How to reverse DPAPI-protected credentials
What is DPAPI?
The Data Protection Application Programming Interface (DPAPI) is a simple crypto API used to store data securely. Multiple applications (such as web browsers like Chrome, or the Credential Manager) use it to store credentials. It uses a MasterKey, which is a key derived from the user's password and a BLOB object. If you want to dig into the data protection process, see: https://docs.microsoft.com/en-us/previous-versions/ms995355(v%3Dmsdn.10)
These are all the functions the dpapi.h header has. But we will focus today on CryptProtectData and CryptUnprotectData, which are the most commonly used ones. First of all, we must check which credentials are stored. There are various ways to do this:
- 1) Via the Credential Manager
- 2) Via the cmdkey /list command or the vaultcmd /listcreds command
- 3) Via Rundll: rundll32.exe keymgr.dll, KRShowKeyMgr
All these credentials have been encrypted with the CryptProtectData function of the DPAPI. This can be useful in several ways during an engagement. For example, if interactive logon credentials are stored, we can just execute runas with the /savedcred flag and spawn any process with that user's privileges.
We could invoke the Get-WebCredentials function from Nishang if any web credentials were stored (https://github.com/samratashok/nishang/blob/master/Gather/Get-WebCredentials.ps1)
Or even use the Windows Credential Manager dump module from peewpw (https://github.com/peewpw/Invoke-WCMDump/blob/master/Invoke-WCMDump.ps1)
SharpDPAPI from GhostPack and SeatBelt are also very useful for this task:
Note that the output of the SeatBelt executable tells us to use dpapi::cred
This is because mimikatz has a module specially designed for this, whose methods are:
Of course, we will need the masterkey to unprotect the stored credentials.
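The CryptProtectData / CryptUnprotectData pair mentioned above can be exercised through its managed wrapper, System.Security.Cryptography.ProtectedData. The following is an added example, not code from the original post or from any of the tools it links: it shows that a blob protected without optional entropy is recoverable by any code running as the same user, while a blob protected with entropy is not unless the same bytes are supplied. It assumes Windows PowerShell 5.1; the function names, the secret and the entropy string are constructed for illustration.

```powershell
# Added example. Assumes Windows PowerShell 5.1; all names and values are constructed.
Add-Type -AssemblyName System.Security
$scope = [Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-Secret {
    param([string]$PlainText, [byte[]]$Entropy)
    $bytes = [Text.Encoding]::UTF8.GetBytes($PlainText)
    # Managed wrapper over CryptProtectData, bound to the current user's master key
    return [Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, $scope)
}

function Unprotect-Secret {
    param([byte[]]$Blob, [byte[]]$Entropy)
    try {
        # Managed wrapper over CryptUnprotectData
        $bytes = [Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $scope)
        return [Text.Encoding]::UTF8.GetString($bytes)
    } catch {
        # Wrong or missing entropy, or a different user context, ends up here
        return $null
    }
}

function Format-Result {
    param([string]$Label, $Value)
    if ($null -eq $Value) { $Value = '<unprotect failed>' }
    '{0,-34}: {1}' -f $Label, $Value
}

$entropy = [Text.Encoding]::UTF8.GetBytes('constructed-app-entropy')
[byte[]]$plainBlob   = Protect-Secret -PlainText 'constructed-password'
[byte[]]$entropyBlob = Protect-Secret -PlainText 'constructed-password' -Entropy $entropy

# No entropy: the user context alone is enough to recover the secret
Format-Result 'no entropy, same user' (Unprotect-Secret -Blob $plainBlob)
# Entropy used at protect time: the caller must also present the same bytes
Format-Result 'entropy blob, no entropy supplied' (Unprotect-Secret -Blob $entropyBlob)
Format-Result 'entropy blob, correct entropy' (Unprotect-Secret -Blob $entropyBlob -Entropy $entropy)
```

Optional entropy only raises the bar when the entropy bytes are kept somewhere other code running as that user cannot read.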
So, I hope you have understood what DPAPI is and what it is used for, as well as how to abuse it. If you have any doubts, reach out to me in the comments ;)