The open-source DPAPISnoop tool has been enhanced to extract CREDHIST entries, enabling offline cracking of historical Windows credentials and deeper insight into password patterns.
Lefteris Panos, Security Consultant at LRQA Red Team, said the update adds CREDHIST extraction capabilities to DPAPISnoop, enabling the recovery and analysis of historical Windows credentials alongside DPAPI Master Key hashes.
Microsoft’s Data Protection API (DPAPI) is widely used to protect sensitive user data such as browser credentials, encryption keys, and stored secrets.
Traditionally, attackers and red teamers focus on recovering DPAPI Master Keys, which allow the decryption of protected data. However, another lesser-explored artifact, CREDHIST, plays a critical role in DPAPI’s design.
When a user changes their password, Windows maintains a chain of previous password-derived keys to ensure older encrypted data remains accessible.
This credential history is stored in the CREDHIST file located under: %APPDATA%MicrosoftProtect.
Each entry in the file represents a previous password, encrypted using key material derived from that password, forming a sequential chain.
According to Lefteris Panos at LRQA Red Team, the updated DPAPISnoop tool can parse CREDHIST files and convert entries into offline-crackable hash formats.
These hashes, identified by the “$credhist$” prefix, can be used directly with Hashcat.
To support this, researchers introduced two new Hashcat modes:
1. 15920 for CREDHIST entries using 3DES with HMAC-SHA1.
2. 15930 for entries using AES-256 with SHA-512.
This allows attackers or testers to brute-force historical password entries independently, without needing to decrypt the entire DPAPI key upfront.
Once hashes are extracted, they can be cracked offline using GPU-based tools like Hashcat. If a password is recovered, it can be fed back into DPAPISnoop to decrypt additional entries in the chain.
For example, cracking a mid-chain CREDHIST entry reveals the SHA1 or NTLM hash of an older password, which can then be used to unlock further entries. This iterative process allows reconstruction of a user’s password history.
Notably, older entries often use weaker cryptographic schemes, such as SHA1-based PBKDF2 with 3DES, making them significantly easier to crack than modern SHA-512 implementations with higher iteration counts.
While this behavior is not a vulnerability, it highlights how legitimate Windows features can be leveraged to obtain credentials when attackers gain filesystem access.
The ability to recover historical passwords provides valuable intelligence, including: Identification of password reuse patterns. Insight into password complexity trends. Potential reuse across enterprise systems.
This can significantly accelerate lateral movement and privilege escalation in real-world attacks.
Detection and Mitigation
Defenders should monitor for abnormal access to DPAPI-related paths, particularly:
%APPDATA%MicrosoftProtectCREDHIST. User-specific DPAPI directories. Remote access via SMB or administrative shares.
Security tools such as Sigma and Elastic already provide detection rules for suspicious access to credential history files.
The key challenge is distinguishing normal DPAPI activity from anomalous file access patterns.
Organizations are advised to enforce strong password policies, limit local file access, and monitor endpoint activity for unusual credential-related behavior.
The research by Lefteris Panos highlights how revisiting well-known mechanisms like DPAPI can still uncover new offensive opportunities, reinforcing the importance of continuous research in Windows credential security.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
