leftp/DPAPISnoop
DPAPISnoop

A C# tool to output crackable DPAPI hashes from user MasterKeys.

MasterKeys are encrypted with the user's domain password, so cracking one such key can lead to the compromise of further domain accounts.

Based on DPAPImk2john for hash generation (https://github.com/openwall/john/blob/6ed33a7f10f4fa19a4a995cf0fa099d6169fdcbf/run/DPAPImk2john.py).

Based on SharpDPAPI for MasterKey extraction (https://github.com/GhostPack/SharpDPAPI).

Info

Once run, DPAPISnoop iterates through every user folder, grabs the most recent MasterKey under C:\Users\User\AppData\Roaming\Microsoft\Protect\{SID}\{GUID} and outputs a hashcat/JtR crackable hash.

The tool can be run either locally or remotely over SMB; admin privileges are required in both cases.

The resulting hash can then be fed to Hashcat or JtR for cracking.

The hash type depends on the operating system: before Windows 7, DES3 was in use.

  • Version 1 = des3 + sha1 (<=Vista)
  • Version 2 = aes256 + sha512 (>=Win7)

The context depends on whether the user is a local or a domain account:

  • Context 1: Local user
  • Context 2: Domain user (domain1607-, i.e. domain before Windows 10 version 1607)
  • Context 3: Domain user (domain1607+)

The generated hash has the form (C# interpolated string, as used by the tool):

{username}:$DPAPImk${version}*{context}*{sid}*{cipherAlgo}*{hmacAlgo}*{rounds}*{iv}*{cipher.Length}*{cipher}

CAVEAT

There is no programmatic way to differentiate between domain1607- and domain1607+, although it appears that Context 3 was introduced after Windows 10 version 1607 (build 14393). The tool currently outputs only Context 3, but feel free to uncomment line 83 of the source.

Hashcat supports the following hashes:

  • -m 15300 for masterkey file v1 (context 1 / 2)
  • -m 15310 for masterkey file v1 (context 3)
  • -m 15900 for masterkey file v2 (context 1 / 2)
  • -m 15910 for masterkey file v2 (context 3)
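As an added example that is not part of DPAPISnoop, the following Python parser splits one line in the hash format above into its fields and checks that they are mutually consistent (version against cipher/HMAC pair, cipher length against the hex ciphertext and block size, SID shape), then reports the account, SID and the hashcat mode from the list above; this lets someone who finds such output on a host see at a glance which accounts are exposed to offline password guessing. The SID, IV and ciphertext in the sample are constructed, and the cipher-length field is assumed to count bytes (the byte array's Length in the C# format string).

```python
import re

# hashcat modes listed in this README, keyed by (masterkey version, context)
HASHCAT_MODES = {(1, 1): 15300, (1, 2): 15300, (1, 3): 15310,
                 (2, 1): 15900, (2, 2): 15900, (2, 3): 15910}
# cipher/HMAC pair each version is expected to carry, and cipher block sizes
VERSION_ALGOS = {1: ("des3", "sha1"), 2: ("aes256", "sha512")}
BLOCK_SIZE = {"des3": 8, "aes256": 16}
SID_RE = re.compile(r"^S-1-5-21(-\d+){4}$")
HEX_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)


def parse_dpapimk(line):
    """Split one '<user>:$DPAPImk$...' line into its fields and check that
    they are mutually consistent; raise ValueError on anything malformed."""
    user, sep, rest = line.strip().partition(":")
    if not sep or not rest.startswith("$DPAPImk$"):
        raise ValueError("not a $DPAPImk$ hash line")
    fields = rest[len("$DPAPImk$"):].split("*")
    if len(fields) != 9:
        raise ValueError(f"expected 9 '*'-separated fields, got {len(fields)}")
    version, context, sid, cipher_algo, hmac_algo, rounds, iv, clen, cipher = fields
    version, context, rounds, clen = map(int, (version, context, rounds, clen))
    if version not in VERSION_ALGOS or context not in (1, 2, 3):
        raise ValueError(f"unsupported version/context {version}/{context}")
    if (cipher_algo, hmac_algo) != VERSION_ALGOS[version]:
        raise ValueError(f"version {version} must use {VERSION_ALGOS[version]}")
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID {sid!r}")
    if rounds <= 0 or not HEX_RE.match(iv) or len(iv) != 32:
        raise ValueError("rounds must be positive and iv must be 16 hex-encoded bytes")
    # the length field counts cipher bytes (assumption), so the hex is twice as long
    if not HEX_RE.match(cipher) or len(cipher) != 2 * clen:
        raise ValueError("cipher length field disagrees with the cipher hex")
    if clen % BLOCK_SIZE[cipher_algo]:
        raise ValueError(f"cipher is not a whole number of {cipher_algo} blocks")
    return {"user": user, "version": version, "context": context, "sid": sid,
            "cipher_algo": cipher_algo, "hmac_algo": hmac_algo, "rounds": rounds,
            "iv": iv, "cipher_len": clen, "cipher": cipher,
            "account": "local" if context == 1 else "domain",
            "hashcat_mode": HASHCAT_MODES[(version, context)]}


# Constructed sample: fake SID, IV and ciphertext, far shorter than a real masterkey
SAMPLE = ("alice:$DPAPImk$2*3*S-1-5-21-1111111111-2222222222-3333333333-1105"
          "*aes256*sha512*8000*00112233445566778899aabbccddeeff*32*" + "ab" * 32)

if __name__ == "__main__":
    info = parse_dpapimk(SAMPLE)
    print(f"{info['user']} ({info['account']} account {info['sid']}): v{info['version']}"
          f" context {info['context']}, hashcat -m {info['hashcat_mode']}")
```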

Usage

DPAPISnoop.exe [\\server\C$]

Useful References

www.synacktiv.ninja/ressources/univershell_2017_dpapi.pdf

hashcat/hashcat#1238

openwall/john#3419

hashcat/hashcat#3208

hashcat/hashcat#1365

hashcat/hashcat#3189

https://github.com/openwall/john/blob/6ed33a7f10f4fa19a4a995cf0fa099d6169fdcbf/run/DPAPImk2john.py

https://github.com/dfirfpi/dpapilab

https://github.com/jordanbtucker/dpapick

https://github.com/GhostPack/SharpDPAPI

Author

Lefteris (lefty) Panos / @lefterispan / 2023

Shouts to @eks_perience & Nettitude RT
