DPAPI exploitation during pentest - Synacktiv · Google Chrome, GTalk, Skype, Dropbox, iCloud,...
Transcript of DPAPI exploitation during pentest - Synacktiv · Google Chrome, GTalk, Skype, Dropbox, iCloud,...
![Page 1: DPAPI exploitation during pentest - Synacktiv · Google Chrome, GTalk, Skype, Dropbox, iCloud, Safari, etc. 5 / 17 DPAPI Internals – developpers view. 6 / 17 DPAPI Internals –](https://reader036.fdocuments.us/reader036/viewer/2022081402/5f22d1744a6a600496683316/html5/thumbnails/1.jpg)
Présenté 07/04/2017
Pour STHACK 2017 – rump session
Par Jean-Christophe Delaunay
DPAPI exploitation during pentest
![Page 2: DPAPI exploitation during pentest - Synacktiv · Google Chrome, GTalk, Skype, Dropbox, iCloud, Safari, etc. 5 / 17 DPAPI Internals – developpers view. 6 / 17 DPAPI Internals –](https://reader036.fdocuments.us/reader036/viewer/2022081402/5f22d1744a6a600496683316/html5/thumbnails/2.jpg)
2 / 17
whoami /groups Jean-Christophe Delaunay – @Fist0urs Jiss/Fist0urs on IRC Synacktiv – www.synacktiv.ninja
Microsoft Windows Active Directory (kerberom)
Passcracking – User and contributor to John The Ripper and hashcat (krb5tgs, axcrypt, keepass, etc.)
![Page 3: DPAPI exploitation during pentest - Synacktiv · Google Chrome, GTalk, Skype, Dropbox, iCloud, Safari, etc. 5 / 17 DPAPI Internals – developpers view. 6 / 17 DPAPI Internals –](https://reader036.fdocuments.us/reader036/viewer/2022081402/5f22d1744a6a600496683316/html5/thumbnails/3.jpg)
3 / 17
What is DPAPI – a bit of history
Data Protection Application Programming Interface
Helps protect secrets (passwords, certificates, etc.)
Exists since Windows 2000! Evolved a lot but core is globally the same Invisible for the end-users
![Page 4: DPAPI exploitation during pentest - Synacktiv · Google Chrome, GTalk, Skype, Dropbox, iCloud, Safari, etc. 5 / 17 DPAPI Internals – developpers view. 6 / 17 DPAPI Internals –](https://reader036.fdocuments.us/reader036/viewer/2022081402/5f22d1744a6a600496683316/html5/thumbnails/4.jpg)
4 / 17
What is DPAPI – wtfbbq?
Cryptography based on user’s password (not exactly in fact) Easy to implement for developpers:
CryptProtectData CryptUnprotectData
Widely used: Credential Manager, Windows Vault, IE, Wifi, Certificates,
VPN, etc. Google Chrome, GTalk, Skype, Dropbox, iCloud, Safari,
etc.
![Page 5: DPAPI exploitation during pentest - Synacktiv · Google Chrome, GTalk, Skype, Dropbox, iCloud, Safari, etc. 5 / 17 DPAPI Internals – developpers view. 6 / 17 DPAPI Internals –](https://reader036.fdocuments.us/reader036/viewer/2022081402/5f22d1744a6a600496683316/html5/thumbnails/5.jpg)
5 / 17
DPAPI Internals – developpers view
![Page 6: DPAPI exploitation during pentest - Synacktiv · Google Chrome, GTalk, Skype, Dropbox, iCloud, Safari, etc. 5 / 17 DPAPI Internals – developpers view. 6 / 17 DPAPI Internals –](https://reader036.fdocuments.us/reader036/viewer/2022081402/5f22d1744a6a600496683316/html5/thumbnails/6.jpg)
6 / 17
DPAPI Internals – crypto
Secret based on user’s password…
… but this is not secure enough, let’s use master keys, stored in undocumented blobs structures
![Page 7: DPAPI exploitation during pentest - Synacktiv · Google Chrome, GTalk, Skype, Dropbox, iCloud, Safari, etc. 5 / 17 DPAPI Internals – developpers view. 6 / 17 DPAPI Internals –](https://reader036.fdocuments.us/reader036/viewer/2022081402/5f22d1744a6a600496683316/html5/thumbnails/7.jpg)
7 / 17
DPAPI Internals – crypto
![Page 8: DPAPI exploitation during pentest - Synacktiv · Google Chrome, GTalk, Skype, Dropbox, iCloud, Safari, etc. 5 / 17 DPAPI Internals – developpers view. 6 / 17 DPAPI Internals –](https://reader036.fdocuments.us/reader036/viewer/2022081402/5f22d1744a6a600496683316/html5/thumbnails/8.jpg)
8 / 17
DPAPI Internals – overview
![Page 9: DPAPI exploitation during pentest - Synacktiv · Google Chrome, GTalk, Skype, Dropbox, iCloud, Safari, etc. 5 / 17 DPAPI Internals – developpers view. 6 / 17 DPAPI Internals –](https://reader036.fdocuments.us/reader036/viewer/2022081402/5f22d1744a6a600496683316/html5/thumbnails/9.jpg)
9 / 17
DPAPI Internals – masterkeys stored… ?
In the user’s profile (%APPDATA%/Roaming/Microsoft)
Protect/SID GUID1 GUID2 … Preferred
![Page 10: DPAPI exploitation during pentest - Synacktiv · Google Chrome, GTalk, Skype, Dropbox, iCloud, Safari, etc. 5 / 17 DPAPI Internals – developpers view. 6 / 17 DPAPI Internals –](https://reader036.fdocuments.us/reader036/viewer/2022081402/5f22d1744a6a600496683316/html5/thumbnails/10.jpg)
10 / 17
DPAPI – pentests
2 possibilities: I can execute some code on the remote host I can’t...
![Page 11: DPAPI exploitation during pentest - Synacktiv · Google Chrome, GTalk, Skype, Dropbox, iCloud, Safari, etc. 5 / 17 DPAPI Internals – developpers view. 6 / 17 DPAPI Internals –](https://reader036.fdocuments.us/reader036/viewer/2022081402/5f22d1744a6a600496683316/html5/thumbnails/11.jpg)
11 / 17
DPAPI – existing tools
Passcape: shareware + Windows only [1] impacket: does not decrypt DPAPI protected secrets
directly [2] mimikatz: extracts secrets online and offline but
Windows only [3] dpapick: extracts secrets offline! First tool published
to manage DPAPI offline, incredible work! [4] dpapilab: an extension of dpapick [5]
![Page 12: DPAPI exploitation during pentest - Synacktiv · Google Chrome, GTalk, Skype, Dropbox, iCloud, Safari, etc. 5 / 17 DPAPI Internals – developpers view. 6 / 17 DPAPI Internals –](https://reader036.fdocuments.us/reader036/viewer/2022081402/5f22d1744a6a600496683316/html5/thumbnails/12.jpg)
12 / 17
DPAPI – pentests
But wait, you told us that secrets are protected by user’s password?...
...and master keys are also protected by user’s password?
…
Profit!
![Page 13: DPAPI exploitation during pentest - Synacktiv · Google Chrome, GTalk, Skype, Dropbox, iCloud, Safari, etc. 5 / 17 DPAPI Internals – developpers view. 6 / 17 DPAPI Internals –](https://reader036.fdocuments.us/reader036/viewer/2022081402/5f22d1744a6a600496683316/html5/thumbnails/13.jpg)
13 / 17
DPAPI – pentests
Fist0urs@jordy:~/sthack$ python DPAPImk2john.py S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1001 2dbd2e3b-XXXX-XXXX-XXXX-519c78c48397
$DPAPImk$*2*local*S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1001*aes256*sha512*8000*1d52563XXXXXXXXXXXXXXXXXa0665d79*288*0049e65595bbXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX7e3b70539567d80afea5168d31c6ccd48b07b8328eb969295611c850f8cf25f06e7f9aede0f5fb4e
![Page 14: DPAPI exploitation during pentest - Synacktiv · Google Chrome, GTalk, Skype, Dropbox, iCloud, Safari, etc. 5 / 17 DPAPI Internals – developpers view. 6 / 17 DPAPI Internals –](https://reader036.fdocuments.us/reader036/viewer/2022081402/5f22d1744a6a600496683316/html5/thumbnails/14.jpg)
14 / 17
DPAPI – useful?
Created in the roaming profile in an Active Directory environnment
Alternative to MSCashvX if computer is hardened (no or only one cached logon hash)
No need to inject in memory, all you need is a masterkey file from the filesystem and the user’s SID: much more reliable
Hard to detect compared to existing attacks… Difficult to prevent this kind of attack :-/
![Page 15: DPAPI exploitation during pentest - Synacktiv · Google Chrome, GTalk, Skype, Dropbox, iCloud, Safari, etc. 5 / 17 DPAPI Internals – developpers view. 6 / 17 DPAPI Internals –](https://reader036.fdocuments.us/reader036/viewer/2022081402/5f22d1744a6a600496683316/html5/thumbnails/15.jpg)
15 / 17
DPAPI – roadmap
Finish the implementation within John The Ripper
Add the implementation within hashcat
Some more things I keep for myself for the moment ;-)
![Page 16: DPAPI exploitation during pentest - Synacktiv · Google Chrome, GTalk, Skype, Dropbox, iCloud, Safari, etc. 5 / 17 DPAPI Internals – developpers view. 6 / 17 DPAPI Internals –](https://reader036.fdocuments.us/reader036/viewer/2022081402/5f22d1744a6a600496683316/html5/thumbnails/16.jpg)
THANK YOU FOR YOUR ATTENTION
ANY QUESTIONS?
![Page 17: DPAPI exploitation during pentest - Synacktiv · Google Chrome, GTalk, Skype, Dropbox, iCloud, Safari, etc. 5 / 17 DPAPI Internals – developpers view. 6 / 17 DPAPI Internals –](https://reader036.fdocuments.us/reader036/viewer/2022081402/5f22d1744a6a600496683316/html5/thumbnails/17.jpg)
17 / 17
Bibliography
[1] https://www.passcape.com/
[2] https://github.com/CoreSecurity/impacket
[3] http://blog.gentilkiwi.com/mimikatz [4] http://dpapick.com/ [5] https://github.com/dfirfpi/dpapilab