module ~ dpapi

Benjamin DELPY edited this page Oct 8, 2017 · 8 revisions

A basic introduction

A blob

  • contains: encrypted raw data, a secret, for example a Vault, a Credential, a CAPI/CNG private key, a Chrome password, a WiFi/WWAN key, ...
  • is used to: whatever you want! This is the final data
  • is protected by: a masterkey and optionally entropy data AND/OR an additional password
  • is linked to: a masterkey

A masterkey

  • contains: multiple versions of the encrypted raw key
  • is used to: decrypt blob
  • is protected by: a key that depends on the situation
    • non-domain context: SID AND (user password SHA1 hash OR previous password SHA1 hash (by knowledge or from CREDHIST))
    • domain context:
      • SID AND (user password NTLM hash OR previous password NTLM hash (by knowledge))
      • domain backup key (RPC or RSA private key)
    • local computer: DPAPI_SYSTEM secret (COMPUTER or USER part)
  • is linked to: a credhist entry

A credhist

Only useful in non-domain context

  • contains: previous encrypted credentials of the user (SHA1 & NTLM)
  • is used to: decrypt masterkey
  • is protected by: the most recent user password SHA1 hash used by the user on the system
    • each entry is protected by the previous key, etc.
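To make the "blob is linked to a masterkey" relationship concrete, here is an added Python example (not mimikatz code and not from this page) that walks the header of a raw DPAPI blob, the same structure the blob command reads, and reports which masterkey GUID the blob depends on without decrypting anything. The field order follows the public DPAPI blob layout; the masterkey GUID, description and filler key/data bytes in build_sample_blob are constructed sample values, so the sample blob protects nothing.

```python
import struct
import uuid

DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")  # well-known provider GUID
ALG_NAMES = {0x6610: "CALG_AES_256", 0x6603: "CALG_3DES", 0x800E: "CALG_SHA_512", 0x8004: "CALG_SHA1"}

def _take(buf, off, n):
    if off + n > len(buf):
        raise ValueError("truncated blob at offset %d" % off)
    return buf[off:off + n], off + n

def _dword(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4

def _counted(buf, off):  # DWORD length, then that many bytes
    n, off = _dword(buf, off)
    return _take(buf, off, n)

def parse_dpapi_blob(buf):  # header walk only, no decryption
    version, off = _dword(buf, 0)
    prov, off = _take(buf, off, 16)
    if version != 1 or uuid.UUID(bytes_le=prov) != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    _mk_version, off = _dword(buf, off)
    mk, off = _take(buf, off, 16)            # the masterkey this blob is linked to
    flags, off = _dword(buf, off)
    desc, off = _counted(buf, off)           # UTF-16LE, NUL-terminated
    alg_crypt, off = _dword(buf, off)
    _key_bits, off = _dword(buf, off)
    salt, off = _counted(buf, off)
    _hmac_key, off = _counted(buf, off)
    alg_hash, off = _dword(buf, off)
    _hash_bits, off = _dword(buf, off)
    _hmac2_key, off = _counted(buf, off)
    data, off = _counted(buf, off)           # the encrypted secret itself
    sign, off = _counted(buf, off)           # HMAC over the blob
    return {"masterkey_guid": str(uuid.UUID(bytes_le=mk)), "flags": flags,
            "description": desc.decode("utf-16-le").rstrip("\x00"),
            "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)), "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
            "salt_len": len(salt), "data_len": len(data), "sign_len": len(sign), "trailing_bytes": len(buf) - off}

def build_sample_blob(mk_guid, description):
    # Constructed sample: real layout, filler bytes. NOT CryptProtectData output; protects nothing.
    counted = lambda b: struct.pack("<I", len(b)) + b
    desc = (description + "\x00").encode("utf-16-le")
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le + struct.pack("<I", 1)
            + uuid.UUID(mk_guid).bytes_le + struct.pack("<I", 0) + counted(desc)
            + struct.pack("<II", 0x6610, 256) + counted(b"\x11" * 32) + counted(b"")
            + struct.pack("<II", 0x800E, 512) + counted(b"") + counted(b"\x22" * 48) + counted(b"\x33" * 64))
```

A non-zero trailing_bytes or a ValueError on a file you expected to be a blob means the file is damaged or is not a bare DPAPI blob (many formats wrap the blob inside their own structure).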

Remarks

You can find the location of these files: https://1drv.ms/x/s!AlQCT5PF61KjmCAhhYO0flOcZE4e
When the user is a protected user, it's NOT the NTLM hash of the password, but another derived hash from it.

Commands

blob, protect, masterkey, credhist, cache, capi, cng, cred, vault, wifi, wwan, chrome

blob

Arguments:

  • /in -
  • /out - optional -

Generic arguments (all are optional):

  • /unprotect -
  • /masterkey -
  • /password -
  • /entropy -
  • /prompt -
  • /machine -

protect

Arguments:

  • /data -
  • /description - optional -
  • /entropy - optional -
  • /machine - optional -
  • /system - optional -
  • /prompt - optional -
  • /out - optional -

masterkey

Arguments:

  • /in -
  • /sid - optional -
  • /hash - optional -
  • /system - optional -
  • /password - optional -
  • /protected - optional -
  • /pvk - optional -
  • /rpc - optional -
  • /dc - optional -
  • /domain - optional -

credhist

Arguments:

  • /in -
  • /sid - optional -
  • /password - optional -
  • /hash - optional -

cache

Display the credential cache of the DPAPI module

mimikatz # dpapi::cache

CREDENTIALS cache
=================
SID:S-1-5-21-1982681256-1210654043-1600862990-1000;GUID:{a62828b1-b384-408c-8c78-90607b9c6e53};MD4:cc36cf7a8514893efccd332446158b1a;SHA1:a299912f3dc7cf0023aef8e4361abfc03e9a8c30;
SID:S-1-5-21-1982681256-1210654043-1600862990-1000;GUID:{4a108cb4-6080-4ac3-a76a-bb738c98b212};MD4:31d6cfe0d16ae931b73c59d7e0c089c0;SHA1:da39a3ee5e6b4b0d3255bfef95601890afd80709;

MASTERKEYS cache
================
GUID:{6fc9a9bb-e99f-4030-8fdc-fcce59373509};KeyHash:91e886dc63db8d343e9c3d95b849dd4ee2517362
GUID:{8d2c893f-73a7-4874-bf35-af4876ef68d1};KeyHash:a4cd97b9250543d32ef088be396b9471922cffc3

DOMAINKEYS cache
================
GUID:{945680db-66ad-49bb-a44d-26d2a3480578};TYPE:RSA
GUID:{a0d107d2-eb19-4460-98a8-142e836a19e3};TYPE:LEGACY

capi

cng

cred

vault

wifi

wwan

chrome
