DPAPI stands for Data Protection API and was introduced by Microsoft in Windows 2000; since then Windows has used it heavily, even if you aren't aware of it. Simply put, DPAPI lets you encrypt and decrypt data, and you don't need to worry about encryption keys at all.
DPAPI has two simple API calls:
As you might have guessed already:
For encryption you use
For decryption you use
The Windows operating system takes care of everything. In the local user context the encryption key is derived from your password hash. It is a different story when you are part of an Active Directory domain; this post is about the local user context.
Credential Manager is a Windows feature that keeps all your passwords in one place. You can store RDP, web, Chrome, GitHub and other passwords there; it is like a password manager.
You can see on the screenshot that I have two RDP passwords saved (a TERMSRV entry means RDP credentials are saved). I also have a GitHub password saved. It is useful when you push new commits and don't want to type credentials every time: the git command-line utility decrypts this password behind the scenes and uses it to authenticate remotely.
Web Credentials is for passwords related to web sites. You can also add new credentials manually through this feature.
All of this is done via DPAPI. It uses something like a Master Key which encrypts and decrypts your data. Master Keys are stored in the user's AppData directory. For testing purposes, create test credentials:
Below is my master key, the one that was used to encrypt my data.
b625df90-d6ad-4528-a3c1-0c3beb58df34 is our key file, and we will see proof of that when we open it via
Interested in what happens when we save test credentials via Credential Manager? We can watch it with procmon from the Sysinternals tools:
The process in charge here was lsass.exe, which took care of this. It opened the Preferred file, which points to the master key currently in use, took that key and used it to encrypt our data, and the encrypted blob was put into the A5FEB27BE0210EF5E455C689AAC6802B data blob.
Time to mimikatz
Let's open this in mimikatz and see what is in it:
The mimikatz module for this is dpapi::cred, which takes the /in:<path> argument as the encrypted data blob. We can see from the picture above the guidMasterKey, or simply the master key used, and pbData, which is our actual encrypted credential.
Now, use our master key and decrypt it. Because we are in the user's own context, there is no need to decrypt the master key first and then the encrypted data blob. The command is the following:
mimikatz # dpapi::cred /in:"C:\Users\Higgsx\AppData\Roaming\Microsoft\Credentials\A5FEB27BE0210EF5E455C689AAC6802B" /unprotect
The password is visible below:
So, as I said, that was in the current user context. What happens when we log in via another account?
I transfer the master key and the encrypted data blob to C:\Users\Public so that I can access them from another account:
We see that this data blob expects master key b625df90-d6ad-4528-a3c1-0c3beb58df34, as we expected.
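The two things mimikatz shows above, the guidMasterKey and pbData fields of the blob and the fact that in the user's own context the OS can decrypt it without anyone touching the master key, can both be seen with plain Python. The script below is an added example written for this post, not code from the post or from mimikatz. It parses the DPAPI blob header (version, provider GUID, guidMasterKey, algorithm IDs, salt, pbData, signature) so that a defender can tell which master key file a given credential artifact depends on, and on Windows it hands the blob to CryptUnprotectData, the documented API that `/unprotect` relies on when the caller is the user who encrypted the data. Assumptions: the Credential Manager file wraps the blob in a 12-byte header (version, blob size, reserved), and the sample blob, its filler salt, ciphertext and signature, is constructed here rather than taken from a real machine; the master key GUID in the sample is the one from this post.

```python
import struct
import sys
import uuid

# Fixed provider GUID that every DPAPI blob carries right after its version field.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CryptoAPI ALG_ID values seen in DPAPI blobs (older 3DES/SHA1, current AES-256/SHA-512).
ALG_NAMES = {0x6603: "3DES", 0x6610: "AES-256", 0x8004: "SHA1", 0x800E: "SHA-512"}


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _guid(buf, off):
    # GUIDs are stored in the Windows little-endian layout that bytes_le understands.
    return uuid.UUID(bytes_le=bytes(buf[off:off + 16])), off + 16


def _lv(buf, off):
    # Length-prefixed field: a DWORD length followed by that many bytes.
    n, off = _u32(buf, off)
    return bytes(buf[off:off + n]), off + n


def unwrap_credential_file(buf):
    """Return the DPAPI blob inside a Credential Manager file.

    Assumption: files under AppData\\Roaming\\Microsoft\\Credentials prefix the blob
    with a 12-byte header (version, blob size, reserved). A bare blob is recognised
    by the provider GUID at offset 4 and returned unchanged.
    """
    if len(buf) >= 20 and bytes(buf[4:20]) == DPAPI_PROVIDER_GUID.bytes_le:
        return bytes(buf)
    size = struct.unpack_from("<I", buf, 4)[0]
    return bytes(buf[12:12 + size])


def parse_dpapi_blob(buf):
    """Walk the DPAPI blob header and return the fields mimikatz prints for dpapi::cred."""
    off = 0
    version, off = _u32(buf, off)
    provider, off = _guid(buf, off)
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (bad version or provider GUID)")
    _mk_version, off = _u32(buf, off)
    mk_guid, off = _guid(buf, off)          # guidMasterKey: which master key file is needed
    flags, off = _u32(buf, off)
    desc_raw, off = _lv(buf, off)           # optional UTF-16LE description
    alg_crypt, off = _u32(buf, off)
    alg_crypt_bits, off = _u32(buf, off)
    salt, off = _lv(buf, off)
    _hmac_key, off = _lv(buf, off)
    alg_hash, off = _u32(buf, off)
    _alg_hash_bits, off = _u32(buf, off)
    _hmac2_key, off = _lv(buf, off)
    data, off = _lv(buf, off)               # pbData: the actual ciphertext
    sign, off = _lv(buf, off)               # HMAC over the blob
    return {
        "master_key_guid": str(mk_guid),
        "flags": flags,
        "description": desc_raw.decode("utf-16-le").rstrip("\x00"),
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "alg_crypt_bits": alg_crypt_bits,
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "salt": salt,
        "data": data,
        "sign": sign,
    }


def unprotect_as_current_user(blob):
    """Let the OS decrypt the blob via CryptUnprotectData (Windows only).

    This is the user-context path: LSASS locates the master key named in the header
    itself, so the call succeeds only for the user (and machine) that encrypted it.
    """
    if sys.platform != "win32":
        raise OSError("CryptUnprotectData is only available on Windows")
    import ctypes
    from ctypes import wintypes

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [("cbData", wintypes.DWORD), ("pbData", ctypes.POINTER(ctypes.c_char))]

    crypt32 = ctypes.WinDLL("crypt32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    buf = ctypes.create_string_buffer(blob, len(blob))
    inp = DATA_BLOB(len(blob), ctypes.cast(buf, ctypes.POINTER(ctypes.c_char)))
    out = DATA_BLOB()
    CRYPTPROTECT_UI_FORBIDDEN = 0x1         # never raise a UI prompt
    if not crypt32.CryptUnprotectData(ctypes.byref(inp), None, None, None, None,
                                      CRYPTPROTECT_UI_FORBIDDEN, ctypes.byref(out)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        return ctypes.string_at(out.pbData, out.cbData)
    finally:
        kernel32.LocalFree(out.pbData)


def build_sample_blob(master_key_guid, ciphertext, description="test credential"):
    """Constructed sample blob in the layout parsed above (AES-256 / SHA-512).
    Salt, HMAC keys, ciphertext and signature are filler, not real DPAPI output."""
    def lv(b):
        return struct.pack("<I", len(b)) + b
    desc = description.encode("utf-16-le") + b"\x00\x00"
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + uuid.UUID(master_key_guid).bytes_le
            + struct.pack("<I", 0) + lv(desc)
            + struct.pack("<II", 0x6610, 256) + lv(b"\x00" * 32) + lv(b"")
            + struct.pack("<II", 0x800E, 512) + lv(b"")
            + lv(ciphertext) + lv(b"\x00" * 64))


if __name__ == "__main__":
    sample = build_sample_blob("b625df90-d6ad-4528-a3c1-0c3beb58df34", b"\xaa" * 48)
    wrapped = struct.pack("<III", 1, len(sample), 0) + sample   # mimic the credential file header
    info = parse_dpapi_blob(unwrap_credential_file(wrapped))
    print("needs master key", info["master_key_guid"], "cipher", info["alg_crypt"])
```

Run against a real file from AppData\Roaming\Microsoft\Credentials, the parser prints the same guidMasterKey that mimikatz shows, which is the key file an incident responder has to account for; `unprotect_as_current_user` succeeds only when run as the encrypting user, which is exactly why the later part of this post has to decrypt the master key separately.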
Try to decrypt:
but we failed:
We failed because we need the SID and password of the user who encrypted it.
First, decrypt the master key:
Below we see the key value and the SHA1 value. Either of them is applicable, but in this case let's use the key value (the long one).
Use that decrypted master key to unprotect the data blob:
This was part 1. In the next post I will try to explain how the Chrome web browser uses DPAPI to store its cookies and ways to decrypt them. Sorry for the small images here.