
module ~ dpapi

Benjamin DELPY edited this page Jun 26, 2016 · 8 revisions

A basic introduction

A blob

  • contains: encrypted raw data, a secret, for example a Vault, a Credential, a CAPI/CNG Private Key, a Chrome password, a WiFi/WWAN key, ...
  • is used for: whatever you want! This is the final data
  • is protected by: a masterkey and optionally entropy data AND/OR an additional password
  • is linked to: a masterkey
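The blob header is what carries that link: every DPAPI blob starts with the DPAPI provider GUID and then names the GUID of the masterkey needed to decrypt it, so the first thing to do with a blob found on disk is to read that header and find out which masterkey file it depends on. The parser below is an added example (not mimikatz code); the field layout and the provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb are taken from public documentation of the blob format, and the sample blob, its masterkey GUID and its ciphertext bytes are constructed for the example, not real data.

```python
"""Read the header of a DPAPI blob and report which masterkey it is linked to.
Added example; field layout assumed from public DPAPI format documentation."""
import struct
import uuid

# Provider GUID present at the start of every DPAPI blob (public documentation).
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# Subset of wincrypt.h ALG_ID values commonly seen in blobs, for readable output.
ALG_NAMES = {
    0x6603: "CALG_3DES",
    0x6610: "CALG_AES_256",
    0x8004: "CALG_SHA1",
    0x800E: "CALG_SHA_512",
}


def _u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated DPAPI blob at offset %d" % off)
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _guid(buf, off):
    if off + 16 > len(buf):
        raise ValueError("truncated DPAPI blob at offset %d" % off)
    return uuid.UUID(bytes_le=bytes(buf[off:off + 16])), off + 16


def _sized(buf, off):
    """A DWORD length followed by that many raw bytes."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated DPAPI blob at offset %d" % off)
    return bytes(buf[off:off + n]), off + n


def parse_dpapi_blob(blob):
    """Return the header fields of a DPAPI blob; raise ValueError if it is not one."""
    off = 0
    version, off = _u32(blob, off)
    provider, off = _guid(blob, off)
    if provider != DPAPI_PROVIDER_GUID:
        raise ValueError("provider GUID %s is not the DPAPI provider" % provider)
    mk_version, off = _u32(blob, off)
    mk_guid, off = _guid(blob, off)        # the masterkey this blob is linked to
    flags, off = _u32(blob, off)
    description, off = _sized(blob, off)   # UTF-16LE, NUL-terminated
    alg_crypt, off = _u32(blob, off)
    alg_crypt_len, off = _u32(blob, off)   # cipher key length in bits
    salt, off = _sized(blob, off)
    hmac_key, off = _sized(blob, off)      # "strong" HMAC key, usually empty
    alg_hash, off = _u32(blob, off)
    alg_hash_len, off = _u32(blob, off)    # hash length in bits
    hmac2_key, off = _sized(blob, off)
    data, off = _sized(blob, off)          # the encrypted payload
    sign, off = _sized(blob, off)          # HMAC over the blob
    if off != len(blob):
        raise ValueError("%d trailing bytes after blob" % (len(blob) - off))
    return {
        "version": version,
        "masterkey_version": mk_version,
        "masterkey_guid": str(mk_guid),
        "flags": flags,
        "description": description.decode("utf-16-le").rstrip("\x00"),
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "alg_crypt_len": alg_crypt_len,
        "salt": salt,
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "alg_hash_len": alg_hash_len,
        "data_len": len(data),
        "sign_len": len(sign),
    }


def build_sample_blob(masterkey_guid, description="constructed sample"):
    """Constructed test input: a syntactically valid blob with dummy ciphertext."""
    def sized(b):
        return struct.pack("<I", len(b)) + b
    desc = (description + "\x00").encode("utf-16-le")
    return (
        struct.pack("<I", 1)
        + DPAPI_PROVIDER_GUID.bytes_le
        + struct.pack("<I", 1)
        + uuid.UUID(masterkey_guid).bytes_le
        + struct.pack("<I", 0)
        + sized(desc)
        + struct.pack("<II", 0x6610, 256)   # AES-256
        + sized(b"\x11" * 32)               # salt
        + sized(b"")                        # strong HMAC key (empty)
        + struct.pack("<II", 0x800E, 512)   # SHA-512
        + sized(b"")                        # HMAC2 key (empty)
        + sized(b"\x22" * 32)               # dummy encrypted data
        + sized(b"\x33" * 64)               # dummy signature
    )


if __name__ == "__main__":
    hdr = parse_dpapi_blob(build_sample_blob("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"))
    print("masterkey needed: %s" % hdr["masterkey_guid"])
    print("cipher %s/%d, hash %s/%d, %d data bytes" % (
        hdr["alg_crypt"], hdr["alg_crypt_len"], hdr["alg_hash"],
        hdr["alg_hash_len"], hdr["data_len"]))
```

The masterkey GUID printed here is the name of the masterkey file (under the user's or the machine's Protect directory) that the blob depends on; the provider GUID check is also a cheap way to tell a DPAPI blob apart from some other opaque binary value when triaging files or registry data.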

A masterkey

  • contains: multiple versions of the encrypted raw key
  • is used to: decrypt blob
  • is protected by: a key that depends on the situation
    • non-domain context: SID AND (user password SHA1 hash OR previous password SHA1 hash (by knowledge or from CREDHIST))
    • domain context:
      • SID AND (user password NTLM hash OR previous password NTLM hash (by knowledge))
      • domain backup key (RPC or RSA private key)
    • local computer: DPAPI_SYSTEM secret (COMPUTER or USER part)
  • is linked to: a credhist entry

A credhist

Only useful in a non-domain context

  • contains: previous encrypted credentials of the user (SHA1 & NTLM)
  • is used to: decrypt masterkey
  • is protected by: the most recent user password SHA1 hash used by the user on the system
    • each entry is protected by the previous key, etc.

Remarks

The on-disk location of these files is listed here: https://onedrive.live.com/redir?resid=A352EBC5934F0254%213104
When the user is a protected user, it's NOT the NTLM hash of the password, but another derived hash from it.

Commands:

Commands: blob, protect, masterkey, credhist, cache, capi, cng, cred, vault, wifi, wwan, chrome

blob

protect

masterkey

credhist

cache

capi

cng

cred

vault

wifi

wwan

chrome