DPAPI - Extracting Passwords
RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
What is DPAPI
The Data Protection API (DPAPI) is primarily utilized within the Windows operating system for the symmetric encryption of asymmetric private keys, leveraging either user or system secrets as a significant source of entropy. This approach simplifies encryption for developers by enabling them to encrypt data using a key derived from the user's logon secrets or, for system encryption, the system's domain authentication secrets, thus obviating the need for developers to manage the protection of the encryption key themselves.
Protected Data by DPAPI
Among the personal data protected by DPAPI are:
Internet Explorer and Google Chrome's passwords and auto-completion data
E-mail and internal FTP account passwords for applications like Outlook and Windows Mail
Passwords for shared folders, resources, wireless networks, and Windows Vault, including encryption keys
Passwords for remote desktop connections, .NET Passport, and private keys for various encryption and authentication purposes
Network passwords managed by Credential Manager and personal data in applications using CryptProtectData, such as Skype, MSN messenger, and more
List Vault
Credential Files
The credentials files protected could be located in:
Get credentials info using mimikatz dpapi::cred, in the response you can find interesting info such as the encrypted data and the guidMasterKey.
You can use mimikatz module dpapi::cred with the appropiate /masterkey to decrypt:
Master Keys
The DPAPI keys used for encrypting the user's RSA keys are stored under %APPDATA%\Microsoft\Protect\{SID} directory, where {SID} is the Security Identifier of that user. The DPAPI key is stored in the same file as the master key that protects the users private keys. It usually is 64 bytes of random data. (Notice that this directory is protected so you cannot list it usingdir from the cmd, but you can list it from PS).
This is what a bunch of Master Keys of a user will looks like:
Usually each master keys is an encrypted symmetric key that can decrypt other content. Therefore, extracting the encrypted Master Key is interesting in order to decrypt later that other content encrypted with it.
Extract master key & decrypt
Check the post https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++ for an example of how to extract the master key and decrypt it.
SharpDPAPI
SharpDPAPI is a C# port of some DPAPI functionality from @gentilkiwi's Mimikatz project.
HEKATOMB
HEKATOMB is a tool that automates the extraction of all users and computers from the LDAP directory and the extraction of domain controller backup key through RPC. The script will then resolve all computers ip address and perform a smbclient on all computers to retrieve all DPAPI blobs of all users and decrypt everything with domain backup key.
python3 hekatomb.py -hashes :ed0052e5a66b1c8e942cc9481a50d56 DOMAIN.local/administrator@10.0.0.1 -debug -dnstcp
With extracted from LDAP computers list you can find every sub network even if you didn't know them !
"Because Domain Admin rights are not enough. Hack them all."
DonPAPI
DonPAPI can dump secrets protected by DPAPI automatically.
References
RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
Last updated
