Cracking not working with DPAPImk, DPAPI masterkey file v1 and v2 #4777

@mpgn

Hello,

When trying to crack a DPAPI hash, no password is found even though I provide the correct password.

└─$ python DPAPImk2john.py.1 -S S-1-5-21-3902381005-3621640295-1501945936-500 -c domain -mk fc4691a6-29c0-47e2-b484-8edd06508327 --password October2021 --debug                                                                         2 ⨯
$DPAPImk$1*2*S-1-5-21-3902381005-3621640295-1501945936-500*des3*sha1*18000*e0c423993bd2f0a870090f2292c9ba6c*208*3c2cd5955d05c0694ff18a2bbe722b53f94fa476f8bea46193bf5f13dc4d695442c604c59881d53230aca4532e73399b2fca93f6ca03cc0ed460c3c7d8e0aef1ec4a51ca8fa304e0529d9d7d2188015eb754010e4770182bddaa0e3017ef4ebf39d3ae2056aaea9b
$DPAPImk$1*3*S-1-5-21-3902381005-3621640295-1501945936-500*des3*sha1*18000*e0c423993bd2f0a870090f2292c9ba6c*208*3c2cd5955d05c0694ff18a2bbe722b53f94fa476f8bea46193bf5f13dc4d695442c604c59881d53230aca4532e73399b2fca93f6ca03cc0ed460c3c7d8e0aef1ec4a51ca8fa304e0529d9d7d2188015eb754010e4770182bddaa0e3017ef4ebf39d3ae2056aaea9b
[
#### MasterKeyFile fc4691a6-29c0-47e2-b484-8edd06508327 ####
        version   = 2
        Policy    = 0x0
        MasterKey = 136
        BackupKey = 104
        DomainKey = 372
    + Master Key: Masterkey block
        cipher algo  = DES3 [0x6603]
        hash algo    = HMAC [0x8009]
        rounds       = 18000
        IV           = e0c423993bd2f0a870090f2292c9ba6c
        ciphertext   = 3c2cd5955d05c0694ff18a2bbe722b53f94fa476f8bea46193bf5f13dc4d695442c604c59881d53230aca4532e73399b2fca93f6ca03cc0ed460c3c7d8e0aef1ec4a51ca8fa304e0529d9d7d2188015eb754010e4770182bddaa0e3017ef4ebf39d3ae2056aaea9b
    + Backup Key: Masterkey block
        cipher algo  = DES3 [0x6603]
        hash algo    = HMAC [0x8009]
        rounds       = 18000
        IV           = a075d692e9f2fab8494b00fe3f3c041e
        ciphertext   = db53d09b8216e9119fada6763a4b2060ec604a867e590cce4881395a80b063f454d627b71621c3c2049dc3465d4dfc45da1b530e0048f8b4b1239b9ba508320104d44ec3223762f5]
Decrypted succesfully as domain1607+
1
                                                                                                                                                                                                                                            
└─$ cat hash       
$DPAPImk$1*2*S-1-5-21-3902381005-3621640295-1501945936-500*des3*sha1*18000*e0c423993bd2f0a870090f2292c9ba6c*208*3c2cd5955d05c0694ff18a2bbe722b53f94fa476f8bea46193bf5f13dc4d695442c604c59881d53230aca4532e73399b2fca93f6ca03cc0ed460c3c7d8e0aef1ec4a51ca8fa304e0529d9d7d2188015eb754010e4770182bddaa0e3017ef4ebf39d3ae2056aaea9b
$DPAPImk$1*3*S-1-5-21-3902381005-3621640295-1501945936-500*des3*sha1*18000*e0c423993bd2f0a870090f2292c9ba6c*208*3c2cd5955d05c0694ff18a2bbe722b53f94fa476f8bea46193bf5f13dc4d695442c604c59881d53230aca4532e73399b2fca93f6ca03cc0ed460c3c7d8e0aef1ec4a51ca8fa304e0529d9d7d2188015eb754010e4770182bddaa0e3017ef4ebf39d3ae2056aaea9b  

└─$ cat pass
October2021                                                                                                                     
                                                                                                                                                                                                                                            
└─$ john hash --wordlist pass                                                                                                                                  
Using default input encoding: UTF-8
Loaded 1 password hash (DPAPImk, DPAPI masterkey file v1 and v2 [SHA1/MD4 PBKDF2-(SHA1/SHA512)-DPAPI-variant 3DES/AES256 256/256 AVX2 8x])
Cost 1 (iteration count) is 18000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 26 candidates left, minimum 64 needed for performance.
0g 0:00:00:04 DONE (2021-08-03 18:53) 0g/s 832.3p/s 832.3c/s 832.3C/s paagal..sss
Session completed

└─$ john hash --show                                                                                                                                           
0 password hashes cracked, 2 left

At first I thought it was related to my masterkey file, so I tried to crack the example hash:

https://github.com/jagotu/JohnTheRipper/blob/abf2fb3d0446844de498e805708613c7de575334/src/dpapimk_fmt_plug.c#L99

	{"$DPAPImk$1*1*S-15-21-447321867-460417387-480872410-1240*des3*sha1*24000*9b49e2d3b25103d03e936fdf66b94d26*208*ec96025ed4b023ebfa52bdfd91dfeb64edf3f3970b347ee8bb8adfb2a686a0a34792d40074edd372f346da8fcd02cc5d4182c2fd09f4549ec106273926edd05c42e4b5fc8b8758a7c48f6ddae273f357bcb645c8ad16e3161e8a9dbb5002454f4db5ef0d5d7a93ac", "bouledepetanque"},
	{"$DPAPImk$1*3*S-1-5-21-1857904334-2267218879-1458651445-1123*des3*sha1*18000*e4c529ba8975e4ed56f5fb8b1e85be43*208*af96b391f1d6e2d37a4de3b4c412ce78f032d446d77ea1fb6a0782f47c390c844349c2bcaeba9fd570b39def6f67a369aa2e266e8d017689d8a09667fdfb640feb3e19ca22067cc5704644c1dcc43d4cccac667391f4918d0de77f36569fd2e104ef0619a46edcfc", "LaKuckaracha42"},

No hash is cracked using john.

Here is my masterkey file:
fc4691a6-29c0-47e2-b484-8edd06508327.zip

Tested on John 1.9.0-jumbo linux / windows
