erwan2212 / NTHASH-FPC


/decodemk in latest NTHASH #8

Closed Papotito123 closed 3 years ago

Papotito123 commented 3 years ago

Hello again. Just testing your latest download now. Running some commands and it works well.

But when trying to use /decodemk I get this error (it happened before, and you talked about your cmd cache or a cache that doesn't clear as expected on your side):

C:\Users\TESTACCOUNT\Downloads\NTHASH-FPC(29AGO2020)\NTHASH-FPC-master\NTHASH-FPC-master\NTHASH>NTHASH-win64.exe /decodemk /binary:C:\Users\TESTACCOUNT\AppData\Roaming\Microsoft\Protect\S-1-5-21-337365419-192549521-2618175838-1002\49EB10D7-31EF-422A-ABDD-E7F3703BC3DF /input:0991117653CDE77C443C5B0C632C2ACD782FDF11
NTHASH 1.8 x64 by erwan2212@gmail.com
Unprotecting MasterKey
An unhandled exception occurred at $0000000100063C61: EAccessViolation: Access violation
$0000000100063C61 $00000001000658AC $000000010000B09D $000000010000C306 $000000010001E010 $00000001000020F0 $00007FFA77507974 $00007FFA7987A271

An unhandled exception occurred at $00007FFA7984747D: EAccessViolation: Access violation
$00007FFA7984747D $00007FFA79847AEA $00007FFA7672B09E $000000010005FC8F $0000000100060C0E $00000001000183F7 $00000001000186C2 $000000010001876A $0000000100018790 $000000010001E807 $00007FFA798B481F $00007FFA7981600C $000000010001E5D2 $00007FFA798B479F $00007FFA79814BEF $00007FFA798B350E $0000000100063C61

Thanks again.

Papotito123 commented 3 years ago

Hello: No worries.

I stretched my brain and finally (yes) I did it and recovered Chrome logins from other users in the same OS by the direct approach and offline (copying the needed files). Also I recovered Chrome logins from a user of another OS by the offline (copying the needed files) method.

And I made a document of this.

So much thanks.

Papotito123 commented 3 years ago

Hello: Last night I was just playing with nthash and I got EAccessViolation: Access violation. My previous post mentions that I had successfully recovered Chrome logins also for other OSes.

So I thought, what did I do differently? And I know it. I didn't turn OFF Avast, just let it scan nthash (this happens the first time only) and it will declare it as not harmful. So it will let nthash run and do its things.

Today I did it this way and had no troubles.

Maybe turning OFF the third-party AV gives some "partial wakeup" to Defender, which blocks access to some memory address spaces. Maybe that's why at my beginnings I got some Access Denied errors when running nthash.exe and I had to delete the whole folder and then re-download and re-extract to make it work.

Now I'm pretty sure that Defender and/or AMSI is causing troubles that are minimized when another AV is in charge.

Papotito123 commented 3 years ago

Hello: Testing latest nthash (erwan2212 Update NTHASH.zip e57c7e9)

Just the issues with /decodemk:

OFFLINE non-logged local account in same OS with guid_full_path:

C:\Users\TESTACCOUNT\Downloads\NTHASH-FPC-master(11OCT2020)\NTHASH-FPC-master\NTHASH-FPC-master\NTHASH>NTHASH-win64.exe /decodemk /binary:C:\Users\FAKEACCOUNT\AppData\Roaming\Microsoft\Protect\S-1-5-21-337365419-192549521-2618175838-1004\c844db7b-9145-47ed-90f9-4ed5a6d2c5f5 /password:EFFDC15135F1863BB12FFF9686495F260C5B1647 (= userpassword_SHA1)
NTHASH 1.8 x64 by erwan2212@gmail.com
Unprotecting MasterKey
dpapi_unprotect_masterkey_with_shaDerivedkey not ok

OFFLINE non-logged MicrosoftAccount user in same OS:

C:\Users\TESTACCOUNT\Downloads\NTHASH-FPC-master(11OCT2020)\NTHASH-FPC-master\NTHASH-FPC-master\NTHASH>NTHASH-win64.exe /decodemk /binary:C:\jibes\PROBANDO\bb0fd3d0-3daa-4d06-aa93-a282eea027db /input:B46D14DBEBD3F288804BBA5F494F98C810DB4675 (= gethmac)
NTHASH 1.8 x64 by erwan2212@gmail.com
Unprotecting MasterKey
dpapi_unprotect_masterkey_with_shaDerivedkey not ok

C:\Users\TESTACCOUNT\Downloads\NTHASH-FPC-master(11OCT2020)\NTHASH-FPC-master\NTHASH-FPC-master\NTHASH>NTHASH-win64.exe /decodemk /binary:C:\jibes\PROBANDO\bb0fd3d0-3daa-4d06-aa93-a282eea027db /password:EAD1AC3807B2D4DCB14962D71DADE9B8E756A437 (= userpassword_SHA1)
NTHASH 1.8 x64 by erwan2212@gmail.com
cannot detect SID in path

C:\Users\TESTACCOUNT\Downloads\NTHASH-FPC-master(11OCT2020)\NTHASH-FPC-master\NTHASH-FPC-master\NTHASH>NTHASH-win64.exe /decodemk /binary:C:\jibes\PROBANDO\S-1-5-21-337365419-192549521-2618175838-1003\bb0fd3d0-3daa-4d06-aa93-a282eea027db /password:EAD1AC3807B2D4DCB14962D71DADE9B8E756A437 (= userpassword_SHA1)
NTHASH 1.8 x64 by erwan2212@gmail.com
Unprotecting MasterKey
dpapi_unprotect_masterkey_with_shaDerivedkey not ok

C:\Users\TESTACCOUNT\Downloads\NTHASH-FPC-master(11OCT2020)\NTHASH-FPC-master\NTHASH-FPC-master\NTHASH>NTHASH-win64.exe /decodemk /binary:C:\jibes\PROBANDO\S-1-5-21-337365419-192549521-2618175838-1003\bb0fd3d0-3daa-4d06-aa93-a282eea027db /password:540072006F006D0065006C00740040006E007A00 (= userpassword_SHA1_widestringtohexa)
NTHASH 1.8 x64 by erwan2212@gmail.com
Unprotecting MasterKey
dpapi_unprotect_masterkey_with_shaDerivedkey not ok

/decodemk for a local account in the same OS, ONLINE and OFFLINE (guid copied), always using /input: hmac, works fine. /decodemk for a local account in another OS, OFFLINE (guid copied) and ONLINE (guid_full_path), using /input: hmac, works fine.

/decodemk for a local account in another OS, OFFLINE (guid copied) and ONLINE (guid_full_path), using /password:user_SHA1, works fine.

/decodemk for a local account in the same OS, OFFLINE (guid copied) and ONLINE (guid_full_path), using /password:user_SHA1, doesn't work.

There's no problem making the data.blob. There's no problem with nthash-win64.exe /decodeblob /verbose. And NTHASH-win64.exe /decodeblob /binary:.\data.blob /input:MKsha1 key works fine in all situations if I have the MKsha1 key.

I hope you can read all this. I did these tests carefully by hand, one user account at a time and every command one by one (I just used my existing notes to compare/verify if some data was wrong).

So thanks in advance.

erwan2212 commented 3 years ago

Very useful feedback: I need to review it all and possibly fix some issues here and there. On my todo list :)

erwan2212 commented 3 years ago

FYI, my test commands (online)

rem crypt a string
NTHASH-win64 /cryptprotectdata /input:secret /mode:USER
rem get the GuidMasterKey
NTHASH-win64 /decodeblob | findstr /I GuidMasterKey
rem decode the mk (not needed, just for display)
NTHASH-win64 /decodemk /binary:c:\users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001\9EE10504-AF4A-4FFC-B90F-6131C37C40A0
rem get the sha1 of the user password
NTHASH-win64.exe /widestringtohexa /input:PasswordXXXX | NTHASH-win64.exe /gethash /mode:SHA1
rem retrieve the MasterKey SHA1 key - I am using /password here but /input can be used instead (hmac of SID+sha1 password)
NTHASH-win64 /decodemk /binary:%userprofile%\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001\9EE10504-AF4A-4FFC-B90F-6131C37C40A0 /password:XXA612FE247D7DFCE7DAB432D5831A6474E8DDXX
rem decode the blob
NTHASH-win64 /decodeblob /input:XXBE8F92FD2C5860F60585C258E8D23E9083A9XX

whenever you get a fail with one of these commands, try again with /verbose and post the log.

Papotito123 commented 3 years ago

Hello: Well , is long.

Papotito123_decodemk_offline user.txt

Thanks.

Update: Later I ran these same commands for an offline local user (copied files) in the same OS with /decodemk /password:, and this time it works well. I had to use /decodemk /input: in my previous attempt.

Something really weird: this is an offline local user (copied files) from another OS (Win 10 2004H1 x64). When running /decodemk /password /verbose, it gives the error dpapi_unprotect_masterkey_with_shaDerivedkey not ok. But when running /decodemk /password, it gives the mkSHA1 fine:

C:\Users\TESTACCOUNT\Downloads\NTHASH-FPC-master(16OCT2020)\NTHASH-FPC-master\NTHASH-FPC-master\NTHASH>NTHASH-win64.exe /decodemk /binary:C:\jibes\TESTACCOUNT2004\S-1-5-21-1615885338-2756042382-2413003415-1001\02A47881-19D4-4B7A-9D4E-2C628B5C8E4D /password:ZZZZZZZZZZZZA74553780BB55F2F3E3FF5ZZZZZZ /verbose

C:\Users\TESTACCOUNT\Downloads\NTHASH-FPC-master(16OCT2020)\NTHASH-FPC-master\NTHASH-FPC-master\NTHASH>NTHASH-win64.exe /decodemk /binary:C:\jibes\TESTACCOUNT2004\S-1-5-21-1615885338-2756042382-2413003415-1001\02A47881-19D4-4B7A-9D4E-2C628B5C8E4D /password:ZZZZZZZZZZZZA74553780BB55F2F3E3FF5ZZZZZZ
NTHASH 1.8 x64 by erwan2212@gmail.com
Unprotecting MasterKey
KEY:qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq......
SHA1:XXXXXXXXXXXXXXXX6CED7FED1D3155C265XXXXXX

Thanks again.

erwan2212 commented 3 years ago

You have spotted a nice bug: when using /verbose with /password, the password was getting messed up... this is now fixed in the latest version.

Still, I will review this entire thread and redo all my tests with decodemk.

erwan2212 commented 3 years ago

Fixed another bug: I assumed the sid would always be 46 chars... wrong... that was affecting /decodemk /password in some scenarios.

erwan2212 commented 3 years ago

My test commands (offline, i.e. using files from another computer). Test files are on github in the test folder: the blob, the MK, the sid, the sha1(password).

rem get GuidMasterKey
NTHASH-win64 /decodeblob /binary:%cd%\test\data_blob | findstr /I GuidMasterKey
GuidMasterKey:{6DEAADE9-7898-4CD5-AEF1-8D22ED86ACD4}

rem compute hmac of sid+sha1(password)
NTHASH-win64.exe /widestringtohexa /input:S-1-5-21-1891491695-624633549-2724392037-1002
NTHASH 1.8 x64 by erwan2212@gmail.com
widestringtohexa
53002D0031002D0035002D00320031002D0031003800390031003400390031003600390035002D003600320034003600330033003500340039002D0032003700320034003300390032003000330037002D003100300030003200

NTHASH-win64.exe /gethmac /mode:SHA1 /key:34A8D13A08847A081A1D6762229DE5EC6E6F3FE9 /input:53002D0031002D0035002D00320031002D0031003800390031003400390031003600390035002D003600320034003600330033003500340039002D0032003700320034003300390032003000330037002D0031003000300032000000
NTHASH 1.8 x64 by erwan2212@gmail.com
gethmac
62A7BCDF92AE702C29E7AEE434C98ACC5D4FB95C

rem get the MK sha1 using password (no need of the above computed hmac value then)
NTHASH-win64 /decodemk /binary:%cd%\test\S-1-5-21-1891491695-624633549-2724392037-1002\6DEAADE9-7898-4CD5-AEF1-8D22ED86ACD4 /password:34A8D13A08847A081A1D6762229DE5EC6E6F3FE9

rem OR
rem get the MK sha1 using hmac input
NTHASH-win64 /decodemk /binary:%cd%\test\S-1-5-21-1891491695-624633549-2724392037-1002\6DEAADE9-7898-4CD5-AEF1-8D22ED86ACD4 /input:62A7BCDF92AE702C29E7AEE434C98ACC5D4FB95C

rem finally decrypt the blob
NTHASH-win64 /decodeblob /binary:%cd%\test\data_blob /input:EB903129D2216AEE2164992AB1A1C1B4B82E6604
NTHASH 1.8 x64 by erwan2212@gmail.com
filename:data_blob
Unprotecting Blob
Blob:736563726574
Blob:secret

And actually, once you know (1) the MK guid, (2) the user sid and (3) sha1(password), you can decrypt the user masterkey and blob in one line only:

NTHASH-win64 /decodemk /binary:%cd%\test\S-1-5-21-1891491695-624633549-2724392037-1002\6DEAADE9-7898-4CD5-AEF1-8D22ED86ACD4 /password:34A8D13A08847A081A1D6762229DE5EC6E6F3FE9 | NTHASH-win64 /decodeblob /binary:%cd%\test\data_blob
NTHASH 1.8 x64 by erwan2212@gmail.com
filename:data_blob
Unprotecting Blob
Blob:736563726574
Blob:secret
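The chain erwan lists above (widestringtohexa of the SID, then gethmac keyed with SHA1(password), then /decodemk /input:<hmac>) can be reproduced outside NTHASH, which helps when a run ends in dpapi_unprotect_masterkey_with_shaDerivedkey not ok and you want to know whether the prekey you fed in was right before suspecting the masterkey file or the SID path. The Python below is an added example, not NTHASH code and not from this thread; it uses only the standard library plus the SID and SHA1(password) erwan posted for the public test files. It assumes the documented DPAPI user prekey derivation: HMAC-SHA1 keyed with SHA1(UTF-16LE password) over the UTF-16LE SID including its two-byte NUL terminator, which is exactly the /input erwan passes to /gethmac. The SID is picked out of the masterkey path by pattern rather than by a fixed length (the 46-char assumption erwan fixed), and a path with no SID component gives the same "cannot detect SID in path" condition NTHASH reports. The path constant is constructed for the example.

```python
import hashlib
import hmac
import re
from typing import Optional

# Values erwan posted for the public test files in the repo's test folder.
TEST_SID = "S-1-5-21-1891491695-624633549-2724392037-1002"
TEST_SHA1_PASSWORD = "34A8D13A08847A081A1D6762229DE5EC6E6F3FE9"
# Constructed path (erwan's %cd%\test path with a fixed drive), not taken from a real box.
TEST_MK_PATH = (r"C:\test\S-1-5-21-1891491695-624633549-2724392037-1002"
                r"\6DEAADE9-7898-4CD5-AEF1-8D22ED86ACD4")

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def sid_from_masterkey_path(path: str) -> Optional[str]:
    """Find the SID directory in a masterkey path by pattern, whatever its length.
    Returns None when no SID component is present ("cannot detect SID in path")."""
    found = SID_RE.findall(path)
    return found[-1] if found else None


def widestring_to_hexa(text: str, nul_terminated: bool = False) -> str:
    """UTF-16LE bytes of text as upper-case hex, i.e. what /widestringtohexa prints.
    With nul_terminated=True the trailing 0000 that /gethmac expects is appended."""
    data = text.encode("utf-16-le")
    if nul_terminated:
        data += b"\x00\x00"
    return data.hex().upper()


def sha1_of_password(password: str) -> str:
    """SHA1 over the UTF-16LE password (the /widestringtohexa | /gethash /mode:SHA1 pipe)."""
    return hashlib.sha1(password.encode("utf-16-le")).hexdigest().upper()


def dpapi_user_prekey(sid: str, sha1_password_hex: str) -> str:
    """HMAC-SHA1(key = SHA1(password), msg = UTF-16LE(SID) + 0000): the value
    /gethmac prints and /decodemk /input: consumes for a local account."""
    if not SID_RE.fullmatch(sid):
        raise ValueError(f"not a SID: {sid!r}")
    if len(sha1_password_hex) != 40:
        raise ValueError("SHA1(password) must be 20 bytes (40 hex chars)")
    key = bytes.fromhex(sha1_password_hex)
    msg = bytes.fromhex(widestring_to_hexa(sid, nul_terminated=True))
    return hmac.new(key, msg, hashlib.sha1).hexdigest().upper()


def prekey_for_masterkey_file(mk_path: str, sha1_password_hex: str) -> str:
    """Derive the /input value for a masterkey file from its path and SHA1(password)."""
    sid = sid_from_masterkey_path(mk_path)
    if sid is None:
        raise ValueError("cannot detect SID in path")
    return dpapi_user_prekey(sid, sha1_password_hex)


if __name__ == "__main__":
    print("widestringtohexa:", widestring_to_hexa(TEST_SID))
    print("prekey:", prekey_for_masterkey_file(TEST_MK_PATH, TEST_SHA1_PASSWORD))
```

Comparing the two printed values with the widestringtohexa and gethmac lines erwan posted localises a mismatch: if the prekey agrees but /decodemk still fails, the problem is in the masterkey file or its SID directory, not in the derivation.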

erwan2212 commented 3 years ago

With latest nthash version, hopefully, you should see a lot less issues when using /decodemk either with /input or with /password.

Cheers, Erwan

Papotito123 commented 3 years ago

Hello: Sorry, but I ran my commands and then the ones you posted before, and both gave the same result: dpapi_unprotect_masterkey_with_shaDerivedkey not ok

Papotito123(erwan2212 sync)_mksha1.txt

You mentioned something about the SID config. These are 2 accounts from the same OS on the same machine: PROBANDO: MicrosoftAccount user <<< issued one S-1-5-21-337365419-192549521-2618175838-100x

TESTACCOUNT: local user S-1-5-21-337365419-192549521-2618175838-100x

For the PROBANDO account, the user password SHA1 calculated is the same as grabbed by mimi. The guid name is the same according to mimi.

I get the data.blob with: echo local_state_base64string|nthash-win64.exe /base64decodehexa|nthash-win64.exe /hexatofile

The hmac I used: NTHASH-win64.exe /gethmac /mode:SHA1 /key:gethash(user_SHA1 hash) /input:S-I-D_widestringtohexa + 0000

And for the MKsha1 key: NTHASH-win64.exe /decodemk /binary:.\SID name\guid_filecopied /input:gethmac_hexastring

I do the same for FAKEACCOUNT (local user) in the same OS/machine, and it works well. Also I do it for a Win 2004H1 x64 TESTACCOUNT (local user), and it works well.

Papotito123 commented 3 years ago

Hello: I logged in to the PROBANDO account. The password always works well. Then I ran mimi.

Authentication Id : 0 ; 2302781 (00000000:0023233d)
Session : Interactive from 3
User Name : PROBANDO
Domain : DESKTOP-2GHHNFK
Logon Server : (null)
Logon Time : 10/17/2020 8:51:51 PM
SID : S-1-5-21-337365419-192549521-2618175838-1003
msv : [00000003] Primary

Then I grab ::dpapi.

Authentication Id : 0 ; 2302781 (00000000:0023233d)
Session : Interactive from 3
User Name : PROBANDO
Domain : DESKTOP-2GHHNFK
Logon Server : (null)
Logon Time : 10/17/2020 8:51:51 PM
SID : S-1-5-21-337365419-192549521-2618175838-1003
[00000000]

But I can't see the guid {BB0FD3D0-3DAA-4D06-AA93-A282EEA027DB} and the Masterkey/SHA1 matched pairs. I found an archived mimi text for PROBANDO but with wdigest enabled. In that one the user password is grabbed and also this guid {BB0FD3D0-3DAA-4D06-AA93-A282EEA027DB} and the Masterkey/SHA1 matched pair appear.

So I ran /chrome /unprotect and the AES key and password are shown:

Encrypted Key found in local state file
Encrypted Key seems to be protected by DPAPI
  • using CryptUnprotectData API
AES Key is: wwwwwwwwwwwwwwwwwwwwwwwwwwwwww0866ea << AND THIS aes key IS THE RIGHT ONE (ALSO GRABBED IN nthash WHEN USING THE mkey sha1)

URL : https://login.live.com/ ( https://login.live.com/login.srf ) Username: otheremail@hotmail.com

Papotito123 commented 3 years ago

Hello: From Passcape: A Master Key file is a binary structure which consists of a service header and four slots, namely: the actual user's Master Key, the local encryption key (for unprotecting the local backup key), the local backup key (in Windows 2000) or CREDHIST GUID (in Windows XP and higher), and the domain backup key.

Maybe this is nonsense, but could it be necessary to add in some way /binary:CREDHIST file to the /decodemk /password sentence? The user SHA1 opens CREDHIST and can check older SHA1s and test until finding the matched one.

Or, as I see for NordVPN decrypting the mkey, the machine/system key is used, and can it be done offline?

Just guessing.

erwan2212 commented 3 years ago

About credhist, I believe you are right: in some circumstances, the sha1 needs to be retrieved from there. Alternatively, have you tried /dpamk?

erwan2212 commented 3 years ago

About NordVPN, yes you can do it offline: have a look here.

Papotito123 commented 3 years ago

Hello: I don't have NordVPN. I mentioned it because in some articles using mimi and some screenshots, for decrypting this mkey offline the machine (offline) is needed because of the type of encryption. As I think I read, a MicrosoftAccount user has an extra encryption layer and password validation is different from a local user.

Look at these pictures: https://mobile.twitter.com/gentilkiwi/status/1178796512580702208

About /dpamk, I didn't use it. I will try.

But my real issue is to decrypt an offline (copying the needed files) MicrosoftAccount user mkey to retrieve Chrome logins. /dpamk will retrieve DPAPI keys in lsass for the running OS. As I mentioned, when logged in to the PROBANDO MicrosoftAccount, I ran mimi sekurlsa::dpapi, and the masterkey with the paired mkey/sha1 wasn't there. I have this from another time.

So much thanks for keeping in touch.

Papotito123 commented 3 years ago

Hello: Having the blob, the MK, the sid, and the sha1(password) is the fast track ending. Sure, I don't have a problem getting the AES key to decrypt the Chrome logins. I performed the process backwards and the issue is after getting hacked and /decodemk. Here the error throws.

I made a MicrosoftAccount user in Win 2004H1. I used the same email and password login info as PROBANDO (Win 10 1809). Then I copied the needed files/lsass.exe dump and went back to the Win 10 1809 TESTACCOUNT (the usual working account). I did the whole process and got the same error.

I used mimikatz to decode the mkey and it also gives an error. But it always points to the same thing, that the derivedsha1 is not ready to decrypt the mkey.

Papotito123 commented 3 years ago

Hello: I used Passcape Windows Password Recovery. It has a tool to analyze Master keys and also have Password Check tool to verify if password is incorrect. So for PROBANDO(MicrosoftAccount) says password is correct.

erwan2212 commented 3 years ago

will look at this case "MucrosoftAccount user in Win 2004H1" in the coming days

Papotito123 commented 3 years ago

Hello: So much thanks.

I tried substituting userpassword_SHA1 with the DPAPI user hash. No. I tried adding one zero, 2 zeroes, 3 zeroes instead of 4 zeroes for the SID hexa. No. Using this tool to analyze DPAPI GUIDs, the Password check says Matched for the actual password. I tried other passwords but it always Matched with the actual password. So that means that the user password is part of the equation to decrypt and get the MKsha1.

Maybe the command to get the hmac is right. Maybe the /decodemk is right. But maybe in one of them something to validate/some permission is missing.

Also I can't do it in mimi. It gives the error derivedsha1 not ready. Definitely the MKsha1 (from lsassdump, or from other ways) is the right one.

This only happens when decrypting the MK of a MicrosoftAccount user in Win 10 1809 and also in Win 10 2004H1. I tried online and offline (files copied).

Papotito123 commented 3 years ago

Hello: From digital-forensics.sans.org, "give me the password and I'll rule the world" - SANS Forensics. For the Dpapick tool it is mentioned: Warning: only local account on Windows 8.1 • Live accounts use the new DPAPI-NG • http://msdn.microsoft.com/en-us/library/windows/desktop/Hh706794%28v=vs.85%29.aspx

DPAPI-NG was established from Win 8.1.

DPAPI-NG microsoft: https://docs.microsoft.com/en-us/windows/win32/seccng/cng-dpapi

As I see, for the masterkey there's a prekey that is hmac_sha1. In DPAPI-NG it seems that the SID is used to make another encryption layer.

Just sharing info I read.

Papotito123 commented 3 years ago

Hello: I was testing pypykatz.

When running it like this, for an offline MicrosoftAccount user:

pypykatz dpapi prekey password -o "C:\jibes\PROBANDO\TESTING.txt" --system "C:\jibes\PROBANDO\SYSTEM" --sam "C:\jibes\PROBANDO\SAM" --security "C:\jibes\PROBANDO\SECURITY" --sid S-1-5-21-xxxxxxx --password userpassword

it gives some SHA1 hashes. I can recognize 1 of them as being the hmacSHA1 hash, as in NTHASH it is the gethmac hash. So it seems the hmac is also good.

But it can't decrypt the guid, so it can't give the MKkey.

Papotito123 commented 3 years ago

Hello: I opened 2 MicrosoftAccount (from different Win versions) user guids pertaining to Chrome login and compared them to 3 local user guids. I noticed 2 things.

One is that the MicrosoftAccount guids show fewer lines of chars when compared with a local account user guid.

Second, both MicrosoftAccount guids have the same ending chars ( ·^«g ). This ending is different from local user guids. Could it be a little "secret" that has to be added to, maybe, the hmac?

Just guessing. But it looks curious to me.

erwan2212 commented 3 years ago

I created a microsoft account on win10 1903.

/logonpasswords shows :

LUID:00442BC0 username:erwan domain:DESKTOP-ATMCNA4
->CredentialManager:24D1C4D16D0
-CREDENTIALW:24D1CE42FF0 CREDENTIALS.AuthID:00000003
->Primary domain:MicrosoftAccount username:erwan.l@outlook.com ntlm:---correct NTLM sha1:---correct SHA1

i keep testing...

erwan2212 commented 3 years ago

Still using a microsoft account, if i try /decodemk /password:sha1password I get dpapi_unprotect_masterkey_with_shaDerivedkey not ok

erwan2212 commented 3 years ago

If I use /dpapimk, I retrieve the correct SHA1 MK which I can then use with /decodeblob /input:sha1mk

erwan2212 commented 3 years ago

The answer actually lays here : http://msdn.microsoft.com/en-us/library/windows/desktop/Hh706794%28v=vs.85%29.aspx (link you provided) :

"Cloud computing, however, often requires that content encrypted on one computer be decrypted on another. Therefore, beginning with Windows 8, Microsoft extended the idea of using a relatively straightforward API to encompass cloud scenarios. This new API, called DPAPI-NG, enables you to securely share secrets (keys, passwords, key material) and messages by protecting them to a set of principals that can be used to unprotect them on different computers after proper authentication and authorization. The following principals are currently supported:

A group in an Active Directory forest. Web credentials."

I guess I need to add this in my code now :)

erwan2212 commented 3 years ago

One thing I notice:
- when using a microsoft account, /decodemk gives me rounds:0001
- when using a local account, /decodemk gives me rounds:1F40

might be a wrong track but clearly i need to double check this...
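Both the Passcape description quoted earlier in the thread (a service header plus four slots: master key, backup key, CREDHIST GUID, domain key) and the rounds:0001 versus rounds:1F40 difference erwan reports can be read straight out of the masterkey file, because rounds is a field of the MasterKey slot header: it is the PBKDF2 iteration count applied to the prekey before the encrypted master key is unwrapped, so a value of 1 against 8000 is a real difference in how the file was produced. The parser below is an added example, not NTHASH code and not from this thread. The layout it assumes is the one the open-source DPAPI tooling documents: a 128-byte file header (version, two unknown DWORDs, the GUID as 36 UTF-16LE characters, two more unknown DWORDs, flags, then four 64-bit slot lengths) followed by the MasterKey slot (version, 16-byte salt, rounds, hash algorithm id, cipher algorithm id, ciphertext). The sample files are constructed inline with the GUID of erwan's test masterkey and dummy salt and ciphertext; nothing is decrypted and no real masterkey is read.

```python
import struct
import uuid
from typing import Any, Dict

# Windows CALG_* identifiers that appear in masterkey files.
ALG_NAMES = {
    0x8009: "CALG_HMAC",      # HMAC-SHA1, seen in older files
    0x800E: "CALG_SHA_512",   # seen in newer files
    0x6603: "CALG_3DES",
    0x6610: "CALG_AES_256",
}

# File header: version, unk0, unk1, guid (36 WCHAR), unk2, unk3, flags, four slot lengths.
HEADER_FMT = "<III72sIIIQQQQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)      # 128
# MasterKey slot header: version, salt, rounds, algHash, algCrypt; ciphertext follows.
MK_SLOT_FMT = "<I16sIII"
MK_SLOT_LEN = struct.calcsize(MK_SLOT_FMT)    # 32


def build_masterkey_file(guid: str, rounds: int, ciphertext: bytes,
                         alg_hash: int = 0x8009, alg_crypt: int = 0x6603) -> bytes:
    """Constructed sample: file header plus a populated MasterKey slot; the backup,
    CREDHIST and domain-key slots are left empty (length 0)."""
    guid_wide = str(uuid.UUID(guid)).encode("utf-16-le")   # 72 bytes, no NUL
    salt = bytes(range(16))                                  # dummy salt for the sample
    mk_slot = struct.pack(MK_SLOT_FMT, 2, salt, rounds, alg_hash, alg_crypt) + ciphertext
    header = struct.pack(HEADER_FMT, 2, 0, 0, guid_wide, 0, 0, 0, len(mk_slot), 0, 0, 0)
    return header + mk_slot


def parse_masterkey_file(data: bytes) -> Dict[str, Any]:
    """Read the file header and the MasterKey slot header; reject truncated input."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short for a masterkey file header")
    (version, _, _, guid_wide, _, _, flags,
     mk_len, bk_len, ch_len, dk_len) = struct.unpack_from(HEADER_FMT, data, 0)
    if HEADER_LEN + mk_len + bk_len + ch_len + dk_len > len(data):
        raise ValueError("slot lengths exceed file size")
    if mk_len < MK_SLOT_LEN:
        raise ValueError("MasterKey slot too short")
    mk_ver, salt, rounds, alg_hash, alg_crypt = struct.unpack_from(MK_SLOT_FMT, data, HEADER_LEN)
    return {
        "version": version,
        "guid": guid_wide.decode("utf-16-le"),
        "flags": flags,
        "slot_lengths": {"masterkey": mk_len, "backupkey": bk_len,
                         "credhist": ch_len, "domainkey": dk_len},
        "masterkey": {
            "version": mk_ver,
            "salt": salt.hex().upper(),
            "rounds": rounds,                       # PBKDF2 iteration count
            "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
            "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
            "ciphertext_len": mk_len - MK_SLOT_LEN,
        },
    }


TEST_GUID = "6DEAADE9-7898-4CD5-AEF1-8D22ED86ACD4"   # GUID of erwan's test masterkey
# Constructed samples: the rounds values erwan observed for a local and a Microsoft account.
SAMPLE_LOCAL = build_masterkey_file(TEST_GUID, 0x1F40, b"\xAA" * 144)
SAMPLE_MSA = build_masterkey_file(TEST_GUID, 0x0001, b"\xBB" * 144)

if __name__ == "__main__":
    for name, sample in (("local account", SAMPLE_LOCAL), ("microsoft account", SAMPLE_MSA)):
        info = parse_masterkey_file(sample)
        print(f"{name}: guid={info['guid']} rounds={info['masterkey']['rounds']:04X} "
              f"hash={info['masterkey']['alg_hash']} cipher={info['masterkey']['alg_crypt']}")
```

Run against a copied masterkey file (open it in binary mode and pass the bytes), the same function shows whether the CREDHIST and domain-key slots are populated and which algorithms and iteration count the file expects, which is the information needed to decide whether a /decodemk failure is a wrong prekey or a file the local-account path was never meant to handle.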

Papotito123 commented 3 years ago

Hello: So much thanks for reviewing. Definitely something in or after calculating the hmac is needed. As I tested, a MicrosoftAccount user doesn't need to be connected to the internet to log in. So something is authorizing/validating the logon.

I made tests substituting user_sha1 for another, or substituting the hmac for another hmac to use in /decodemk, but got the same error.

I made a local account using the same password as the MicrosoftAccount and the guid is of the same length and NTLM/SHA1 are exactly the same. I used the SID hexa and added the SID name's 4 last digits instead of 4 zeroes. No. There's no doubt that the grabbed MKkey hash (lsass.dmp, /dpapimk or other) is the right one. And then, piece of cake. So the stuck line should be when calculating the hmac, which, as I read, is an authentication message to be compared in this case with the guid. The guid in the MicrosoftAccount, when opened with notepad, has ending chars different from a local guid. More. I used a nirsoft tool. With this tool, providing the user plaintext password, other "local users" Chrome logins can be grabbed. It always failed when the Chrome logins are from a MicrosoftAccount user. When logged in to a MicrosoftAccount the decrypting process is close to the same, but at User level or Machine/System level maybe there's some "secret" or User validation that only occurs in this scenario. And it could be related to the need to validate the login when there's no internet. Guessing.

For me, I can take a breath because now I'm sure I used the right commands in the correct way. But this is far beyond my knowledge.

I keep reading and testing.

So thanks for keeping it alive.

Papotito123 commented 3 years ago

Hello: A MicrosoftAccount is validated during Windows setup while connected to the internet, or when in a local account you change/create a new user as a MicrosoftAccount while connected to the internet. Microsoft needs to validate the account and this has to leave something in the OS that is used for offline login.

In my experience with some Windows login "bypass" tools, after bypassing a MicrosoftAccount login (bypassed by changing the password and then returning to the original, or "bypassing" the login with no password), I always have to connect to the internet to validate the account after logging in with the "usual password". Now that you have a MicrosoftAccount user, you can try it. Windows Login Unlocker 1.6 from joker2013 and nizzzz.

I tried using SYSKEY, BOOTKEY, SAMKEY, dpapi Machine hash, dpapi user hash but got the same results. Maybe the command line needs some change.

Papotito123 commented 3 years ago

Hello: When I try to replicate, from (http://labalec.fr/erwan/?p=2247), nthash and dpapi secrets #2:

nthash-win64 /decodeblob /binary:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\guidname /input:mkey SHA1

CryptDecrypt not OK
dpapi_unprotect_blob:0
dpapi_unprotect_blob not ok

But I can grab the MKkey from: nthash-win64 /decodemk /binary:C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\guid /input:dpapi_User key

Papotito123 commented 3 years ago

Hello: I used some tools in order to decrypt or view guid contents and to decrypt the guid. The user password is right. The guid seems the right one. Could it be possible that another user password encryption or re-encryption is used to get the mk key? As I saw in one tool, in the guid properties/description, there's a LiveID account ID when the guid is for a MicrosoftAccount. I think it can be seen in a hex editor.

One particular thing. With one tool to see CREDHIST contents, seeing older user password SHA1s failed when the user account was created after August 2019. For user accounts created before this time the CREDHIST file can be opened and shows older user SHA1s.

Papotito123 commented 3 years ago

Hello: I changed the MicrosoftAccount to a local account user. I left the same user password to be able to compare some things.

Using the CredHistView tool from nirsoft, it always failed to catch the "older" SHA1/NTLM hashes. After changing to local, it then grabs the "old" SHA1/NTLM hashes, but they are different from the ones grabbed (mimi, lazagne, others) while the account was a MicrosoftAccount. I read somewhere that the user hashes are the right ones but used for login purposes. But for the MicrosoftAccount the hashes are different.

Also, I did try to decrypt the MK of this "changed to local account" doing OFFLINE. With /input and with /password both failed. But..., when using the full path, now the MK is decrypted in both modes, /input and /password.

And the SID path is very important because it can give an error. If I copy the GUID file to the nthash folder I get:
NTHASH 1.8 x64 by erwan2212@gmail.com
cannot detect SID in path

If I copy the folder SIDxxxxxxx with the guid inside to the nthash folder, I still have the error:
NTHASH 1.8 x64 by erwan2212@gmail.com
Unprotecting MasterKey
dpapi_unprotect_masterkey_with_shaDerivedkey not ok

So the error, dpapi_unprotect_masterkey_with_shaDerivedkey not ok, seems like a generic error for whatever is different from successful.

Papotito123 commented 3 years ago

Hello: I found something.

I have to copy the folder S-I-D-xxxxxxxxxxxxx instead of copying individual files or reconstructing the folder dir. To copy files I was using Robocopy like this:

Robocopy "%%~fD\AppData\Roaming\Microsoft\Protect" ".\1SECRETS\%ComputerName%_LSASSDUMP\%%~nxD" /COPY:DAT /S /E /A-:H

Maybe I need some switch to copy the folder/file permissions.

There's still the MicrosoftAccount guid issue, as I test another account. But the guid path seems to need some care. And maybe the permissions when copying the S-I-D xxxxxx folder or contents.

Papotito123 commented 3 years ago

Hello: Well then, I recap in my mind what is and what has happened. When switching from MicrosoftAccount to local account, Windows asks to enter a new password (I used the same password as when MicrosoftAccount). So a new entry is made in the CREDHIST file with the "latest old password". I confirm that this SHA1 hash is different from what it should be (caught by mimi, lazagne, others). How is it calculated? I don't know if it is a re-hash. I will do some playing with it. But I can confirm (using Passcape) that the last CREDHIST sha1 entry is for the first password being set (while the account was created as a local account and then I changed it to a MicrosoftAccount to make some tests with tools like nthash). So the other SHA1 entries pertain to passwords for the MicrosoftAccount user (I'm trying to remember what other passwords could be because I made some tries with other MicrosoftAccounts).

When switching to local account I had to copy the SID folder again for offline use. And that makes me think, why again? The date of the guid changes because there's a "new user password" (that's still the same). After copying, now I can decrypt Online and Offline, using /input and using /password (of course the user is a local account now). The MK SHA1 is not an issue, because it is the same. Now, should the hmac for both scenarios be the same?

For me, I strongly feel that the command to get the hmac is the decisive point. Maybe the user SHA1 to use is this "other sha1 made/calculated for the MicrosoftAccount" rather than the user SHA1 placed in SAM (that is the right SHA1 for the user password string). If this is the case, then the hmac should be different. Can this be identified by looking into the guid Properties?

As for me (I can be wrong), a MicrosoftAccount user account is authorized/validated at the very creation by being connected to the internet because it is authorized/validated by device and not by user. So this MicrosoftAccount can be used on multiple devices.

If a "second user password SHA1" exists when MicrosoftAccount, how is it calculated? If not, then the hmac needs something extra.

Maybe I have the advantage of having this user local (first creation), then switching to MicrosoftAccount, and then re-switching to a local user. Because CREDHIST is populated, the guid date changes, and I'm sure that the guid contents also changed, as opposed to my other MicrosoftAccount user that was created as Microsoft at first creation, so no entries in CREDHIST.

Papotito123 commented 3 years ago

Hello: Well... I've been switching my PROBANDO account to local and MicrosoftAccount back and forth and comparing the SHA1/NTLM hash entries in CREDHIST. When the user is a local account then the CREDHIST sha1/ntlm hashes are the right ones. Verified with other tools. I tried to use NTHASH /getntlmhash /password:userpassword. It doesn't work for me to calculate some passwords' NTLM hashes.

But when the user is a MicrosoftAccount then the CREDHIST sha1/ntlm hashes are different from the calculated ones (the user password is always the same no matter if local or MicrosoftAccount). And worse is that each CREDHIST sha1 entry that should be associated with the MicrosoftAccount user is different. So it is not using a fixed value. It is a new one every time the MicrosoftAccount is being set, despite the fact that the MicrosoftAccount I used is always the same with the same password.

So, this is a complicated big. I try to find anything that explains some of this but can't find it.

Papotito123 commented 3 years ago

CONFIRMED: CONFIRMED. When the user is a MicrosoftAccount user, the user password sha1 is encrypted in another way. So to decrypt the guid you need this "MA user password encrypted sha1" to decrypt the guid and not the user password sha1. So obviously the hmac is also different from a local user even having the same password. But as I always suspected, the MK key sha1 is always the same.

C:\Users\TESTACCOUNT\Downloads\NTHASH-FPC-master(18OCT2020)\NTHASH-FPC-master\NTHASH>NTHASH-win64.exe /gethmac /mode:SHA1 /key:7ED-MicrosoftAccount_encrypted SHA1-DA8 /input:5300_user_S-I-D hexa_plus_0000
NTHASH 1.8 x64 by erwan2212@gmail.com
gethmac
5F38_hmac_from_MAencryptedSHA1_EEA23

C:\Users\TESTACCOUNT\Downloads\NTHASH-FPC-master(18OCT2020)\NTHASH-FPC-master\NTHASH>NTHASH-win64.exe /decodemk /binary:C:\Users\PROBANDO\AppData\Roaming\Microsoft\Protect\S-1-5-21-XXXXXXXXXXXXXXXXXXX-1003\bb0fd3d0-3daa-4d06-aa93-a282eea027db /input:5F38_hmac_from_MAencryptedSHA1_EEA23
NTHASH 1.8 x64 by erwan2212@gmail.com
Unprotecting MasterKey
KEY:2D43xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxDAA3
SHA1:EDF_good_MKsha1_986

I had to copy the guid back to the MicrosoftAccount user, because it doesn't work doing OFFLINE.

How/where to get/calculate this MicrosoftAccount_encrypted SHA1, I have no idea.

But I got deep into it to see what I was suspecting.

Sorry for the multiple extra large posts.

erwan2212 commented 3 years ago

For machine/system blobs, the system dpapi key is the key. But, as you may have seen there are 2 system dpapi keys : machine and user. You may have to try one or the other.

erwan2212 commented 3 years ago

Hello: I used some tools in order to decrypt or view guid contents and to decrypt the guid. The user password is right. The guid seems the right one. Could it be possible that another user password encryption or re-encryption is used to get the mk key? As I saw in one tool, in the guid properties/description, there's a LiveID account ID when the guid is for a MicrosoftAccount. I think it can be seen in a hex editor.

One particular thing. With one tool to see CREDHIST contents, so to see older user password SHA1, it failed when the user account was created after August 2019. For user accounts created before this time the CREDHIST file can be opened and shows older user SHA1.

CREDHIST is on my todo list. Reading your latest feedback, I believe we can discard the CREDHIST track for now.

erwan2212 commented 3 years ago

Hello: I changed the MicrosoftAccount to a local account user. I left the same user password to be able to compare some things.

Using the CredHistView tool from nirsoft always failed to catch the "older" SHA1/ntlm hashes. After changing to local, it then grabs the "old" SHA1/NTLM hashes but they are different from the ones grabbed (mimi, lazagne, others) while the account was a MicrosoftAccount. I read somewhere that the user hashes are the right ones but used for login purposes. But for the MicrosoftAccount the hashes are different.

Also, I did try to decrypt the MK of this "changed to local account" doing it OFFLINE. With /input and with /password both failed. But...., when using the full path, now the MK is decrypted in both modes, /input and /password.

And the SID path is very important because it can give errors. If I copy the GUID file to the nthash folder I get: NTHASH 1.8 x64 by erwan2212@gmail.com cannot detect SID in path

If I copy the folder SIDxxxxxxx with the guid inside to the nthash folder, I still have the error: NTHASH 1.8 x64 by erwan2212@gmail.com Unprotecting MasterKey dpapi_unprotect_masterkey_with_shaDerivedkey not ok

So the error, dpapi_unprotect_masterkey_with_shaDerivedkey not ok, seems like a generic error for whatever is different from successful.

You are correct : when using decodemk and /password, nthash will try to find the SID in the path. This is why I store my offline MK's in a path like c:\evidence\sid\mk.
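To make the "cannot detect SID in path" behaviour discussed above concrete, here is an added helper (not nthash's own code) that extracts the SID component from an offline MK path and checks that the MK file sits directly under its SID folder, as in the c:\evidence\sid\mk layout. The paths and SIDs below are constructed sample values, not from a real system.

```python
import re
from typing import Optional, Tuple

# A SID is "S-1-" followed by a revision/authority and one or more sub-authorities.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def sid_from_path(path: str) -> Optional[str]:
    """Return the first path component that looks like a SID, or None.

    Mirrors the idea that the tool locates the SID by scanning the path,
    which is why a bare MK file copied into the tool folder cannot be processed.
    """
    for part in re.split(r"[\\/]+", path):
        if SID_RE.match(part):
            return part
    return None


def check_offline_layout(mk_path: str) -> Tuple[Optional[str], bool]:
    """Return (sid, layout_ok).

    layout_ok is True only when the MK file's immediate parent directory is
    the SID folder, i.e. <anything>\\<SID>\\<mk-guid>.
    """
    parts = [p for p in re.split(r"[\\/]+", mk_path) if p]
    sid = sid_from_path(mk_path)
    if sid is None or len(parts) < 2:
        return sid, False
    return sid, parts[-2] == sid


if __name__ == "__main__":
    # Constructed sample paths: a correct forensic layout and a bare copy.
    good = r"c:\forensics\alice\S-1-5-21-1111-2222-3333-1003\bb0fd3d0-3daa-4d06-aa93-a282eea027db"
    bare = r"C:\tools\NTHASH\bb0fd3d0-3daa-4d06-aa93-a282eea027db"
    print(check_offline_layout(good))  # ('S-1-5-21-1111-2222-3333-1003', True)
    print(check_offline_layout(bare))  # (None, False)
```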

erwan2212 commented 3 years ago

Hello: I found something.

I have to copy the folder S-I-D-xxxxxxxxxxxxx instead of copying individual files or reconstructing the folder dir. For copying files I was using Robocopy like this:

Robocopy "%%~fD\AppData\Roaming\Microsoft\Protect" ".\1SECRETS%ComputerName%_LSASSDUMP%%~nxD" /COPY:DAT /S /E /A-:H

Maybe I need some switch to copy the folder/files permissions.

Still there's the MicrosoftAccount guid issue, as I tested another account. But the guid path seems to need some care. And maybe the permissions when copying the S-I-D xxxxxx folder or contents.

Once you start processing files offline, "normally" file permissions are irrelevant. Now, clearly, from a forensics point of view, I would recommend creating one folder per user and then creating a sid folder in there.

c:\forensics\username\sid -> put your MK files in there - put nthash in forensics

erwan2212 commented 3 years ago

Hello: Well then I recap in my mind what is and what was happening. When switching from MicrosoftAccount to local account, Windows asks to enter a new password (I used the same password as when MicrosoftAccount). So a new entry is made in the CREDHIST file with the "latest old password". I confirm that this SHA1 hash is different from what it should be (caught by mimi, lazagne, others). How is it calculated? I don't know if it is a re-hash. I will do some playing with it. But I can confirm (using Passcape) that the last CREDHIST sha1 entry is for the first password being set (while the account was created as a local account and then I changed to a MicrosoftAccount to make some tests with tools like nthash). So the other SHA1 entries pertain to passwords for the MicrosoftAccount user (I'm trying to remember what other passwords could be because I made some tries with other MicrosoftAccounts).

As when switching to a local account I had to copy again the SID folder for offline use. And that makes me think, why again? The date of the guid changes because there's a "new user password" (that's still the same). After copying, now I can decrypt Online and Offline, using /input and using /password (of course the user is a local account now). The MK SHA1 is not the issue, because it is the same. Now, should the hmac for both scenarios be the same?

For me, I strongly feel that the command to get the hmac is the decisive point. Maybe the user SHA1 to use is this "other sha1 made/calculated for MicrosoftAccount" rather than the user SHA1 placed in SAM (that is the right SHA1 for the user password string). If this is the case, then the hmac should be different. Can this be identified by looking into the guid Properties?

As for me (I can be wrong) a MicrosoftAccount user account is authorized/validated at the very creation by being connected to the internet because it is authorized/validated by device and not by user. So this MicrosoftAccount can be used in multiple devices.

If a "second user password SHA1" exists when MicrosoftAccount, how is it calculated? If not, then the hmac needs something extra.

Maybe I have the advantage of having this user local (first creation), then switched to MicrosoftAccount, and then re-switched to a local user. Because CREDHIST is populated, the guid date changes, and I'm sure that the guid contents also changed. As opposed to my other MicrosoftAccount user that was created as microsoft at first creation, so no entries in CREDHIST.

Clearly, when the password changes, it becomes more difficult. Indeed, the MK then depends on a sha1 which is no longer the sha1 of the current password but the sha1 of a previous password. That is when credhist comes into play then.

I am going to test that scenario today.

erwan2212 commented 3 years ago

CONFIRMED: CONFIRMED. When the user is a MicrosoftAccount user, the user password sha1 is encrypted in another way. So to decrypt the guid you need this "MA user password encrypted sha1" to decrypt the guid and not the user password sha1. So obviously, the hmac is also different than for a local user even having the same password. But as I always suspected, the MK key sha1 is always the same.

C:\Users\TESTACCOUNT\Downloads\NTHASH-FPC-master(18OCT2020)\NTHASH-FPC-master\NTHASH>NTHASH-win64.exe /gethmac /mode:SHA1 /key:7ED-MicrosoftAccount_encrypted SHA1-DA8 /input:5300_user_S-I-D hexa_plus_0000 NTHASH 1.8 x64 by erwan2212@gmail.com gethmac 5F38_hmac_from_MAencryptedSHA1_EEA23

C:\Users\TESTACCOUNT\Downloads\NTHASH-FPC-master(18OCT2020)\NTHASH-FPC-master\NTHASH>NTHASH-win64.exe /decodemk /binary:C:\Users\PROBANDO\AppData\Roaming\Microsoft\Protect\S-1-5-21-XXXXXXXXXXXXXXXXXXX-1003\bb0fd3d0-3daa-4d06-aa93-a282eea027db /input:5F38_hmac_from_MAencryptedSHA1_EEA23 NTHASH 1.8 x64 by erwan2212@gmail.com Unprotecting MasterKey KEY:2D43xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxDAA3 SHA1:EDF_good_MKsha1_986

I have to re-copy back the guid to the MicrosoftAccount user, because it doesn't work doing it OFFLINE.

How/where to get/calculate this MicrosoftAccount_encrypted SHA1, I have no idea.

But I got in deep to see what I was suspecting.

Sorry for the multiple extra large posts.

Please please do not be sorry: on the contrary, your efforts are appreciated. Looks like you are on to something and getting closer.

A few questions from me: -where did you get the "MA user password encrypted sha1"? -the fact that you are managing to create a proper HMAC which is accepted by decodemk clearly proves your point -I don't understand this "I have to re-copy back the guid to the MicrosoftAccount user". By guid you mean the MK file? Or have you edited some files?

At this stage the conclusion seems to be that the Microsoft Account SHA1 password is not the one we think (i.e. sha1 of the current password). I'll check the credhist file thus once more.

Theory: -Microsoft Account is created with a default password -at the same time a masterkey is created -password is changed to the current one -masterkey can only be decrypted with the previous password

Theory does not work ... CREDHIST len=0 for my microsoft account so clearly nothing to see there...

So clearly, whereas for a local account the expected SHA1 to generate the HMAC is the sha1 of the current password, for a microsoft account this SHA1 is something different. As long as we don't find out how to generate this SHA1 or where to find it (and therefore the HMAC as well), the only way is to retrieve the MK SHA1 with /dpapimk. For now, this SHA1 key could be anything today: a private cert, some registry entry, some dpapi secret, etc ...

Once you tell me how/where you retrieved the microsoft account sha1, I will dig more.

Papotito123 commented 3 years ago

Hello: Thanks for responding. I get this "MicrosoftAccount user SHA1" using Passcape Recovery that has a Dump CREDHIST hashes tool. Your CREDHIST should be blank because you never changed the password or switched from local account to MA account as I did to prove some things (I did back and forth 3 times, that's why I have 6 entries in CREDHIST). For the mk guid path, I recreated the folder structure (Users | username | AppData and so on until the S-I-D folder) and put the guid file inside. When the user is an MA account this doesn't work, I have to use the user account full path.

I saved a copy of this guid (dated September 2020) when the user was an MA account. Now, when I open the actual CREDHIST file, I know clearly when this user account was a local user because the user SHA1 is easily recognized (I have all data for all accounts). But the other SHA1s (4 entries, that are all different) are the user SHA1 saved by the OS when the password was changed (even though the MA account and password are always the same). I tested the SHA1 that should be saved for when the user was an MA account (I changed to local) and I decrypted the guid that I have saved (not the actual guid) successfully. But I have to "copy back" this guid to the "user environment" because it doesn't work doing it Offline (even having the folder structure recreated). That's another proved point.

When the guid file is from an MA account user, the Offline method seems not to work. It has to do with "user full path".

Clearly, Windows has the user password string hash (sha1/ntlm) as usual. And also has another sha1/ntlm for the same user password string but for MicrosoftAccount purposes. And this MA user sha1 is the one used to get the MK key SHA1 (and not the usual user login sha1 hash).

For 2 user accounts with the same password string, the SHA1 is the same but the hmac (challenge/response) should be different because of the different SID. So, for a MicrosoftAccount user every time you "get out of the club" a new hmac is created. With the extra security layer that the user password is re-encrypted.

Taken from a post from 2017: Authentication credentials are stored differently in the SAM/SYSTEM files when using a 'normal' offline windows account compared to an 'online' Microsoft account. When a user logs into their machine using their Microsoft account, their details will be cached onto the machine which allows them to log on even if they are offline. If a user changes their Microsoft account password online on a different machine/device, even if the original machine is connected to the internet, they can proceed to log in using the old password. It is only when they log in with the new password that the cached details get updated.

Chrome login recovery tools, such as ChromePass, work when logged into a MicrosoftAccount user because they probably grab the MK SHA1 from dpapi and not by decrypting with the hmac. But they can't decrypt chrome logins for an Offline MA account.

So the hmac is not the issue but getting the "MA user SHA1".
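The /gethmac step the thread keeps coming back to (key = user password SHA1, input = SID as UTF-16LE "hexa plus 0000") can be reproduced to check the "same password, different SID, different hmac" reasoning. This is an added example written for this discussion, not nthash's code; it uses the documented DPAPI user pre-key derivation (SHA1 over the UTF-16LE password, HMAC-SHA1 over the null-terminated UTF-16LE SID), and the passwords and SIDs are constructed sample values. It does not cover the Microsoft Account case, where the thread shows the SHA1 fed to the HMAC is not this one.

```python
import hashlib
import hmac
from typing import Dict


def password_sha1(password: str) -> bytes:
    """The 'user SHA1' for a local account: SHA1 of the UTF-16LE password."""
    return hashlib.sha1(password.encode("utf-16le")).digest()


def sid_bytes(sid: str) -> bytes:
    """SID as UTF-16LE plus a terminating null, i.e. 'SID hexa plus 0000'."""
    return (sid + "\0").encode("utf-16le")


def dpapi_prekey_hmac(user_sha1: bytes, sid: str) -> bytes:
    """HMAC-SHA1(key=user SHA1, msg=UTF-16LE SID + 0000), the /gethmac output."""
    return hmac.new(user_sha1, sid_bytes(sid), hashlib.sha1).digest()


def compare_two_users(password: str, sid_a: str, sid_b: str) -> Dict[str, bool]:
    """Show why two local users sharing a password still need different hmacs."""
    sha_a, sha_b = password_sha1(password), password_sha1(password)
    hmac_a = dpapi_prekey_hmac(sha_a, sid_a)
    hmac_b = dpapi_prekey_hmac(sha_b, sid_b)
    return {
        "same_sha1": sha_a == sha_b,      # password hash does not depend on SID
        "same_hmac": hmac_a == hmac_b,    # pre-key does, because the SID is the message
    }


if __name__ == "__main__":
    # Constructed sample SIDs and password, not from a real system.
    sid_local = "S-1-5-21-1111-2222-3333-1003"
    sid_other = "S-1-5-21-1111-2222-3333-1004"
    print(sid_bytes("S-1").hex())  # 53002d0031000000
    print(compare_two_users("Password1", sid_local, sid_other))
```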