Outlook password decryption via DPAPI

Anyone who believes that the passwords Outlook stores for accessing IMAP accounts are safe should think again. Microsoft's developers store the passwords used to access Outlook IMAP accounts in the registry.

The passwords are indeed encrypted with DPAPI, but they can be decrypted on the same system with a single API call. This is the approach the tools mentioned at the end of the post use to recover the password.

Yes, the IMAP passwords are present in Outlook's registry keys in DPAPI-encrypted form.

For example, the key is:

HKLM\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9898CFF0885468d3B88A99567B2A6676

A simple call to the CryptUnprotectData() API, made from any process running in the same user context, decrypts this value read from the registry.

Wait, it gets even more interesting:

The Teams full-client cache also stores unencrypted passwords in the browser cache. The same is true for the Teams web client, which stores conversations unencrypted in the browser cache.

What we know about DPAPI

The acronym DPAPI stands for Data Protection API, and is a simple cryptographic application programming interface available as a built-in component of Windows 2000 and later Microsoft Windows operating systems.
In theory, the Data Protection API can symmetrically encrypt any type of data. In practice, it is mainly used in the Windows operating system for symmetric encryption of asymmetric private keys.

DPAPI does not store persistent data. It just takes plain text and returns it encrypted (or vice versa). The security of DPAPI depends on the ability of the Windows operating system to protect the master key and RSA private keys from attacks. This is highly dependent on the security of the end user's credentials in most attack scenarios. The master key for encryption and decryption is derived from the user's password using the PBKDF2 function.
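The following PowerShell snippet is an added example, not code from the original post or from any of the tools it mentions. It uses the .NET ProtectedData wrapper (which calls CryptProtectData and CryptUnprotectData underneath) on a constructed sample secret to show the two properties the text describes: a blob protected in CurrentUser scope without optional entropy is decryptable by any code running as that user, while a blob protected with optional entropy is refused unless the caller supplies the same entropy. It also checks the well-known DPAPI provider GUID that every blob carries in its header, which is a quick way to recognise DPAPI-protected values during triage. The sample secret and entropy strings are assumptions; nothing is read from the Outlook registry.

```powershell
# Added example (not from the original post): DPAPI round trip through the .NET
# ProtectedData wrapper around CryptProtectData / CryptUnprotectData.
# Run on Windows (Windows PowerShell 5.1 or PowerShell 7).
Add-Type -AssemblyName System.Security

$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

# Constructed sample values; the secret is not a real credential.
$secret  = [System.Text.Encoding]::UTF8.GetBytes('sample-imap-password-not-real')
$entropy = [System.Text.Encoding]::UTF8.GetBytes('application-specific-entropy')

# 1. Protect with no optional entropy. This is how a stored credential blob
#    is typically created: any process running as the same user can call
#    Unprotect and get the plaintext back, no password prompt involved.
$blobNoEntropy = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)
$roundTrip     = [System.Security.Cryptography.ProtectedData]::Unprotect($blobNoEntropy, $null, $scope)
"No entropy, same user: " + [System.Text.Encoding]::UTF8.GetString($roundTrip)

# 2. Protect with optional entropy. A caller in the same user context that
#    does not know the entropy value is refused with a CryptographicException.
$blobEntropy = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)
try {
    [void][System.Security.Cryptography.ProtectedData]::Unprotect($blobEntropy, $null, $scope)
    "With entropy, entropy omitted: unexpectedly decrypted"
} catch [System.Security.Cryptography.CryptographicException] {
    "With entropy, entropy omitted: decryption refused (" + $_.Exception.Message + ")"
}
$withEntropy = [System.Security.Cryptography.ProtectedData]::Unprotect($blobEntropy, $entropy, $scope)
"With entropy, correct entropy: " + [System.Text.Encoding]::UTF8.GetString($withEntropy)

# 3. Recognising a DPAPI blob: after a 4-byte version field, every blob carries
#    the DPAPI provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb. Checking for
#    it is a cheap way to spot DPAPI-protected values in registry data or files.
$providerGuid = [guid]'df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
$blobGuid     = [guid]::new([byte[]]($blobNoEntropy[4..19]))
"Blob carries the DPAPI provider GUID: " + ($blobGuid -eq $providerGuid)
```

The practical takeaway is the first case: DPAPI in user scope binds a blob to the user's logon credentials, not to the application that created it, so protecting stored credentials this way keeps them from other users and from offline copies of the registry, but not from malware or scripts running in the same user session. Optional entropy only raises the bar if the entropy itself is not stored next to the blob.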

Microsoft has published documentation on DPAPI, and the book Threat Hunter gives more details.

If you are interested, the tool DataProtectionDecryptor by Nirsoft uses DPAPI to decrypt passwords.

Written by giorgos
