DPAPI offline decryption utility


Just in case

As I really do not have enough time to finish some things before releasing DPAPIck v0.3, I decided to push to the public repository everything I have done so far, including RSA private key handling (and thus EFS certificate recovery).

Many thanks to everyone who gave me feedback and bugfixes. Everything should be included in the repository. And do not forget that the main channel for reporting bugs should be the bugtracker that goes along with the Bitbucket repository. It helps me keep track of things and prioritize bugfixes.
As soon as I have time to do it, all the small scripts in /bin will be merged into /bin/dpapick. That will avoid making a mess in the operating system :-)

Enjoy!


Quick update

The bad news is that I really have not had enough spare time to work on v0.3 for months! EFS is done and works well as far as I have tested it. Some bugs were also reported by users (thanks for that) and I spotted a few others; they are all corrected in my working copy. I am still trying to get DPAPIck to work with Win7 blobs, but no luck so far, and I don't have enough time to start reversing the corresponding DLL files to finish that part. The /bin tools rewriting is in progress but a bit stale. I may backport all the patches to the public Mercurial repository so everyone can at least have things working.


kkskkksk asked: And I can't decrypt it with DPAPIck.exe (v0.1). But calling CryptUnprotect() to decrypt it succeeded.

Well, the answer is pretty easy for that one: don't use v0.1 anymore :-)
The exact reason for the failure is simply that this version only takes the first Masterkey on the hard drive into account. We did not implement a lookup back then for the demo.
v0.2 should be fine for decrypting your blob.


kleo148 asked: When I looked through bin\chrome in the debugger, if I add the --credhist option, I have a problem on the line mkp(.)addCredhistFile(options(.)credhist), because it needs 3 parameters but is given only 2. It is easily solved) I wrote the missing parameter: mkp(.)addCredhistFile(options(.)sid, options(.)credhist). The next problem is that passwords are unable to be decrypted, because the keys weren't added to the MasterKeyPool. What is wrong? Sorry for my bad English.

Hi kleo and thanks for your interest in DPAPIck.

bin/chrome has not been thoroughly tested as the corresponding probe has been written primarily for our other project, OWADE.

By the way, such glitches will be corrected in the next release of DPAPIck, as I am currently rewriting the whole bin/ folder for easier use and integration.

Regarding the other issue you mention, could you please open a ticket in the bugtracker? It will be easier to investigate and discuss it there, though I already have an idea: I think you are using DPAPIck under Windows. By default, masterkeys are hidden files, so Python might not see them. Not sure I can change that behavior.


slehoux asked: Hello! I've just read your white paper "Recovering Windows Secrets and EFS Certificates Offline" and I was wondering. As related to SQL Server and database encryption: if one uses "Extensible Key Management" to manage encryption keys through a "Hardware Security Module", would it plug the security hole described in your whitepaper? Any help would be greatly appreciated!

Hi!

Unfortunately, your question goes beyond my current knowledge :-)

In addition, I have never seen DPAPI using an HSM, so I'm not sure that SQL Server relies on DPAPI for that. The only enhancement of DPAPI I am aware of is the use of a smartcard for storing EFS certificates (and I think Microsoft even improved the security with Seven by using the certificate to protect the masterkeys when the certificate is used for strong account authentication). But I have not studied those kinds of configurations yet, although I will have to do so in the near future.


Let's talk about the roadmap

I recently discovered that Bitbucket does not duplicate the issue tracker when forking a repository. Thus you don't have any visibility on what's going on with DPAPIck, and that's why I'm writing this post.

So, as things stand, this is what we plan to release in version 0.3:

  • EFS certificate recovery
  • Inline documentation
  • bin tools rewriting, to keep only one binary and link it to the probes (usage should be similar to Volatility for those who are familiar with it)
  • Okteta support, but low priority for this one…

Inline documentation is already done, and EFS private key decryption is done too, but we need to add a PKCS#12 export function to keep the certificate together with its private key and make it easy to work on EFS from Linux.

The bin tools rewriting is stale for the moment as I need to focus on another project. But as soon as I have time to get back to DPAPIck, I will finish this part and release a new version. Okteta support may come in a later version.

If you have any suggestion or wish-list item to add to our roadmap, feel free to leave a comment! This blog is here for that kind of thing too :-)


joshuanath asked: Maybe I just don't know or understand enough about this tool. Where is the MasterKey or Credhist stored in windows?

Don't worry, there are no stupid questions :)

You have one masterkey directory and one CREDHIST file per user account. For each user account, both are located under Application Data\Microsoft\Protect (for XP) or AppData\Roaming\Microsoft\Protect (Vista & Seven). The SYSTEM account also has masterkeys (but no CREDHIST), located under Windows\System32\Microsoft\Protect.

Be aware that they are hidden system files, so they are not displayed by default on Windows (this can be changed in Explorer).
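To make the locations above concrete, here is an added example (not DPAPIck's own code) that walks a mounted offline Windows volume, finds every Microsoft\Protect folder for the XP, Vista/Seven and SYSTEM layouts described in this post, and lists the SID folders, their masterkey files and the CREDHIST file beside them. The profile name, SID and masterkey GUID in the sample volume are constructed values; the volume root is assumed to be an ordinary directory (an image mounted read-only, for instance).

```python
import os
import re
import tempfile

# Locations named in the post, relative to the volume root (XP, Vista/Seven, SYSTEM).
XP_PROTECT = os.path.join("Documents and Settings", "{user}", "Application Data", "Microsoft", "Protect")
WIN7_PROTECT = os.path.join("Users", "{user}", "AppData", "Roaming", "Microsoft", "Protect")
SYSTEM_PROTECT = os.path.join("Windows", "System32", "Microsoft", "Protect")
PROTECT_SUFFIX = os.path.join("microsoft", "protect")
SID_RE = re.compile(r"^S-1-5-(?:18|21(?:-\d+){4})$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def scan_protect_dir(protect_dir):
    """Map each SID folder under one Protect folder to its masterkey files and its CREDHIST.
    CREDHIST sits beside the SID folder (user accounts only), so it is attached to each SID found."""
    credhist = os.path.join(protect_dir, "CREDHIST")
    found = {}
    for entry in os.listdir(protect_dir):  # os.listdir returns hidden/system files too
        sid_dir = os.path.join(protect_dir, entry)
        if os.path.isdir(sid_dir) and SID_RE.match(entry):
            keys = sorted(f for f in os.listdir(sid_dir) if GUID_RE.match(f))
            found[entry] = {"masterkeys": [os.path.join(sid_dir, k) for k in keys],
                            "credhist": credhist if os.path.isfile(credhist) else None}
    return found

def find_dpapi_material(image_root):
    """Walk a mounted offline volume and key every populated Protect folder by its relative path."""
    result = {}
    for dirpath, dirnames, _ in os.walk(image_root):
        if dirpath.lower().endswith(PROTECT_SUFFIX):
            found = scan_protect_dir(dirpath)
            if found:
                result[os.path.relpath(dirpath, image_root)] = found
            dirnames[:] = []  # SID folders already handled; do not descend further
    return result

def build_sample_image():
    """Constructed sample volume: one Seven profile ('alice') and the SYSTEM masterkey folder."""
    root = tempfile.mkdtemp()
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed user SID
    guid = "0b1fd8a4-5a3c-4e2f-9c6d-1a2b3c4d5e6f"           # constructed masterkey file name
    user_dir = os.path.join(root, WIN7_PROTECT.format(user="alice"))
    os.makedirs(os.path.join(user_dir, sid))
    for name in (os.path.join(sid, guid), os.path.join(sid, "Preferred"), "CREDHIST"):
        open(os.path.join(user_dir, name), "wb").close()
    sys_dir = os.path.join(root, SYSTEM_PROTECT, "S-1-5-18")
    os.makedirs(sys_dir)
    open(os.path.join(sys_dir, guid), "wb").close()
    return root
```

Running find_dpapi_material on a real volume root returns the same structure, with one entry per populated Protect folder, which is exactly the set of files DPAPIck needs for its masterkey lookup.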


It's out!!!

As promised, today we are releasing the source code of DPAPIck v0.2!

The project is hosted at Bitbucket and you can freely check it out to play with it.

You can also report bugs and issues on the tracker and see part of the roadmap for our tool.

A wiki will also be put online as soon as we take time to write documentation.

But no more waiting, here is the URL to have a look at DPAPIck: http://bitbucket.org/jmichel/dpapick

Filed under BlackHat Release


D-6?

Next week, DPAPIck will finally become the first open-source tool (GPLv3 license) able to deal with DPAPI structures, as well as the first tool that can do so from an operating system other than Microsoft's!

It has been entirely rewritten in Python and only requires OpenSSL for decryption, so it is fully cross-platform. It comes with several application probes, each embedding the decryption logic specific to one application that uses DPAPI (e.g. Google Talk, Skype, wireless keys, Internet Explorer, etc.).

And we are not releasing DPAPIck v0.2 alone! It comes along with other surprises that we will let you discover in August :-)

Until the public release, you will be able to meet us if you are among the lucky ones attending BlackHat USA 2011 or DefCon 19. And if you are attending BlackHat, do not forget to come and see our presentation of OWADE, our new advanced forensic tool!

Filed under DPAPI BlackHat python OWADE