If you store your password in the KeePass, is it safe? What about the browser? How are we able to get access to it?
It is very important because as long as we use passwords and we still do, we save them in different places and your head, in most cases it’s a worse idea because things will get repeated.
When we’ve got a lot of different types of accesses to different kinds of systems, we need to keep our passwords complex and store them in different locations.
That’s the first thing.
Secondly, sometimes for some of the services, we store the password in the browser and that’s another question I would like to answer in this video: is it safe to store your password in the browser?
We’ve been doing a forensic investigation for one of the companies and because we were able to get access to administrator’s profile, we were able to also extract his passwords that he use and were able to get into some of the systems he was storing information in and this was something that allowed us to solve forensic case.
So, this was a very practical usage of what I would like to show you today.
But the most important thing on the top of everything is that when we store the password like this, is it safe or not?
I’ll be showing you what does it mean where you store the password in the browser, what does it mean where you store the password in the KeePass. And we will discuss a very interesting subject which is data protection API. This is something that, again, everybody talks about, but it’s so difficult that it’s quite hard to explain well so I will do my best.
And also good use is that our team with a lot of discoveries in data protection API, as not many teams in this world, I think I can say that. I would like to show you one of our tools that are allowing us to extract this secret, maybe passwords, maybe just an access to something like KeePass database, so that you’re able to use them as a matter of some recovery maybe or maybe not.
This tutorial is divided into two parts: Part 1 is about the KeePass, in Part 2, we will focus on browsers. Stay tuned!
I am logged on over here as an administrator as you see and this is a workstation of a user. If we go into C:\, users, Freddie Kruger, AppData, roaming, that’s the place where we’ve got KeePass and this is the place where we’ve got to keep our settings for the user, including a ProtectedUserKeyBin file. That’s the encrypted key by using Data Protection API that encrypts the KeePass database.
What are we going to do? From the user’s data, so from desktop, I have already copied to my analysis folder, CQbase.kdbx KeePass file. We will try to get access to it, but first of all, we need to specify the password. The password I am trying to use is “cqure” and you can see it is not the correct one.
How to decrypt master key to the KeePass?
What will be our job? Our job will be to get access to the KeePass database by having access to decrypted master key of the user. If you watch my video regarding cache log on data and data protection API, that’s basically one of the keys from master key containers, so this is a decrypted master key of the user, which we can, for example, decrypt by having access to a private key that we can find in the domain controller’s memory. It’s more a question about who the user is and how user protects the KeePass database.
If we do “dir”, we’ve got over here a bunch of different types of tools. One of those, it’s a CQURE Data Protection API Blob Decrypter (CQDPAPIBlobDecrypter) and CQURE Data Protection API KeePass DB Decrypter.
>>Download the CQDPAPIBlobDecrypter tool
These are our tools that we wrote and these are the ones that we’re going to be using to get access to user’s KeePass database. If you have a look, this is something that is critical: entropy for KeePass, we’re going to need it in order to get access to user’s database.
First step: use the CQURE Data Protection API Blob Decrypter
But first, we’re going to use the CQURE Data Protection API Blob Decrypter, I’m going to copy the entropy as one of the values. Here, we need the master key, so that’s something that I’ve got, entropy and blob.
We’re going to copy the user’s master key, and use it with /master parameter. Then we’ve got /blob and the blob, it’s this file that I was talking about which is in the user’s profile, which is C: Analysis, in our case that will be the ProtectedUserKey.bin.
Step 2: use the CQURE Data Protection API KeePass DB Decrypter
Perfect, we’ve got over here this key. This is the decrypted blob, that’s they key that decrypts the KeepPass database, so next tool to use will be the KeePass DB decrypter. Let’s get into it. What we have over here: -k for the key, that’s exactly what we have right now. -f for the file to specify where the database is and eventually create a new database.
We have just successfully decrypted the KeePass database, let’s have a look at the analysis folder. This is the one that is created right now, so I’m going to just try to open it.
Step 3: get the master key password for the KeePass
I will try to get access using the master password. I’m going to specify the one that we actually put through the tool.
That is the way how we’re able to get access to a KeePass database of a user if, very important to remember, user chooses, for example, protect the database by using Windows credentials. As long as rely on Windows credentials, that’s what we got. If we are a member of the domain, so if you want to keep your data secret what you need to use in KeePass is the master key, a password.
So, is it safe to store your password in the KeePass?
Of course, the case when the user is using the workstation that is not a member of the domain, it’s a little bit different because the way how we’re using data protection API, it’s a little bit different. But, we either rely on the user’s password, that is when the workstation is not connected to the domain. But when it’s connected to the domain, then basically we are at that stage relying on a user’s password or we are relying on the private key that is in the domain controller’s memory. We are able to eventually present these keys from AppData Protect. That is the public key of the domain that encrypts user’s secrets. This is how it looks in the KeePass. KeePass is a very good solution as long as of course, we rely on a master key and, for example, we can combine it also with something else.
This was a lot of information. We have discussed Data Protection API on the basics. We have used this in the practical terms like getting access to the user’s secrets: can we do it or we cannot do it? And upon what kind of conditions? I’ve also shown you how we’re able to get access to KeePass database when it’s relaying its protections on Windows Credentials.
A lot of information, but maybe you need more? Learn how to extract cybersecurity data in this intensive CyberBytes training.