{"id":2247,"date":"2019-12-31T20:02:26","date_gmt":"2019-12-31T19:02:26","guid":{"rendered":"http:\/\/labalec.fr\/erwan\/?p=2247"},"modified":"2020-01-03T22:47:52","modified_gmt":"2020-01-03T21:47:52","slug":"nthash-and-dpapi-secrets-2","status":"publish","type":"post","link":"https:\/\/labalec.fr\/erwan\/?p=2247","title":{"rendered":"nthash and dpapi secrets #2"},"content":{"rendered":"

In previous article, we have decrypted user blob\/credentials.
\nThis time lets decrypt system credentials.<\/p>\n

5 steps:
\n-look at the encrypted blob\/credential
\n-look at the encrypted masterkey
\n-retrieve dpapi system key used
\n-decrypt the encrypted masterkey
\n-decrypt the encrypted blob\/credential
\n-conclusion<\/p>\n

1\/look at the encrypted blob\/credential<\/p>\n

System credentials are located here:
\nC:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Credentials<\/p>\n

nthash-win64 \/decodeblob
\n\/binary:C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Credentials\\DFBE70A7E5CC19A398EBF1B96859CE5D<\/strong><\/p>\n

->note the dwFlags:20000000 = system<\/p>\n

\"\"<\/p>\n

2\/look at the encrypted masterkey<\/p>\n

Masterkeys are located here:
\nC:\\Windows\\System32\\Microsoft\\Protect<\/p>\n

NTHASH-win64.exe \/decodemk
\n\/binary:C:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\User\\085027a7-b332-4d46-b9d1-743b668d378d<\/strong><\/p>\n

\"\"<\/p>\n

3\/retrieve dpapi system key used<\/p>\n

Because we are dealing with system blobs\/credentials, and because \u00ab\u00a0system\u00a0\u00bb is not a user, we wont be fetching the sha1 password.
\nRather, we will be using the dpapi system key to decrypt the masterkey.
\nBecause we do this offline, you need the security.sav hive in the same folder as nthash.<\/p>\n

NTHASH-win64.exe \/dumpsecret \/input:dpapi_system \/offline
\nNTHASH 1.7 x64 by erwan2212@gmail.com<\/strong>
\nOffline=true
\nFull:XX3CA961B1DCEB7DF0XXB359D981C1A3EB1D472FXX398A7D34786F8D5FXX52F318A4EDFFAF0
\n2F7XX
\nMachine:XX3CA961B1DCEB7DF0XXB359D981C1A3EB1D472F
\nUser:xx398A7D34786F8D5FXX52F318A4EDFFAF02F7XX<\/p>\n

4\/decrypt the encrypted masterkey<\/p>\n

NTHASH-win64.exe \/decodemk
\n\/binary:C:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\User\\085027a7-b332-4d46-b9d1-743b668d378d
\n\/input:8B398A7D34786F8D5FXX52F318A4EDFFAF02F7XX<\/strong>
\n**** Unprotecting MasterKey ****
\nKEY:4136467C1A3CC9C4BB0495BF639ED57269D10E47A333D6C8E21855E39B697FA1DAEB27EE2B80
\n0CD79362676D5AB79073EC642ADA0FB4E732B82E817812E75C26
\nSHA1:XX9042755B4CA2XX55FFB1F41CEDE6CD17116FXX<\/p>\n

5\/decrypt the encrypted blob\/credential<\/p>\n

nthash-win64 \/decodeblob
\n\/binary:C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Credentials\\DFBE70A7E5CC19A398EBF1B96859CE5D \/input:XX9042755B4CA2XX55FFB1F41CEDE6CD17116FXX<\/strong>
\n**** Decoding Cred Blob ****
\ncredFlags:48
\ncredSize:3170
\nType:1
\nFlags:0
\nLastWritten:31\/10\/2019 16:56:52
\nTargetName:WindowsLive:target=virtualapp\/didlogical
\nunkdata:
\ncomment:PersistedCredential
\ntargetalias:
\nusername:somerandomuser
\nCredentialBlob:somerandomblob<\/p>\n

6\/Conclusion?<\/p>\n

Retrieving the dpapi system is even more trivial compared to retrieving the user password (cleartext or sha1) as it is stored in the registry.
\nAll you need is the blob, the associated masterkey and the dpapi system key stored in the registry.<\/p>\n","protected":false},"excerpt":{"rendered":"

In previous article, we have decrypted user blob\/credentials. This time lets decrypt system credentials. 5 steps: -look at the encrypted blob\/credential -look at the encrypted masterkey -retrieve dpapi system key used -decrypt the encrypted masterkey -decrypt the encrypted blob\/credential -conclusion 1\/look at the encrypted blob\/credential System credentials are located here: C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Credentials nthash-win64 \/decodeblob \/binary:C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Credentials\\DFBE70A7E5CC19A398EBF1B96859CE5D ->note […]<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[118],"tags":[],"class_list":["post-2247","post","type-post","status-publish","format-standard","hentry","category-nthash","category-118-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2247"}],"version-history":[{"count":10,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2247\/revisions"}],"predecessor-version":[{"id":2272,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2247\/revisions\/2272"}],"wp:attachment":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}