The open-source security tool DPAPISnoop has been extended to extract CREDHIST entries. This addition enables offline cracking of historical Windows credentials and gives deeper insight into user password patterns. Lefteris Panos, a Security Consultant at LRQA Red Team, outlined that the tool now recovers and analyses historical credentials alongside DPAPI Master Key hashes.
Understanding DPAPI’s Role in Security
Microsoft’s Data Protection API (DPAPI) is integral to safeguarding sensitive user data, such as browser credentials and encryption keys. Traditionally, security professionals focus on recovering DPAPI Master Keys to decrypt protected information. However, CREDHIST, an often-overlooked component, is fundamental to DPAPI’s architecture.
Whenever a user's password changes, Windows keeps keys derived from the previous passwords so that data encrypted under an earlier password remains accessible. This credential history is stored in the CREDHIST file, located in the user's %APPDATA%\Microsoft\Protect directory. Each entry represents a past password, encrypted with key material derived from that password, and the entries form a sequential chain.
Innovations in CREDHIST Extraction
According to Panos, the improved DPAPISnoop can parse CREDHIST files and convert each entry into a hash that can be cracked offline. These hashes, prefixed with “$credhist$”, are compatible with Hashcat. To support them, the researchers introduced two new Hashcat modes: 15920 for CREDHIST entries using 3DES with HMAC-SHA1, and 15930 for entries using AES-256 with SHA-512.
This functionality enables attackers or testers to brute-force historical password entries without decrypting the entire DPAPI key. Extracted hashes can be cracked using GPU-based tools like Hashcat. Successfully recovering a password allows further decryption of the sequential entries, potentially revealing more of the user’s password history.
Implications for Security and Defense
Older password entries often use weaker cryptographic schemes, such as SHA1-based PBKDF2 with 3DES, which makes them easier to crack than modern SHA-512-based entries. Although this is not a vulnerability, it demonstrates how legitimate Windows features can be exploited once an attacker has access to the filesystem.
Recovering historical passwords offers valuable intelligence, such as identifying password reuse patterns and understanding password complexity trends. This information can significantly hasten lateral movement and privilege escalation during cyber attacks.
Detection and Prevention Strategies
Defensive measures should include monitoring for unusual access to DPAPI-related paths, especially the CREDHIST file under %APPDATA%\Microsoft\Protect. Detection rules for suspicious access attempts are available in Sigma and Elastic rule sets. The challenge lies in distinguishing normal DPAPI activity from anomalous behavior.
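As an added illustration of that distinction (example code written for this article, not part of DPAPISnoop or the LRQA research), the following triage logic runs over constructed Windows file-audit events and flags reads of the CREDHIST file, and of master key files beside it, by any process outside an expected set. The expected-process set and the sample events are assumptions for illustration.

```python
"""Flag Windows file-audit events that touch DPAPI credential material."""
import re

# Per-user credential history: %APPDATA%\Microsoft\Protect\CREDHIST
CREDHIST_RE = re.compile(r"\\Microsoft\\Protect\\CREDHIST$", re.IGNORECASE)
# Master key files sit beside it in a SID-named directory and are named by GUID.
MASTERKEY_RE = re.compile(
    r"\\Microsoft\\Protect\\S-1-5-21-\d+-\d+-\d+-\d+\\"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)
# Assumption: processes expected to read this material. lsass.exe hosts the
# DPAPI service; baseline and tune this set per environment before alerting.
EXPECTED_PROCESSES = {"lsass.exe"}

def dpapi_artifact(path):
    """Return 'CREDHIST', 'MASTERKEY' or None for an ObjectName path."""
    if CREDHIST_RE.search(path):
        return "CREDHIST"
    if MASTERKEY_RE.search(path):
        return "MASTERKEY"
    return None

def is_suspicious(event):
    """True when DPAPI material is read by a process outside the expected set."""
    if dpapi_artifact(event.get("ObjectName", "")) is None:
        return False
    image = event.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
    return image not in EXPECTED_PROCESSES

def triage(events):
    """(artifact, user, process image) for each suspicious event."""
    return [(dpapi_artifact(e["ObjectName"]), e["SubjectUserName"],
             e["ProcessName"].rsplit("\\", 1)[-1].lower())
            for e in events if is_suspicious(e)]

# Constructed sample events using Security event 4663 field names (object access).
# 4663 only fires for objects carrying an audit SACL, so CREDHIST and the
# master-key directory must be audited for these events to exist at all.
_PROTECT = r"C:\Users\alice\AppData\Roaming\Microsoft\Protect"
SAMPLE_EVENTS = [
    {"SubjectUserName": "alice", "ObjectName": _PROTECT + r"\CREDHIST",
     "ProcessName": r"C:\Windows\System32\lsass.exe"},            # expected DPAPI service
    {"SubjectUserName": "alice", "ObjectName": _PROTECT + r"\CREDHIST",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"SubjectUserName": "alice", "ProcessName": r"C:\Windows\System32\cmd.exe",
     "ObjectName": _PROTECT + r"\S-1-5-21-1-2-3-1001\0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"},
    {"SubjectUserName": "alice", "ObjectName": _PROTECT + r"\S-1-5-21-1-2-3-1001\Preferred",
     "ProcessName": r"C:\Windows\explorer.exe"},                  # not key material
]
```

Running `triage(SAMPLE_EVENTS)` reports the PowerShell read of CREDHIST and the cmd.exe read of a master key file, while the lsass.exe access and the read of the unrelated Preferred file pass silently.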
Organizations are encouraged to enforce robust password policies, restrict local file access, and actively monitor endpoint activity for unusual credential-related actions. The research led by Lefteris Panos underscores the value of revisiting established security mechanisms like DPAPI, where new offensive opportunities can still surface, and highlights the need for ongoing research in Windows credential security.
