Weak credentials encryption at rest with DPAPI: NordVPN case study
TL;DR

The Windows client of NordVPN uses DPAPI (Data Protection API) to save customers' login credentials with minimal effort. For developers this is a sensible choice: it avoids the usual pitfalls of rolling your own cryptography and key management. The flip side is that DPAPI in its simplest form only ties the secret to the Windows user account, so anyone running code in that user's context can recover the password in plain text. The goal of this article is to walk through how easy it is to dump the VPN credentials in a post-exploitation scenario with the help of the mighty Mimikatz.

Analyzing the encryption and decryption routines of NordVPN

A few days ago I was playing with what I already consider to be the best .NET debugger, dnSpy, and the first application I happened to open was the NordVPN client v6.23.11.0. After a quick code review I decided to focus on the login routine that auto-connects the VPN at startup. This routine is delegated to a third-party DLL, 'Liberation.OS', which is also written in .NET. Have a look for the documen
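The storage pattern summarized in the TL;DR, as an added example written for this page rather than code taken from NordVPN or Liberation.OS: a .NET application calls DPAPI in CurrentUser scope to store a credential, and a separate process running as the same user reads it back without knowing anything about the application. The file path and the secret are constructed sample values, and the script targets Windows PowerShell 5.1 (where System.Security must be loaded explicitly); the Test-DpapiBlob helper is my own triage check, not something the client ships.

```powershell
# Added example, not code from NordVPN or Liberation.OS. It mimics the pattern the
# article describes: a .NET application protecting a credential with DPAPI in
# CurrentUser scope, then a separate process in the same user context reading it back.
Add-Type -AssemblyName System.Security

# Hypothetical storage location; the real client's path is not part of this example.
$CredentialFile = Join-Path $env:TEMP 'vpn-credential.bin'

function Save-DpapiCredential {
    # What the application does when the user ticks "remember me".
    param([string]$Path, [string]$Secret)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    # No application-specific key is involved: the DPAPI master key derived from the
    # user's logon secret is the only thing protecting this blob. Passing $null as
    # entropy is the weakest form; hardcoded entropy would not help either, since an
    # attacker reads it straight out of the DLL.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        $plain, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [System.IO.File]::WriteAllBytes($Path, $blob)
    [Array]::Clear($plain, 0, $plain.Length)
}

function Test-DpapiBlob {
    # A DPAPI blob starts with version 1 followed by the well-known provider GUID
    # {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian field order, which makes
    # such blobs easy to spot in config files or registry values during triage.
    param([byte[]]$Bytes)
    $magic = [byte[]](0x01,0x00,0x00,0x00,
                      0xD0,0x8C,0x9D,0xDF,0x01,0x15,0xD1,0x11,
                      0x8C,0x7A,0x00,0xC0,0x4F,0xC2,0x97,0xEB)
    if ($Bytes.Length -lt $magic.Length) { return $false }
    for ($i = 0; $i -lt $magic.Length; $i++) {
        if ($Bytes[$i] -ne $magic[$i]) { return $false }
    }
    return $true
}

function Get-DpapiCredential {
    # Any code running as the same user (a dropped script, a macro, an attacker's
    # shell) can call Unprotect; DPAPI checks the caller's logon session, not which
    # application created the blob.
    param([string]$Path)
    $blob = [System.IO.File]::ReadAllBytes($Path)
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $blob, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# --- Demo: the client saves the credential, then "someone else" recovers it ---
Save-DpapiCredential -Path $CredentialFile -Secret 'Hunter2-example'   # constructed secret

$stored = [System.IO.File]::ReadAllBytes($CredentialFile)
'Looks like a DPAPI blob: {0}' -f (Test-DpapiBlob $stored)
'Recovered credential:     {0}' -f (Get-DpapiCredential $CredentialFile)

Remove-Item $CredentialFile
```

Run it in an ordinary user session and the second call recovers the exact string the first one stored, which is the whole point of the TL;DR: the blob is as safe as the user's logon, and no safer. Offline, the same blob can be decrypted with the user's DPAPI master key (which is what the Mimikatz walk-through later in the article relies on), so moving the file or obfuscating its location buys nothing. The only real mitigation is to not store a reusable long-term password at all, for example by storing a revocable token instead.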