
"Secrets" of DPAPI. A look at the donkey (Internet Explorer)

Following our last article on decrypting DPAPI blobs, we describe two more cases we had to deal with: passwords saved by the Microsoft IE11 and Edge browsers.

The strategy stays the same: everything is decrypted offline, which means the necessary files have to be collected first.

Depending on the operating system (Windows 7 or newer), saved passwords are found in one of two places.

On Windows 7 it is the registry key

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 

On Windows 8 and later it is the Windows Vault storage.

Note that on Windows 7 the passwords for HTTP Basic authentication are also stored in Windows Vault, so it is worth collecting it in any case.

And, as usual, all of this is encrypted with DPAPI.

Let us now look at the decryption procedure in more detail.

Windows 7 + IE11 (Edge)

As mentioned above, the passwords are stored in the registry hive of the current user as DPAPI blobs encrypted with the user's master key.

There is one important difference: the password is encrypted with additional entropy. The entropy is the URL for which the password was entered, in the form ("https://url"+"\x00").lower().encode("utf-16-le") .

To decrypt the password you must know the full URL; there is no way around it.

So that IE itself can find the right blob, this URL is hashed and the hash is stored in the registry as the name of the value that holds the DPAPI blob.

Consider a small example. For https://rdot.org/forum/ the saved password looks like this:

 A88E21329B5372B856CE238B79D1F28D8EA1FD359D REG_BINARY 01000000D08C9DDF0115D1118C7A00C......BC310C51EE0F9B05D 

where
A88E... is the hashed URL https://rdot.org/forum/
01000000D08C... is the DPAPI blob containing the username and password

The URL hashing algorithm is straightforward. More details about it can be found in the CIA's Vault 7 materials.

In Python it looks like this:

import hashlib

# lowercase the URL and terminate it with a NUL character
url = "https://rdot.org/Forum/".lower() + "\x00"
url_utf_16_le = url.encode("utf-16-le")
sha1obj = hashlib.sha1(url_utf_16_le)
urldigest = sha1obj.digest()

# one-byte checksum: sum of the 20 digest bytes modulo 256
checksum = 0
for abyte in urldigest:
    # Python 3: iterating over bytes yields ints (Python 2 needed ord(abyte))
    checksum = (checksum + abyte) & 0xFF

hash = sha1obj.hexdigest().upper()
cksum = "%02X" % checksum
# SHA-1 hex digest followed by the checksum byte gives the registry value name
reg_value_name = "%s%s" % (hash, cksum)
print(reg_value_name)

The last 50 URLs typed into the address bar are also kept in the registry:

  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\typedurls 

Let us return to the example. Suppose we need to find the saved password for https://rdot.org/forum/ in the registry.

Substituting this URL into the conversion script gives the value

 A88E21329B5372B856CE238B79D1F28D8EA1FD359D 

This is the value name we need to find in the registry:

reg query "HKEY_USERS\<SID>\Software\Microsoft\Internet Explorer\IntelliForms\Storage2"

If such a value is found, its data must be written to a file as raw bytes (that is, the hex string of the value data interpreted as a binary blob) and decrypted as a DPAPI blob using the entropy ("https://rdot.org/forum/".lower() + "\x00").encode("utf-16-le")


For decryption you can use dpapick, after a small change so that the entropy is taken into account.

In the file examples/filegeneric.py the call

  probe.try_decrypt_with_password(options.password, mkp, options.sid) 

is replaced by

 probe.try_decrypt_with_password(options.password, mkp, options.sid, entropy=("https://rdot.org/forum/".lower() + "\x00").encode("utf-16-le")) 

and dpapick is then run as usual:

  ./filegeneric.py --sid <SID> --masterkey <mk dir> --password <..> --inputfile <dpapi blob from registry> 

If the master key is decrypted correctly, the output contains the saved login and password (after a certain amount of service binary data).
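The registry-side part of this procedure, as an added Python 3 example that is not code from the original article or from dpapick: it computes the Storage2 value name and the entropy bytes for a URL (note that both are derived from the same bytes, so the URL is the only thing an examiner needs), pairs the TypedURLs list against a Storage2 dump, pulls out the blob, and reads the blob header to learn which master key file under Protect\<SID>\ the blob was protected with. The `reg query` dumps and the DPAPI blob are constructed inline (a valid blob header with a made-up master key GUID and zero filler where the ciphertext would be), so the script runs offline without any real credentials; the decryption itself is still done with dpapick as shown above. The DPAPI blob header layout used (version, provider GUID, master key version and GUID, flags, description) is the standard one; the article's reported name A88E...9D for https://rdot.org/forum/ is recomputed by the script rather than hard-coded.

```python
import hashlib
import re
import struct
import uuid

# Every DPAPI blob starts with version 1 and this provider GUID; serialised little-endian it is the
# "01000000D08C9DDF0115D1118C7A00C0..." prefix visible in the Storage2 dump above.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")


def ie_entropy(url):
    """Optional entropy IE passes to DPAPI: lowercased URL, NUL-terminated, UTF-16-LE encoded."""
    return (url.lower() + "\x00").encode("utf-16-le")


def storage2_value_name(url):
    """Value name under IntelliForms\\Storage2: upper-case hex SHA-1 of the entropy bytes followed by
    one checksum byte (sum of the 20 digest bytes mod 256). Same input as the entropy, so the URL
    alone gives both the place to look and the extra key material needed for decryption."""
    digest = hashlib.sha1(ie_entropy(url)).digest()
    return "%s%02X" % (digest.hex().upper(), sum(digest) & 0xFF)


REG_VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_SZ|REG_BINARY)\s+(\S+)\s*$")


def parse_reg_query(text):
    """Parse `reg query` output into {value_name: (type, data)}; key headers and blank lines are skipped."""
    values = {}
    for line in text.splitlines():
        m = REG_VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3))
    return values


def typed_urls(reg_text):
    """TypedURLs stores url1..urlN as REG_SZ; return them in numeric order."""
    numbered = []
    for name, (typ, data) in parse_reg_query(reg_text).items():
        m = re.fullmatch(r"url(\d+)", name, re.IGNORECASE)
        if m and typ == "REG_SZ":
            numbered.append((int(m.group(1)), data))
    return [url for _, url in sorted(numbered)]


def parse_dpapi_blob_header(blob):
    """Read the fixed DPAPI blob prefix (version, provider GUID, master key GUID, flags, description).
    The master key GUID is the name of the file under Protect\\<SID>\\ needed to decrypt this blob."""
    if len(blob) < 48:
        raise ValueError("too short for a DPAPI blob")
    version, provider, mk_version, mk_guid, flags, desc_len = struct.unpack_from("<I16sI16sII", blob, 0)
    if version != 1 or uuid.UUID(bytes_le=provider) != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    description = blob[48:48 + desc_len].decode("utf-16-le").rstrip("\x00")
    return {"version": version, "masterkey_version": mk_version, "flags": flags,
            "masterkey_guid": str(uuid.UUID(bytes_le=mk_guid)), "description": description}


def find_saved_credentials(typedurls_text, storage2_text):
    """Pair each typed URL with its Storage2 blob, if any, and collect what an offline decrypt needs:
    URL, value name, raw blob, entropy bytes and the master key GUID."""
    store = parse_reg_query(storage2_text)
    hits = []
    for url in typed_urls(typedurls_text):
        name = storage2_value_name(url)
        if name in store and store[name][0] == "REG_BINARY":
            blob = bytes.fromhex(store[name][1])
            hits.append({"url": url, "value_name": name, "blob": blob, "entropy": ie_entropy(url),
                         "masterkey_guid": parse_dpapi_blob_header(blob)["masterkey_guid"]})
    return hits


# ---- constructed sample input (not real registry content) ----
SAMPLE_MK_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")   # made-up master key GUID


def constructed_blob():
    """DPAPI-shaped blob: valid header, made-up master key GUID, zero filler where ciphertext would be."""
    desc = "constructed".encode("utf-16-le") + b"\x00\x00"
    header = struct.pack("<I16sI16sII", 1, DPAPI_PROVIDER_GUID.bytes_le, 1, SAMPLE_MK_GUID.bytes_le, 0, len(desc))
    return header + desc + b"\x00" * 32


SAMPLE_TYPEDURLS = "\n".join([
    r"HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Internet Explorer\TypedURLs",
    "    url1    REG_SZ    https://rdot.org/Forum/",
    "    url2    REG_SZ    https://example.invalid/login",
])

SAMPLE_STORAGE2 = "\n".join([
    r"HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Internet Explorer\IntelliForms\Storage2",
    "    %s    REG_BINARY    %s" % (storage2_value_name("https://rdot.org/forum/"), constructed_blob().hex().upper()),
    "    0000000000000000000000000000000000000000FF    REG_BINARY    0102030405",   # unrelated entry
])

if __name__ == "__main__":
    for hit in find_saved_credentials(SAMPLE_TYPEDURLS, SAMPLE_STORAGE2):
        print(hit["url"], "->", hit["value_name"])
        print("  entropy    :", hit["entropy"].hex())
        print("  master key :", hit["masterkey_guid"])
```

The match is case-insensitive because both the value name and the entropy are built from the lowercased URL, which is why `https://rdot.org/Forum/` from TypedURLs still finds the entry for `https://rdot.org/forum/`. On a real dump the `masterkey_guid` field tells you which single file from the Protect\<SID>\ directory has to be passed to dpapick; the remaining blob fields (salt, HMAC, ciphertext) are left to dpapick.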

Windows 8.1 and above

On Windows 8 and later, passwords from HTTP forms as well as HTTP Basic authentication are stored in Windows Vault. Conveniently, the full URL of the site the credential belongs to is saved alongside the password.

The Vault itself is encrypted in two stages: the data block is encrypted with AES, and the symmetric key needed to decrypt it is in turn encrypted with DPAPI and saved to a file. The full encryption and decryption algorithm is described in the article by the Zena Forensics team.

They also developed dedicated Windows Vault decryptors based on dpapick (dpapilab). You can take them from the ZF GitHub or download the fork from our GitHub.

The Vault storage is located in the user profile:

 C:\Users\<user>\AppData\Local\Microsoft\Vault\<GUID>\ 

Inside, the .vpol file is a DPAPI blob encrypted with the user's key; it holds the AES key used to decrypt the .vcrd files.

To decrypt Vault you need to run:

 ./vaultdec.py --masterkey <mk dir> --sid <SID> --password <pass> <VAULT DIR> 

Instead of the password, a domain backup key can be used, as shown in the previous article. Note also that if the Credential Roaming policy is enabled for the machine in the domain, the Windows Vault data is also stored in LDAP; you can read about this in our first article about DPAPI.

One more note: for the script to work correctly you will most likely need to install the old Python libraries:

 apt install python-construct.legacy 

Cheat sheet

To decrypt passwords from IE and Edge, and passwords stored in Windows Vault, you need to collect:

the Vault directory

 c:\Users\<user>\AppData\Local\Microsoft\Vault\<GUID>\ 

the directory with the master keys

C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<SID>\

the contents of the registry keys

HKEY_USERS\<SID>\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
HKEY_USERS\<SID>\Software\Microsoft\Internet Explorer\TypedURLs

In addition, you need to know the user's password, or the domain DPAPI backup key in order to decrypt without it.

Source: https://habr.com/ru/post/437390/