Data Protection Application Programming Interface abuse attacks


Apart from the user password used to log in to Windows, the passwords in the list below are also stored on the operating system; you can see IE browser passwords, VPN passwords, Google Chrome passwords, and so on...

In addition to the user password for logging into Windows (which, incidentally, may not be set), other passwords are stored in the OS:

Credential Manager
Windows Vault
IE browser passwords
Passwords for connecting to Wi-Fi networks
VPN passwords
SSH keys
Google Chrome browser passwords
Google Talk, Skype, Dropbox, iCloud, Safari credentials

All these passwords are stored encrypted. To encrypt the listed passwords and credentials, DPAPI (the Data Protection Application Programming Interface) is used. For the end user, all processes of encryption and decryption of data are transparent, that is, they do not require any action on their part.

The user password is used to encrypt this data. More precisely, master keys are generated, with the help of which the data is encrypted and decrypted, and the user password is used to decrypt the master keys. One user can have many master keys. A mechanism is provided in case the user password is changed: in fact, hashes from all old passwords are stored and an attempt is made to decrypt the master key until a suitable hash is found.

This is an important consequence: in the system for the current user it is possible to decrypt, for example, passwords from the Google Chrome web browser. But if you copy the file where the passwords of this browser are stored to another computer without the necessary master key, you will not be able to decrypt these passwords.


2. Every user has associated master keys (more than one).
4. Decrypting server passwords requires the master key.

Google Chrome web browser decryption test

dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data"

At this point it reports: ERROR kuhl_m_dpapi_chrome_decrypt ; No Alg and/or Key handle despite AES encryption, meaning the corresponding AES key must be supplied.

dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect, and with this flag decryption succeeds: /unprotect hands the blob to CryptUnprotectData in the current user's session, so it works when run as the user who owns the profile, which is exactly the consequence described above.




For the purposes of this lab, DPAPI comes down to two functions: CryptProtectData for encrypting data and CryptUnprotectData for decrypting it.


The CryptProtectData function performs encryption on the data in a DATA_BLOB structure. Typically, only a user with the same logon credential as the user who encrypted the data can decrypt the data. In addition, the encryption and decryption usually must be done on the same computer.


The CryptUnprotectData function decrypts and does an integrity check of the data in a DATA_BLOB structure. Usually, the only user who can decrypt the data is a user with the same logon credentials as the user who encrypted the data. In addition, the encryption and decryption must be done on the same computer.

When encrypting and decrypting, DPAPI uses these two functions, CryptProtectData and CryptUnprotectData respectively.


dpapi::protect /data:"123456"

Save the blob to a file, then simulate decrypting it by running dpapi::blob /in:"test.bin" /unprotect.



Just read the article below; it is certainly better written than mine, I'm only taking notes here.


posted @ 2020-12-11 02:44  zpchcbd