SlideShare a Scribd company logo

DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017

Paula Januszkiewicz
Paula Januszkiewicz

This document discusses various methods for protecting secrets and passwords in Windows operating systems. It covers how DPAPI (Data Protection API) works to encrypt secrets using keys derived from user credentials and machine keys. It also describes how IIS application pools store encrypted passwords and how offline password changes are handled. The document provides technical details on algorithms and key derivation functions used in different versions of Windows.

Education
1 of 30
Download to read offline
@paulacqure @CQUREAcademy
Class names for keys from HKLMSYSTEMCCSControlLsa HKLMSECURITYCache HKLMSECURITYPolicySecrets HKLMSECURITYPolicySecrets
Based on the following components: Password, data blob, entropy Is not prone to password resets! Protects from outsiders when being in offline access Effectively protects users data Stores the password history You need to be able to get access to some of your passwords from the past Conclusion:OS greatlyhelpsus to protectsecrets
DPAPI (classic) A. MasterKey 1. pwdhash = MD4(password) or SHA1(password) 2. pwdhash_key = HMACSHA1(pwdhash, user_sid) 3. PBKDF2(…, pwdhash_key,…), another elements from the file. Windows 10 no domain: SHA512, AES-256, 8000 rounds 4. Control – HMACSHA512 B. CREDHIST 1. pwdhash = MD4(password) or SHA1(password) 2. pwdhash_key = HMACSHA1(pwdhash, user_sid) 3. PBKDF2(…, pwdhash_key,…), another elements from the file. Windows 10 no domain: SHA512, AES-256, 8000 rounds 4. Control – HMACSHA512 C. DPAPI blob Algorithms are written in the blob itself.
Used to group one or more Web Applications Purpose: Assign resources, serve as a security sandbox Use Worker Processes (w3wp.exe) Their identity is defined in Application Pool settings Process requests to the applications Passwords for AppPool identity can be ’decrypted’ even offline They are stored in the encrypted form in applicationHost.config Conclusion: IIS relies it’s security on Machine Keys (Local System)
DPAPI-PROTECTED BLOB CLIENT Local LSASS process (local masterkey can’t be decrypted) CryptUnprotectData() DPAPI AD SERVER LSASS process RPC Call BackupKey(masterkey) Decrypted masterkey 01 00 00 00 d0 8c 9d df 01 15 d1 11 8c 7a 00 c0 4f c2 97 eb 01 00 00 00 ...... G$BCKUPKEY_PREFERRED G$BCKUPKEY_940db612-ee8f-4a31-84b3-8f80c25be855 Scenario: offline changed user password or local masterkey can’t be decrypted
There is actually not much of a difference with XP / 2003! No additional salting. PBKDF2 introduced a new variable: the number of iterations SHA1 with the same salt as before (username).
Getting the: cached data MSDCC2 1.bootkey: classes from HKLMSYSTEMCCSControlLsa + [class names for: Data, GBG, JD, Skew1] (+arrays’ permutations) int[] permutationBootKey = new int[] { 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 }; 2.PolEKList: HKLMSECURITYPolicyPolEKList [default value] 3.lsakey: AES_DECRYPT(key, data) -> AES(bootkey, PolEKList) 4.NL$KM secret: HKLMSECURITYPolicySecretsNL$KM 5.nlkm_decrypted: AES_DECRYPT(lsakey, NL$KM secret) 6.Cache_Entry{id} -> HKLMSECURITYCacheNL${id} 7.cache_entry_decrypted -> AES_DECRYPT(nlkm_decrypted, Cache_Entry{id})
DK = PBKDF2(PRF, Password, Salt, c, dkLen) Microsoft’s implementation: MSDCC2= PBKDF2(HMAC-SHA1, DCC1, username, 10240, 16) Legend
LSASS.EXE MEMORY LSASRV.DLL G$BCKUPKEY_PREFERRED G$BCKUPKEY_940db612-ee8f-4a31-84b3-8f80c25be855 GoldenKey.pfx LSASRV.DLL, LSASS.EXE, etc. PATTERNS (for different versions of modules)
LSASS.EXE MEMORY LSASRV.DLL G$BCKUPKEY_PREFERRED G$BCKUPKEY_940db612-ee8f-4a31-84b3-8f80c25be855 AD secret? HOW?! CQLsassSecretsDumper GoldenKey.pfx ? ? ? ? ? ? ?
DomainKey contains some GUID and 256-byte len secret – RSA?? Dude, look in the AD...
Legend The master password for KeePass files encrypted & stored as cipherText (80 bytes)
Getting the: DPAPI-NG Secrets DPAPI-NG A. RootKey Algorithms Key derivation function: SP800_108_CTR_HMAC (SHA512) Secret agreement: Diffie-Hellman B. DPAPI blob Key derivation: KDF_SP80056A_CONCAT After getting the key, there is a need for decryption: Key wrap algorithm: RFC3394 (KEK -> CEK) Decryption: AES-256-GCM (CEK, Blob)
SID-PROTECTED BLOB CLIENT Local LSASS processNCryptUnprotectSecret() CNGDPAPI AD SERVER LSASS process RPC Call GetKey(SID, L0, L1, L2 params) ACTIVE DIRECTORY RootKey RootKeyData? Group key
Looks familiar? It should! It’s DPAPI blob! Protection descriptor: LOCAL=user • KEK (Key Encryption Key) stored as DPAPI blob • Forced by protection descriptor LOCAL=user • Key Wrap (RFC3394) contains encrypted CEK (Content Encryption Key) • Data encrypted by CEK
Tool Description CQMasterKeyAD DPAPIBlobCreator CQDPAPIKeePassDBDecryptor DPAPINGDecrypter CQDPAPIEncDec CQAspNetCoreDecryptData. CQDPAPIExportPFXFromAD CQAspNetCoreMasterKeyCreate CQRDCManDecrypter CQAspNetCoreEncryptData CQDPAPINGPFXDecrypter CQDPAPINGDNCoreMasterKeyDecrypter *CQImpersonateWithSeTcb
DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017
DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017
DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017
DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017

Recommended

Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitBlack Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Paula Januszkiewicz
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
DirkjanMollema
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 
Microsoft LAPS - Local Administrator Password Solution
Microsoft LAPS - Local Administrator Password SolutionMicrosoft LAPS - Local Administrator Password Solution
Microsoft LAPS - Local Administrator Password Solution
Int64 Software Ltd
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
Douglas Bienstock
 
Cloud App Security Customer Presentation.pdf
Cloud App Security Customer Presentation.pdfCloud App Security Customer Presentation.pdf
Cloud App Security Customer Presentation.pdf
ErikHof4
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 

Recommended

Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitBlack Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Paula Januszkiewicz
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
DirkjanMollema
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 
Microsoft LAPS - Local Administrator Password Solution
Microsoft LAPS - Local Administrator Password SolutionMicrosoft LAPS - Local Administrator Password Solution
Microsoft LAPS - Local Administrator Password Solution
Int64 Software Ltd
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
Douglas Bienstock
 
Cloud App Security Customer Presentation.pdf
Cloud App Security Customer Presentation.pdfCloud App Security Customer Presentation.pdf
Cloud App Security Customer Presentation.pdf
ErikHof4
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: Azure
Beau Bullock
 
Sqlmap
SqlmapSqlmap
Sqlmap
Institute of Information Security (IIS)
 
Active Directory のおさらいをしましょう!~グループポリシー編~
Active Directory のおさらいをしましょう!~グループポリシー編~Active Directory のおさらいをしましょう!~グループポリシー編~
Active Directory のおさらいをしましょう!~グループポリシー編~
Mari Miyakawa
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
Security BSides Ahmedabad
 
Offensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetOffensive PowerShell Cheat Sheet
Offensive PowerShell Cheat Sheet
Rahmat Nurfauzi
 
XXE: How to become a Jedi
XXE: How to become a JediXXE: How to become a Jedi
XXE: How to become a Jedi
Yaroslav Babin
 
Clean architectures with fast api pycones
Clean architectures with fast api pyconesClean architectures with fast api pycones
Clean architectures with fast api pycones
Alvaro Del Castillo
 
Active Directory 侵害と推奨対策
Active Directory 侵害と推奨対策Active Directory 侵害と推奨対策
Active Directory 侵害と推奨対策
Yurika Kakiuchi
 
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
jmichel.p
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
CODE BLUE
 
Microsoft 365 Security Overview
Microsoft 365 Security OverviewMicrosoft 365 Security Overview
Microsoft 365 Security Overview
Robert Crane
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Himani Singh
 
Privileged identity management
Privileged identity managementPrivileged identity management
Privileged identity management
Nis
 
Privileged Access Management
Privileged Access ManagementPrivileged Access Management
Privileged Access Management
Hitachi ID Systems, Inc.
 
Trace File Analyzer - Usage and Features
Trace File Analyzer - Usage and Features Trace File Analyzer - Usage and Features
Trace File Analyzer - Usage and Features
Sandesh Rao
 
More mastering the art of indexing
More mastering the art of indexingMore mastering the art of indexing
More mastering the art of indexing
Yoshinori Matsunobu
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
How to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksHow to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI Attacks
Imperva
 
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Paula Januszkiewicz
 
Dear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckDear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality Check
Paula Januszkiewicz
 

More Related Content

What's hot

Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: Azure
Beau Bullock
 
Sqlmap
SqlmapSqlmap
Sqlmap
Institute of Information Security (IIS)
 
Active Directory のおさらいをしましょう!~グループポリシー編~
Active Directory のおさらいをしましょう!~グループポリシー編~Active Directory のおさらいをしましょう!~グループポリシー編~
Active Directory のおさらいをしましょう!~グループポリシー編~
Mari Miyakawa
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
Security BSides Ahmedabad
 
Offensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetOffensive PowerShell Cheat Sheet
Offensive PowerShell Cheat Sheet
Rahmat Nurfauzi
 
XXE: How to become a Jedi
XXE: How to become a JediXXE: How to become a Jedi
XXE: How to become a Jedi
Yaroslav Babin
 
Clean architectures with fast api pycones
Clean architectures with fast api pyconesClean architectures with fast api pycones
Clean architectures with fast api pycones
Alvaro Del Castillo
 
Active Directory 侵害と推奨対策
Active Directory 侵害と推奨対策Active Directory 侵害と推奨対策
Active Directory 侵害と推奨対策
Yurika Kakiuchi
 
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
jmichel.p
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
CODE BLUE
 
Microsoft 365 Security Overview
Microsoft 365 Security OverviewMicrosoft 365 Security Overview
Microsoft 365 Security Overview
Robert Crane
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Himani Singh
 
Privileged identity management
Privileged identity managementPrivileged identity management
Privileged identity management
Nis
 
Privileged Access Management
Privileged Access ManagementPrivileged Access Management
Privileged Access Management
Hitachi ID Systems, Inc.
 
Trace File Analyzer - Usage and Features
Trace File Analyzer - Usage and Features Trace File Analyzer - Usage and Features
Trace File Analyzer - Usage and Features
Sandesh Rao
 
More mastering the art of indexing
More mastering the art of indexingMore mastering the art of indexing
More mastering the art of indexing
Yoshinori Matsunobu
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
How to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksHow to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI Attacks
Imperva
 

What's hot (20)

Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: Azure
 
Sqlmap
SqlmapSqlmap
Sqlmap
 
Active Directory のおさらいをしましょう!~グループポリシー編~
Active Directory のおさらいをしましょう!~グループポリシー編~Active Directory のおさらいをしましょう!~グループポリシー編~
Active Directory のおさらいをしましょう!~グループポリシー編~
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
Offensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetOffensive PowerShell Cheat Sheet
Offensive PowerShell Cheat Sheet
 
XXE: How to become a Jedi
XXE: How to become a JediXXE: How to become a Jedi
XXE: How to become a Jedi
 
Clean architectures with fast api pycones
Clean architectures with fast api pyconesClean architectures with fast api pycones
Clean architectures with fast api pycones
 
Active Directory 侵害と推奨対策
Active Directory 侵害と推奨対策Active Directory 侵害と推奨対策
Active Directory 侵害と推奨対策
 
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
 
Microsoft 365 Security Overview
Microsoft 365 Security OverviewMicrosoft 365 Security Overview
Microsoft 365 Security Overview
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
 
Privileged identity management
Privileged identity managementPrivileged identity management
Privileged identity management
 
Privileged Access Management
Privileged Access ManagementPrivileged Access Management
Privileged Access Management
 
Trace File Analyzer - Usage and Features
Trace File Analyzer - Usage and Features Trace File Analyzer - Usage and Features
Trace File Analyzer - Usage and Features
 
More mastering the art of indexing
More mastering the art of indexingMore mastering the art of indexing
More mastering the art of indexing
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
How to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksHow to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI Attacks
 

Similar to DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017

Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Paula Januszkiewicz
 
Dear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckDear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality Check
Paula Januszkiewicz
 
CQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slidesCQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slides
ZuzannaKornecka
 
Postgresql 12 streaming replication hol
Postgresql 12 streaming replication holPostgresql 12 streaming replication hol
Postgresql 12 streaming replication hol
Vijay Kumar N
 
No more (unsecure) secrets, Marty
No more (unsecure) secrets, MartyNo more (unsecure) secrets, Marty
No more (unsecure) secrets, Marty
Mathias Herberts
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)Sqli
Chema Alonso
 
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...
ScyllaDB
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmap
Herman Duarte
 
introduction to jsrsasign
introduction to jsrsasignintroduction to jsrsasign
introduction to jsrsasign
Kenji Urushima
 
CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...
CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...
CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...
PROIDEA
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency Planning
Sean Chittenden
 
How to Bulletproof Your Scylla Deployment
How to Bulletproof Your Scylla DeploymentHow to Bulletproof Your Scylla Deployment
How to Bulletproof Your Scylla Deployment
ScyllaDB
 
How to Design a Great API (using flask) [ploneconf2017]
How to Design a Great API (using flask) [ploneconf2017]How to Design a Great API (using flask) [ploneconf2017]
How to Design a Great API (using flask) [ploneconf2017]
Devon Bernard
 
DOAG 2016 Oracle Logon Security
DOAG 2016 Oracle Logon SecurityDOAG 2016 Oracle Logon Security
DOAG 2016 Oracle Logon Security
Loopback.ORG
 
(SDD402) Amazon ElastiCache Deep Dive | AWS re:Invent 2014
(SDD402) Amazon ElastiCache Deep Dive | AWS re:Invent 2014(SDD402) Amazon ElastiCache Deep Dive | AWS re:Invent 2014
(SDD402) Amazon ElastiCache Deep Dive | AWS re:Invent 2014
Amazon Web Services
 
Hollywood mode off: security testing at scale
Hollywood mode off: security testing at scaleHollywood mode off: security testing at scale
Hollywood mode off: security testing at scale
Claudio Criscione
 
9 password security
9 password security9 password security
9 password securitydrewz lin
 
Encryption Boot Camp at JavaZone 2010
Encryption Boot Camp at JavaZone 2010Encryption Boot Camp at JavaZone 2010
Encryption Boot Camp at JavaZone 2010
Matthew McCullough
 

Similar to DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017 (20)

Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
 
Dear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckDear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality Check
 
CQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slidesCQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slides
 
Postgresql 12 streaming replication hol
Postgresql 12 streaming replication holPostgresql 12 streaming replication hol
Postgresql 12 streaming replication hol
 
No more (unsecure) secrets, Marty
No more (unsecure) secrets, MartyNo more (unsecure) secrets, Marty
No more (unsecure) secrets, Marty
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)Sqli
 
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmap
 
Django cryptography
Django cryptographyDjango cryptography
Django cryptography
 
introduction to jsrsasign
introduction to jsrsasignintroduction to jsrsasign
introduction to jsrsasign
 
CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...
CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...
CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency Planning
 
How to Bulletproof Your Scylla Deployment
How to Bulletproof Your Scylla DeploymentHow to Bulletproof Your Scylla Deployment
How to Bulletproof Your Scylla Deployment
 
How to Design a Great API (using flask) [ploneconf2017]
How to Design a Great API (using flask) [ploneconf2017]How to Design a Great API (using flask) [ploneconf2017]
How to Design a Great API (using flask) [ploneconf2017]
 
DOAG 2016 Oracle Logon Security
DOAG 2016 Oracle Logon SecurityDOAG 2016 Oracle Logon Security
DOAG 2016 Oracle Logon Security
 
(SDD402) Amazon ElastiCache Deep Dive | AWS re:Invent 2014
(SDD402) Amazon ElastiCache Deep Dive | AWS re:Invent 2014(SDD402) Amazon ElastiCache Deep Dive | AWS re:Invent 2014
(SDD402) Amazon ElastiCache Deep Dive | AWS re:Invent 2014
 
Hollywood mode off: security testing at scale
Hollywood mode off: security testing at scaleHollywood mode off: security testing at scale
Hollywood mode off: security testing at scale
 
9 password security
9 password security9 password security
9 password security
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
 
Encryption Boot Camp at JavaZone 2010
Encryption Boot Camp at JavaZone 2010Encryption Boot Camp at JavaZone 2010
Encryption Boot Camp at JavaZone 2010
 

More from Paula Januszkiewicz

rsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczrsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewicz
Paula Januszkiewicz
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
Paula Januszkiewicz
 
Fatal signs: 10 symptoms when you think you’ve been hacked
Fatal signs: 10 symptoms when you think you’ve been hackedFatal signs: 10 symptoms when you think you’ve been hacked
Fatal signs: 10 symptoms when you think you’ve been hacked
Paula Januszkiewicz
 
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth TakingTop 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Paula Januszkiewicz
 
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...
Paula Januszkiewicz
 
12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018
Paula Januszkiewicz
 
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingTop 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Paula Januszkiewicz
 
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
Paula Januszkiewicz
 
30 Cybersecurity Skills You Need To Become a Windows Security Pro
30 Cybersecurity Skills You Need To Become a Windows Security Pro 30 Cybersecurity Skills You Need To Become a Windows Security Pro
30 Cybersecurity Skills You Need To Become a Windows Security Pro
Paula Januszkiewicz
 
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
Paula Januszkiewicz
 
RSA Conference 2017 session: What System Stores on the Disk Without Telling You
RSA Conference 2017 session: What System Stores on the Disk Without Telling YouRSA Conference 2017 session: What System Stores on the Disk Without Telling You
RSA Conference 2017 session: What System Stores on the Disk Without Telling You
Paula Januszkiewicz
 
12 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 201712 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 2017
Paula Januszkiewicz
 
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Paula Januszkiewicz
 
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Paula Januszkiewicz
 

More from Paula Januszkiewicz (14)

rsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczrsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewicz
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
 
Fatal signs: 10 symptoms when you think you’ve been hacked
Fatal signs: 10 symptoms when you think you’ve been hackedFatal signs: 10 symptoms when you think you’ve been hacked
Fatal signs: 10 symptoms when you think you’ve been hacked
 
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth TakingTop 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
 
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...
 
12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018
 
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingTop 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
 
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
 
30 Cybersecurity Skills You Need To Become a Windows Security Pro
30 Cybersecurity Skills You Need To Become a Windows Security Pro 30 Cybersecurity Skills You Need To Become a Windows Security Pro
30 Cybersecurity Skills You Need To Become a Windows Security Pro
 
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
 
RSA Conference 2017 session: What System Stores on the Disk Without Telling You
RSA Conference 2017 session: What System Stores on the Disk Without Telling YouRSA Conference 2017 session: What System Stores on the Disk Without Telling You
RSA Conference 2017 session: What System Stores on the Disk Without Telling You
 
12 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 201712 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 2017
 
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
 
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
 

Recently uploaded

The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
Jisc
 
Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
Mohd Adib Abd Muin, Senior Lecturer at Universiti Utara Malaysia
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
DeeptiGupta154
 
Digital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion DesignsDigital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion Designs
chanes7
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
MysoreMuleSoftMeetup
 
A Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptxA Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptx
thanhdowork
 
special B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdfspecial B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdf
Special education needs
 
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdfMASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
goswamiyash170123
 
Best Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDABest Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDA
deeptiverma2406
 
2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...
Sandy Millin
 
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdfUnit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Thiyagu K
 
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
Nguyen Thanh Tu Collection
 
How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17
Celine George
 
Francesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptxFrancesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptx
EduSkills OECD
 
Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.
Ashokrao Mane college of Pharmacy Peth-Vadgaon
 
Pride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School DistrictPride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School District
David Douglas School District
 
Executive Directors Chat Leveraging AI for Diversity, Equity, and Inclusion
Executive Directors Chat Leveraging AI for Diversity, Equity, and InclusionExecutive Directors Chat Leveraging AI for Diversity, Equity, and Inclusion
Executive Directors Chat Leveraging AI for Diversity, Equity, and Inclusion
TechSoup
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
Delapenabediema
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela TaraOperation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela Tara
Balvir Singh
 
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
Levi Shapiro
 

Recently uploaded (20)

The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
 
Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
 
Digital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion DesignsDigital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion Designs
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
 
A Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptxA Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptx
 
special B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdfspecial B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdf
 
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdfMASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
 
Best Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDABest Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDA
 
2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...
 
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdfUnit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdf
 
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
 
How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17
 
Francesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptxFrancesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptx
 
Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.
 
Pride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School DistrictPride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School District
 
Executive Directors Chat Leveraging AI for Diversity, Equity, and Inclusion
Executive Directors Chat Leveraging AI for Diversity, Equity, and InclusionExecutive Directors Chat Leveraging AI for Diversity, Equity, and Inclusion
Executive Directors Chat Leveraging AI for Diversity, Equity, and Inclusion
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela TaraOperation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela Tara
 
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
 

DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017

  • 1.
  • 3.
  • 4.
  • 5. Class names for keys from HKLMSYSTEMCCSControlLsa HKLMSECURITYCache HKLMSECURITYPolicySecrets HKLMSECURITYPolicySecrets
  • 6. Based on the following components: Password, data blob, entropy Is not prone to password resets! Protects from outsiders when being in offline access Effectively protects users data Stores the password history You need to be able to get access to some of your passwords from the past Conclusion:OS greatlyhelpsus to protectsecrets
  • 7. DPAPI (classic) A. MasterKey 1. pwdhash = MD4(password) or SHA1(password) 2. pwdhash_key = HMACSHA1(pwdhash, user_sid) 3. PBKDF2(…, pwdhash_key,…), another elements from the file. Windows 10 no domain: SHA512, AES-256, 8000 rounds 4. Control – HMACSHA512 B. CREDHIST 1. pwdhash = MD4(password) or SHA1(password) 2. pwdhash_key = HMACSHA1(pwdhash, user_sid) 3. PBKDF2(…, pwdhash_key,…), another elements from the file. Windows 10 no domain: SHA512, AES-256, 8000 rounds 4. Control – HMACSHA512 C. DPAPI blob Algorithms are written in the blob itself.
  • 8.
  • 9. Used to group one or more Web Applications Purpose: Assign resources, serve as a security sandbox Use Worker Processes (w3wp.exe) Their identity is defined in Application Pool settings Process requests to the applications Passwords for AppPool identity can be ’decrypted’ even offline They are stored in the encrypted form in applicationHost.config Conclusion: IIS relies it’s security on Machine Keys (Local System)
  • 10. DPAPI-PROTECTED BLOB CLIENT Local LSASS process (local masterkey can’t be decrypted) CryptUnprotectData() DPAPI AD SERVER LSASS process RPC Call BackupKey(masterkey) Decrypted masterkey 01 00 00 00 d0 8c 9d df 01 15 d1 11 8c 7a 00 c0 4f c2 97 eb 01 00 00 00 ...... G$BCKUPKEY_PREFERRED G$BCKUPKEY_940db612-ee8f-4a31-84b3-8f80c25be855 Scenario: offline changed user password or local masterkey can’t be decrypted
  • 11. There is actually not much of a difference with XP / 2003! No additional salting. PBKDF2 introduced a new variable: the number of iterations SHA1 with the same salt as before (username).
  • 12. Getting the: cached data MSDCC2 1.bootkey: classes from HKLMSYSTEMCCSControlLsa + [class names for: Data, GBG, JD, Skew1] (+arrays’ permutations) int[] permutationBootKey = new int[] { 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 }; 2.PolEKList: HKLMSECURITYPolicyPolEKList [default value] 3.lsakey: AES_DECRYPT(key, data) -> AES(bootkey, PolEKList) 4.NL$KM secret: HKLMSECURITYPolicySecretsNL$KM 5.nlkm_decrypted: AES_DECRYPT(lsakey, NL$KM secret) 6.Cache_Entry{id} -> HKLMSECURITYCacheNL${id} 7.cache_entry_decrypted -> AES_DECRYPT(nlkm_decrypted, Cache_Entry{id})
  • 13. DK = PBKDF2(PRF, Password, Salt, c, dkLen) Microsoft’s implementation: MSDCC2= PBKDF2(HMAC-SHA1, DCC1, username, 10240, 16) Legend
  • 14.
  • 17. DomainKey contains some GUID and 256-byte len secret – RSA?? Dude, look in the AD...
  • 18.
  • 19. Legend The master password for KeePass files encrypted & stored as cipherText (80 bytes)
  • 20.
  • 21. Getting the: DPAPI-NG Secrets DPAPI-NG A. RootKey Algorithms Key derivation function: SP800_108_CTR_HMAC (SHA512) Secret agreement: Diffie-Hellman B. DPAPI blob Key derivation: KDF_SP80056A_CONCAT After getting the key, there is a need for decryption: Key wrap algorithm: RFC3394 (KEK -> CEK) Decryption: AES-256-GCM (CEK, Blob)
  • 22. SID-PROTECTED BLOB CLIENT Local LSASS processNCryptUnprotectSecret() CNGDPAPI AD SERVER LSASS process RPC Call GetKey(SID, L0, L1, L2 params) ACTIVE DIRECTORY RootKey RootKeyData? Group key
  • 23. Looks familiar? It should! It’s DPAPI blob! Protection descriptor: LOCAL=user • KEK (Key Encryption Key) stored as DPAPI blob • Forced by protection descriptor LOCAL=user • Key Wrap (RFC3394) contains encrypted CEK (Content Encryption Key) • Data encrypted by CEK
  • 24.
  • 25.
  • 26. Tool Description CQMasterKeyAD DPAPIBlobCreator CQDPAPIKeePassDBDecryptor DPAPINGDecrypter CQDPAPIEncDec CQAspNetCoreDecryptData. CQDPAPIExportPFXFromAD CQAspNetCoreMasterKeyCreate CQRDCManDecrypter CQAspNetCoreEncryptData CQDPAPINGPFXDecrypter CQDPAPINGDNCoreMasterKeyDecrypter *CQImpersonateWithSeTcb