User Secrets: How to Get Them Back Using Password Recovery Tools

Cybersecurity professionals know that they could be called on at any time to recover a user secret, for example when an employee’s profile is corrupted or when user secrets have to be decrypted offline (e.g. during analysis of a forensic image of the operating system).

Find out about some tools capable of decrypting secrets protected using DPAPI and get an outline of how to use them.

What is DPAPI?

Data Protection Application Programming Interface (DPAPI) is used in many Windows applications and subsystems. What does it protect? For example:

  • Credentials of Microsoft Outlook accounts stored in the registry;
  • Credentials and encrypted cookies stored by Google Chrome;
  • Credentials stored by IE in the registry under HKCU\Software\Microsoft\Internet Explorer;
  • WiFi passwords saved in XML files under %ProgramData%\Microsoft\Wlansvc\Profiles\Interface;
  • If EFS is used, DPAPI protects the private keys associated with the user certificates that EFS uses.

It seems to be popular. Why?

First of all, because DPAPI is a secure way of protecting user secrets on a single machine, and it is quite simple for developers to use: it consists of just a couple of functions for encrypting and decrypting data, CryptProtectData and CryptUnprotectData.

Find out how to use the tools to extract secrets protected by DPAPI

In this video, you’ll become familiar with the data protection API tools. We are going to show you the most important tools that allow you to recover user secrets.

Let’s analyze how we could get our hands on passwords stored in Google Chrome. You might be surprised to learn that Google also stores this information locally.

Kick off the process by finding out where Google Chrome passwords are stored. Fire up the CQURE tool CQDPAPIBlobSearcher and you will be able to list all the places where the operating system (or an application) might be storing secrets.
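What such a searcher looks for is the fixed DPAPI blob header. The example below is added here and is not CQURE's code, nor how CQDPAPIBlobSearcher is implemented: it scans a byte buffer (a file, hive or image chunk) for the DPAPI provider GUID signature and parses each hit just far enough to report which master key GUID the blob depends on, which is what decides whose profile or backup key is needed for offline recovery. The blob layout, provider GUID and ALG_ID constants are the documented DPAPI blob format; the sample blobs, the master key GUID and all payload bytes are constructed.

```python
import struct
import uuid

# Every blob = DWORD version 1 + this provider GUID; its bytes_le form is the search signature.
PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
SIGNATURE = PROVIDER_GUID.bytes_le
ALG_NAMES = {0x6603: "3DES", 0x6610: "AES-256", 0x8004: "SHA1", 0x800E: "SHA-512"}

def parse_dpapi_blob(buf, offset=0):
    """Parse the blob at buf[offset:]; returns (fields, offset just past the blob)."""
    pos = offset
    def raw(n):  # next n bytes, advancing the cursor
        nonlocal pos
        pos += n
        return bytes(buf[pos - n:pos])
    def u32(): return struct.unpack("<I", raw(4))[0]  # little-endian DWORD
    def counted(): return raw(u32())                  # DWORD length + that many bytes
    if u32() != 1 or uuid.UUID(bytes_le=raw(16)) != PROVIDER_GUID:
        raise ValueError("no DPAPI blob at offset %d" % offset)
    _mk_ver, master_key, flags = u32(), uuid.UUID(bytes_le=raw(16)), u32()  # key file GUID
    description = counted().decode("utf-16-le").rstrip("\x00")
    # Cipher ALG_ID + bits, salt, strong key; hash ALG_ID + bits, HMAC2 key, ciphertext, HMAC.
    alg_crypt, _bits, salt, _strong_key = u32(), u32(), counted(), counted()
    alg_hash, _bits, _hmac2_key, data, sign = u32(), u32(), counted(), counted(), counted()
    return {"offset": offset, "master_key": str(master_key), "flags": flags,
            "description": description, "cipher": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
            "hash": ALG_NAMES.get(alg_hash, hex(alg_hash)), "data_len": len(data)}, pos

def find_dpapi_blobs(buf):
    """Scan any byte buffer (registry hive, file, image chunk) for blobs; skips false hits."""
    found, start = [], 4
    while (idx := buf.find(SIGNATURE, start)) != -1:
        try:
            fields, start = parse_dpapi_blob(buf, idx - 4)
            found.append(fields)
        except (ValueError, struct.error):
            start = idx + 1
    return found

def build_sample_blob(master_key, description, payload):
    """Constructed test blob with the real layout; payload, salt and MAC are placeholder bytes."""
    c = lambda b: struct.pack("<I", len(b)) + b
    return (struct.pack("<I", 1) + SIGNATURE + struct.pack("<I", 1) + master_key.bytes_le
            + struct.pack("<I", 0) + c((description + "\x00").encode("utf-16-le"))
            + struct.pack("<II", 0x6610, 256) + c(b"\x11" * 32) + c(b"")
            + struct.pack("<II", 0x800E, 512) + c(b"") + c(payload) + c(b"\x22" * 64))

MK = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed master key GUID
SAMPLE = (b"\x00" * 37 + build_sample_blob(MK, "sample", b"\xaa" * 48)  # constructed "image chunk"
          + b"GARBAGE" + build_sample_blob(MK, "", b"\xbb" * 16))
```

Running `find_dpapi_blobs(SAMPLE)` reports both embedded blobs with their offsets, master key GUID and algorithms, so an analyst knows which master key file (and therefore which user profile or domain backup key) a recovery would require.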

ChromePass is a handy password recovery tool that will quickly show you the usernames and passwords the user has stored in Google Chrome. It is not a tool created by CQURE, but you can download it from NirSoft.

This tool will show you only the passwords of the currently signed-in user. If you need to access Google Chrome passwords for other users or from a corrupted user profile, you can use the CQURE tools to modify the DPAPI master keys based on the DPAPI backup key extracted from the AD DS database.
Watch the full video for more details and examples.


TIP-> The CQURE team is the first in the world to fully reverse engineer the data protection API to bring you these tools. So, if you guys have any questions about that, send them to us at info@cqureacademy.com.

Join us LIVE from 6PM CET on Nov. 23, 2021 for our biggest ever annual cybersecurity webinar feat. Sami Laiho, Michael Grafnetter & Paula Januszkiewicz.

Take this chance to grow your skills in Azure AD security, digital forensics, shadow credential injection attacks, and Privileged Access Workstations.
