Failed to find username field and encrypted password blob #15

Open
dudeman123 opened this issue Feb 8, 2023 · 9 comments

dudeman123 commented Feb 8, 2023

Hello,

I have been working at this for hours, but I have no idea whatsoever about how to get this working. Similar to the issue @simon-baer had (which has no answers at this time), the program refuses to work. After trying to use PsExec, it kept on failing to run PowerShell with SYSTEM privileges, so I turned to using AdvancedRun, which worked.

However, when I followed the guide here https://gist.github.com/sleeyax/e8684c60c9e0b771d96195e0b4d4c8c0 (which was very helpful in explaining), after I ran the command with SYSTEM privileges, PowerShell threw this error at me:

OS: Windows 10 21H2

{***-***-***-***-***}
Extracted stage1 for {***-***-***-***-***}
-1
Failed to find username field!
Failed to find an encrypted password blob :/
Found the following:
Domain:
Username:
Password:

I tried looking at the two files within 'profiles', but there was nothing which I was able to see. If you would like me to, I could send you the encrypted files.

Anyways, please help me to resolve this issue.

Best regards,
dudeman

@ash47
Owner

ash47 commented Feb 8, 2023 via email

@dudeman123
Author

Alright, got it. I'll look for other solutions, but let me know if you decide to come out with any updates! Thanks :)

@ash47
Owner

ash47 commented Feb 8, 2023 via email

@dudeman123
Author

Got it, I think I'll check that out tomorrow

@mluug

mluug commented Feb 5, 2024

Any insights on such issue? I’m on Windows 11 (22631).

Much appreciated,
Jason

@ash47
Owner

ash47 commented Feb 6, 2024 via email

@mluug

mluug commented Feb 6, 2024

The format of the binary data changes between Windows versions, and even updates sometimes, you can look at the hex it dumps out and figure out where the username and password are stored now, it should be pretty obvious, as most of it will not be visible/will be noise in a hex editor. I have no incentive to update this.


I see. With a little experiment I found out that MSMUserData, in this case the stage1 file, ProtectedData.Unprotect(<MSMUserData in byte[]>, null, DataProtectionScope.LocalMachine) is no longer able to be decrypted using the given arguments. Maybe Windows changed here to require additional authorization. I am not sure.

@Walkman100

@ash47 For what it's worth, I also followed the instructions at https://gist.github.com/sleeyax/e8684c60c9e0b771d96195e0b4d4c8c0 and it worked. Maybe Win10 22H2 19045.4239 is still using the old format that this tool works for? Also, op could be authenticated with a certificate, I knew already that my credentials were username+password and no certificate.

@mluug

mluug commented Apr 10, 2024

The format of the binary data changes between Windows versions, and even updates sometimes, you can look at the hex it dumps out and figure out where the username and password are stored now, it should be pretty obvious, as most of it will not be visible/will be noise in a hex editor. I have no incentive to update this.


I see. With a little experiment I found out that MSMUserData, in this case the stage1 file, ProtectedData.Unprotect(<MSMUserData in byte[]>, null, DataProtectionScope.LocalMachine) is no longer able to be decrypted using the given arguments. Maybe Windows changed here to require additional authorization. I am not sure.

Update on this: About a month ago I discovered that I was authenticated by an EAP-TLS certificate instead of a combination of username+password. I am stupid. Using some tools, I was able to extract the certificate marked non-exportable using certlm.msc.
