From 005dee76e9a5632c0a3050161e4715bf96a31bba Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Fri, 28 Mar 2025 16:51:40 +0100 Subject: [PATCH] more --- .../gcpw-google-credential-provider-for-windows.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md index 6a175c62e..96c2fbff6 100644 --- a/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md +++ b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md @@ -929,8 +929,9 @@ decrypt_password(access_token, lsa_secret) It's possible to find the key components of this in the Chromium source code: -- API domain: [https://github.com/search?q=repo%3Achromium%2Fchromium%20%22devicepasswordescrowforwindows-pa%22\&type=code](https://github.com/search?q=repo%3Achromium%2Fchromium%20%22devicepasswordescrowforwindows-pa%22&type=code) -- API endpoint: [https://github.com/chromium/chromium/blob/21ab65accce03fd01050a096f536ca14c6040454/chrome/credential_provider/gaiacp/password_recovery_manager.cc#L70](https://github.com/chromium/chromium/blob/21ab65accce03fd01050a096f536ca14c6040454/chrome/credential_provider/gaiacp/password_recovery_manager.cc#L70) +- API domain: [kDefaultEscrowServiceServerUrl[] = L"https://devicepasswordescrowforwindows-pa.googleapis.com";](https://github.com/chromium/chromium/blob/a66c3ddadf5699b5493c3bce9498e53b249d5ba3/chrome/credential_provider/gaiacp/mdm_utils.cc#L78) +- API endpoint: [kEscrowServiceGenerateKeyPairPath](https://github.com/chromium/chromium/blob/21ab65accce03fd01050a096f536ca14c6040454/chrome/credential_provider/gaiacp/password_recovery_manager.cc#L70) +- Inside the [password_recovery_manager.cc](https://github.com/chromium/chromium/blob/c4920cc4fcae6defb75dc08a3b774a9bc3172c47/chrome/credential_provider/gaiacp/password_recovery_manager.cc) it's possible to see how the API endpoint is used to get a **public key to encrypt the password and the private key to decrypt** it in the needed methods and also how the encrypted password is **stored and retreived from the LSASS process**. ## GCPW - Recovering locally stored password hash?