dpapi masterkey v2 (15900) on Domain joined Win10 #3189

Closed
virusvfv opened this issue Feb 19, 2022 · 6 comments
@virusvfv

When I try to brute-force the masterkey of a domain-joined Windows 10, I get an "Exhausted" message from hashcat.
So hashcat can't find the correct password.
This is because (I suppose) hashcat does not compute the pre-key for masterkeys correctly.

With a domain-joined Win10 there are additional PBKDF2 rounds for the password, as we can see in DPAPImk2john.py:

    if context == "domain1607-" or context == "domain":
        self.decryptWithHash(userSID, hashlib.new("md4", pwd.encode('UTF-16LE')).digest())
        if self.decrypted:
            print("Decrypted succesfully as domain1607-")
            return
    if context == "domain1607+" or context == "domain":
        # domain windows 10
        SIDenc = userSID.encode("UTF-16LE")
        NTLMhash = hashlib.new("md4", pwd.encode('UTF-16LE')).digest()
        derived = pbkdf2(NTLMhash, SIDenc, 32, 10000, digest='sha256')
        derived = pbkdf2(derived, SIDenc, 16, 1, digest='sha256')
        self.decryptWithHash(userSID, derived)

To reproduce that you can just extract the hash from a domain-joined Win10 masterkey with DPAPImk2john.py and give this hash to hashcat...

@virusvfv virusvfv added the bug label Feb 19, 2022
@virusvfv
Author

Example:
Windows 10 masterkey extracted by DPAPImk2john.py

DPAPImk2john.py -d -S S-1-5-21-744344963-2494446924-3180816502-226263 -mk 3d8c8945-04b7-4e5f-ac48-9a66c6d4f7d5 -c domain1607+ --password <redacted but very simple>
$DPAPImk$1*3*S-1-5-21-744344963-2494446924-3180816502-226263*des3*sha1*18000*c4b27a3eb35a205a18773d9540ad227d*208*208e80589f86f63e6bc6530d0b39eddaafad22068009cff2c4e434f5f4cf40868f0e07bc076534c3571d94e862954df56d3a01171f86488bc38baa53feb099e7e6d5c86422df0a735d16e377b488ae1b1136069dc4e64e457a68ff87eb4a9e1d8cbd143432b5cec0
[
#### MasterKeyFile 3d8c8945-04b7-4e5f-ac48-9a66c6d4f7d5 ####
	version   = 2
	Policy    = 0x0
	MasterKey = 136
	BackupKey = 104
	DomainKey = 372
    + Master Key: Masterkey block
	cipher algo  = DES3 [0x6603]
	hash algo    = HMAC [0x8009]
	rounds       = 18000
	IV           = c4b27a3eb35a205a18773d9540ad227d
	ciphertext   = 208e80589f86f63e6bc6530d0b39eddaafad22068009cff2c4e434f5f4cf40868f0e07bc076534c3571d94e862954df56d3a01171f86488bc38baa53feb099e7e6d5c86422df0a735d16e377b488ae1b1136069dc4e64e457a68ff87eb4a9e1d8cbd143432b5cec0
    + Backup Key: Masterkey block
	cipher algo  = DES3 [0x6603]
	hash algo    = HMAC [0x8009]
	rounds       = 18000
	IV           = 9c7ad87b57ff61fa65be460ddec97ff4
	ciphertext   = 6bff3addd6400a5ec4754afe598860e2a4f56e8e3eea0a366ff48a1579d8d48453248be990da1d509e0be3f268db24a33e16c262f18f699c4448f34f93ef8c7b74bf715fd0ebe581]
Decrypted succesfully as domain1607+
1

Then we execute hashcat:
hashcat-6.2.5>hashcat.exe -m 15900 dpapi.txt dicts\spec.txt

hashcat (v6.2.5) starting

Successfully initialized NVIDIA CUDA library.

Failed to initialize NVIDIA RTC library.

* Device #1: CUDA SDK Toolkit not installed or incorrectly installed.
             CUDA SDK Toolkit required for proper device support and utilization.
             Falling back to OpenCL runtime.

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

OpenCL API (OpenCL 1.2 CUDA 11.0.140) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #1: GeForce GTX 1060, 5056/6144 MB (1536 MB allocatable), 10MCU

OpenCL API (OpenCL 2.1 ) - Platform #2 [Intel(R) Corporation]
=============================================================
* Device #2: Intel(R) UHD Graphics 630, 4832/9772 MB (1023 MB allocatable), 24MCU
* Device #3: Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz, skipped
....
..bla-bla..
....
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 15900 (DPAPI masterkey file v2)
Hash.Target......: $DPAPImk$2*3*S-1-5-21-744344963-2494446924-31808165...b5cec0
Time.Started.....: Tue Feb 22 13:02:49 2022 (3 secs)
Time.Estimated...: Tue Feb 22 13:02:52 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (dicts\spec.txt)
Guess.Queue......: 1/1 (100.00%)

We see that hashcat failed to compute the password.
In addition, we see that according to hashcat's example hashes, masterkey v2 (15900) assumes that the encryption is AES256. However, in the Win10 domain masterkey the encryption is DES3 !!!

@mrnewgirl

mrnewgirl commented Feb 28, 2022

As I understand it, HashCat doesn't support the so-called "context=3" for MasterKey DPAPI blob encryption. In your example you have: $DPAPImk$1*3*... - it means that you have version=1 and context=3.
Looking in the source files we can assume that if version=1 then des3+sha1 (sha1 in the pbkdf2 hmac - "des3*sha1*18000") is used for dpapi blob decryption, and if version=2 then aes256+sha512 (sha512 in the pbkdf2 hmac - "aes256*sha512*12900"). If context=1 (so-called "local") then sha1(password) goes into the pbkdf2 rounds, if context=2 (so-called "domain1607-") then md4(password) goes into the pbkdf2 rounds, and if context=3 (so-called "domain1607+") then, as you have mentioned:
    derived = pbkdf2(md4(password), SID, 32, 10000, digest='sha256')
    derived = pbkdf2(derived, SID, 16, 1, digest='sha256')
this derived value goes into the pbkdf2 rounds in decryptWithHash(userSID, derived).
So, dear HashCat developers, please add support for context=3 to the DPAPImk modules: m15300 and m15900.
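The pre-key derivation quoted from DPAPImk2john.py in the report and the context mapping laid out in the comment above, as an added self-contained Python example (not code from the issue, from DPAPImk2john.py or from hashcat). It carries a pure-Python MD4 so it runs where hashlib's "md4" is unavailable, derives the pre-key for contexts 1, 2 and 3, and parses the $DPAPImk$ line from the report into its fields. The function names, the use of SHA-1 over the UTF-16LE password for context 1, and the reading of the numeric field before the ciphertext as the hex-string length are assumptions made here.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). NTLM = MD4(UTF-16LE(password)); implemented here
    because hashlib.new("md4") needs OpenSSL's legacy provider on recent systems."""
    def F(x, y, z): return (x & y) | (~x & MASK & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    # Per-round (function, message-word order, shift amounts, additive constant) from the RFC.
    rounds = (
        (F, list(range(16)), (3, 7, 11, 19), 0x00000000),
        (G, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (H, [(0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4] for i in range(16)], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i in range(16):
                a = _lrot((a + fn(b, c, d) + X[order[i]] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def dpapi_prekey(context: int, password: str, sid: str) -> bytes:
    """Pre-key that feeds the masterkey file's own PBKDF2 rounds (the 18000 / 12900
    in the hash line), selected by the DPAPImk2john context number (assumed names)."""
    pwd = password.encode("utf-16-le")
    if context == 1:  # local account: SHA-1 of the UTF-16LE password
        return hashlib.sha1(pwd).digest()
    if context == 2:  # domain, pre-1607: NTLM hash (MD4 of the UTF-16LE password)
        return md4(pwd)
    if context == 3:  # domain, 1607+: NTLM stretched with PBKDF2-HMAC-SHA256 over the UTF-16LE SID
        sid_enc = sid.encode("utf-16-le")
        derived = hashlib.pbkdf2_hmac("sha256", md4(pwd), sid_enc, 10000, 32)
        return hashlib.pbkdf2_hmac("sha256", derived, sid_enc, 1, 16)
    raise ValueError(f"unknown DPAPImk context {context}")


def parse_dpapimk(line: str) -> dict:
    """Split a $DPAPImk$ line into version*context*SID*cipher*hash*rounds*iv*len*ciphertext
    and check that the declared length matches the ciphertext hex string (assumed meaning)."""
    prefix = "$DPAPImk$"
    if not line.startswith(prefix):
        raise ValueError("not a $DPAPImk$ hash")
    f = line[len(prefix):].split("*")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}")
    version, context, sid, cipher, hash_name, rounds, iv, length, ct = f
    if int(length) != len(ct):
        raise ValueError("ciphertext length field does not match ciphertext")
    return {
        "version": int(version), "context": int(context), "sid": sid,
        "cipher": cipher, "hash": hash_name, "rounds": int(rounds),
        "iv": bytes.fromhex(iv), "ciphertext": bytes.fromhex(ct),
    }


# Hash line taken from the report in this issue (version 1, context 3, DES3/SHA-1, 18000 rounds).
ISSUE_HASH = (
    "$DPAPImk$1*3*S-1-5-21-744344963-2494446924-3180816502-226263*des3*sha1*18000"
    "*c4b27a3eb35a205a18773d9540ad227d*208*"
    "208e80589f86f63e6bc6530d0b39edda" "afad22068009cff2c4e434f5f4cf4086"
    "8f0e07bc076534c3571d94e862954df5" "6d3a01171f86488bc38baa53feb099e7"
    "e6d5c86422df0a735d16e377b488ae1b" "1136069dc4e64e457a68ff87eb4a9e1d"
    "8cbd143432b5cec0"
)


def describe(line: str, candidate: str) -> dict:
    """Report which derivation a hash line selects and the pre-key size it yields for one candidate."""
    p = parse_dpapimk(line)
    key = dpapi_prekey(p["context"], candidate, p["sid"])
    return {"version": p["version"], "context": p["context"], "cipher": p["cipher"],
            "hash": p["hash"], "rounds": p["rounds"], "prekey_len": len(key)}


if __name__ == "__main__":
    print(describe(ISSUE_HASH, "hashcat"))
```

The context-3 pre-key is 16 bytes, against 20 for context 1 and 16 for context 2, and it depends on the SID as well as the password; a kernel that feeds the plain NTLM hash into the masterkey's 18000 PBKDF2 rounds therefore cannot match a context-3 file whatever the candidate, which is the "Exhausted" result in the report.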

@matrix
Member

matrix commented Mar 5, 2022

@virusvfv, whether it's simple or not, can you share the password? I'd like to avoid wasting time searching for it. Thanks :)

edit: found another example online, I don't need your password anymore

@matrix
Member

matrix commented Mar 5, 2022

15910 done

bash-3.2$ ./tools/test.sh -m 15910 -a all -t all
[ test_1646520111 ] > Init test for hash type 15910.
[ test_1646520111 ] [ Type 15910, Attack 0, Mode single, Device-Type Gpu, Kernel-Type Optimized, Vector-Width 1 ] > OK : 0/8 not found, 0/8 not matched, 0/8 timeout, 0/8 skipped
[ test_1646520111 ] [ Type 15910, Attack 0, Mode multi,  Device-Type Gpu, Kernel-Type Optimized, Vector-Width 1 ] > OK : 0/1 not found, 0/1 not matched, 0/1 timeout, 0/1 skipped
[ test_1646520111 ] [ Type 15910, Attack 0, Mode single, Device-Type Gpu, Kernel-Type Optimized, Vector-Width 4 ] > OK : 0/8 not found, 0/8 not matched, 0/8 timeout, 0/8 skipped
[ test_1646520111 ] [ Type 15910, Attack 0, Mode multi,  Device-Type Gpu, Kernel-Type Optimized, Vector-Width 4 ] > OK : 0/1 not found, 0/1 not matched, 0/1 timeout, 0/1 skipped

bash-3.2$ ./hashcat -m 15900 --hash-info
hashcat (v6.2.5-296-g5867cd735+) starting in hash-info mode

Hash Info:
==========

Hash mode #15900
  Name................: DPAPI masterkey file v2 (context 1 and 2)
  Category............: Operating System
  Slow.Hash...........: Yes
  Password.Len.Min....: 0
  Password.Len.Max....: 256
  Salt.Type...........: Embedded
  Salt.Len.Min........: 0
  Salt.Len.Max........: 256
  Kernel.Type(s)......: pure
  Example.Hash.Format.: plain
  Example.Hash........: $DPAPImk$2*1*S-15-21-439882973-489230393-482956683-1522*aes256*sha512*12900*79f7ca399f2626e21aad108c3922af7c*288*c47bc8a985ca6aa708b01c97b004bff20cc52379dc2635b4acf59ce17970a2cb47ace98c7e8de977f265243c5c03d0a97e4b954b494d9e38d9158d0c1e729d16a28ba69e2e7c6c3bc0e3afc9c9b6306b83372ccb35d89b98925728fd36315b8ee95b4d4eccdcb31564769f9a4b9ee10828184e16d4af336675d5e31d987dd87233d34fbbb98880c5e1f64cbb9b043ad8
  Example.Pass........: hashcat
  Benchmark.Mask......: ?b?b?b?b?b?b?b
  Autodetect.Enabled..: Yes
  Self.Test.Enabled...: Yes
  Potfile.Enabled.....: Yes
  Plaintext.Encoding..: ASCII, HEX

bash-3.2$ ./hashcat -m 15900 -b --backend-ignore-opencl
hashcat (v6.2.5-296-g5867cd735+) starting in benchmark mode

Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.

METAL API (Metal 258.18)
========================
* Device #1: Apple M1, 5408/10922 MB, 8MCU

Benchmark relevant options:
===========================
* --optimized-kernel-enable

---------------------------------------------------------------------------------
* Hash-Mode 15900 (DPAPI masterkey file v2 (context 1 and 2)) [Iterations: 12899]
---------------------------------------------------------------------------------

Speed.#1.........:     2320 H/s (68.97ms) @ Accel:64 Loops:32 Thr:128 Vec:1

Started: Sat Mar  5 23:44:01 2022
Stopped: Sat Mar  5 23:44:09 2022

bash-3.2$ ./hashcat -m 15910 --hash-info
hashcat (v6.2.5-296-g5867cd735+) starting in hash-info mode

Hash Info:
==========

Hash mode #15910
  Name................: DPAPI masterkey file v2 (context 3)
  Category............: Operating System
  Slow.Hash...........: Yes
  Password.Len.Min....: 0
  Password.Len.Max....: 256
  Salt.Type...........: Embedded
  Salt.Len.Min........: 0
  Salt.Len.Max........: 256
  Kernel.Type(s)......: pure
  Example.Hash.Format.: plain
  Example.Hash........: $DPAPImk$2*3*S-15-21-464497560-472124119-475628788-1088*aes256*sha512*13450*685165fdb6d0627a15100215ec331ed8*288*7e1ea6f7ec3c2111f2a3903c73aefe66e524d8b241dc1482d0bd07cc1f3ccdadd8cebd4263b3b7c2496da48f40d2eb4890513e6624aeefbe6bbc6ea73f2f71fecf9cc5fef3891a2e697a4415ba7a069642069c142335d53cc750d42a4f4d2b0592956b4a0e57a5d5b1bfd27f0a8eac9d0d5fc5c5e5e23af18ce1a8eff442ed335e5db3bad6e89146f71aa9351e132fd9
  Example.Pass........: hashcat
  Benchmark.Mask......: ?b?b?b?b?b?b?b
  Autodetect.Enabled..: Yes
  Self.Test.Enabled...: Yes
  Potfile.Enabled.....: Yes
  Plaintext.Encoding..: ASCII, HEX

bash-3.2$ ./hashcat -m 15910 -b --backend-ignore-opencl
hashcat (v6.2.5-296-g5867cd735+) starting in benchmark mode

Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.

METAL API (Metal 258.18)
========================
* Device #1: Apple M1, 5408/10922 MB, 8MCU

Benchmark relevant options:
===========================
* --optimized-kernel-enable

--------------------------------------------------------------------------
* Hash-Mode 15910 (DPAPI masterkey file v2 (context 3)) [Iterations: 9999]
--------------------------------------------------------------------------

Speed.#1.........:     5071 H/s (69.55ms) @ Accel:512 Loops:64 Thr:32 Vec:1

Started: Sat Mar  5 23:45:45 2022
Stopped: Sat Mar  5 23:45:53 2022

@matrix
Member

matrix commented Mar 6, 2022

@virusvfv could you try with your hash to see if it works correctly? Thanks

@virusvfv
Author

virusvfv commented Mar 8, 2022

@matrix Yes. It works for my password! Great!
Thanks for your attention!

@matrix matrix closed this as completed Mar 8, 2022