In previous articles about lateral movement, we have mostly used \u00ab\u00a0live\u00a0\u00bb scenarios where we would either run as the victim user or we would dump secrets from (lsass) memory.<\/p>\n
This time, lets look at dpapi secrets in \u00ab\u00a0offline\u00a0\u00bb scenarios.<\/p>\n
About DPAPI, see wikipedia<\/a>.<\/p>\n DPAPI (Data Protection Application Programming Interface) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy.<\/em><\/p>\n DPAPI secrets are made of : To decrypt a masterkey (and therefore a blob), you need the below: In the next 3 (+1) articles, we will see how to decrypt dpapi secrets.<\/p>\n Before doing so, I recommend reading this article<\/a>.<\/p>\n Also, most part of the knowledge and coding is greatly (understatement here) inspired by the excellent work (another understatement) from Gentilwiki and Mimikatz<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" In previous articles about lateral movement, we have mostly used \u00ab\u00a0live\u00a0\u00bb scenarios where we would either run as the victim user or we would dump secrets from (lsass) memory. This time, lets look at dpapi secrets in \u00ab\u00a0offline\u00a0\u00bb scenarios. About DPAPI, see wikipedia. DPAPI (Data Protection Application Programming Interface) is a simple cryptographic application programming […]<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[118],"tags":[],"class_list":["post-2228","post","type-post","status-publish","format-standard","hentry","category-nthash","category-118-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2228","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2228"}],"version-history":[{"count":6,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2228\/revisions"}],"predecessor-version":[{"id":2270,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2228\/revisions\/2270"}],"wp:attachment":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2228"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2228"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2228"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n-a blob containing encrypted data, linked to a masterkey (used to decrypt the blob)
\n-a masterkey containing one (or several) encrypted key(s)<\/p>\n
\n-non-domain context: SID AND user password (when the masterkey was created) SHA1 hash
\n-domain context: SID AND user password (when the masterkey was created) NTLM hash
\n-local computer: DPAPI_SYSTEM secret (COMPUTER or USER part)<\/p>\n