Windows Password Recovery - DPAPI analysis and recovery tools
Starting with Windows 2000, Microsoft began equipping their operating systems with a special data protection interface, Data Protection Application Programming Interface (DPAPI). Currently, DPAPI is very widely spread and used in many Windows applications and subsystems. For example, in the file encryption system, for storing wireless network passwords, in Microsoft Vault and Credential Manager, Internet Explorer, Outlook, Skype, Google Chrome, etc. This system has become popular among programmers first of all for its simplicity of use, as it consists of just a couple of functions for encrypting and decrypting data: CryptProtectData and CryptUnprotectData. However, despite its apparent simplicity, the technical implementation of DPAPI is quite complicated.
Passcape Software first in the world offers a set of 6 tools for comprehensive analysis and decrypting data encrypted with DPAPI. These utilities allow you to:
- Decrypt DPAPI blobs for any user account
- Search DPAPI blobs on disk
- Decrypt DPAPI blobs encrypted under the SYSTEM account (e.g., WiFi passwords)
- Analyze and decrypt the user's Master Keys
- Check user's password without dumping hashes from SAM or NTDS.DIT
- Decrypt history hashes of all passwords entered earlier (without using SAM or NTDS.DIT)
This is a tool for decrypting data that is stored in DPAPI objects (DPAPI blobs)...
More information...
|
 |
A DPAPI blob is an opaque binary structure, which contains application's private data encrypted with DPAPI. Many Windows applications and subsystems store passwords, secrets and private data in DPAPI blobs...
More information...
|
 |
Master Key is used as the primary key when decrypting a DPAPI blob. A user's Master Key is encrypted with the user's logon password...
More information...
|
 |
Due to peculiarities of DPAPI implementation, Windows stores all user's previous passwords in the system. User's password history is located in the CREDHIST file...
More information...
|
 |
CREDHIST is a password history file, made out as a chain, where each link represents the user's previous password hashes. Each time user changes the password, the old password hash is appended to the file and encrypted with a new password...
More information... |
 |