killchain-compendium/Exploits/Windows/DPAPI.md

28 lines
1.7 KiB
Markdown
Raw Normal View History

2022-11-13 22:38:01 +01:00
# DPAPI
* [Jarno Baselier](https://jarnobaselier-nl.translate.goog/crack-dpapi-met-cqure-cqtools/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=nui)
* [Insecurity's take](https://www.insecurity.be/blog/2020/12/24/dpapi-in-depth-with-tooling-standalone-dpapi/#The_DPAPILAB-NG_Toolset)
* [tinyapps' replace and recover domian cached credentials](https://tinyapps.org/docs/domain-cached-credentials.html)
* [ired's reading dpapi encrypted secrets with mimikatz and c++](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++)
## Tools
* [tjldeneut's dpaping-lab](https://github.com/tijldeneut/dpapilab-ng.git)
* [BlackDiverX's unpacked cqtools]( https://github.com/BlackDiverX/cqtools)
* Use [CQTools](https://github.com/paulacqure/CQTools.git) with care, __CQMasterKeyAD.exe__ does not work correctly. It will drive you mad. Here is the workaround
Pressuposition is, you want to decrypt a blob with a masterkey, e.g. Keepass which is saved with windows logon DPAPI
* Get the pvk backup key from the DC via mimikatz
* Get the entropy via `CQTools/CQDPAPIKeePassDecryptor/CQDPAPIKeePassDBDecryptor.exe`
* Get the encrypted blob
* Get the user's Masterkey under `C:\users\<user>\AppData\Roaming\Microsoft\Protect\<SID>\`
* Use dpapilab-ng's `keepassdec.py`
```sh
./keepassdec.py --masterkey=path/to/masterkey/ -k /path/to/backup/key/ntds_capi_0_07ea03b4-3b28-4270-8862-0bc66dacef1a.keyx.rsa.pvk --entropy_hex=<found entropy> --sid=S-1-5-21-555431066-3599073733-176599750-1125 path/to/blob.bin
```
* Use the decrypted blob to
```sh
CQDPAPIKeePassDBDecryptor.exe /k <key> /f <file>.kdbx
```
* Open the `*.kdbx` file