"Secrets" DPAPI. Look at the donkey
In addition to our last article on decrypting DPAPI blobs, we’ll tell you about two more cases we had to face. It will be about saved passwords in MS IE11 and Edge browsers.
The strategy remains the same - we will decipher everything in offline mode. For this you need to pick up the necessary files.
Depending on the operating system (Windows 7 or higher), saved passwords should be searched in two places:
In the case of Windows 7, this is the registry branch
In the case of Windows 8 and higher - the storage of Windows Vault.
It should also be noted that on Windows 7, http basic authorization passwords are also stored in the Windows Vault, so it will not hurt to pick it up anyway.
Well, according to the good old tradition - all this is of course encrypted through DPAPI mechanisms.
Now consider the decryption algorithm in more detail.
As mentioned above, passwords are stored in the registry of the current user and are DPAPI blobs encrypted with the user's master key.
But there is an important difference - when encrypting a password, entropy is applied. Entropy is the URL by which the password is entered in the format
To decrypt the password you need to know the full URL! No other way.
But so that IE himself knows how to decrypt the password - this URL is hashed and stored in the registry as the key name with the DPAPI-blob.
Consider a small example. For the site, the
where
A88 ... is the hashed URL
01000000D08C ... - DPAPI blob containing the username and password
The URL hashing algorithm is straightforward. More information about him can be read in the CIA-shnyh developments Vault7 .
On python, it looks like this:
The list of the last 50 entered URLs can also be found in the registry:
Let's go back to the example. Suppose we need to find in the registry a saved password from
Substituting the value of the URL in the conversion script - we get the value
The key with this name we need to find in the registry
If such a key is found, it must be copied to the file as hex values (that is, interpreted as the key value as hex blob) and decrypted as DPAPI-blob using entropy: To decrypt, you can use dpapick, making the appropriate changes to account for entropy in decoding. In the examples / filegeneric.py file, the function call
replaced by
and then call dpapick as usual:
If the master key is decrypted correctly, then at the output we will get the saved login and password (after a certain amount of service binary data).
In the case of saving passwords on Win8 and higher, passwords from http forms, as well as http basic authorization, are stored in Windows Vault. And what is good - along with the password, the full URL of the site to which it fits is saved.
Vault itself is encrypted in two steps - first, the entire data block is encrypted with AES, and the symmetric key for decryption is encrypted with DPAPI and saved to a file. The full encryption-decryption algorithm is described in the article by the guys from Zena Forensics .
They also developed special decryptors for Windows Vault based on dpapick (dpapilab). You can take them on the ZF gith or download the fork from our github .
The Vault repository is located in the user profile:
Inside a .vpol file is a DPAPI blob, encrypted with a user's key, and storing an AES-key to decrypt .vcrd
To decrypt the Vault, you need to run:
Instead of a password, you can use a domain key, as shown in the previous article . It should also be noted that if the Credential Roaming policy is enabled on the machine in the domain, then the Windows Vault data will be stored in ldap. You can read about this in our first article about DPAPI.
A small addition: for the script to work correctly, you will most likely need to install the old Python libs:
To decrypt passwords from IE, Edge and passwords stored in Windows, you need to pick up: a
directory with Vault
directory with master keys
registry key contents
In addition, you need to know the user's password or domain dpapi backup-key to decrypt without a password.
The strategy remains the same - we will decipher everything in offline mode. For this you need to pick up the necessary files.
Depending on the operating system (Windows 7 or higher), saved passwords should be searched in two places:
In the case of Windows 7, this is the registry branch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2In the case of Windows 8 and higher - the storage of Windows Vault.
It should also be noted that on Windows 7, http basic authorization passwords are also stored in the Windows Vault, so it will not hurt to pick it up anyway.
Well, according to the good old tradition - all this is of course encrypted through DPAPI mechanisms.
Now consider the decryption algorithm in more detail.
Windows 7 + IE11 (Edge)
As mentioned above, passwords are stored in the registry of the current user and are DPAPI blobs encrypted with the user's master key.
But there is an important difference - when encrypting a password, entropy is applied. Entropy is the URL by which the password is entered in the format
("https://url"+"\x00").lower().encode("utf-16-le"). To decrypt the password you need to know the full URL! No other way.
But so that IE himself knows how to decrypt the password - this URL is hashed and stored in the registry as the key name with the DPAPI-blob.
Consider a small example. For the site, the
https://rdot.org/forum/saved password will look like this:A88E21329B5372B856CE238B79D1F28D8EA1FD359D REG_BINARY 01000000D08C9DDF0115D1118C7A00C......BC310C51EE0F9B05Dwhere
A88 ... is the hashed URL
https://rdot.org/forum/01000000D08C ... - DPAPI blob containing the username and password
The URL hashing algorithm is straightforward. More information about him can be read in the CIA-shnyh developments Vault7 .
On python, it looks like this:
import hashlib
url = "https://rdot.org/Forum/".lower() + "\x00"
url_utf_16_le = url.encode("utf-16-le")
sha1obj = hashlib.sha1(url_utf_16_le)
urldigest = sha1obj.digest()
checksum = 0
len(urldigest)
for abyte in urldigest:
checksum = (checksum + (ord(abyte))) & 0xFF
hash = sha1obj.hexdigest().upper()
cksum = "%02X" % checksum
reg_value_name = "%s%s" % (hash, cksum)
print reg_value_nameThe list of the last 50 entered URLs can also be found in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\typedurls Let's go back to the example. Suppose we need to find in the registry a saved password from
https://rdot.org/forum/. Substituting the value of the URL in the conversion script - we get the value
A88E21329B5372B856CE238B79D1F28D8EA1FD359DThe key with this name we need to find in the registry
req query "HKEY_USERS\<SID>\Software\Microsoft\Internet Explorer\IntelliForms\Storage2"If such a key is found, it must be copied to the file as hex values (that is, interpreted as the key value as hex blob) and decrypted as DPAPI-blob using entropy: To decrypt, you can use dpapick, making the appropriate changes to account for entropy in decoding. In the examples / filegeneric.py file, the function call
("https://rdot.org/forum/".lower() + "\x00").encode("utf-16-le")
probe.try_decrypt_with_password(options.password, mkp, options.sid)replaced by
probe.try_decrypt_with_password(options.password, mkp, options.sid, entropy=("https://rdot.org/forum/".lower() + "\x00").encode("utf-16-le"))and then call dpapick as usual:
./filegeneric.py --sid <SID> --masterkey <mkdir> --password <..> --inputfile <dpapiblobfromregistry>If the master key is decrypted correctly, then at the output we will get the saved login and password (after a certain amount of service binary data).
Windows 8.1 and above
In the case of saving passwords on Win8 and higher, passwords from http forms, as well as http basic authorization, are stored in Windows Vault. And what is good - along with the password, the full URL of the site to which it fits is saved.
Vault itself is encrypted in two steps - first, the entire data block is encrypted with AES, and the symmetric key for decryption is encrypted with DPAPI and saved to a file. The full encryption-decryption algorithm is described in the article by the guys from Zena Forensics .
They also developed special decryptors for Windows Vault based on dpapick (dpapilab). You can take them on the ZF gith or download the fork from our github .
The Vault repository is located in the user profile:
C:\Users\<user>\AppData\Local\Microsoft\Vault\<GUID>\Inside a .vpol file is a DPAPI blob, encrypted with a user's key, and storing an AES-key to decrypt .vcrd
To decrypt the Vault, you need to run:
./vaultdec.py --masterkey <mk dir> --sid <SID> --password <pass> <VAULT DIR>Instead of a password, you can use a domain key, as shown in the previous article . It should also be noted that if the Credential Roaming policy is enabled on the machine in the domain, then the Windows Vault data will be stored in ldap. You can read about this in our first article about DPAPI.
A small addition: for the script to work correctly, you will most likely need to install the old Python libs:
apt install python-construct.legacyCrib
To decrypt passwords from IE, Edge and passwords stored in Windows, you need to pick up: a
directory with Vault
c:\Users\<user>\AppData\Local\Microsoft\Vault\<GUID>\directory with master keys
c:\Users\<user>\AppData\roaming\microsoft\Protect\<SID>\registry key contents
HKEY_USERS\<SID>\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
HKEY_USERS>\<SID>\Software\Microsoft\Internet Explorer\typedurlsIn addition, you need to know the user's password or domain dpapi backup-key to decrypt without a password.