Dumping DPAPI
DPAPI stands for Data Protection API. Which is used by windows to securely save credentials.
Configuring
Login to
DC03as theAdministratoruser with the passwordWelcome01!.Open the "Active Directory Users and Computers" management tool and open the "Users" directory. Right click the "Users" directory and click "New User"
Create a user with the name
sa_backupand the passwordLS6RV5o8T9. Make sure you deselect "User must change password at next logon" and select "Password never expires".
4. Add the user to the "Account operator" and "Backup Operator" groups via the interface, memberof section or run the following command:
5. Login with the sa_sql user and the password Iloveyou2 on DATA01.
6. Click start and open the "Credential Manager".
7. Click on the "Windows Credentials" tab and select "Add a Windows credential".
8. Fill in the following information:
Internet or network address:
secure.localUser Name:
sa_backupPassword:
LS6RV5o8T9
Attacking
How it works
When you have comprimised a system and if a user is currently logged in you can retrieve its DPAPI masterkey and decrypt the saved credentials. This is also possible if you have the password of a user. These saved credentials might give you access to other systems or higher privileges within the domain and can be used for lateral movement.
Tools
Executing the attack
One of the things I like to do when gaining access to a system is running Seatbelt. This tool will check many things like permissions, groups and for stored credentials. The tool describes itself as:
Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
The tool is great for detecting DPAPI secrets.
2. To run Seatbelt and do some of it checks we can run the following command:
3. In the output of the section WindowsCredentialFiles we can see that the user sa_sql has some credentials saved:
4. We can find the master encryption key id and some information about the saved credentials with the following Mimikatz command using the previous path and FileName:
The pbData field contains the encrypted data and the guidMasterKey contains the GUID of the key needed to decrypt it.
The latest compiled version of Mimikatz doesn't work on server 2022. Compiling the latest commit with Visual Studio 2019 gave me some errors, but this https://github.com/matrix/mimikatz/tree/type_cast-pointer_truncation_x64 repostorie/pull request worked for me without errors! I really hate compiling tools like this, always errors 😢
5. The next step is to retrieve the masterkey with the password of the user. Luckily we had its password from the previous pages were we captured the NTLMV2 hash after doing a UNC path injection through the SQL Service and cracked it. The password of the sa_sql user was Iloveyou2. With the following Mimikatz command we can retrieve the masterkey:
6. We were able to retrieve the Masterkey, it it shown at the end of the output. Now we can read the saved credentials with the masterkey using the following Mimikatz command:
First we get the output of the first mimikatz command we ran, some information about the credentials. The output shows is the saved credential for the sa_backup user with the password LS6RV5o8T9.
7. With the help of PowerView we can quickly check if this user has any value:
In PowerView we can see that sa_backup is member of the Account Operators en Backup Operators groups. These groups are interesting!
Defending
Recommendations
Don't save RDP credentials in Windows.
Detection
References
Last updated
