivePwdHash(pwdhash, userSID, digest='sha1'):
     """Internal use. Computes the encryption key from a user's password hash"""
@@ -303,7 +322,7 @@ def derivePwdHash(pwdhash, userSID, digest='sha1'):
 def dataDecrypt(cipherAlgo, hashAlgo, raw, encKey, iv, rounds):
     """Internal use. Decrypts data stored in DPAPI structures."""
     hname = {"HMAC": "sha1"}.get(hashAlgo.name, hashAlgo.name)
-    derived = pbkdf2(encKey, iv, cipherAlgo.keyLength + cipherAlgo.ivLength, rounds, hname)
+    derived = pbkdf2_ms(encKey, iv, cipherAlgo.keyLength + cipherAlgo.ivLength, rounds, hname)
     key, iv = derived[:cipherAlgo.keyLength], derived[cipherAlgo.keyLength:]
     key = key[:cipherAlgo.keyLength]
     iv = iv[:cipherAlgo.ivLength]
@@ -398,13 +417,24 @@ def jhash(self):
         else:
             return "Unsupported combination of cipher '%s' and hash algorithm '%s' found!" % (self.cipherAlgo, self.hashAlgo)
         context = 0
+
         if self.context == "domain":
             context = 2
-        elif self.context == "local":
-            context = 1
-
-        s = "$DPAPImk$%d*%d*%s*%s*%s*%d*%s*%d*%s" % (version, context, self.SID, cipher_algo, hmac_algo, self.rounds, self.iv.encode("hex"),
+            s = "$DPAPImk$%d*%d*%s*%s*%s*%d*%s*%d*%s" % (version, context, self.SID, cipher_algo, hmac_algo, self.rounds, self.iv.encode("hex"),
                                      len(self.ciphertext.encode("hex")), self.ciphertext.encode("hex"))
+            context = 3
+            s += "\n$DPAPImk$%d*%d*%s*%s*%s*%d*%s*%d*%s" % (version, context, self.SID, cipher_algo, hmac_algo, self.rounds,
+                                     self.iv.encode("hex"), len(self.ciphertext.encode("hex")), self.ciphertext.encode("hex"))
+        else:
+            if self.context == "local":
+                context = 1
+            elif self.context == "domain1607-":
+                context = 2
+            elif self.context == "domain1607+":
+                context = 3
+
+            s = "$DPAPImk$%d*%d*%s*%s*%s*%d*%s*%d*%s" % (version, context, self.SID, cipher_algo, hmac_algo, self.rounds, self.iv.encode("hex"),
+                                         len(self.ciphertext.encode("hex")), self.ciphertext.encode("hex"))
         return s
 
     def setKeyHash(self, h):
@@ -513,11 +543,22 @@ def decryptWithHash(self, userSID, h):
     def decryptWithPassword(self, userSID, pwd, context):
         """See MasterKey.decryptWithPassword()"""
         algo = None
-        if context == "domain":
-            algo = "md4"
-        elif context == "local":
-            algo = "sha1"
-        self.decryptWithHash(userSID, hashlib.new(algo, pwd.encode('UTF-16LE')).digest())
+        if context == "domain1607-" or context == "domain":
+            self.decryptWithHash(userSID, hashlib.new("md4", pwd.encode('UTF-16LE')).digest())
+            if self.decrypted:
+                print "Decrypted succesfully as domain1607-"
+                return
+        if context == "domain1607+" or context == "domain":
+            SIDenc = userSID.encode("UTF-16LE")
+            NTLMhash = hashlib.new("md4", pwd.encode('UTF-16LE')).digest()
+            derived = pbkdf2(NTLMhash, SIDenc, 32, 10000, digest='sha256')
+            derived = pbkdf2(derived, SIDenc, 16, 1, digest='sha256')
+            self.decryptWithHash(userSID, derived)
+            if self.decrypted:
+                print "Decrypted succesfully as domain1607+"
+                return
+        if context == "local":
+            self.decryptWithHash(userSID, hashlib.new("sha1", pwd.encode('UTF-16LE')).digest())
 
     def __repr__(self):
         s = ["\n#### MasterKeyFile %s ####" % self.guid]
@@ -605,7 +646,7 @@ def __repr__(self):
     parser.add_argument('-S', '--sid', required=False, help="SID of account owning the masterkey file.")
     parser.add_argument('-mk', '--masterkey', required=False, help="masterkey file (usually in %%APPDATA%%\\Protect\\<SID>).")
     parser.add_argument('-d', '--debug', default=False, action='store_true', dest="debug")
-    parser.add_argument('-c', '--context', required=False, help="context of user account. Only 'domain' and 'local' are possible.")
+    parser.add_argument('-c', '--context', required=False, help="context of user account. 1607 refers to Windows 10 1607 update.", choices=['domain', 'domain1607+', 'domain1607-', 'local'])
     parser.add_argument('-P', '--preferred', required=False, help="'Preferred' file containing GUID of masterkey file in use (usually in %%APPDATA%%\\Protect\\<SID>). Cannot be used with any other command.")
     parser.add_argument("--password", metavar="PASSWORD", dest="password", help="password to decrypt masterkey file.")
 
@@ -624,9 +665,6 @@ def __repr__(self):
         Preferred.close()
         sys.exit(1)
     else:
-        if options.context != "local" and options.context != "domain":
-            "context must be whether 'local' or 'domain', exiting."
-            sys.exit(1)
         mkp = MasterKeyPool()
         masterkeyfile = open(options.masterkey,'rb')
         mkdata = masterkeyfile.read()

diff --git a/src/dpapimk_fmt_plug.c b/src/dpapimk_fmt_plug.c
@@ -45,6 +45,7 @@ john_register_one(&fmt_DPAPImk);
 
 #include "pbkdf2_hmac_sha512.h"
 #include "pbkdf2_hmac_sha1.h"
+#include "pbkdf2_hmac_sha256.h"
 
 #define FORMAT_LABEL            "DPAPImk"
 #define FORMAT_TAG              "$DPAPImk$"
@@ -95,6 +96,7 @@ static struct fmt_tests dpapimk_tests[] = {
 	{"$DPAPImk$1*2*S-15-21-458698633-447735394-485599537-1788*des3*sha1*24000*96b957d9bf0f8846399e70a84431b595*208*0ee9fa2baf2cf0efda81514376aef853c6c93a5776fa6af66a869f44c50ac80148b7488f52b4c52c305e89a497a583e17cca4a9bab580668a8a5ce2eee083382c98049e481e47629b5815fb16247e3bbfa62c454585aaaf51ef15555a355fcf925cff16c0bb006f8", "jordifirstcredit"},
 	{"$DPAPImk$2*1*S-15-21-417226446-481759312-475941522-1494*aes256*sha512*8000*1e6b7a71a079bc12e71c75a6bcfd865c*288*5b5d651e538e5185f7d6939ba235ca2d8a2b9726a6e95b59844320ba1d1f22282527210bc784d22075e596d113927761a644ad4057cb4dbb497bd64ee6c630930a4ba388eadb59484ec2be7fb4cc79299a87f341d002d25b5b187c71fa19417ec9d1b65568a79c962cb3b5bcb1b8df5f968669af35eec5a24ed5dcee46deef42bfee5ad665dd4de56ccd9c6ba26b2acd", "PaulSmiteSuper160"},
 	{"$DPAPImk$2*2*S-15-21-402916398-457068774-444912990-1699*aes256*sha512*17000*4c51109a901e4be7f1e208f82a56e690*288*bb80d538ac4185eb0382080fda0d405bb74da3a6b98e96f222292b819fa9168cf1571e9bc9c698ad10daf850ab34de1a1765cfd5c0fb8a63a413a767d241dfe6355804af259d24f6be7282daac0a9e02d7fbe20675afb3733141995990a6d11012edfb7e81b49c0e1132dbc4503dd2206489e4f512e4fe9d573566c9d8973188b8d1a87610b8bef09e971270a376a52b", "Juan-Carlos"},
+	{"$DPAPImk$1*3*S-1-5-21-1857904334-2267218879-1458651445-1123*des3*sha1*18000*e4c529ba8975e4ed56f5fb8b1e85be43*208*af96b391f1d6e2d37a4de3b4c412ce78f032d446d77ea1fb6a0782f47c390c844349c2bcaeba9fd570b39def6f67a369aa2e266e8d017689d8a09667fdfb640feb3e19ca22067cc5704644c1dcc43d4cccac667391f4918d0de77f36569fd2e104ef0619a46edcfc", "LaKuckaracha42"},
 	/* old samples, with less iterations, preserved for backward compatibiliy */
 	{"$DPAPImk$1*1*S-1-5-21-1482476501-1659004503-725345543-1003*des3*sha1*4000*b3d62a0b06cecc236fe3200460426a13*208*d3841257348221cd92caf4427a59d785ed1474cab3d0101fc8d37137dbb598ff1fd2455826128b2594b846934c073528f8648d750d3c8e6621e6f706d79b18c22f172c0930d9a934de73ea2eb63b7b44810d332f7d03f14d1c153de16070a5cab9324da87405c1c0", "openwall"},
 	{"$DPAPImk$1*1*S-1-5-21-1482476501-1659004503-725345543-1005*des3*sha1*4000*c9cbd491f78ea6d512276b33f025bce8*208*091a13443cfc2ddb16dcf256ab2a6707a27aa22b49a9a9011ebf3bb778d0088c2896de31de67241d91df75306e56f835337c89cfb2f9afa940b4e7e019ead2737145032fac0bb34587a707d42da7e00b72601a730f5c848094d54c47c622e2f8c8d204c80ad061be", "JtRisthebest"},
@@ -311,12 +313,16 @@ static int crypt_all(int *pcount, struct db_salt *salt)
 #endif
 	for (index = 0; index < count; index += MIN_KEYS_PER_CRYPT) {
 		unsigned char *passwordBuf;
-		int passwordBufSize, digestlen = 20;
+		int passwordBufSize;
+		unsigned char *sidBuf;
+		int sidBufSize;
 		unsigned char out[MIN_KEYS_PER_CRYPT][KEY_LEN2 + IV_LEN2];
 		unsigned char out2[MIN_KEYS_PER_CRYPT][KEY_LEN2 + IV_LEN2];
 		SHA_CTX ctx;
 		MD4_CTX ctx2;
 		int i;
+
+		int digestlens[MIN_KEYS_PER_CRYPT];
 
 #if defined(SIMD_COEF_64) && defined(SIMD_COEF_32)
 		int lens[MIN_KEYS_PER_CRYPT];
@@ -325,14 +331,15 @@ static int crypt_all(int *pcount, struct db_salt *salt)
 			unsigned char *pout[MIN_KEYS_PER_CRYPT];
 			unsigned char *poutc;
 		} x;
-		int loops = MIN_KEYS_PER_CRYPT;
+		int sha256loops = MIN_KEYS_PER_CRYPT / SSE_GROUP_SZ_SHA256, loops = MIN_KEYS_PER_CRYPT;
 
 		if (cur_salt->version == 1)
 			loops = MIN_KEYS_PER_CRYPT / SSE_GROUP_SZ_SHA1;
 		else if (cur_salt->version == 2)
 			loops = MIN_KEYS_PER_CRYPT / SSE_GROUP_SZ_SHA512;
 #endif
 		for (i = 0; i < MIN_KEYS_PER_CRYPT; ++i) {
+			digestlens[i] = 16;
 			passwordBuf = (unsigned char*)saved_key[index+i];
 			passwordBufSize = strlen16((UTF16*)passwordBuf) * 2;
 
@@ -341,24 +348,62 @@ static int crypt_all(int *pcount, struct db_salt *salt)
 				SHA1_Init(&ctx);
 				SHA1_Update(&ctx, passwordBuf, passwordBufSize);
 				SHA1_Final(out[i], &ctx);
-				digestlen = 20;
+				digestlens[i] = 20;
 			}
 			/* domain credentials */
-			else if (cur_salt->cred_type == 2) {
+			else if (cur_salt->cred_type == 2 || cur_salt->cred_type == 3) {
 				MD4_Init(&ctx2);
 				MD4_Update(&ctx2, passwordBuf, passwordBufSize);
 				MD4_Final(out[i], &ctx2);
-				digestlen = 16;
+				digestlens[i] = 16;
 			}
+		}
+
+		/* 1607+ domain credentials */
+		/* The key derivation algorithm is hardcoded in NtlmShared.dll!MsvpDeriveSecureCredKey */
+		if(cur_salt->cred_type == 3) {
+			sidBuf = (unsigned char*)cur_salt->SID;
+			sidBufSize = (strlen16(cur_salt->SID) * 2);
+#if defined(SIMD_COEF_64) && defined(SIMD_COEF_32)
+			for (i = 0; i < MIN_KEYS_PER_CRYPT; ++i) {
+				lens[i] = 16;
+				pin[i] = (unsigned char*)out[i];
+				x.pout[i] = out2[i];
+			}
+
+			for (i = 0; i < sha256loops; i++) {
+				pbkdf2_sha256_sse((const unsigned char**)(pin + i * SSE_GROUP_SZ_SHA256), &lens[i * SSE_GROUP_SZ_SHA256], sidBuf, sidBufSize, 10000, x.pout + (i * SSE_GROUP_SZ_SHA256), 32, 0);
+			}
+
+			for (i = 0; i < MIN_KEYS_PER_CRYPT; ++i) {
+				lens[i] = 32;
+				pin[i] = (unsigned char*)out2[i];
+				x.pout[i] = out[i];
+			}
+
+			for (i = 0; i < sha256loops; i++) {
+				pbkdf2_sha256_sse((const unsigned char**)(pin + i * SSE_GROUP_SZ_SHA256), &lens[i * SSE_GROUP_SZ_SHA256], sidBuf, sidBufSize, 1, x.pout + (i * SSE_GROUP_SZ_SHA256), 16, 0);
+			}
+#else
+			for (i = 0; i < MIN_KEYS_PER_CRYPT; ++i) {
+				pbkdf2_sha256(out[i], 16, sidBuf, sidBufSize, 10000, out2[i], 32, 0);
+				pbkdf2_sha256(out2[i], 32, sidBuf, sidBufSize, 1, out[i], 16, 0);
+			}
+#endif
+		}
+
+
+		for (i = 0; i < MIN_KEYS_PER_CRYPT; ++i) {
 			passwordBuf = (unsigned char*)cur_salt->SID;
 			passwordBufSize = (strlen16(cur_salt->SID) + 1) * 2;
-			hmac_sha1(out[i], digestlen, passwordBuf, passwordBufSize, out2[i], 20);
+			hmac_sha1(out[i], digestlens[i], passwordBuf, passwordBufSize, out2[i], 20);
 #if defined(SIMD_COEF_64) && defined(SIMD_COEF_32)
 			lens[i] = 20;
 			pin[i] = (unsigned char*)out2[i];
 			x.pout[i] = out[i];
 #endif
 		}
+
 #if defined(SIMD_COEF_64) && defined(SIMD_COEF_32)
 		if (cur_salt->version == 1)
 			for (i = 0; i < loops; i++)