Fix DPAPI credential lookup: add lowercase username for dploot compatibility

[mverschu]

Description

Fixes DPAPI master key decryption when the username contains uppercase letters (e.g. Administrator).

dploot looks up credentials using user.lower() (e.g. "administrator"), but credentials were only stored under context.username (e.g. "Administrator"). Because Python dict lookups are case-sensitive, the credential lookup failed and master keys were not decrypted.

This change adds the lowercase username as an additional key in both plaintexts and nthashes so dploot can find the credentials regardless of casing.

No new dependencies.

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Deprecation of feature or functionality
• This change requires a documentation update
• This requires a third party update (such as Impacket, Dploot, lsassy, etc)

Setup guide for the review

Please provide guidance on what setup is needed to test the introduced changes, such as your locally running machine Python version & OS, as well as the target(s) you tested against, including software versions.
In particular:

• Bug Fix: Run the DPAPI module against a Windows target using a username with uppercase letters (e.g. Administrator, DOMAIN\User). Before the fix, master keys for that user were not decrypted because the credential lookup failed. After the fix, credentials are found and master keys decrypt successfully.

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

• I have ran Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
• I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
• New and existing e2e tests pass locally with my changes
• If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

[NeffIsBack]

Thanks for the bug fix PR! I'll take a look at it soon.

[NeffIsBack]

@mverschu any reason why you have not just added the .lower() to the original line? With that (but also your solution) i can decrypt my MasterKey file. However, it still doesn't show my saved chrome secret. @zblurx any idea why?

[zblurx]

I need to investigate on Chrome, maybe the DPAPI routine has changed again. Chances are it's not related to this issue

[zblurx]

I can now confirm Google Chrome has implemented a new encryption flag, which breaks Google Chrome (not the other Chromium browsers, only GC) secret decryption. Need to fix this, but it's unrelated to this issue.

[mverschu]

No not a reason did not test for changing the first line. So if it both works I think its all good.

[NeffIsBack]

LGTM:

[NeffIsBack]

I can now confirm Google Chrome has implemented a new encryption flag, which breaks Google Chrome (not the other Chromium browsers, only GC) secret decryption. Need to fix this, but it's unrelated to this issue.

Create an issue to track the missing chrome secrets: #1139