Reading DPAPI Encrypted Secrets with Mimikatz and C++
This lab is based on the article posted by harmj0y https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/. The aim is to get a bit more familiar with DPAPI, explore some of the mimikatz capabilities related to DPAPI and also play around with DPAPI in Windows development environment in C++.
Big shout out to @harmj0y for that I constantly find myself landing on his amazing blog posts and @gentilkiwi for giving this world mimikatz.
Overview
DPAPI stands for Data Protection API.
DPAPI for the sake of this lab contains 2 functions - for encrypting (
CryptProtectData
) and decrypting (CryptUnprotectData
) data.Created to help developers that know little about cryptography make their programs better at securing users' data.
Encrypts secrets like wifi passwords, vpn, IE, Chrome, RDP, etc.
Transparent to end users - programs (i.e Chrome use the two APIs) with user's master key which is based on the user's actual logon password.
Reading Chrome Cookies and Login Data
If you have compromised as system and run under a particular user's context, you can decrypt their DPAPI secrets without knowing their logon password easily with mimikatz.
In this case - let's check user's Google Chrome cookies for a currently logged on user:
Or Chrome's saved credentials:
Protecting and Unprotecting Data
Using mimikatz, we can easily encrypt any data that will only be accessible to currently logged on user (unless a bad admin comes by - more on this later):
Let's copy/paste the blob into a new file in HxD and save it as spotless.bin
. To decrypt it while running under mantvydas
user context:
Decrypting Other User's Secrets
If you compromised a system and you see that there are other users on the system, you can attempt reading their secrets, but you will not be able to do so since you do not have their DPAPI master key, yet.
Let's try reading user's spotless
chrome secrets while running as a local admin:
As mentioned, we see an error message suggesting CryptUnprotectData
is having some issues decrypting the requested secrets:
If you escalated privilges, you can try looking for the master key in memory:
We see there is the master key for user spotless
:
Let's now use that master key for spotless
to decrypt those Chrome secrets we could not earlier:
Additionally, note that if the user is not logged on, but you have their password, just spawn a process with their creds and repeat the above steps to retrieve their secrets.
Retrieving MasterKey with User's Password
Same could be achieved if user's SID, their logon password and master key's GUIDs are known:
Extracting DPAPI Backup Keys with Domain Admin
It's possible to extract DPAPI backup keys from the Domain Controller that will enable us to decrypt any user's master key which in turn will allow us to decrypt users' secrets.
While running as a Domain Admin
, let's dump the DPAPI backup keys:
Using the retrieved backup key, let's decrypt user's spotless
master key:
We can now decrypt user's spotless
chrome secrets using their decrypted master key:
Using DPAPIs to Encrypt / Decrypt Data in C++
CryptProtectData
The below code will use CryptProtectData
to encrypt a set of bytes that represent a string spotless
and write the encrypted blob to the file on the disk:
Below is a comparison between the blobs for the data spotless
created with mimikatz and my c++:
We can now try to decrypt our binary blob file using mimikatz as we did earlier with:
We can see the decryption produced the following output:
...which is spotless
, represented in bytes.
CryptUnprotectData
We can now try to decrypt the data blob we created with mimikatz earlier when we encrypted the string spotless
We will use the updated code :
We can see that the decryption was successful:
Decrypting Remote Desktop Connection Manager Passwords from .rdg
It's possible to decrypt passwords from an .rdg file that is used by Remote Desktop Connection Manager and below shows the process.
I have saved one connection to DC01.offense.local
using credentials offense\administrator
with a password 123456
(RDCMan for security reasons show a more than 6 start in the picture) into a file spotless.rdg
:
If we look at he spotless.rdg
, we can see one our admin credentials stored (username in plaintext) and the password in base64:
Let's decode the base64:
Below shows a binary blob from spotless.bin
we played with earlier (top screen) and the decoded base64 string (bottom screen). Note how the first 62 bytes match - this is a clear giveaway that the .rdg password is encrypted using DPAPI:
Let's copy the hex bytes of the decoded base64 string found in spotless.rdg
and save it as a binary file spotless.rdg.bin
and try to decode it using the code we played with earlier:
We can see that we were able to successfully decrypt the RDP password stored in spotless.rdg
:
Same technique could be used to decrypt Chrome's cookies/logins, wifi passwords and whatever else Windows stores encrypted with DPAPI.
Note that this exercise using C++ was possible because DPAPI uses currently logged on user's credentials to encrypt/decrypt the data. If we wanted to decrypt a blob encrypted by another user, we would need to revert to the previous tactics (using mimikatz) since this C++ code does not deal with other users' master keys.
A good way to enumerate DPAPI goodies on a compromised system is to use harmj0y's SeatBelt.
References
Last updated