In case you didn’t make it to her talk, we’re sharing the slides below so you can check them out.
Allows decryption of DPAPI-protected data by using the private key stored as an LSA secret on a domain controller (we call it the 'backup key'; it is the key corresponding to the backup public key stored in each domain user's profile). The backup key allows decrypting literally all of a domain user's secrets (passwords, private keys, information stored by the browser). In other words, someone who holds the backup key is able to take over every identity and its secrets within the whole enterprise. The tool represents CQURE's breakthrough DPAPI discovery.
Leverages DPAPI-NG, which is used for SID-protected PFX files. Whereas with the previous tool the CQURE Team gains access to a user's secrets, here it is a bit different: the tool can decrypt SID-protected PFX files even without access to the user's password, just by generating the SID and the user's token.
Allows decryption of a KeePass database by using DPAPI data obtained from the domain. It provides access to all users' KeePass databases and uses the DPAPI data leveraged by CQMasterKeyAD. The tool uses the user's decrypted Master Key to decrypt the key that encrypts the KeePass database. Paula elaborates on how we do this in her talk!
Want the tools she talked about? You can download them below!
CQTools from Black Hat Europe 2017
If you would like to dig deeper into this topic, we have a special Hacks Weekly episode that focuses on our important discovery within Data Protection API NG (New Generation). If you want to learn how to decrypt a password from PFX files and more, click for details!