{"id":2267,"date":"2020-01-03T22:22:40","date_gmt":"2020-01-03T21:22:40","guid":{"rendered":"http:\/\/labalec.fr\/erwan\/?p=2267"},"modified":"2020-01-03T22:37:40","modified_gmt":"2020-01-03T21:37:40","slug":"nthash-and-dpapi-secrets-bonus","status":"publish","type":"post","link":"https:\/\/labalec.fr\/erwan\/?p=2267","title":{"rendered":"nthash and dpapi secrets : bonus"},"content":{"rendered":"

In previous articles we have seen how to decrypt dpapi blobs.<\/p>\n

What about chrome?
\nIt uses user dpapi blobs to encrypt password in a sqlite db.
\nSo following previous articles, nothing prevents one to decrypt a chrome db offline.<\/p>\n

3 steps:
\n-retrieve the scrambled passwords along with the masterkey guid
\n-decrypt the masterkey
\n-retrieve the decrypted passwords with the decrypted masterkey<\/p>\n

1\/retrieve the scrambled passwords along with the masterkey guid<\/p>\n

nthash-win64 \/chrome \/binary:C:\\temp\\login data \/input:0000000000000000000000000000000000000000<\/strong><\/p>\n

2\/decrypt the masterkey (identified by its guid in previous steps)
\nSee previous article<\/a> for more details about this steps.<\/p>\n

NTHASH-win64.exe \/decodemk \/binary:C:\\Users\\erwan\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-242
\n7513087-2265021005-1965656450-1001\\ae222549-867a-4269-b29f-49500e8842c8 \/input:xxE0CExx8C9903BxxDC5F1D8190xx33CF7C3DBxx<\/strong>
\nNTHASH 1.7 x64 by erwan2212@gmail.com
\n**** Unprotecting MasterKey ****
\nKEY:83D3D812E50FABxx83DA070D6C566DxxE3248A1AD873AxxD222F6B41342xx0EEBD790388FE2A
\n21680A081723AA0C7B39EFxx5B16BB5xx48B94714xx38F1F5383
\nSHA1:xx920930CFB2A1CExxF9CB52153025535F548Fxx<\/p>\n

3\/retrieve the decrypted passwords with the decrypted masterkey<\/p>\n

nthash-win64 \/chrome \/binary:C:\\temp\\login data \/input:xx920930CFB2A1CExxF9CB52153025535F548Fxx<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

In previous articles we have seen how to decrypt dpapi blobs. What about chrome? It uses user dpapi blobs to encrypt password in a sqlite db. So following previous articles, nothing prevents one to decrypt a chrome db offline. 3 steps: -retrieve the scrambled passwords along with the masterkey guid -decrypt the masterkey -retrieve the […]<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[118],"tags":[],"class_list":["post-2267","post","type-post","status-publish","format-standard","hentry","category-nthash","category-118-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2267","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2267"}],"version-history":[{"count":2,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2267\/revisions"}],"predecessor-version":[{"id":2271,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2267\/revisions\/2271"}],"wp:attachment":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2267"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}