Jan 032020
 

In previous articles, we have seen how to decrypt user blobs and system blobs.

Lets now have a look at machine blobs : a blob which can be decrypted by any user provided it is decrypted on the same machine – as opposed to user blobs which can only be decrypted by the user.

5 steps:
-lets encrypt a blob
-lets decode the encrypted machine blob
-lets retrieve the dpapy system key & decrypt the masterkey
-lets decrypt the encrypted machine blob
-conclusion

1/lets encrypt a blob

Lets encrypt a string = password

NTHASH-win64.exe /cryptprotectdata /input:password /mode:MACHINE

2/lets decode the encrypted machine blob

NTHASH-win64.exe /decodeblob /data.blob

->note dwflags=4=machine

3/lets retrieve the dpapy system key & decrypt the masterkey

NTHASH-win64.exe /dumpsecret /input:dpapi_system /system
NTHASH 1.7 x64 by erwan2212@gmail.com
Impersonate:Syst?me
Full:xx3CA961B1DCExxDF06CB359D981C1A3EB1D47xxxx398A7D34786F8DxxC152F318A4EDFFAxx
2F73F
Machine:xx3CA961B1DCExxDF06CB359D981C1A3EB1D47xx
User:xx398A7D34786F8DxxC152F318A4EDFFAF02F7xx

NTHASH-win64.exe /decodemk
/binary:C:\Windows\System32\Microsoft\Protect\S-1-5-18\90d6942d-4f31-4638-b756-d11efa906e52
/input:xx398A7D34786F8DxxC152F318A4EDFFAF02F7xx

**** Unprotecting MasterKey ****
KEY:xx99D247D53699114CA06378DB77E4xxDD08A6BABBDB5277EB59C8309DBA8AA8B2D4C7990052
5F2FEE3909AC3894931093DxxD4BED96484791E2DCF512EB38E7
SHA1:xx017C46F5651Bxx27831F87050694FAD1B4DBxx

4/lets decrypt the encrypted machine blob

nthash-win64 /decodeblob /binary:data.blob /input:54017C46F5651B9627831F87050694FAD1B4DB31
NTHASH 1.7 x64 by erwan2212@gmail.com
**** Unprotecting Blob ****
Blob:70617373776F7264

70617373776F7264 is hexa form of password

5/conclusion

Similar to system blobs, once you have the dpapi system key, it is rather trivial to decrypt such blob.
Furthermore, it is not recommanded to use machine blobs to store secrets as any user on that machine will be able to decrypt it.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.