Reverse of DPAPI - BlackHat DC 2010

119
Decrypting DPAPI data Jean-Michel Picod, Elie Bursztein EADS, Stanford University 1 Wednesday, February 3, 2010

description

Talk I did for BlackHat DC 2010 with DPAPI reverse engineering and a tool to decrypt things related to DPAPI

Transcript of Reverse of DPAPI - BlackHat DC 2010

Page 1: Reverse of DPAPI - BlackHat DC 2010

Decrypting DPAPI dataJean-Michel Picod, Elie Bursztein

EADS, Stanford University

1Wednesday, February 3, 2010

Page 2: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Data Protection API

• Introduced in Windows 2000

• Aim to be an easy way for application to store safely data on disk

• Tie encryption key to user password and the account SID

2Wednesday, February 3, 2010

Page 3: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Developer point of view

Application

DPAPIDPAPI

3Wednesday, February 3, 2010

Page 4: Reverse of DPAPI - BlackHat DC 2010

GTalkWIFI keys

4Wednesday, February 3, 2010

Page 5: Reverse of DPAPI - BlackHat DC 2010

DPAPI is a simple API*

*http://msdn.microsoft.com/en-us/library/ms995355.aspx

5Wednesday, February 3, 2010

Page 6: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Why digging deeper ?

• Offline forensic

• EFS on Linux

• Security / cool things ?

6Wednesday, February 3, 2010

Page 7: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Previous work

• Multiples attempts to analyze DPAPI

• Some incomplete (Wine)

• Some close source (Nir Sofer - NirSoft)

7Wednesday, February 3, 2010

Page 8: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Take away

• Decrypt offline sensitive data

• Recover user previous passwords (Yes all of them)

• Do a key escrow attack

8Wednesday, February 3, 2010

Page 9: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Outline

9Wednesday, February 3, 2010

Page 10: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Outline

• DPAPI overview

9Wednesday, February 3, 2010

Page 11: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Outline

• DPAPI overview

• Decryption process

9Wednesday, February 3, 2010

Page 12: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Outline

• DPAPI overview

• Decryption process

• Security design implications

9Wednesday, February 3, 2010

Page 13: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Outline

• DPAPI overview

• Decryption process

• Security design implications

• DPAPIck demo

9Wednesday, February 3, 2010

Page 14: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Crypto 911 HMAC

• HMAC (Message authentication code)

• Usually used to detect data tampering

• Used here to derive encrypt key and IV

ipad = 0x36 xor key

opad = 0x5c xor key

HMAC= (opad . SHA1(ipad.data))

10Wednesday, February 3, 2010

Page 15: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Crypto 911: PBKDF2

• PBKDF2 = Password based key derivation function

• Basically it is a hash function (SHA1 for us) applied n times to slow down the computation.

• Used to defend against brute-force

• Salt is used against rainbow tables attacks.

11Wednesday, February 3, 2010

Page 16: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Crypto 911 : 3DES

• 3DES : Triple DES encryption

• Encrypt, Decrypt, Encrypt

• Exist in two flavor : 2 keys or 3 keys (64 bits each)

• Windows use the strong version with 3 keys

12Wednesday, February 3, 2010

Page 17: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

How the system interacts with DPAPI

13Wednesday, February 3, 2010

Page 18: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

How the system interacts with DPAPI

DPAPIcryptoAPIcrypt32.dll

13Wednesday, February 3, 2010

Page 19: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

How the system interacts with DPAPI

DPAPIcryptoAPIcrypt32.dll

Local Security AuthoritycryptoAPIcrypt32.dll

13Wednesday, February 3, 2010

Page 20: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

How the system interacts with DPAPI

EFS Encrypted file

DPAPIcryptoAPIcrypt32.dll

Local Security AuthoritycryptoAPIcrypt32.dll

13Wednesday, February 3, 2010

Page 21: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

How the system interacts with DPAPI

EFS Encrypted file

DPAPIcryptoAPIcrypt32.dll

EFS

Local Security AuthoritycryptoAPIcrypt32.dll

13Wednesday, February 3, 2010

Page 22: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

How the system interacts with DPAPI

EFS Encrypted file

EFSuser private

key

DPAPIcryptoAPIcrypt32.dll

EFS

Local Security AuthoritycryptoAPIcrypt32.dll

13Wednesday, February 3, 2010

Page 23: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

How the system interacts with DPAPI

EFS Encrypted file

EFSuser private

key

DPAPIcryptoAPIcrypt32.dll

EFS

Local Security AuthoritycryptoAPIcrypt32.dll

13Wednesday, February 3, 2010

Page 24: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

DPAPI CryptUnprotecData Function

BOOL WINAPI CryptUnprotectData (

*pDataIn,

*ppszDataDescr,

*pOptionalEntropy,

pvReserved,

*pPromptStruct,

dwFlags,

*pDataOut

14Wednesday, February 3, 2010

Page 25: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

DPAPI CryptUnprotecData Function

BOOL WINAPI CryptUnprotectData (

*pDataIn,

*ppszDataDescr,

*pOptionalEntropy,

pvReserved,

*pPromptStruct,

dwFlags,

*pDataOut

Encrypted data aka data blob

14Wednesday, February 3, 2010

Page 26: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

DPAPI CryptUnprotecData Function

BOOL WINAPI CryptUnprotectData (

*pDataIn,

*ppszDataDescr,

*pOptionalEntropy,

pvReserved,

*pPromptStruct,

dwFlags,

*pDataOut

Optional description

14Wednesday, February 3, 2010

Page 27: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

DPAPI CryptUnprotecData Function

BOOL WINAPI CryptUnprotectData (

*pDataIn,

*ppszDataDescr,

*pOptionalEntropy,

pvReserved,

*pPromptStruct,

dwFlags,

*pDataOut

Optional entropy (salt)

14Wednesday, February 3, 2010

Page 28: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

DPAPI CryptUnprotecData Function

BOOL WINAPI CryptUnprotectData (

*pDataIn,

*ppszDataDescr,

*pOptionalEntropy,

pvReserved,

*pPromptStruct,

dwFlags,

*pDataOut

Optional password

14Wednesday, February 3, 2010

Page 29: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

DPAPI CryptUnprotecData Function

BOOL WINAPI CryptUnprotectData (

*pDataIn,

*ppszDataDescr,

*pOptionalEntropy,

pvReserved,

*pPromptStruct,

dwFlags,

*pDataOut Decrypted data

14Wednesday, February 3, 2010

Page 30: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Derivation scheme

User

15Wednesday, February 3, 2010

Page 31: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Derivation scheme

User

Pre keySHA1(password)

15Wednesday, February 3, 2010

Page 32: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Derivation scheme

User

Pre keySHA1(password)

Master Key

15Wednesday, February 3, 2010

Page 33: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Derivation scheme

User

Pre keySHA1(password)

Master Key

Blob key Blob key Blob key

15Wednesday, February 3, 2010

Page 34: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Derivation scheme

User

Pre keySHA1(password)

Master Key

Blob key Blob key Blob key

15Wednesday, February 3, 2010

Page 35: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Blob structure

• Returned to the application (opaque structure)

• Store user encrypted data

• Contains decryption parameters

16Wednesday, February 3, 2010

Page 36: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

key subtleties

• SHA1 password are in UTF-16LE

• SID for HMAC are also in UTF-16LE (don’t forget the \0 !)

• Windows 2000 do not use SHA1/3DES. We think it uses SHA1/RC4 (Anyone want to try ?).

17Wednesday, February 3, 2010

Page 37: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

data blob structure key fields

DWORD cbProviders;

GUID *arrProviders;

DWORD cbKeys;

GUID *arrKeys;

WCHAR *ppszDataDescr;

DWORD idCipherAlgo;

BYTE *pbSalt;

DWORD idHashAlgo;

BYTE *pbUnknown;

BYTE *pbCipher;

BYTE *pbHMAC;

18Wednesday, February 3, 2010

Page 38: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

data blob structure key fields

DWORD cbProviders;

GUID *arrProviders;

DWORD cbKeys;

GUID *arrKeys;

WCHAR *ppszDataDescr;

DWORD idCipherAlgo;

BYTE *pbSalt;

DWORD idHashAlgo;

BYTE *pbUnknown;

BYTE *pbCipher;

BYTE *pbHMAC;

Nb of crypto providers

18Wednesday, February 3, 2010

Page 39: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

data blob structure key fields

DWORD cbProviders;

GUID *arrProviders;

DWORD cbKeys;

GUID *arrKeys;

WCHAR *ppszDataDescr;

DWORD idCipherAlgo;

BYTE *pbSalt;

DWORD idHashAlgo;

BYTE *pbUnknown;

BYTE *pbCipher;

BYTE *pbHMAC;

Crypto providers GUID

18Wednesday, February 3, 2010

Page 40: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

data blob structure key fields

DWORD cbProviders;

GUID *arrProviders;

DWORD cbKeys;

GUID *arrKeys;

WCHAR *ppszDataDescr;

DWORD idCipherAlgo;

BYTE *pbSalt;

DWORD idHashAlgo;

BYTE *pbUnknown;

BYTE *pbCipher;

BYTE *pbHMAC;

Nb of masters keys

18Wednesday, February 3, 2010

Page 41: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

data blob structure key fields

DWORD cbProviders;

GUID *arrProviders;

DWORD cbKeys;

GUID *arrKeys;

WCHAR *ppszDataDescr;

DWORD idCipherAlgo;

BYTE *pbSalt;

DWORD idHashAlgo;

BYTE *pbUnknown;

BYTE *pbCipher;

BYTE *pbHMAC;

Masters keys GUID

18Wednesday, February 3, 2010

Page 42: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

data blob structure key fields

DWORD cbProviders;

GUID *arrProviders;

DWORD cbKeys;

GUID *arrKeys;

WCHAR *ppszDataDescr;

DWORD idCipherAlgo;

BYTE *pbSalt;

DWORD idHashAlgo;

BYTE *pbUnknown;

BYTE *pbCipher;

BYTE *pbHMAC;

Optional description

18Wednesday, February 3, 2010

Page 43: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

data blob structure key fields

DWORD cbProviders;

GUID *arrProviders;

DWORD cbKeys;

GUID *arrKeys;

WCHAR *ppszDataDescr;

DWORD idCipherAlgo;

BYTE *pbSalt;

DWORD idHashAlgo;

BYTE *pbUnknown;

BYTE *pbCipher;

BYTE *pbHMAC;

Encryption algorithm ID

18Wednesday, February 3, 2010

Page 44: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

data blob structure key fields

DWORD cbProviders;

GUID *arrProviders;

DWORD cbKeys;

GUID *arrKeys;

WCHAR *ppszDataDescr;

DWORD idCipherAlgo;

BYTE *pbSalt;

DWORD idHashAlgo;

BYTE *pbUnknown;

BYTE *pbCipher;

BYTE *pbHMAC;

Salt generated by DPAPI

18Wednesday, February 3, 2010

Page 45: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

data blob structure key fields

DWORD cbProviders;

GUID *arrProviders;

DWORD cbKeys;

GUID *arrKeys;

WCHAR *ppszDataDescr;

DWORD idCipherAlgo;

BYTE *pbSalt;

DWORD idHashAlgo;

BYTE *pbUnknown;

BYTE *pbCipher;

BYTE *pbHMAC;

Hash algorithm ID

18Wednesday, February 3, 2010

Page 46: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

data blob structure key fields

DWORD cbProviders;

GUID *arrProviders;

DWORD cbKeys;

GUID *arrKeys;

WCHAR *ppszDataDescr;

DWORD idCipherAlgo;

BYTE *pbSalt;

DWORD idHashAlgo;

BYTE *pbUnknown;

BYTE *pbCipher;

BYTE *pbHMAC;

Unknown data

18Wednesday, February 3, 2010

Page 47: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

data blob structure key fields

DWORD cbProviders;

GUID *arrProviders;

DWORD cbKeys;

GUID *arrKeys;

WCHAR *ppszDataDescr;

DWORD idCipherAlgo;

BYTE *pbSalt;

DWORD idHashAlgo;

BYTE *pbUnknown;

BYTE *pbCipher;

BYTE *pbHMAC;

Encrypted data

18Wednesday, February 3, 2010

Page 48: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

data blob structure key fields

DWORD cbProviders;

GUID *arrProviders;

DWORD cbKeys;

GUID *arrKeys;

WCHAR *ppszDataDescr;

DWORD idCipherAlgo;

BYTE *pbSalt;

DWORD idHashAlgo;

BYTE *pbUnknown;

BYTE *pbCipher;

BYTE *pbHMAC; Blob HMAC

18Wednesday, February 3, 2010

Page 49: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Master key structure

• Store the key used to decrypt blob

• Encrypted with the user password

• Renewed every 3 months

19Wednesday, February 3, 2010

Page 50: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

The master key file

Header

20Wednesday, February 3, 2010

Page 51: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

The master key file

Header

Keys infos

20Wednesday, February 3, 2010

Page 52: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

The master key file

Header

Keys infos

Master key

20Wednesday, February 3, 2010

Page 53: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

The master key file

Header

Keys infos

Master key

Key ?

20Wednesday, February 3, 2010

Page 54: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

The master key file

Header

Keys infos

Master key

Key ?

Footer

20Wednesday, February 3, 2010

Page 55: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Header structure

dwVersion;

nullPad1;

szKeyGUID[36];

nullPad2;

Header

Keys infos

Master key

Key ?

Footer

21Wednesday, February 3, 2010

Page 56: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Header structure

dwVersion;

nullPad1;

szKeyGUID[36];

nullPad2;

Header

Keys infos

Master key

Key ?

Footer

File version

21Wednesday, February 3, 2010

Page 57: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Header structure

dwVersion;

nullPad1;

szKeyGUID[36];

nullPad2;

Header

Keys infos

Master key

Key ?

Footer

Master key GUID

21Wednesday, February 3, 2010

Page 58: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Key infos structure

dwUnknown;

cbMasterKey;

cbMysteryKey;

dwHMACLen;

nullPad3;

Header

Keys infos

Master key

Key ?

Footer

22Wednesday, February 3, 2010

Page 59: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Key infos structure

dwUnknown;

cbMasterKey;

cbMysteryKey;

dwHMACLen;

nullPad3;

Header

Keys infos

Master key

Key ?

Footer

Master Key struct length

22Wednesday, February 3, 2010

Page 60: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Key infos structure

dwUnknown;

cbMasterKey;

cbMysteryKey;

dwHMACLen;

nullPad3;

Header

Keys infos

Master key

Key ?

Footer

Key ? struct length

22Wednesday, February 3, 2010

Page 61: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Key infos structure

dwUnknown;

cbMasterKey;

cbMysteryKey;

dwHMACLen;

nullPad3;

Header

Keys infos

Master key

Key ?

Footer

HMAC length

22Wednesday, February 3, 2010

Page 62: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Master key structure

dwMagic;

pbSalt[16];

cbIteration;

idMACAlgo;

idCipherAlgo;

pbCipheredKey[];

Header

Keys infos

Master key

Key ?

Footer

23Wednesday, February 3, 2010

Page 63: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Master key structure

dwMagic;

pbSalt[16];

cbIteration;

idMACAlgo;

idCipherAlgo;

pbCipheredKey[];

Header

Keys infos

Master key

Key ?

Footer

Key salt

23Wednesday, February 3, 2010

Page 64: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Master key structure

dwMagic;

pbSalt[16];

cbIteration;

idMACAlgo;

idCipherAlgo;

pbCipheredKey[];

Header

Keys infos

Master key

Key ?

Footer

PBKDF2 nb rounds

23Wednesday, February 3, 2010

Page 65: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Master key structure

dwMagic;

pbSalt[16];

cbIteration;

idMACAlgo;

idCipherAlgo;

pbCipheredKey[];

Header

Keys infos

Master key

Key ?

Footer

HMAC algorithm ID

23Wednesday, February 3, 2010

Page 66: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Master key structure

dwMagic;

pbSalt[16];

cbIteration;

idMACAlgo;

idCipherAlgo;

pbCipheredKey[];

Header

Keys infos

Master key

Key ?

Footer Encryption Algo id

23Wednesday, February 3, 2010

Page 67: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Master key structure

dwMagic;

pbSalt[16];

cbIteration;

idMACAlgo;

idCipherAlgo;

pbCipheredKey[];

Header

Keys infos

Master key

Key ?

Footer

Encrypted key

23Wednesday, February 3, 2010

Page 68: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Decrypting the Master key

DPAPIDecryptKey(sha1, encKey) {

tmp-key = HMAC(sha1, SID)

pre-key = PBKDF2(decryptKey, Salt, ID_ALGO, nbIteration)

3desKey = pre-key[0 - 23]

3desIV = [24 - 31]

(hmac[0-35], DWORD[36-39], master-key[40-104]) = 3des-cbc(3desKey, iv, encKey)

}

24Wednesday, February 3, 2010

Page 69: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

key structure

• Seems to have the same structure than the master key

• One round of derivation (XP not Seven)

• 256 bits (half size of the real master-key)

Header

Keys infos

Master key

Key ?

Footer

25Wednesday, February 3, 2010

Page 70: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Possible explanation

• The documentation state a compatibility mode for windows 2000 exist.

• The registry key to trigger it is unknown

• If we are correct and W2k uses RC4 then the mystery key is possibly a RC4 key (256bits is the correct size).

• PBKDF2 used to compute the IV ??

Header

Keys infos

Master key

Key ?

Footer

26Wednesday, February 3, 2010

Page 71: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Possible explanation continued

• We know that RC4 have a weak key scheduling algorithm (remember WEP ?)

• Might be a potential weakness (or not)

Header

Keys infos

Master key

Key ?

Footer

27Wednesday, February 3, 2010

Page 72: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Header structure

dwMagic;

credHist[16];

Header

Keys infos

Master key

Key ?

Footer

28Wednesday, February 3, 2010

Page 73: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Header structure

dwMagic;

credHist[16];

Header

Keys infos

Master key

Key ?

Footer

Password GUID

28Wednesday, February 3, 2010

Page 74: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Differences between windows version

XP Vista Seven

PBKDF2rounds 4000 24000

Variable (factor ?)

Symmetricalgorithm 3DES 3DES AES

Hash algorithm SHA1 SHA1 SHA512

29Wednesday, February 3, 2010

Page 75: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Decrypting a blob

Data blob

30Wednesday, February 3, 2010

Page 76: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Decrypting a blob

Data blob Master key file

Master key GUID

30Wednesday, February 3, 2010

Page 77: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Decrypting a blob

Data blob Master key file

Master key GUID

Pre key

Salt, Nb iterations

30Wednesday, February 3, 2010

Page 78: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Decrypting a blob

Data blob Master key file

Master key GUID

Pre key

Salt, Nb iterations

SHA1(password)

User SID

30Wednesday, February 3, 2010

Page 79: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Decrypting a blob

Data blob Master key file

Master key GUID

Pre key

Salt, Nb iterations

SHA1(password)

User SID

Master key

30Wednesday, February 3, 2010

Page 80: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Decrypting a blob

Data blob Master key file

Master key GUID

Pre key

Salt, Nb iterations

SHA1(password)

User SID

Master key

Cipher + Key

30Wednesday, February 3, 2010

Page 81: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Decrypting a blob

Data blob Master key file

Master key GUID

Pre key

Salt, Nb iterations

SHA1(password)

User SID

Master key

Blob key

Cipher + Key

30Wednesday, February 3, 2010

Page 82: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Decrypting a blob

Data blob Master key file

Master key GUID

Pre key

Salt, Nb iterations

SHA1(password)

User SID

Master key

Blob key

Salt + IV

Cipher + Key

30Wednesday, February 3, 2010

Page 83: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Decrypting a blob

Data blob Master key file

Master key GUID

Pre key

Salt, Nb iterations

SHA1(password)

User SID

Master key

Additio

nal p

asswor

d

Blob key

Salt + IV

Cipher + Key

30Wednesday, February 3, 2010

Page 84: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Decrypting a blob

Data blob Master key file

Master key GUID

Pre key

Salt, Nb iterations

SHA1(password)

User SID

Master key

Additio

nal p

asswor

d

Blob key

Salt + IV

Additional entropy

Cipher + Key

30Wednesday, February 3, 2010

Page 85: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Decrypt blob aka the strange HMAC

DecryptBlob() {

kt = SHA1(masterkey)

opad = 0x5c xor kt

ipad = 0x36 xor kt

i = SHA1(opad.SHA1(ipad . salt).entropyCond)

kd = CryptDeriveKey(i) //not reversed (yet)

CryptDecrypt(data, kd)

}

31Wednesday, February 3, 2010

Page 86: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Did I miss something ?

32Wednesday, February 3, 2010

Page 87: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Did I miss something ?

• How the OS knows the current master key ?

32Wednesday, February 3, 2010

Page 88: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Did I miss something ?

• How the OS knows the current master key ?

• How the OS decides to renew the master key ?

32Wednesday, February 3, 2010

Page 89: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Did I miss something ?

• How the OS knows the current master key ?

• How the OS decides to renew the master key ?

• What happen when the user changes his password ?

32Wednesday, February 3, 2010

Page 90: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Key renewal process

• Renewed every 3 months automatically

• Passive process: executed when CryptProtect called

• Hardcoded limit (location unknown)

• Possibly in psbase.dll (MS crypto provider)

• Can be reduced by using registry override

33Wednesday, February 3, 2010

Page 91: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Master key selection

• All master keys are kept because Windows can’t tell if a key is still used

• Keys are stored in %APPDATA%/Microsoft/Protect/[SID]

• Current master key is specified in the Preferred file

34Wednesday, February 3, 2010

Page 92: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

The Preferred file

• Simply contains :

“GUID master key” . “timestamp”

• The key is renewed when

current time > timestamp

35Wednesday, February 3, 2010

Page 93: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

The Preferred file

• Simply contains :

“GUID master key” . “timestamp”

• The key is renewed when

current time > timestamp

➡Key escrow attack : Plant a key and update the Preferred file every 3 months (e.g using the task scheduler)

35Wednesday, February 3, 2010

Page 94: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

User password renewal

• Master keys are re-encrypted when the password change

• Experimentally not all of them, just the last few ones

36Wednesday, February 3, 2010

Page 95: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Decrypting a blob

Data blob Master key file

Master key GUID

Pre key

Salt, Nb iterations

SHA1(password)

Master key

Additio

nal p

asswor

d

Blob key

Salt + IV

Additional entropy

Cipher + Key

37Wednesday, February 3, 2010

Page 96: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Decrypting a blob

Data blob Master key file CREDHIST

Master key GUID

Pre key

Salt, Nb iterations

SHA1(password)

Master key

Additio

nal p

asswor

d

Blob key

Salt + IV

Additional entropy

Cipher + Key

CREDHIST GUID

37Wednesday, February 3, 2010

Page 97: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

CREDHIST overview

SHA1(password)

38Wednesday, February 3, 2010

Page 98: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

CREDHIST overview

Structurepass n-1 SHA1(password)

Decrypt

38Wednesday, February 3, 2010

Page 99: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

CREDHIST overview

Structurepass n-1

Structurepass n-2

Decrypt

SHA1(password)Decrypt

38Wednesday, February 3, 2010

Page 100: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

CREDHIST overview

Structurepass n-1

Structurepass n-2

Structurepass n- 3

Decrypt

Decrypt

SHA1(password)Decrypt

38Wednesday, February 3, 2010

Page 101: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

CREDHIST overview

Structurepass n-1

Structurepass n-2

Structurepass n- 3

Structurepass 1

Structurepass 2

...

Decrypt

Decrypt

Decrypt

SHA1(password)Decrypt

38Wednesday, February 3, 2010

Page 102: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

CREDHIST entry structure main fields

idHashAlgo;

dwRounds;

dwCipherAlgo;

bSID[12];

dwComputerSID[3];

dwAccountID;

bData[28];

bPasswordID[16]

39Wednesday, February 3, 2010

Page 103: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

CREDHIST entry structure main fields

idHashAlgo;

dwRounds;

dwCipherAlgo;

bSID[12];

dwComputerSID[3];

dwAccountID;

bData[28];

bPasswordID[16]

Hash algo ID

39Wednesday, February 3, 2010

Page 104: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

CREDHIST entry structure main fields

idHashAlgo;

dwRounds;

dwCipherAlgo;

bSID[12];

dwComputerSID[3];

dwAccountID;

bData[28];

bPasswordID[16]

Nb rounds

39Wednesday, February 3, 2010

Page 105: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

CREDHIST entry structure main fields

idHashAlgo;

dwRounds;

dwCipherAlgo;

bSID[12];

dwComputerSID[3];

dwAccountID;

bData[28];

bPasswordID[16]

Encryption Algorithm ID

39Wednesday, February 3, 2010

Page 106: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

CREDHIST entry structure main fields

idHashAlgo;

dwRounds;

dwCipherAlgo;

bSID[12];

dwComputerSID[3];

dwAccountID;

bData[28];

bPasswordID[16]

User USID

39Wednesday, February 3, 2010

Page 107: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

CREDHIST entry structure main fields

idHashAlgo;

dwRounds;

dwCipherAlgo;

bSID[12];

dwComputerSID[3];

dwAccountID;

bData[28];

bPasswordID[16]

Computer SID

39Wednesday, February 3, 2010

Page 108: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

CREDHIST entry structure main fields

idHashAlgo;

dwRounds;

dwCipherAlgo;

bSID[12];

dwComputerSID[3];

dwAccountID;

bData[28];

bPasswordID[16]

Account ID

39Wednesday, February 3, 2010

Page 109: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

CREDHIST entry structure main fields

idHashAlgo;

dwRounds;

dwCipherAlgo;

bSID[12];

dwComputerSID[3];

dwAccountID;

bData[28];

bPasswordID[16]

Encrypted password SHA1

39Wednesday, February 3, 2010

Page 110: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

CREDHIST entry structure main fields

idHashAlgo;

dwRounds;

dwCipherAlgo;

bSID[12];

dwComputerSID[3];

dwAccountID;

bData[28];

bPasswordID[16] Password GUID

39Wednesday, February 3, 2010

Page 111: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Decryption algorithm overview

DecryptCredhist{

SID = (USID-ComputerID-AccountID)

tmp-key = HMAC(sha1, SID)

pre-key = PBKDF2(decryptKey, Salt, ID_ALGO, nbIteration)

3desKey = pre-key[0 - 23]

3desIV = [24 - 31]

(SHA1[0-19], HMAC[20-39]) = 3des-cbc(3desKey, iv, encKey)

40Wednesday, February 3, 2010

Page 112: Reverse of DPAPI - BlackHat DC 2010

DPAPIck demo

41Wednesday, February 3, 2010

Page 113: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Warning

• DPAPIck is in ALPHA stage. Use it at your own risk ! You have been warned. It is just a POC

• Know bugs :

• No HMAC checks -> No key check.

• No Seven support, tested only on XP

• No conditional entropy / strong password in UI

• Don’t choose the correct master key by itself

• Buffer overflows :)

42Wednesday, February 3, 2010

Page 114: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

DPAPIck future

• We made the choice to release early so you know we are telling the truth and everyone can start playing.

• We will provide a more robust version and eventually open the source code so one day Linux will read EFS files :)

• It just too soon for this.

43Wednesday, February 3, 2010

Page 115: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

LSA

• LSASS secret contains a DPAPI_SYSTEM value

• Length == 2 * SHA1

• Usage are unknown

• We think that 1 of them is used as a SYSTEM account “password”

• Need to be confirmed

44Wednesday, February 3, 2010

Page 116: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

EFS

• Certificate private key is encrypted with DPAPI

• Key are stored in

• To read EFS file offline, we just need to import the user certificate and its private keys in our key store.

• Work in progress in DPAPIck

45Wednesday, February 3, 2010

Page 117: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

What is next

• Can we build a rogue crypto provider ?

• What are the two SHA1 stored in the LSA ?

• Where is stored the renewal hard lime ?

• CryptDeriveKey needed to be reversed to have a fully portable implementation (Everything else is already portable)

46Wednesday, February 3, 2010

Page 118: Reverse of DPAPI - BlackHat DC 2010

Jean-Michel Picod, Elie Bursztein http://www.dpapick.com

Conclusion

• Open the door to offline forensic

• First step toward EFS on alternative systems

• CREDHIST allows to recover previous passwords

• DPAPIck : http://dpapick.com

• Some things remain unknown

47Wednesday, February 3, 2010

Page 119: Reverse of DPAPI - BlackHat DC 2010

Questions ?Thanks to the nightingale team

48Wednesday, February 3, 2010