Outlook password decryption via DPAPI

Those who believe that the passwords Outlook stores for accessing IMAP accounts are safe should think again. Microsoft's developers keep the passwords for Outlook IMAP accounts in the registry.

The passwords are indeed encrypted with DPAPI, but on the same system they can be decrypted with a single API call. This is the approach the tools mentioned at the end of the post use to recover the password.

Yes, IMAP passwords exist in the Outlook registry in DPAPI-encrypted form.

For example, the key is:

HKLM\Software\Microsoft\\16.0\Outlook\Profiles\Outlook\9898CFF0885468d3B88A99567B2A6676

A single call to the CryptUnprotectData() API is enough to decrypt the value read from the registry.

Wait, it gets even more interesting:

The cache of the full Teams desktop client also stores passwords unencrypted in its browser cache. The same is true for the Teams web client, which stores conversations unencrypted in the browser cache.

What we know about DPAPI

The acronym DPAPI stands for Data Protection API, and is a simple cryptographic application programming interface available as a built-in component of Windows 2000 and later Microsoft Windows operating systems.
In theory, the Data Protection API can symmetrically encrypt any type of data. In practice, it is mainly used in the Windows operating system for symmetric encryption of asymmetric private keys.

DPAPI does not store persistent data. It simply takes plaintext and returns it encrypted (or vice versa). The security of DPAPI depends on the ability of the Windows operating system to protect the master key and the RSA private keys from attack, which in most attack scenarios comes down to the security of the end user's credentials. The master key used for encryption and decryption is derived from the user's password with the PBKDF2 function.
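The registry value described above and the DPAPI overview in this section both come down to the same object: a DPAPI blob, the byte string that CryptProtectData() produces and CryptUnprotectData() consumes. The following example is added here and is not code from the original post or from any of the tools it mentions. It parses the public DPAPI blob header layout (version, provider GUID, master key GUID, description, algorithm ids, salt, ciphertext, HMAC) so that a defender can inventory where DPAPI-protected secrets live and which user master key each one is bound to, without decrypting anything. The field order follows the DPAPI_BLOB structure as documented by open-source DPAPI forensic parsers (an assumption about that layout, not something the post states); the sample value, its leading two bytes and the master key GUID are constructed for the example and are not real Outlook data.

```python
from __future__ import annotations

import struct
import uuid
from dataclasses import dataclass

# Every DPAPI blob starts with dwVersion = 1 followed by the DPAPI provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}, both stored little-endian. This
# 20-byte prefix is the signature that identifies a DPAPI-protected value.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
DPAPI_SIGNATURE = struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le

# CryptoAPI ALG_ID values DPAPI commonly uses (wincrypt.h).
ALG_NAMES = {0x6603: "3DES", 0x6610: "AES-256", 0x8004: "SHA-1", 0x800E: "SHA-512"}


@dataclass
class DpapiBlobInfo:
    offset: int                 # where the blob starts inside the scanned value
    master_key_guid: uuid.UUID  # master key file this blob was sealed under
    flags: int
    description: str
    cipher: str
    hash_alg: str
    ciphertext_len: int
    total_len: int


class _Reader:
    """Sequential little-endian reader with bounds checking."""

    def __init__(self, data: bytes, pos: int = 0):
        self.data, self.pos = data, pos

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated DPAPI blob")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack("<I", self.take(4))[0]

    def guid(self) -> uuid.UUID:
        return uuid.UUID(bytes_le=self.take(16))


def parse_dpapi_blob(data: bytes, offset: int = 0) -> DpapiBlobInfo:
    """Parse the header fields of one DPAPI blob starting at `offset`."""
    r = _Reader(data, offset)
    if r.take(len(DPAPI_SIGNATURE)) != DPAPI_SIGNATURE:
        raise ValueError("not a DPAPI blob (bad version/provider GUID)")
    if r.u32() != 1:                         # dwMasterKeyVersion
        raise ValueError("unexpected master key version")
    master_key = r.guid()                    # guidMasterKey
    flags = r.u32()                          # dwFlags
    description = r.take(r.u32()).decode("utf-16-le").rstrip("\x00")
    alg_crypt, _crypt_bits = r.u32(), r.u32()   # algCrypt, dwAlgCryptLen
    r.take(r.u32())                          # pbSalt
    r.take(r.u32())                          # pbHmacKey (strong-salt key)
    alg_hash, _hash_bits = r.u32(), r.u32()  # algHash, dwAlgHashLen
    r.take(r.u32())                          # pbHmac2Key
    data_len = r.u32()
    r.take(data_len)                         # pbData (the ciphertext)
    r.take(r.u32())                          # pbSign (HMAC over the blob)
    return DpapiBlobInfo(offset, master_key, flags, description,
                         ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
                         ALG_NAMES.get(alg_hash, hex(alg_hash)),
                         data_len, r.pos - offset)


def find_dpapi_blobs(value: bytes) -> list[DpapiBlobInfo]:
    """Scan a registry value (or any byte string) for embedded DPAPI blobs.

    Scanning for the signature instead of assuming offset 0 copes with
    application-specific bytes placed in front of the blob.
    """
    found, start = [], 0
    while (idx := value.find(DPAPI_SIGNATURE, start)) != -1:
        try:
            info = parse_dpapi_blob(value, idx)
            found.append(info)
            start = idx + info.total_len
        except ValueError:
            start = idx + 1
    return found


def build_sample_blob(master_key: uuid.UUID, description: str, ciphertext: bytes) -> bytes:
    """Build a syntactically valid blob for testing. Constructed for this
    example: the salt, ciphertext and HMAC bytes are arbitrary, not output of
    a real CryptProtectData() call."""
    def lv(b: bytes) -> bytes:               # length-prefixed field
        return struct.pack("<I", len(b)) + b
    desc = description.encode("utf-16-le") + b"\x00\x00"
    return (DPAPI_SIGNATURE + struct.pack("<I", 1) + master_key.bytes_le
            + struct.pack("<I", 0) + lv(desc)
            + struct.pack("<II", 0x6610, 256) + lv(b"\x11" * 32) + lv(b"")
            + struct.pack("<II", 0x800E, 512) + lv(b"")
            + lv(ciphertext) + lv(b"\x22" * 64))


# Constructed sample: an arbitrary two-byte prefix followed by one blob.
SAMPLE_MASTER_KEY = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")  # constructed
SAMPLE_VALUE = b"\x02\x00" + build_sample_blob(SAMPLE_MASTER_KEY, "sample", b"\xaa" * 16)

if __name__ == "__main__":
    for b in find_dpapi_blobs(SAMPLE_VALUE):
        print(f"DPAPI blob at +{b.offset}: master key {b.master_key_guid}, "
              f"{b.cipher}/{b.hash_alg}, {b.ciphertext_len} ciphertext bytes, "
              f"description {b.description!r}")
```

Fed the raw bytes of a REG_BINARY value, the scanner reports whether a DPAPI blob is present and the GUID of the master key it is sealed under; that GUID names the file under the user's Protect directory, which is the real dependency the post describes when it says decryption only needs an API call in the right user context. Only the header is interpreted; the ciphertext is left untouched.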

Microsoft has a publication on DPAPI, and the book Threat hunters gives more details.

If you are interested, Nirsoft's DataProtectionDecryptor tool uses DPAPI to decrypt passwords.

iGuRu.gr, The Best Technology Site in Greece


Written by giorgos
