DPAPI (Data Protection API)
Overview
- Perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy
- Can be stored in .xml files but may also be stored in .bin files
- A blob typically starts with this set of standard bytes:
01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB
Relationship between different Windows security mechanisms
Decryption Overview
Decrypting DPAPI Blob using passcape
Enter the blob. I got the blob by converting the content of the xml file into a bin file, then transferring it to the Windows 10 VM.
# From attacker
cat admin-pass.xml | xxd -r -p > blob.bin
At this point, the software automatically detects the master key GUID to use. I also transferred the victim's CREDHIST file to my Windows 10 VM.
Then I needed to get the user SID from the mimikatz output. The password, well, I got it from the registry.
Unfortunately, I only have a trial version of the program, so it only showed the first 10 characters of the decrypted data.
But this is a good thing, because at least now I know there is a way to recover some data from the DPAPI blob. I was also able to validate which master key GUID and CREDHIST correspond to the blob.
Next question is, what alternative tool can I use?
- blob - The Hacker Tools - this doesn’t work
- Gotcha! from here
.\SharpDPAPI.exe blob /target:blob.bin '{98fafef2-d8a0-4b4f-917d-d8a1f5889c81}:DB6A7CB1AE10BFD70EA9BD8A4D10608A08D0969F'
Mimikatz Commands
# Shows structure of blob
dpapi::blob /in:blob.bin
Master Key Characteristics
Here is an example from the HTB Helpline mimikatz output:
# This GUID is also the filename you will see under
# `AppData\Roaming\Microsoft\Protect`
* GUID : {98fafef2-d8a0-4b4f-917d-d8a1f5889c81}
# The actual key, in long (hex) format.
* MasterKey : daae4d9c34452f4bc6a17ccf4d87c369a15fcd5f81be5fc7211721a321f309392578ec1c225647cc2048d90854c7d94224cde619e23e04a0dbbaddb19efdf305
# SHA1 hash of the key (this is the value SharpDPAPI takes after the GUID).
* sha1(key) : db6a7cb1ae10bfd70ea9bd8a4d10608a08d0969f
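As an added example (written for these notes, not code from the page or from any of the tools listed here), the following Python parses the DPAPI blob header described in the overview: it checks the standard leading bytes and pulls out the master key GUID, which is what tells you which file under `AppData\Roaming\Microsoft\Protect\<SID>` a blob depends on. The field layout follows the public CRYPTPROTECT blob format; the sample blob is constructed, reusing the master key GUID from the notes above around dummy ciphertext.

```python
import struct
import uuid

# Every DPAPI blob opens with dwVersion = 1 followed by the fixed DPAPI provider
# GUID; these 20 bytes are the "standard bytes" listed in the overview above.
DPAPI_MAGIC = struct.pack("<I", 1) + uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb").bytes_le
ALG_NAMES = {0x6610: "CALG_AES_256", 0x6603: "CALG_3DES", 0x800E: "CALG_SHA_512", 0x8004: "CALG_SHA1"}

def looks_like_dpapi_blob(buf):
    """Cheap magic check, e.g. when carving blobs out of a file or memory dump."""
    return buf[:20] == DPAPI_MAGIC

def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4

def _len_prefixed(buf, off):
    n, off = _u32(buf, off)
    return buf[off:off + n], off + n

def parse_dpapi_blob(blob):
    """Walk the header; masterkey_guid names the key file under Microsoft\\Protect\\<SID>\\."""
    if not looks_like_dpapi_blob(blob):
        raise ValueError("missing DPAPI magic header")
    mk_version, off = _u32(blob, 20)
    mk_guid = uuid.UUID(bytes_le=blob[off:off + 16])
    flags, off = _u32(blob, off + 16)
    desc, off = _len_prefixed(blob, off)            # UTF-16LE, NUL-terminated
    alg_crypt, off = _u32(blob, off)
    _crypt_bits, off = _u32(blob, off)              # cipher key length in bits
    salt, off = _len_prefixed(blob, off)
    _hmac_key, off = _len_prefixed(blob, off)       # legacy field, normally empty
    alg_hash, off = _u32(blob, off)
    _hash_bits, off = _u32(blob, off)
    _hmac2_key, off = _len_prefixed(blob, off)
    data, off = _len_prefixed(blob, off)            # the ciphertext
    sign, off = _len_prefixed(blob, off)            # HMAC over header and data
    return {"masterkey_guid": "{%s}" % mk_guid, "masterkey_version": mk_version, "flags": flags,
            "description": desc.decode("utf-16-le").rstrip("\x00"),
            "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
            "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
            "salt_len": len(salt), "data_len": len(data), "sign_len": len(sign)}

def build_sample_blob(mk_guid, description, data_len=32):
    """Constructed test input only: a well-formed header around dummy ciphertext."""
    desc = (description + "\x00").encode("utf-16-le")
    fields = [DPAPI_MAGIC, struct.pack("<I", 1), uuid.UUID(mk_guid).bytes_le,
              struct.pack("<II", 0, len(desc)), desc,                                # flags, description
              struct.pack("<II", 0x6610, 256), struct.pack("<I", 32), b"\x11" * 32,  # AES-256, salt
              struct.pack("<I", 0), struct.pack("<II", 0x800E, 512), struct.pack("<I", 0),
              struct.pack("<I", data_len), b"\x22" * data_len, struct.pack("<I", 64), b"\x33" * 64]
    return b"".join(fields)
```

Running `parse_dpapi_blob(open("blob.bin", "rb").read())` on the blob from the walkthrough should report the same `{98fafef2-...}` GUID that passcape auto-detected, without needing the password or CREDHIST at all.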
Tools
- GitHub - login-securite/DonPAPI: Dumping DPAPI credz remotely - looks unstable, I always get an EAccessViolation error
- GitHub - GhostPack/SharpDPAPI: SharpDPAPI is a C# port of some Mimikatz DPAPI functionality.
- GitHub - jordanbtucker/dpapick: DPAPI offline decryption utility
- GitHub - AlessandroZ/LaZagne: Credentials recovery project