How the CREDHIST Extraction Works
The open-source DPAPISnoop tool has been updated to extract CREDHIST entries from Windows systems, enabling offline cracking of historical user passwords. Microsoft's Data Protection API (DPAPI) protects sensitive data such as browser credentials and encryption keys. When a user changes their password, Windows maintains a credential history file (CREDHIST) under %APPDATA%\Microsoft\Protect, which stores keys derived from the user's previous passwords so that data encrypted under older passwords remains accessible.
Security consultant Lefteris Panos of the LRQA Red Team enhanced DPAPISnoop to parse these CREDHIST files and convert their entries into crackable hash formats. The tool outputs hashes with a "$credhist$" prefix that work directly with Hashcat, which supports two new cracking modes for them: mode 15920 for 3DES with HMAC-SHA1 entries, and mode 15930 for AES-256 with SHA-512 entries.
Impact and Iterative Recovery Process
Once extracted, these hashes can be cracked offline using GPU-based tools such as Hashcat. If an attacker recovers the password from one CREDHIST entry, they can feed it back into DPAPISnoop to decrypt further entries in the chain. Repeating this step lets them reconstruct a user's complete password history over time.
Notably, older CREDHIST entries often use weaker cryptographic schemes, such as SHA1-based PBKDF2 with 3DES, which makes them significantly easier to crack than entries protected by the modern AES-256/SHA-512 scheme. This tool gives red teams and security researchers deeper insight into historical password patterns while highlighting an often-overlooked Windows credential artifact.
Source: Cyber Security News