powershell dpapi decrypt internet explorer registry blobs (intelliforms/storage2) RRS feed

  • Question

  • Internet Explorer (>7 ?) store usernames and passwords (login forms only, I believe) in the registry at HKCU:\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

    the key is the hashed (& checksummed) url of the login form, the value is a DPAPI blob.

    So far, so good.

    However, the following code gets, but then fails to decode the registry content:

    $url = "https://www.facebook.com/"
    $enc = [system.Text.Encoding]::UTF8
    $entropy= $enc.GetBytes($url)
    # XXX this works $bytes = "changeit".ToCharArray() | % {[byte] $_}
    $url16 = [System.Text.Encoding]::GetEncoding("UTF-16").GetBytes($url + "`0")
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $hash = $sha1.ComputeHash($url16)
    $hs = "" ; $cs = 0
    $THEHASH = $($hash | %{ $hs += $_.ToString("x2") ; $cs += $_ } 
    ($hs + ($cs % 256).ToString("x2")).ToUpper())
    # print the hash to know we are looking at the right key
    Write-Host "$THEHASH" -ForegroundColor Blue
    $encryptedBytes = $(Get-ItemProperty -PATH "HKCU:\Software\Microsoft\Internet Explorer\IntelliForms\Storage2" -Name $THEHASH | Select-Object -ExpandProperty $THEHASH)
    ### XXX this works# Encrypt the byte array.#$encryptedBytes = [System.Security.Cryptography.ProtectedData]::Protect(#        $bytes,#        $entropy,#        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)### 
    Write-Host "Encrypted Data" -ForegroundColor Cyan
    Write-Host ([string] $encryptedBytes) -ForegroundColor DarkGreen
    # Unencrypt the data.
    $bytes2 = [System.Security.Cryptography.ProtectedData]::Unprotect(
    $bytes2 | % { $clearText += [char] $_}
    Write-Host "Decrypted Data" -ForegroundColor Cyan
    Write-Host ($clearText) -ForegroundColor Red

    The included tests work, but if I use the blob in the registry, it just errors out with:

    PS C:\Users\Administrator\Desktop\pv> .\anothertest.ps1
    Encrypted Data
    1 0 0 0 208 [ETC]
    Exception calling "Unprotect" with "3" argument(s): "The data is invalid.
    At C:\Users\Administrator\Desktop\pv\nogeentest.ps1:21 char:66
    + $bytes2 = [System.Security.Cryptography.ProtectedData]::Unprotect <<<< (
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : DotNetMethodException
    Decrypted Data

    I have been googling and trialing for days. The above is based on:

    http://andyarismendi.blogspot.nl/2011/09/powershell-quick-easy.html and http://aidemoire.blogspot.nl/2013/09/how-to-calculate-hash-value-of-url-for.html

    Can somebody point me in the right direction? I have no idea at this point. I must be missing something obvious (although DPAPI is far from obvious, I have to say). The next step would be to start digging around in IE password decryption tools, which should be total overkill for such a basic and common DAPI call. 

    Any help or pointer is much appreciated.

    PS: I initally posted this in the wrong forum, so I'm hope this one I was pointed to fits better. @Mods, please feel free to remove my post @ https://social.msdn.microsoft.com/Forums/en-US/37f34860-34c5-4da9-a40e-4f74e3992ccc/powershell-dpapi-decrypt-internet-explorer-registry-blobs-intelliformsstorage2?forum=os_windowsprotocols. PPS: The sites and suggestions of that thread did not help me further, because I'm already using the standard DPAPI calls discussed there.

    Thursday, February 11, 2016 7:25 PM