skelsec edited this page Apr 13, 2021 · 4 revisions

DPAPI

This wiki page gives you the bare minimum needed to start decrypting secrets protected by DPAPI.
You will find really good documentation on DPAPI internals elsewhere on the internet.

Terminology

Keys

You will encounter at least two types of keys during the decryption process: the prekey and the masterkey.

Prekey

Prekeys are needed to decrypt the masterkey files. Depending on whose masterkey you are after, a prekey is derived from the user's SID plus their password or NT hash, or, for machine masterkeys, from the DPAPI_SYSTEM secret held in the registry hives. I'm not sure if "prekey" is the correct name for this, but I cook with what I have.

Masterkey

Masterkeys are used to decrypt the actual secrets: DPAPI blobs, SecureString blobs, Vault credentials and VPOL files (i.e. the juicy stuff).
Masterkey files live on disk in encrypted form; already-decrypted masterkeys can also be pulled from the LSASS process' memory.

Decryption process

Decrypting DPAPI secrets is a multi-step process. The generic process looks like this:


  SID + password
      - or -
  SID + NT hash
      - or -        ──►  prekey + masterkey file  ──►  masterkey  ─┐
  Registry hive                                                    │
      - or -                                                       │        BLOB (file)
  LSASS dump                                                       │          - or -
                                                                   ├──►    SecureString       ──►  Secrets
                                                                   │          - or -
                                                                   │     Credentials (file)
  LSASS dump        ──────────────────────────────►   masterkey    │
                                                       - or -     ─┘
                                                     backup key


This diagram doesn't show the VPOL and VCRED files, as there is one extra step to be taken for those: the VPOL file is decrypted with the masterkey first, and the keys it contains are then used to decrypt the VCRED files.
AS YOU CAN SEE, to get secrets you will need multiple things; just waving one file around and expecting things to magically decrypt themselves will not work.
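The following is an added example, not code from this wiki or from pypykatz itself, that walks through the first stage of the diagram on constructed input: it derives a prekey from SID + password or SID + NT hash, parses a masterkey file to see which key sections it carries (the user section needs the prekey, the domain section needs the domain backup key), and runs the PBKDF2 step that turns the prekey into the cipher key for the masterkey section. The SID, password, GUID and file bytes are made up; the ALG_ID constants are the standard Windows values. The AES-CBC decryption and HMAC check that follow need a cipher library and are deliberately left out.

```python
# Added example, not part of the pypykatz wiki or code base.
# Demonstrates: prekey derivation, masterkey file layout, PBKDF2 key derivation.
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Tuple

# Windows ALG_ID values that appear inside masterkey blobs
CALG_SHA_512 = 0x800E
CALG_HMAC_SHA1 = 0x8009
CALG_AES_256 = 0x6610
CALG_3DES = 0x6603

HASH_NAMES = {CALG_SHA_512: "sha512", CALG_HMAC_SHA1: "sha1"}
CIPHER_SIZES = {CALG_AES_256: (32, 16), CALG_3DES: (24, 8)}  # (key length, IV length)


def prekey_from_password(sid: str, password: str) -> bytes:
    """Prekey from a cleartext password: HMAC-SHA1 keyed with SHA1(UTF-16LE(password))
    over UTF-16LE(sid + NUL). Always 20 bytes."""
    pwd_hash = hashlib.sha1(password.encode("utf-16-le")).digest()
    return hmac.new(pwd_hash, (sid + "\0").encode("utf-16-le"), hashlib.sha1).digest()


def prekey_from_nt_hash(sid: str, nt_hash: bytes) -> bytes:
    """Prekey from the NT hash (MD4 of the UTF-16LE password); no cleartext needed."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return hmac.new(nt_hash, (sid + "\0").encode("utf-16-le"), hashlib.sha1).digest()


@dataclass
class MasterKeyFile:
    version: int
    guid: str
    policy: int
    masterkey: bytes   # user masterkey section, wrapped under the prekey
    backupkey: bytes   # local backup section
    credhist: bytes    # CREDHIST section
    domainkey: bytes   # copy wrapped to the domain DPAPI backup key (RSA)


def parse_masterkey_file(data: bytes) -> MasterKeyFile:
    """Parse the 128-byte fixed header, then slice the four variable sections in order."""
    if len(data) < 128:
        raise ValueError("too short for a masterkey file header")
    (version, _unk0, _unk1, guid_raw, _unk2, _unk3, policy,
     mk_len, bk_len, ch_len, dk_len) = struct.unpack("<III72sIIIQQQQ", data[:128])
    guid = guid_raw.decode("utf-16-le").rstrip("\0")
    sections = []
    off = 128
    for length in (mk_len, bk_len, ch_len, dk_len):
        if off + length > len(data):
            raise ValueError("section length runs past end of file")
        sections.append(data[off:off + length])
        off += length
    return MasterKeyFile(version, guid, policy, *sections)


@dataclass
class MasterKeyBlob:
    version: int
    salt: bytes
    iterations: int
    hash_alg: int
    crypt_alg: int
    encrypted: bytes   # ciphertext that holds HMAC salt + HMAC + the 64-byte masterkey


def parse_masterkey_blob(data: bytes) -> MasterKeyBlob:
    """The user masterkey section: a 32-byte header followed by the encrypted masterkey."""
    version, salt, iterations, hash_alg, crypt_alg = struct.unpack("<I16sIII", data[:32])
    return MasterKeyBlob(version, salt, iterations, hash_alg, crypt_alg, data[32:])


def derive_masterkey_cipher_key(prekey: bytes, blob: MasterKeyBlob) -> Tuple[bytes, bytes]:
    """PBKDF2 step that turns a prekey into the key + IV which unwrap the masterkey section.
    The CBC decryption and HMAC verification that follow are not reproduced here."""
    key_len, iv_len = CIPHER_SIZES[blob.crypt_alg]
    derived = hashlib.pbkdf2_hmac(HASH_NAMES[blob.hash_alg], prekey, blob.salt,
                                  blob.iterations, key_len + iv_len)
    return derived[:key_len], derived[key_len:]


def build_sample_masterkey_file() -> bytes:
    """Constructed sample (not a real file): version-2 file with a user masterkey section
    and a domain key section, no local backup key and no CREDHIST section."""
    guid = "c3a4b9d0-1a2b-4c3d-8e9f-0a1b2c3d4e5f"
    mk_blob = struct.pack("<I16sIII", 2, b"\x11" * 16, 8000, CALG_SHA_512, CALG_AES_256) + b"\xaa" * 144
    domain_blob = b"\xbb" * 256
    header = struct.pack("<III72sIIIQQQQ", 2, 0, 0, guid.encode("utf-16-le"), 0, 0, 0,
                         len(mk_blob), 0, 0, len(domain_blob))
    return header + mk_blob + domain_blob


if __name__ == "__main__":
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # made-up SID
    prekey = prekey_from_password(sid, "Passw0rd!")           # made-up password
    mkf = parse_masterkey_file(build_sample_masterkey_file())
    blob = parse_masterkey_blob(mkf.masterkey)
    key, iv = derive_masterkey_cipher_key(prekey, blob)
    print("masterkey GUID:", mkf.guid)
    print("user section needs prekey:", bool(mkf.masterkey),
          "| domain section needs backup key:", bool(mkf.domainkey))
    print("cipher key/IV lengths:", len(key), len(iv))
```

Note that a masterkey file whose user section is empty cannot be unwrapped with a prekey at all; only the domain backup key (or an LSASS dump that already holds the decrypted masterkey) will get you further, which is the point the diagram makes with its alternative inputs.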
