Reading DPAPI Encrypted Secrets with Mimikatz and C++
Last updated
Last updated
This lab is based on the article posted by harmj0y https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/. The aim is to get a bit more familiar with DPAPI, explore some of the mimikatz capabilities related to DPAPI and also play around with DPAPI in Windows development environment in C++.
Big shout out to @harmj0y for that I constantly find myself landing on his amazing blog posts and @gentilkiwi for giving this world mimikatz.
DPAPI stands for Data Protection API.
DPAPI for the sake of this lab contains 2 functions - for encrypting (CryptProtectData) and decrypting (CryptUnprotectData) data.
Created to help developers that know little about cryptography make their programs better at securing users' data.
Encrypts secrets like wifi passwords, vpn, IE, Chrome, RDP, etc.
Transparent to end users - programs (i.e Chrome use the two APIs) with user's master key which is based on the user's actual logon password.
If you have compromised as system and run under a particular user's context, you can decrypt their DPAPI secrets without knowing their logon password easily with mimikatz.
In this case - let's check user's Google Chrome cookies for a currently logged on user:
Or Chrome's saved credentials:
Using mimikatz, we can easily encrypt any data that will only be accessible to currently logged on user (unless a bad admin comes by - more on this later):
Let's copy/paste the blob into a new file in HxD and save it as spotless.bin. To decrypt it while running under mantvydas user context:
If you compromised a system and you see that there are other users on the system, you can attempt reading their secrets, but you will not be able to do so since you do not have their DPAPI master key, yet.
Let's try reading user's spotless chrome secrets while running as a local admin:
As mentioned, we see an error message suggesting CryptUnprotectData is having some issues decrypting the requested secrets:
If you escalated privilges, you can try looking for the master key in memory:
We see there is the master key for user spotless:
Let's now use that master key for spotless to decrypt those Chrome secrets we could not earlier:
Additionally, note that if the user is not logged on, but you have their password, just spawn a process with their creds and repeat the above steps to retrieve their secrets.
Same could be achieved if user's SID, their logon password and master key's GUIDs are known:
It's possible to extract DPAPI backup keys from the Domain Controller that will enable us to decrypt any user's master key which in turn will allow us to decrypt users' secrets.
While running as a Domain Admin, let's dump the DPAPI backup keys:
Using the retrieved backup key, let's decrypt user's spotless master key:
We can now decrypt user's spotless chrome secrets using their decrypted master key:
The below code will use CryptProtectData to encrypt a set of bytes that represent a string spotlessand write the encrypted blob to the file on the disk:
Below is a comparison between the blobs for the data spotless created with mimikatz and my c++:
We can now try to decrypt our binary blob file using mimikatz as we did earlier with:
We can see the decryption produced the following output:
...which is spotless, represented in bytes.
We can now try to decrypt the data blob we created with mimikatz earlier when we encrypted the string spotless
We will use the updated code :
We can see that the decryption was successful:
It's possible to decrypt passwords from an .rdg file that is used by Remote Desktop Connection Manager and below shows the process.
I have saved one connection to DC01.offense.local using credentials offense\administrator with a password 123456 (RDCMan for security reasons show a more than 6 start in the picture) into a file spotless.rdg:
If we look at he spotless.rdg, we can see one our admin credentials stored (username in plaintext) and the password in base64:
Let's decode the base64:
Below shows a binary blob from spotless.bin we played with earlier (top screen) and the decoded base64 string (bottom screen). Note how the first 62 bytes match - this is a clear giveaway that the .rdg password is encrypted using DPAPI:
Let's copy the hex bytes of the decoded base64 string found in spotless.rdg and save it as a binary file spotless.rdg.bin and try to decode it using the code we played with earlier:
We can see that we were able to successfully decrypt the RDP password stored in spotless.rdg:
Same technique could be used to decrypt Chrome's cookies/logins, wifi passwords and whatever else Windows stores encrypted with DPAPI.
Note that this exercise using C++ was possible because DPAPI uses currently logged on user's credentials to encrypt/decrypt the data. If we wanted to decrypt a blob encrypted by another user, we would need to revert to the previous tactics (using mimikatz) since this C++ code does not deal with other users' master keys.
A good way to enumerate DPAPI goodies on a compromised system is to use harmj0y's SeatBelt.
