In previous articles we have seen how to decrypt dpapi blobs.<\/p>\n
Dpapi blobs are not always stored in file blobs.
\nThey can be stored in different places like registry, config file, etc and in various formats such as hexadecimal string, but also base64 strings, etc.<\/p>\n
Lets have a look at how Windows stores wifi passwords.<\/p>\n
These are stored in xml files in C:\\ProgramData\\Microsoft\\Wlansvc\\Profiles\\Interfaces.
\nYou can easily be found with : dir %programdata% \/s \/a \/b | findstr \/i interfaces.<\/p>\n
When logged as the user, you can decrypt it with the below command :<\/p>\n
NTHASH-win64 \/wlansvc \/binary:C:\\ProgramData\\Microsoft\\Wlansvc\\Profiles\\Interfaces\\{2799BE4D-A2D4-417D-A774-481DBE1FF7FC}\\{98B3A77A-3A5A-44A1-81AE-DDB88A168B24}.xml \/system<\/strong><\/p>\n Good news is that we can also decrypt it these offline.<\/p>\n Run the above command. From there (and using the same steps as in this article<\/a>): In previous articles we have seen how to decrypt dpapi blobs. Dpapi blobs are not always stored in file blobs. They can be stored in different places like registry, config file, etc and in various formats such as hexadecimal string, but also base64 strings, etc. Lets have a look at how Windows stores wifi passwords. […]<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2276","post","type-post","status-publish","format-standard","hentry","category-uncategorized","category-1-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2276","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2276"}],"version-history":[{"count":8,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2276\/revisions"}],"predecessor-version":[{"id":2287,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2276\/revisions\/2287"}],"wp:attachment":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2276"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2276"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nNTHASH will tell you that it failed to decrypt it BUT it will dump the blob to data.blob.<\/p>\n
\n-use \/decodeblob<\/strong> to identify the masterkey guid
\n-use \/decodemk<\/strong> to decrypt the masterkey (locate it with dir %systemroot%\\System32\\Microsoft\\Protect \/s \/a \/b | findstr \/i myguid<\/em>) using the dpapi system key.
\n-use \/decodeblob<\/strong> again but this time supplying the SHA1 key obtained in previous step
\n-done \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"