
Is it possible to get account password? #135

Open
BubbleMaker2089 opened this issue Oct 25, 2023 · 3 comments


@BubbleMaker2089

BubbleMaker2089 commented Oct 25, 2023

I have persisted credentials for an email account. `pypykatz dpapi credential` is able to decrypt it, but it seems like it does not contain a password. What commands should I use to get the password for persistent creds like this?

PS C:\Users\docker\Downloads\helper> pypykatz dpapi credential C:\Users\<user>\Downloads\helper\keys_masterkeys C:\Users\<user>\AppData\Local\Microsoft\Credentials\DC65DDB8148C82FE4972A882BF336BB6
type : GENERIC (1)
last_written : 133426964164149642
target : LegacyGeneric:target=MicrosoftAccount:user=<email_account@outlook.com>
description : PersistedCredential
username : <email_account@outlook.com>
ATTRIBUTE
keyword: Microsoft_WindowsLive:authstate:0
<hex_data>
keyword: Microsoft_WindowsLive:authstate:1
<hex_data>
keyword: Microsoft_WindowsLive:authstate:2
<hex_data>
keyword: Microsoft_WindowsLive:authstate:3
<hex_data>
@octopwn
Contributor

octopwn commented Oct 25, 2023

If decryption works, then the pw should be there; the problem is with pypykatz, because I was not able to figure out which structure to use when parsing these credentials. Core problem is: these credential files can store data in many different formats, and I could not find any documentation on the available formats to implement. As this was not on my priority list, I just left it be.
Summary: I'm afraid you won't get better results without actually touching the code.

@BubbleMaker2089
Author

BubbleMaker2089 commented Oct 25, 2023

I was analyzing the code of the mimikatz feature, and for this type of credential it parses out blobSize = 0; for another one blobSize != 0 and the value exists. Other fields were parsed out without issues (for example, attributes, which come right after the blob). Pypykatz has the same behaviour. For me, it seems like there is no password in this credential file, because I checked offsets using FileCredentialsView and it shows NULLs where blobSize should be. Of course, this file can have a different structure, but everything before the blob and after the blob was parsed out without issues. I don't think it's a coincidence, because everything seems to be in its place. It is just blobSize and blob that are NULL for this specific file and for other files with other email accounts.

@octopwn
Contributor

octopwn commented Oct 25, 2023

Could it be that there is no password there?
