AlessandroZ / LaZagne

Credentials recovery project
GNU Lesser General Public License v3.0

Not an issue...just a curiosity #534

Closed Papotito123 closed 3 years ago

Papotito123 commented 4 years ago

Hello: I used a tool to bypass the Windows user login (local and Microsoft user) that works well.

While inside the OS after the bypass I ran some tools including mimikatz and lazagne to compare which info/passwords can be retrieved even in "bypass" mode that are the real ones.

Most of the passwords linked/attached to DPAPI failed to be grabbed.

lazagne was the only tool that, although the Pypykatz module captures the "bypassed hashes", the HashDump module still caught the real NTLM hash of the real user.

Just a curious thing.

I forgot to mention... Chrome (85.0.4183.102 (Official Build) (64-bit)) passwords were not retrieved. But Firefox (79.0 (64-bit)) passwords still can be.

AlessandroZ commented 4 years ago

Try to check how these passwords are decrypted and how other tools decrypt them.

For Windows credentials, LaZagne uses 2 mechanisms:

So maybe the user account password has been found and all passwords are retrieved using it, and all other tools call only the CryptUnprotectData function. I don't know.