
dpapi::chrome - bug in parsing "Local State" file #459

Open
yaronsamuel opened this issue Jan 9, 2025 · 2 comments

Comments

@yaronsamuel

yaronsamuel commented Jan 9, 2025

As part of the execution of dpapi::chrome I got the following error:

mimikatz # dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect

URL     : https://one.co.il/ ( https://one.com/ )
Username: johnny1
ERROR kuhl_m_dpapi_chrome_decrypt ; No Alg and/or Key handle despite AES encryption

Looking at mimikatz's code I understand that if no further arguments are provided, mimikatz tries to parse the "Local State" file using kuhl_m_dpapi_chrome_alg_key_from_auto . The function later on calls kuhl_m_dpapi_chrome_alg_key_from_file which attempts to get the encrypted key by parsing Local State:

if(begin = wcsstr(uData, L"\"os_crypt\":{\"encrypted_key\":\""))

The function assumes that encrypted_key will be the first key under os_crypt. This assumption got broken in recent chrome versions (mine is 131). In recent chrome versions there are several other keys before encrypted_key.

The solution will be to properly parse the JSON, or perform wcsstr(uData, L"\"encrypted_key\":\"").

In my own environment, if I manually fixed Local State then dpapi::chrome worked like a charm.
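The failure mode described in this report, reproduced on constructed input as an added example (this is not mimikatz code; it is written in Python rather than C so the three lookup strategies can be compared side by side). The three "Local State" documents, the placeholder base64 strings and the extra key names are all made up for the illustration; only the `"os_crypt":{"encrypted_key":"` prefix is taken from the quoted source line.

```python
import json
from typing import Optional

# All three documents below are constructed for this example; the base64
# strings are placeholders, not real keys, and the extra key names are made up.

# Older layout: encrypted_key is the first key inside os_crypt.
OLD_LAYOUT = json.dumps(
    {"os_crypt": {"encrypted_key": "UExBQ0VIT0xERVJfT0xE"}},
    separators=(",", ":"),
)

# Newer layout described in the issue: other keys precede encrypted_key.
NEW_LAYOUT = json.dumps(
    {
        "os_crypt": {
            "other_setting_a": True,
            "other_setting_b": "PLACEHOLDER",
            "encrypted_key": "UExBQ0VIT0xERVJfTkVX",
        },
        "profile": {"last_used": "Default"},
    },
    separators=(",", ":"),
)

# Constructed edge case: an unrelated object that also carries an
# encrypted_key field appears before os_crypt in the file.
DECOY_LAYOUT = json.dumps(
    {
        "unrelated": {"encrypted_key": "REVDT1k="},
        "os_crypt": {"other_setting_a": True, "encrypted_key": "UkVBTA=="},
    },
    separators=(",", ":"),
)


def _after_prefix(data: str, prefix: str) -> Optional[str]:
    """Return the quoted string value that follows `prefix`, or None if absent."""
    start = data.find(prefix)
    if start == -1:
        return None
    start += len(prefix)
    end = data.find('"', start)
    return data[start:end] if end != -1 else None


def strict_substring_lookup(data: str) -> Optional[str]:
    """The wcsstr pattern quoted in the issue: os_crypt must begin with encrypted_key."""
    return _after_prefix(data, '"os_crypt":{"encrypted_key":"')


def loose_substring_lookup(data: str) -> Optional[str]:
    """The issue's second suggestion: match encrypted_key anywhere in the file."""
    return _after_prefix(data, '"encrypted_key":"')


def json_lookup(data: str) -> Optional[str]:
    """The issue's first suggestion: parse the JSON and walk to os_crypt.encrypted_key."""
    try:
        doc = json.loads(data)
    except json.JSONDecodeError:
        return None
    os_crypt = doc.get("os_crypt")
    if not isinstance(os_crypt, dict):
        return None
    value = os_crypt.get("encrypted_key")
    return value if isinstance(value, str) else None


def compare(data: str) -> dict:
    """Run all three strategies on one document so their differences are visible."""
    return {
        "strict_substring": strict_substring_lookup(data),
        "loose_substring": loose_substring_lookup(data),
        "json": json_lookup(data),
    }


if __name__ == "__main__":
    for name, doc in (("old", OLD_LAYOUT), ("new", NEW_LAYOUT), ("decoy", DECOY_LAYOUT)):
        print(name, compare(doc))
```

On the old layout all three strategies agree. On the new layout the strict prefix match returns nothing, which is the error path in the report, while both the loose match and the JSON walk find the value. The decoy document shows why the JSON walk is the more robust of the two fixes: a bare `"encrypted_key":"` search returns the first occurrence anywhere in the file, whereas parsing the document and reading `os_crypt.encrypted_key` is independent of both key order and where else that field name appears.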

@mreouven

mreouven commented Jan 9, 2025

The error message ERROR kuhl_m_dpapi_chrome_decrypt ; No Alg and/or Key handle despite AES encryption indicates that Mimikatz is unable to locate the necessary decryption key or algorithm to decrypt Chrome’s data. This issue often arises when Mimikatz is run under the SYSTEM account, which lacks access to the user’s DPAPI keys.

Potential Solutions:
1. Run Mimikatz as the Target User: Execute Mimikatz in the context of the user whose Chrome data you’re attempting to decrypt. This ensures access to the appropriate DPAPI keys. You can use tools like runas to achieve this.
2. Provide the User’s Master Key Manually: If running as the target user isn’t feasible, you can extract the user’s master key and supply it to Mimikatz. First, retrieve the master key using the sekurlsa::dpapi command:

sekurlsa::dpapi

Identify the relevant master key from the output. Then, execute the dpapi::chrome command with the /masterkey parameter:

dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /masterkey:{retrieved_master_key}

Replace {retrieved_master_key} with the actual master key obtained earlier.

3. Ensure Correct File Paths: Verify that the file paths provided to Mimikatz are accurate and accessible. Incorrect paths can lead to errors during decryption.

For more detailed guidance, refer to the article on reading DPAPI encrypted keys with Mimikatz.

Additionally, be aware that changes in Chrome’s handling of encrypted keys may affect Mimikatz’s ability to parse them. Ensure you’re using the latest version of Mimikatz, as updates may address compatibility issues with newer Chrome versions.

@yaronsamuel
Author

Hey,
none of the above helped, I already read them online.
The issue is apparent in the source code of mimikatz.
