Is it possible to get account password?
BubbleMaker2089 opened this issue · 3 comments
I have persisted credentials for email account. pypykatz dpapi credential enables to decrypt it but it seems like it does not contain password. What commands should I use to get password for persistent creds like this?
PS C:\Users\docker\Downloads\helper> pypykatz dpapi credential C:\Users\<user>\Downloads\helper\keys_masterkeys C:\Users\<user>\AppData\Local\Microsoft\Credentials\DC65DDB8148C82FE4972A882BF336BB6
type : GENERIC (1)
last_written : 133426964164149642
target : LegacyGeneric:target=MicrosoftAccount:user=<email_account@outlook.com>
description : PersistedCredential
username : <email_account@outlook.com>
ATTRIBUTE
keyword: Microsoft_WindowsLive:authstate:0
<hex_data>
keyword: Microsoft_WindowsLive:authstate:1
<hex_data>
keyword: Microsoft_WindowsLive:authstate:2
<hex_data>
keyword: Microsoft_WindowsLive:authstate:3
<hex_data>
if decryption works, then the pw should be there, the problem is with pypykatz because I was not able to figure out which structure to use when parsing these credentials. Core problem is: these credential files can store data in many different formats, and I could find any documentation on the available formats to implement. As this was not on my priority list, I just left it be.
Summary: I'm afraid you won't get better results without actually touching the code.
I was analizying the code of mimikatz feature and for this type of credential it parses out blobSize = 0, for another one blobSize != 0 and the value exists. Other fields was parsed out without issues (for example, attributes which are the next after blob). Pypykatz has the same behaviour. For me, it seems like there is no password in this credential file because I checked offsets using FileCredentialsView and it shows NULLs where blobSize should be. Of course, this file can have different structure but everything before blob and after blob was parsed out without issues. I don't think it's coincidence because everything seems like it on its place. It just blobSize and blob which are NULL for this specific file and other files with other email accounts
Could it be that there is no password there?