"Secrets" DPAPI. Look at the donkey

    In addition to our last article on decrypting DPAPI blobs, we’ll tell you about two more cases we had to face. It will be about saved passwords in MS IE11 and Edge browsers.

    The strategy remains the same - we will decipher everything in offline mode. For this you need to pick up the necessary files.

    Depending on the operating system (Windows 7 or higher), saved passwords should be searched in two places:

    In the case of Windows 7, this is the registry branch

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

    In the case of Windows 8 and higher - the storage of Windows Vault.

    It should also be noted that on Windows 7, http basic authorization passwords are also stored in the Windows Vault, so it will not hurt to pick it up anyway.

    Well, according to the good old tradition - all this is of course encrypted through DPAPI mechanisms.

    Now consider the decryption algorithm in more detail.

    Windows 7 + IE11 (Edge)

    As mentioned above, passwords are stored in the registry of the current user and are DPAPI blobs encrypted with the user's master key.

    But there is an important difference - when encrypting a password, entropy is applied. Entropy is the URL by which the password is entered in the format ("https://url"+"\x00").lower().encode("utf-16-le").

    To decrypt the password you need to know the full URL! No other way.

    But so that IE himself knows how to decrypt the password - this URL is hashed and stored in the registry as the key name with the DPAPI-blob.

    Consider a small example. For the site, the https://rdot.org/forum/saved password will look like this:

    A88E21329B5372B856CE238B79D1F28D8EA1FD359D    REG_BINARY    01000000D08C9DDF0115D1118C7A00C......BC310C51EE0F9B05D

    A88 ... is the hashed URL https://rdot.org/forum/
    01000000D08C ... - DPAPI blob containing the username and password

    The URL hashing algorithm is straightforward. More information about him can be read in the CIA-shnyh developments Vault7 .

    On python, it looks like this:

    import hashlib
    url = "https://rdot.org/Forum/".lower() + "\x00"
    url_utf_16_le = url.encode("utf-16-le")
    sha1obj = hashlib.sha1(url_utf_16_le)
    urldigest = sha1obj.digest()
    checksum = 0
    for abyte in urldigest:
       checksum = (checksum + (ord(abyte))) & 0xFF
    hash = sha1obj.hexdigest().upper()
    cksum = "%02X" % checksum
    reg_value_name = "%s%s" % (hash, cksum)
    print reg_value_name

    The list of the last 50 entered URLs can also be found in the registry:

     HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\typedurls 

    Let's go back to the example. Suppose we need to find in the registry a saved password from https://rdot.org/forum/.

    Substituting the value of the URL in the conversion script - we get the value


    The key with this name we need to find in the registry

    req query "HKEY_USERS\<SID>\Software\Microsoft\Internet Explorer\IntelliForms\Storage2"

    If such a key is found, it must be copied to the file as hex values ​​(that is, interpreted as the key value as hex blob) and decrypted as DPAPI-blob using entropy: To decrypt, you can use dpapick, making the appropriate changes to account for entropy in decoding. In the examples / filegeneric.py file, the function call("https://rdot.org/forum/".lower() + "\x00").encode("utf-16-le")

     probe.try_decrypt_with_password(options.password, mkp, options.sid)

    replaced by

    probe.try_decrypt_with_password(options.password, mkp, options.sid, entropy=("https://rdot.org/forum/".lower() + "\x00").encode("utf-16-le"))

    and then call dpapick as usual:

     ./filegeneric.py --sid <SID> --masterkey <mkdir> --password <..> --inputfile <dpapiblobfromregistry>

    If the master key is decrypted correctly, then at the output we will get the saved login and password (after a certain amount of service binary data).

    Windows 8.1 and above

    In the case of saving passwords on Win8 and higher, passwords from http forms, as well as http basic authorization, are stored in Windows Vault. And what is good - along with the password, the full URL of the site to which it fits is saved.

    Vault itself is encrypted in two steps - first, the entire data block is encrypted with AES, and the symmetric key for decryption is encrypted with DPAPI and saved to a file. The full encryption-decryption algorithm is described in the article by the guys from Zena Forensics .

    They also developed special decryptors for Windows Vault based on dpapick (dpapilab). You can take them on the ZF gith or download the fork from our github .

    The Vault repository is located in the user profile:


    Inside a .vpol file is a DPAPI blob, encrypted with a user's key, and storing an AES-key to decrypt .vcrd

    To decrypt the Vault, you need to run:

    ./vaultdec.py --masterkey <mk dir> --sid <SID> --password <pass>  <VAULT DIR>

    Instead of a password, you can use a domain key, as shown in the previous article . It should also be noted that if the Credential Roaming policy is enabled on the machine in the domain, then the Windows Vault data will be stored in ldap. You can read about this in our first article about DPAPI.

    A small addition: for the script to work correctly, you will most likely need to install the old Python libs:

    apt install python-construct.legacy


    To decrypt passwords from IE, Edge and passwords stored in Windows, you need to pick up: a

    directory with Vault


    directory with master keys


    registry key contents

    HKEY_USERS\<SID>\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 
    HKEY_USERS>\<SID>\Software\Microsoft\Internet Explorer\typedurls

    In addition, you need to know the user's password or domain dpapi backup-key to decrypt without a password.

    Also popular now: