Adding support for AzureAD accounts#3
Conversation
|
Hi, I was able to get a key (20 bytes), but wasn't able to decrypt the user Masterkey with it. What version of Windows did you test it on, please? |
|
Hello, the |
|
Hi, thanks for the reply. Does the CacheData for AzureAD also has the static 124 byte header? If it helps, I can provide you with a sample CacheData file, I only use burner accounts anyway. |
|
I used the Let me know if it works better on Windows 10. I can do the R&D on Windows 11 later on to verify if the comportement is different. |
|
Hi, I have the same issues on Windows 10. to convert and use the password for decrypting the CacheData file? |
|
Hello, the script should be used in the same manner that with a Microsoft Account. The plaintext password of the Azure Account is used to decrypt the |
|
Hi, Now to digest the actual User MasterKey decryption key, that part is not working yet: Thanks for the assistance |
|
The modified version of the script does not work out of the box? In my sample, I have 112 bytes before the start of the JSON. I have not reversed not looked at the format so there might be some differences between different setups I guess. But here is the start of the data in my case: Then, 16 random bytes that I discard, followed by the next 0x40 random bytes before the start of the JSON that are used to derive the masterkey's decryption key. Maybe taking the 0x40 bytes before the JSON would be a good enough solution to avoid parsing the blob... Moreover, the SID can be omitted in the argument and retrieved from the JSON content, I can edit the PR to reflect this. |
|
Hi, -> In case of an AzureAD file, this seems to be I assume the SID is also the AzureAD version? E.g. Good to know, we need (probably) need the 0x40 bytes prior to the start of the JSON. |
|
The code: Worked in my context because this filter is applied before the data in decrypted, but I am unsure of its necessity and I have no opinion about it.
|
|
Hello @tijldeneut, a colleague performed a more in depth reverse of the Moreover, if your interested, colleagues published a review of Windows Hello For Business and the article contains details of all cryptographic operations and credit some of your work that was used during their research: https://www.synacktiv.com/publications/whfb-and-entra-id-say-hello-to-your-new-cache-flow |
|
@laxaa I already managed to write a new, custom parser for CacheData, based on AADInternals. Seems to be more generic than this approach. Keep you posted once I have more info (and a very close read of the article and other references) |
|
Hi, as mentioned, I will read and verify your article in close detail in the coming days, but in the mean time I'd like to share my attempt from 2 months ago for a future diana-azaccountdec.py script: I think we might be able to combine your additions on DPAPI key extraction and my PRT details for the best results. Any feedback more than welcome, work in progress |
|
Update: I included your changes into my earlier script, it now prints CredKey, PRT and POP: This POP can be decrypted via diana-cloudprtdec.py, but it seems that this it is not really usable in RoadRecon yet (but I have to verify this later) Whatever happens, I will of course give full credit to you and your work, will mention it with a link on the home directory and I am very thankful for your research and assistance :-) |
Hello ! With the blogpost, we released a tool (based on your work for the NGC part) which parses the CacheData file and some of its entries (PIN, Password and Microsoft Smart Card). I think you might be interested to take a look at it :) https://github.com/synacktiv/CacheData_decrypt/tree/main |
Adding support for AzureAD accounts on the
diana-msaccountdec.py. This effectively yields a key to be used when decrypting masterkey. Contrary toMicrosoftAccount, the output is not a password but a key. This key can be used for example withdpapi.pyfrom impacket: