Recovering windows secrets and efs certificates offline


Available Media

Publication (Pdf)

Slides (pdf)

Conference: Workshop On Offensive Technologies
Authors: Elie Bursztein, Jean-Michel Picod
Citation

Bibtex Citation

@inproceedings{BURSZTEIN2010RECOVERING,
  title        = {Recovering windows secrets and efs certificates offline},
  author       = {Bursztein, Elie and Picod, Jean-Michel},
  booktitle    = {Workshop On Offensive Technologies},
  year         = {2010},
  organization = {Usenix}
}

In this paper we present the results of our reverse engineering of DPAPI, the Windows API for safe storage of data on disk. Understanding DPAPI was the major roadblock that prevented alternative systems such as Linux from reading Windows Encrypting File System (EFS) files. Our analysis of DPAPI reveals how an attacker can leverage DPAPI design choices to gain a nearly silent backdoor. We also found a way to recover all previous passwords used by any user on a system. We implement DPAPI data decryption and previous-password extraction in a free tool called DPAPIck. Finally, we propose a backward-compatible scheme that addresses the issue of previous-password recovery.
