A C# tool to output crackable DPAPI hashes from user MasterKeys.
MasterKeys are encrypted with the domain password of the user. Cracking such a key can lead to the compromise of other domain accounts.
Based on DPAPImk2john for hash generation (https://github.com/openwall/john/blob/6ed33a7f10f4fa19a4a995cf0fa099d6169fdcbf/run/DPAPImk2john.py) Based on SharpDPAPI for masterkey extraction (https://github.com/GhostPack/SharpDPAPI)
DPAPISnoop once run, it will iterate through every user folder, grab the most recent MasterKey under C:\Users\User\AppData\Roaming\Microsoft\Protect\{SID}\{GUID}
and output a hashcat/JtR crackable hash.
The tool can be run either in a local or remote context (SMB) after having admin privileges.
The hash can then be attempted to be cracked with Hashcat / JtR.
Depending on the operating system, we have different type of hashes, where preWin7 DES3 was in use.
- Version 1 = des3 + sha1 (<=Vista)
- Version 2 = aes256 + sha512 (>=Win7)
Depending if the user a local account or domain account, the context changes, with:
- Context 1: Local User
- Context 2: Domain User domain1607-
- Context 3: Domain User domain1607+
Generated hash is in the form of:
$"{username}:$DPAPImk${version}*{Context}*{sid}*{cipherAlgo}*{hmacAlgo}*{rounds}*{iv}*{cipher.Length}*{cipher}");
CAVEAT
There is no programatic way to differentiate between domain1607- / domain1607+ although it appears that Context 3 was introduced after Windows 10 version 1607 (build 14393). The tool currently outputs only Context 3 but feel free to uncomment L#83
Hashcat supports the following hashes:
- -m 15300 for masterkey file v1 (context 1 / 2)
- -m 15310 for masterkey file v1 (context 3)
- -m 15900 for masterkey file v2 (context 1 / 2)
- -m 15910 for masterkey file v2 (context 3)
DPAPISnoop.exe [\\server\C$]
www.synacktiv.ninja/ressources/univershell_2017_dpapi.pdf
https://github.com/dfirfpi/dpapilab
https://github.com/jordanbtucker/dpapick https://github.com/GhostPack/SharpDPAPI
Lefteris (lefty) Panos / @lefterispan / 2023
Shouts to @eks_perience & Nettitude RT