dpapi::chrome - bug in parsing "Local State" file

[yaronsamuel]

as part of the execution of dpapi::chrome I got the following error

mimikatz # dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect

URL     : https://one.co.il/ ( https://one.com/ )
Username: johnny1
ERROR kuhl_m_dpapi_chrome_decrypt ; No Alg and/or Key handle despite AES encryption

Looking at mimikatz's code I understand that if no further arguments are provided, mimikatz tries to parse the "Local State" file using kuhl_m_dpapi_chrome_alg_key_from_auto . The function later on calls kuhl_m_dpapi_chrome_alg_key_from_file which attempts to get the encrypted key by parsing Local State:

if(begin = wcsstr(uData, L"\"os_crypt\":{\"encrypted_key\":\""))

The function assumes that encrypted_key will be the first key under os_crypt. This assumption got broken in recent chrome versions (mine is 131). In recent chrome versions there are several other keys before encrypted_key.

The solution will be to properly parse the json, or perform wcsstr(uData, L"\"encrypted_key\":\"")).

In my own environment, if I manually fixed Local State then dpapi::chrome worked like a charm.

[mreouven]

The error message ERROR kuhl_m_dpapi_chrome_decrypt ; No Alg and/or Key handle despite AES encryption indicates that Mimikatz is unable to locate the necessary decryption key or algorithm to decrypt Chrome’s data. This issue often arises when Mimikatz is run under the SYSTEM account, which lacks access to the user’s DPAPI keys.

Potential Solutions:
1. Run Mimikatz as the Target User: Execute Mimikatz in the context of the user whose Chrome data you’re attempting to decrypt. This ensures access to the appropriate DPAPI keys. You can use tools like runas to achieve this.
2. Provide the User’s Master Key Manually: If running as the target user isn’t feasible, you can extract the user’s master key and supply it to Mimikatz. First, retrieve the master key using the sekurlsa::dpapi command:

sekurlsa::dpapi

Identify the relevant master key from the output. Then, execute the dpapi::chrome command with the /masterkey parameter:

dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /masterkey:{retrieved_master_key}

Replace {retrieved_master_key} with the actual master key obtained earlier.

3.	Ensure Correct File Paths: Verify that the file paths provided to Mimikatz are accurate and accessible. Incorrect paths can lead to errors during decryption.

For more detailed guidance, refer to the article on reading DPAPI encrypted keys with Mimikatz. 

Additionally, be aware that changes in Chrome’s handling of encrypted keys may affect Mimikatz’s ability to parse them. Ensure you’re using the latest version of Mimikatz, as updates may address compatibility issues with newer Chrome versions.

[yaronsamuel]

Hey,
none of the above helped, I already read them online.
The issue is appernt in the source code of mimikatz.