I believe that with a little tweak your bruteforce-script can also become compatible with a CacheData file from a Microsoft Online Account.
During my testing I noticed that the "decrypted_blob" (for Azure and MOA cachedata files) always starts with \x00\x00\x00\x00\x01\x00\x00\x00
So, at line 36 of https://github.com/synacktiv/CacheData_decrypt/blob/main/scripts/bruteforce_password.py we can maybe add the following:
if decrypted_blob[:8] == b'\x00\x00\x00\x00\x01\x00\x00\x00':
print(f'[+] Success! Given password '{password}' is correct!')
Afterwards we can exit if condition not met:
version, flags, dword3, raw_dpapi_cred_key_size = struct.unpack("<IIII", decrypted_blob[0:0x10])
if version == 0x00:
decrypted_prt = decrypted_blob[0x70:]
if not decrypted_prt.startswith(b'{"Version"'):
sys.exit("[+] Further parsing stopped because no Azure/EntraID CacheData detected")
What do you think?
The output would look like this:
python CacheData_decrypt-main\decrypt_cachedata.py password -C CacheData_MOA -P wordlist.txt
[+] Parsing CacheData file CacheData_MOA
[+] CacheData file version is 0x2
[+] CacheData expected sha256: 2fbc74390fab3eae48dfa396b64e98c460db33a2697a1b6fb2420cd1ddaf0d5d
[+] CacheData computed sha256: 2fbc74390fab3eae48dfa396b64e98c460db33a2697a1b6fb2420cd1ddaf0d5d
[+] Parsing Cache node headers
[+] Found CacheNode of type 0x5, CryptoBlobSize = 0x3d7, EncryptedPRTSize = 0xa10
[+] Found CacheNode of type 0x1, CryptoBlobSize = 0x30, EncryptedPRTSize = 0xa10
[+] Parsing raw blob
[+] Found blob of size 0x3d7 (offset = 0x80/0x18b4)
[+] Found blob of size 0xa10 (offset = 0x45c/0x18b4)
[+] Found blob of size 0x30 (offset = 0xe70/0x18b4)
[+] Found blob of size 0xa10 (offset = 0xea4/0x18b4)
[+] CacheData node of type password (0x1) has been found
[+] Success! Given password 'fake_password' is correct!
[+] Further parsing stopped because no Azure/EntraID CacheData detected
I believe that with a little tweak your bruteforce-script can also become compatible with a CacheData file from a Microsoft Online Account.
During my testing I noticed that the "decrypted_blob" (for Azure and MOA cachedata files) always starts with
\x00\x00\x00\x00\x01\x00\x00\x00So, at line 36 of https://github.com/synacktiv/CacheData_decrypt/blob/main/scripts/bruteforce_password.py we can maybe add the following:
Afterwards we can exit if condition not met:
What do you think?
The output would look like this: