Data Protection Application Programming Interface (DPAPI) Abuse Attacks

Introduction to DPAPI

Besides the password the user logs on to Windows with, the passwords in the list below are also stored on the operating system; you can see IE browser passwords, VPN passwords, Google Chrome passwords, and so on...

In addition to the user password for logging into Windows (which, incidentally, may not be set), other passwords are stored in the OS:

Credential Manager
Windows Vault
IE browser passwords
Passwords for connecting to Wi-Fi networks
Certifications
VPN passwords
SSH keys
Google Chrome browser passwords
Google Talk, Skype, Dropbox, iCloud, Safari credentials

All these passwords are stored encrypted. To encrypt the listed passwords and credentials, DPAPI (the Data Protection Application Programming Interface) is used. For the end user, all processes of encryption and decryption of data are transparent, that is, they do not require any action on their part.

The user password is used to encrypt this data. More precisely, master keys are generated, with the help of which the data is encrypted and decrypted, and the user password is used to decrypt the master keys. One user can have many master keys. A mechanism is provided in case the user password is changed: in fact, hashes from all old passwords are stored and an attempt is made to decrypt the master key until a suitable hash is found.

This is an important consequence: in the system for the current user it is possible to decrypt, for example, passwords from the Google Chrome web browser. But if you copy the file where the passwords of this browser are stored to another computer without the necessary master key, you will not be able to decrypt these passwords.

The translation above mainly makes the following points:

1. DPAPI is used as a data protection application programming interface.
2. Every user has associated master keys (more than one).
3. Encrypting or decrypting certain data requires DPAPI's encryption and decryption functions.
4. Decrypting the stored passwords requires the master key.

Google Chrome web browser decryption test

dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data"

At this point mimikatz reports: ERROR kuhl_m_dpapi_chrome_decrypt ; No Alg and/or Key handle despite AES encryption, so the relevant AES key has to be supplied.

dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect, and with this the decryption succeeds.

Note: be a little careful when reading. If you read from inside the mimikatz console you can just run the command as is, but if you want to do the read as a one-liner, you have to watch out for the path yourself!

The two API functions in DPAPI

By now you will have noticed that decryption succeeds once the /unprotect keyword is given; the reason is that the relevant AES key is used for decryption together with DPAPI's decryption function, CryptUnprotectData.

DPAPI for the sake of this lab contains 2 functions - for encrypting (CryptProtectData) and decrypting (CryptUnprotectData) data.

CryptProtectData:https://docs.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata

The CryptProtectData function performs encryption on the data in a DATA_BLOB structure. Typically, only a user with the same logon credential as the user who encrypted the data can decrypt the data. In addition, the encryption and decryption usually must be done on the same computer.

CryptUnprotectData:https://docs.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptunprotectdata

The CryptUnprotectData function decrypts and does an integrity check of the data in a DATA_BLOB structure. Usually, the only user who can decrypt the data is a user with the same logon credentials as the user who encrypted the data. In addition, the encryption and decryption must be done on the same computer.

So DPAPI uses two functions for encryption and decryption, CryptProtectData and CryptUnprotectData respectively.

Simulating data encryption and decryption

dpapi::protect /data:"123456"

Save the blob to a file, then simulate the decryption by running dpapi::blob /in:"test.bin" /unprotect

Limitations of reading passwords

To be filled in later...

Just read the article below; it is certainly better written than mine, I am only taking notes here.

Reference article: https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++

posted @ 2020-12-11 02:44 zpchcbd