Retrieving DPAPI Backup Keys from Active Directory

October 26, 2015 | Michael Grafnetter

Introduction

The Data Protection API (DPAPI) is used by several components of Windows to securely store passwords, encryption keys and other sensitive data. When DPAPI is used in an Active Directory domain environment, a copy of user’s master key is encrypted with a so-called DPAPI Domain Backup Key that is known to all domain controllers. Windows Server 2000 DCs use a symmetric key and newer systems use a public/private key pair. If the user password is reset and the original master key is rendered inaccessible to the user, the user’s access to the master key is automatically restored using the backup key.

The Mimikatz Method

Benjamin Delpy has already found a way to extract these backup keys from the LSASS of domain controllers and it even works remotely:

Mimikatz DPAPI Backup Keys

Key Storage

I have taken Benjamin’s research one step further and I can now extract these keys directly from the Active Directory database, where they are physically stored:

Backup Key Storage

The keys are stored in the currentValue attribute of objects whose names begin with BCKUPKEY and are of class secret. The BCKUPKEY_PREFERRED Secret and BCKUPKEY_P Secret objects actually only contain GUIDs of objects that hold the current modern and legacy keys, respectively. Furthermore, the currentValue attribute is encrypted using BootKey (aka SysKey) and is never sent through LDAP.

The Database Dump Method

The Get-BootKey, Get-ADDBBackupKey and Save-DPAPIBlob cmdlets from my DSInternals PowerShell Module can be used to retrieve the DPAPI Domain Backup Keys from ntds.dit files:

Note that mimikatz would name these files similarly.

The DRSR Method

The same result can be achieved by communicating with the Directory Replication Service using the Get-ADReplBackupKey cmdlet:

Defense

I am already starting to repeat myself:

  • Restrict access to domain controller backups.
  • Be cautious when delegating the “Replicating Directory Changes All” right.

 


Tags: , , ,

3 comments on “Retrieving DPAPI Backup Keys from Active Directory

  1. Eugen says:

    Hi Michael!
    Thank you for your’s toolkit. I have a question about RODC’s NTDS.dit file. It seems that it is been built differently as the NTDS on writable DC.

    So, my purpose was to demonstrate to my collegues in lab, that it is impossible to stolen non-cached user passwords from the RODC. I tried to read pwd hashes from NTDS file extracted from a RODC. I’ve pre-populated my RODC by some user passwords, but $key = Get-BootKey -SystemHivePath ‘d:\SHARE\SYSTEM’
    Get-ADDBAccount -all -DBPath ‘d:\share\ntds.dit’ -BootKey $key -Verbose

    does not generate any output. The ADUC snap-in says some password are replicated to the RODC. I pushed the replication of those passwords from repadmin too. When I specify a NTDS file from writable DC in the same domain, it shows me NT hashes of all accounts.

    Have tried 2012 R2 and 2016 domains. What may be a reason?

  2. Michael Grafnetter says:

    That is a good point, Eugen, it should have work as you expected. Unfortunately, I currently do not have a RODC available, so I cannot test it right away. I will let you know as soon I have an answer.

  3. Eugen says:

    Michael, For quick RODC deployment, you can use the same scripts I use in my lab environment

    http://pastebin.com/cKxSKda3

    Hope this will save your time

Leave a Reply

Your email address will not be published.