module ~ dpapi
Benjamin DELPY edited this page Jun 26, 2016
### blob
- contains: encrypted raw data, a secret, for example a Vault, a Credential, a CAPI/CNG private key, a Chrome password, a WiFi/WWAN key, ...
- is used to: what you want!, this is the final data
- is protected by: a masterkey and optionally entropy data AND/OR an additional password
- is linked to: a masterkey

### masterkey
- contains: multiple versions of the encrypted raw key
- is used to: decrypt a blob
- is protected by: a key that depends on the situation
  - non-domain context: SID AND (user password SHA1 hash OR previous password SHA1 hash (by knowledge or from CREDHIST))
  - domain context:
    - SID AND (user password NTLM hash OR previous password NTLM hash (by knowledge))
    - domain backup key (RPC or RSA private key)
  - local computer: DPAPI_SYSTEM secret (COMPUTER or USER part)
- is linked to: a credhist entry

### credhist
Only useful in non-domain context
- contains: previous encrypted credentials of the user (SHA1 & NTLM)
- is used to: decrypt a masterkey
- is protected by: the most recent user password SHA1 hash used by the user on the system
- each entry is protected by the previous key, etc.
You can find the location of these files here: https://onedrive.live.com/redir?resid=A352EBC5934F0254%213104

When the user is a member of Protected Users, the domain-context key is NOT the NTLM hash of the password but another hash derived from it.
Commands: blob, protect, masterkey, credhist, cache, capi, cng, cred, vault, wifi, wwan, chrome