DPAPISnoop Enhances Windows Credential Recovery with CREDHIST Extraction

The open-source tool DPAPISnoop has been updated to extract CREDHIST entries, enabling offline cracking of historical Windows credentials and providing deeper insights into password patterns.

Microsoft’s Data Protection API (DPAPI) is widely used to protect sensitive user data, such as browser credentials, encryption keys, and stored secrets. Traditionally, attackers and red teamers focus on recovering DPAPI Master Keys to decrypt protected data. However, another lesser-explored artifact, CREDHIST, plays a critical role in DPAPI’s design.

Understanding CREDHIST and Its Significance

When a user changes their password, Windows keeps a chain of keys derived from the previous passwords so that older DPAPI-encrypted data remains accessible. This credential history is stored in the CREDHIST file under %APPDATA%\Microsoft\Protect. Each entry in the file represents a previous password, encrypted using key material derived from that password, and the entries form a sequential chain.

The updated DPAPISnoop tool can parse CREDHIST files and convert entries into offline-crackable hash formats. These hashes, identified by the “$credhist$” prefix, can be used directly with Hashcat. To support this, researchers introduced two new Hashcat modes:

  • 15920 for CREDHIST entries using 3DES with HMAC-SHA1.
  • 15930 for entries using AES-256 with SHA-512.

This allows attackers or testers to brute-force historical password entries independently, without needing to decrypt the entire DPAPI key upfront.

Implications for Security

Once hashes are extracted, they can be cracked offline using GPU-based tools like Hashcat. If a password is recovered, it can be fed back into DPAPISnoop to decrypt additional entries in the chain. For example, cracking a mid-chain CREDHIST entry reveals the SHA1 or NTLM hash of an older password, which can then be used to unlock further entries. This iterative process allows reconstruction of a user’s password history.

Notably, older entries often use weaker cryptographic schemes, such as SHA1-based PBKDF2 with 3DES, making them significantly easier to crack than modern SHA-512 implementations with higher iteration counts. While this behavior is not a vulnerability, it highlights how legitimate Windows features can be leveraged to obtain credentials when attackers gain filesystem access.

The ability to recover historical passwords provides valuable intelligence, including:

  • Identification of password reuse patterns.
  • Insight into password complexity trends.
  • Potential reuse across enterprise systems.

This can significantly accelerate lateral movement and privilege escalation in real-world attacks.

Detection and Mitigation

Defenders should monitor for abnormal access to DPAPI-related paths, particularly %APPDATA%\Microsoft\Protect, which holds both the master key files and CREDHIST. File-system auditing on that folder, with alerting on reads by processes other than the DPAPI subsystem itself, can surface unauthorized access attempts early enough to respond before extracted hashes are cracked.
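The following PowerShell script is an added example, not part of the article or of DPAPISnoop: it places a read-audit SACL on the user's Protect folder and then hunts the Security log for 4663 events where a process other than lsass.exe (the component that legitimately walks the credential history; treating it as the only expected reader is an assumption) touched CREDHIST. It assumes an elevated session and that the "Object Access > File System" audit subcategory is enabled.

```powershell
# Added example (not from DPAPISnoop or the article): audit and hunt for reads of
# the DPAPI CREDHIST file under %APPDATA%\Microsoft\Protect for one user profile.
# Assumes: run as Administrator, "Object Access > File System" auditing enabled
# (auditpol /set /subcategory:"File System" /success:enable /failure:enable),
# and that lsass.exe is the only process expected to touch CREDHIST (heuristic).
param(
    [string]$ProfilePath = $env:USERPROFILE,   # profile to protect; change for other users
    [int]$LookbackHours  = 24
)

$protectDir = Join-Path $ProfilePath 'AppData\Roaming\Microsoft\Protect'

# 1. Add a SACL entry so every successful read of anything under Protect\
#    (master key files and CREDHIST) is logged to the Security log as event 4663.
$acl  = Get-Acl -Path $protectDir -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $protectDir -AclObject $acl

# 2. Pull 4663 (object accessed) events from the lookback window and keep only
#    those whose object is CREDHIST and whose accessing process is not lsass.exe.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    if ($d['ObjectName'] -like '*\Microsoft\Protect\CREDHIST' -and
        $d['ProcessName'] -notlike '*\lsass.exe') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Process = $d['ProcessName']
            Object  = $d['ObjectName']
        }
    }
}

# Each remaining row is a candidate CREDHIST read by an unexpected process.
$hits | Sort-Object Time | Format-Table -AutoSize
```

Reads of the neighbouring master key files by the same unexpected process are a stronger signal still, since DPAPISnoop-style tooling needs both; widen the `-like` filter to the whole folder to catch them.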

The enhancement of DPAPISnoop to extract CREDHIST entries underscores the importance of understanding and securing all aspects of credential management within Windows environments. Organizations should review their password policies, ensure the use of strong, unique passwords, and educate users on the risks of password reuse to bolster their defenses against such advanced credential recovery techniques.