DPAPI offline decryption utility


DPAPIck v0.3 release notes

Well, I have to admit that it’s been a long time since I wrote here.

A lot of people complained during the past years that DPAPIck only supported Windows XP and Vista, and basically wanted to know if one day we were going to support newer versions of Microsoft Windows.

Thanks to Francesco Picasso (@dfirfpi), this project now supports Windows versions from XP to the latest Windows 8.1 (sorry, we haven’t tested it on Windows 10 yet). He did the work and sent me a patch that allowed DPAPIck to run against Windows 7 blobs, but it also broke XP support at the same time. So I took some extra time to give that a bit of polish and to improve a few things in how the tool processes data.

As a side note, I wish to say that DPAPIck is an open-source project that currently relies on the amount of spare time I can dedicate to it (and being involved in other projects, this amount will not magically increase). But contributions are more than welcome, just like Francesco’s.

So, let’s talk a bit about the changes/improvements that we made for the v0.3 release:

  • Windows 7, 8 and 8.1 support (long story short, it seems that Microsoft learned how to read an RFC and changed one function on which DPAPI relies and which was not RFC compliant)
  • unit tests; it was something I wanted to add for a long time to help me avoid stupid bugs and also to be able to extend this tool without experiencing functional regressions
  • iCloud probe (Francesco’s contribution)
  • Dropbox probe (again, thanks to Francesco for his contributions)
  • serialization support for internal structures; at the moment it may seem useless, but this feature was needed for the upcoming next release, DPAPIck v0.4
  • pip-compliant installation so, hopefully, one would just have to type “pip install dpapick”
  • LSA secrets extraction supports newer Windows versions; here also Microsoft changed the underlying algorithms, so I upgraded this part too (nothing fancy here, I just looked at the code of mimikatz)
  • LSA secrets extraction now returns both the old and the current values (previously, only the current value was extracted) and it can also display the timestamps associated with those values
  • ability to add already decrypted masterkeys, as well as their hashes, to the masterkeypool (the goal here is to provide ways of using DPAPIck with material that may be extracted at some point from memory dumps using volatility or from a live machine using mimikatz)
  • improved the decryption algorithm to also test the NTLM hash of the password (used for Windows 2000 backward-compatible structures)
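The list above says that Microsoft changed one non-RFC-compliant function that DPAPI relies on, without naming it. The function I understand this to be is the PBKDF2 key derivation of RFC 2898: the XP-era implementation fed the running XOR accumulator back into the HMAC chain instead of the previous HMAC output, so only the first two iterations agree with the RFC and the derived keys diverge from iteration three onwards. The example below is added here and is not DPAPIck’s code; the identification of the function and of the exact deviation is my assumption, not something the post states. It implements both forms side by side and checks the compliant one against hashlib.

```python
import hashlib
import hmac
import struct


def _prf(password, data, digest):
    """HMAC pseudo-random function used by PBKDF2 (digest name as in hashlib)."""
    return hmac.new(password, data, digest).digest()


def pbkdf2_rfc2898(password, salt, iterations, dklen, digest="sha1"):
    """RFC 2898 PBKDF2: each iteration chains on the previous HMAC output U_i."""
    out = b""
    block = 1
    while len(out) < dklen:
        u = _prf(password, salt + struct.pack(">I", block), digest)  # U_1
        t = bytearray(u)                                              # T = U_1
        for _ in range(iterations - 1):
            u = _prf(password, u, digest)                             # U_i = PRF(U_{i-1})
            t = bytearray(a ^ b for a, b in zip(t, u))                # T ^= U_i
        out += bytes(t)
        block += 1
    return out[:dklen]


def pbkdf2_xp_variant(password, salt, iterations, dklen, digest="sha1"):
    """Assumed XP-era variant: the next HMAC is fed the accumulator T, not U_{i-1}.

    For iterations 1 and 2 the accumulator equals U_1 and U_1 ^ U_2 respectively,
    which is exactly what the RFC feeds in; from iteration 3 the inputs differ.
    """
    out = b""
    block = 1
    while len(out) < dklen:
        t = bytearray(_prf(password, salt + struct.pack(">I", block), digest))
        for _ in range(iterations - 1):
            u = _prf(password, bytes(t), digest)                      # PRF(T), not PRF(U)
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += bytes(t)
        block += 1
    return out[:dklen]


if __name__ == "__main__":
    # Constructed sample inputs; real DPAPI inputs are derived from the user's
    # password hash and the masterkey salt, which is out of scope here.
    pw, salt = b"password", b"\x00" * 16
    for n in (1, 2, 3, 4000):
        same = pbkdf2_rfc2898(pw, salt, n, 32) == pbkdf2_xp_variant(pw, salt, n, 32)
        print("iterations=%d: variant matches RFC -> %s" % (n, same))
```

The practical consequence for an offline decryptor is that a masterkey file of unknown origin may have been produced by either derivation, so the tool has to know the Windows generation it is dealing with or try both forms before concluding that a password is wrong.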

Is that it?

Well, we are already working with Francesco on DPAPIck v0.4, which is going to include other big changes that we weren’t able to finish for this release.

Here is a rough overview of what to expect for v0.4:

  • the bin/dpapidec tool will disappear in favour of a better frontend (bin/dpapick) that can use the probes
  • the probes API will be upgraded to support the new frontend
  • leverage the serialization of internal structures (v0.3) to save/restore a state
  • interactive shell as well as scripting support (something pretty similar to what volatility does)
  • probably some new probes too
  • Python 3 readiness (some dependencies such as M2Crypto might not be available for Python 3)

On a bigger picture (i.e. features that I want to be there for DPAPIck v1.0), we are probably going to:

  • have a look at DPAPI-ng (used for connected Live accounts)
  • try to have a look at DPAPI-related data that mimikatz can export, to make it usable with DPAPIck
  • try to add blob/masterkey creation capability
  • improve the inline documentation
  • provide some documentation / guides on the wiki (especially for writing probes)

Leveraging that, DPAPIck would be able to act as a migration tool to import data from a computer A into a computer B, even if they don’t share the same Windows version. Another scenario would be to re-encrypt all the masterkeys with the current password to clear the CREDHIST file.

Again, if you want to contribute to this project, I’d be happy to integrate your patches/files in this project.

You can also use the bug tracker to ask for a feature that we have not thought about. If you are requesting something additional, please try to provide some test data for it.

Where to get it?

As usual, you can get the tool on Bitbucket either through mercurial or through the download section (click on the “Tags” tab).

If I didn’t screw up the installation system, you can also try “pip install dpapick” to get it on your computer and benefit from the upgrade capability that it provides :-)

Filed under dpapi dfir roadmap python release


Just in case

As I really don’t have enough time to finish the things needed to release DPAPIck v0.3, I decided to push to the public repository all I have done so far, including RSA private key handling (and thus EFS certificate recovery).

Many thanks to everyone who gave me some feedback and bugfixes. Everything should be included in the repository. And do not forget that the main channel to report bugs should be the bug tracker that goes along with the Bitbucket repository. It helps me keep track of things and prioritize bugfixes.
As soon as I get time to do that, all the small scripts in /bin will be merged into /bin/dpapick. That will avoid making a mess in the operating system :-)

Enjoy!


Quick update

The bad news is that I really have not had enough spare time to work on v0.3 for months! EFS is done and works well as far as I have tested. Some bugs were also reported by users (thanks for that) and I spotted a few others; they are all corrected in my working copy. I am still trying to get DPAPIck to work on Win7 blobs but no luck so far, and I don’t have enough time to start reversing the corresponding DLL files to finish that part. The /bin tools rewriting is in progress but a bit stale. I may backport all the patches to the public mercurial repository so everyone can at least have things working.


kkskkksk asked: And I can’t decrypt it with DPAPIck.exe (v0.1). But calling CryptUnprotect() to decrypt it succeeded.

Well, the answer is pretty easy for that: don’t use v0.1 anymore :-)
The exact reason for the failure is simply that this version only takes the first masterkey found on the hard drive into account. We did not implement a lookup back then for the demo.
v0.2 should be fine decrypting your blob.


kleo148 asked: When I looked through the debugger at bin\chrome, if I add the --credhist option, I have a problem in the line mkp.addCredhistFile(options.credhist), because it needs 3 parameters but is given only 2. It’s easy to solve) I wrote the missing parameter - mkp.addCredhistFile(options.sid, options.credhist). The next problem is that passwords can’t be decrypted, because the keys weren’t added to the MasterKeyPool. What is wrong? Sorry for my bad English.

Hi kleo and thanks for your interest in DPAPIck.

bin/chrome has not been thoroughly tested as the corresponding probe has been written primarily for our other project, OWADE.

By the way, such glitches will be corrected in the next release of DPAPIck, as I am currently rewriting the whole bin/ folder for easier use and integration.

Regarding the other issue you mention, could you please open a ticket in the bug tracker? It will be easier to investigate and talk about it there, though I already have my idea: I think you are using DPAPIck under Windows. By default masterkeys are hidden files, so Python might not see them. Not sure I can change that behavior.


slehoux asked: Hello! I’ve just read your white paper “Recovering Windows Secrets and EFS Certificates Offline” and I was wondering. As related to SQL Server and database encryption: if one uses “Extensible Key Management” to manage encryption keys through a “Hardware Security Module”, would it plug the security hole described in your whitepaper? Any help would be greatly appreciated!

Hi!

Unfortunately, your question goes beyond my current knowledge :-)

In addition, I have never seen DPAPI using an HSM, so I’m not sure that SQL Server relies on DPAPI for that. The only enhancement of DPAPI I am aware of is the use of smartcards for storing EFS certificates (and I think Microsoft even improved the security with Seven by using the certificate to protect the masterkeys when the certificate is used for strong account authentication). But I have not studied those kinds of configurations yet, although I will have to do so in the near future.


Let’s talk about roadmap

I recently discovered that Bitbucket is not duplicating the issue tracker while forking a repository. Thus you don’t have any visibility on what’s going on for DPAPIck and that’s why I’m writing this post.

So, as things stand, this is what we planned to release for version 0.3:

  • EFS certificate recovery
  • inline documentation
  • bin tools rewriting to keep only one binary and link it to the probes (usage should be similar to volatility for those who are familiar with it)
  • Okteta support, but low priority for this one…

Inline documentation is already done, and EFS private key decryption is done too, but we need to add a PKCS#12 export function to keep the certificate together with its private key and make it easy to work on EFS from Linux.

The bin tools rewriting is stale for the moment as I need to focus on another project. But as soon as I have time to go back on DPAPIck, I will finish this part and release a new version. Okteta support may be for a further version.

If you have any suggestion, any wish-list to add to our roadmap, feel free to leave a comment! This blog is here for that kind of stuff too :-)


joshuanath asked: Maybe I just don't know or understand enough about this tool. Where is the MasterKey or Credhist stored in windows?

Don’t worry, there is no stupid question :)

You have a masterkey directory and one CREDHIST file per user account. For each user account, they are both located under Application Data\Microsoft\Protect (for XP) or AppData\Roaming\Microsoft\Protect (Vista & Seven). The SYSTEM account also has masterkeys (but no CREDHIST), located under Windows\System32\Microsoft\Protect.

Be aware that they are hidden and system files, so they are not displayed by default on Windows (this can be changed in Explorer).
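To make the locations in that answer concrete for offline work, here is an added example (mine, not part of the original post and not DPAPIck’s code) that walks a mounted disk image and inventories DPAPI material: every Protect directory, the CREDHIST file beside its SID subdirectories, and the GUID-named masterkey files under each SID. It builds a constructed sample tree in a temporary directory so it runs offline; the “Documents and Settings” / “Users” profile roots, the S-1-5-18 SID for SYSTEM and its User subdirectory on Vista and later, and the non-masterkey “Preferred” file are assumptions from my own knowledge of those layouts, not details taken from the post.

```python
import functools
import os
import re
import tempfile

# Name patterns used while walking: a Protect directory holds one subdirectory
# per SID, and the masterkey files inside it are named by GUID.
SID_RE = re.compile(r"^S-1-5-\d+(?:-\d+)*$", re.IGNORECASE)
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def find_dpapi_material(image_root):
    """Inventory DPAPI material under a mounted image root.

    Returns a list (sorted by path) of dicts, one per Protect directory, with
    the CREDHIST path found beside the SID directories (None when absent, as
    for the SYSTEM account) and the masterkey files found under each SID.
    Matching is case-insensitive because the image usually comes from NTFS
    but is inspected from a case-sensitive file system, where the hidden and
    system attributes no longer hide anything.
    """
    results = []
    for dirpath, dirnames, filenames in os.walk(image_root):
        if os.path.basename(dirpath).lower() != "protect":
            continue
        credhist = next((os.path.join(dirpath, f) for f in filenames
                         if f.upper() == "CREDHIST"), None)
        masterkeys = {}
        for sid in dirnames:
            if not SID_RE.match(sid):
                continue
            found = []
            # Vista+ keeps the SYSTEM user keys one level deeper (S-1-5-18\User),
            # so walk the whole SID subtree rather than only its top level.
            for sub, _, files in os.walk(os.path.join(dirpath, sid)):
                found.extend(os.path.join(sub, f) for f in files if GUID_RE.match(f))
            masterkeys[sid] = sorted(found)
        results.append({"protect_dir": dirpath, "credhist": credhist,
                        "masterkeys": masterkeys})
    return sorted(results, key=lambda e: e["protect_dir"])


def build_sample_image():
    """Create a constructed (fake) image tree in a temp directory and return its root.

    File contents are placeholders, not real DPAPI structures.
    """
    root = tempfile.mkdtemp(prefix="dpapi_sample_")
    layout = {
        # XP-style user profile: one masterkey plus a CREDHIST file
        "Documents and Settings/alice/Application Data/Microsoft/Protect/S-1-5-21-1-2-3-1001/"
        "6f2b1c8e-0a3d-4b7e-9f1a-2c3d4e5f6a7b": b"placeholder masterkey",
        "Documents and Settings/alice/Application Data/Microsoft/Protect/CREDHIST": b"placeholder credhist",
        # SYSTEM keys: no CREDHIST, Vista+-style User subdirectory
        "Windows/System32/Microsoft/Protect/S-1-5-18/User/"
        "0d9e8f7a-6b5c-4d3e-8f2a-1b0c9d8e7f6a": b"placeholder masterkey",
        # Not GUID-named, so it must not be reported as a masterkey
        "Windows/System32/Microsoft/Protect/S-1-5-18/Preferred": b"placeholder",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


@functools.lru_cache(maxsize=None)
def sample_inventory():
    """Build the sample tree once and return its inventory."""
    return find_dpapi_material(build_sample_image())


if __name__ == "__main__":
    for entry in sample_inventory():
        print(entry["protect_dir"])
        print("  CREDHIST:", entry["credhist"])
        for sid, keys in entry["masterkeys"].items():
            print("  %s: %d masterkey file(s)" % (sid, len(keys)))
```

Run it against the mount point of a real image instead of the sample root to get the list of masterkey files and CREDHIST files to hand to the tool; the point of walking every Protect directory rather than a fixed path is that a single image may mix XP-style and Vista-style profiles.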


It’s out!!!

As promised, today we are releasing the source code of DPAPIck v0.2!

The project is hosted at Bitbucket and you can freely check it out to play with it.

You can also report bugs/issues on the tracker and see part of the roadmap for our tool.

A wiki will also be put online as soon as we take time to write documentation.

But no more waiting, here is the URL to have a look at DPAPIck: http://bitbucket.org/jmichel/dpapick

Filed under BlackHat Release