{
	"id": "ff155e98-e607-421b-b7c9-e0e167d3e1f2",
	"created_at": "2026-04-06T02:13:17.555029Z",
	"updated_at": "2026-04-10T03:21:14.517084Z",
	"deleted_at": null,
	"sha1_hash": "fe047771df2b25b1642b0411932463d1692b3cce",
	"title": "Passwords stored using reversible encryption: how it works (part 1)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 33135,
	"plain_text": "Passwords stored using reversible encryption: how it works (part 1)\r\nArchived: 2026-04-06 02:08:29 UTC\r\nIn case you missed my HAR2009 talk: in the second part I talked about a Windows feature called ‘Store\r\npasswords using reversible encryption’. When this is enabled (per user or for the entire domain), Windows stores\r\nthe password encrypted, but in such a way that it can reverse the encryption and recover the plaintext password.\r\nThis feature exists because some authentication protocols require the plaintext password to function correctly; the\r\ntwo most common examples are HTTP Digest Authentication and CHAP.\r\nThis feature is not enabled by default but I’ve seen it a couple of times in customer networks. As I couldn’t find\r\nany description of how this mechanism works or any tool to recover these passwords, I decided to investigate.\r\nWhen you change your password on a domain that has reversible encryption enabled, a password filter called\r\nRASSFM.DLL is used to store the password using reversible encryption. The key that is used to do this is\r\nG$MSRADIUSCHAPKEY, which is stored as a global LSA secret. This key is decrypted using a static key\r\n(hardcoded in the DLL). The result of this operation is combined with a 16-byte random value (generated every\r\ntime someone changes their password) and that key is used to encrypt a Unicode version of the password using the\r\nRC4 algorithm.\r\nI found out these passwords are stored in Active Directory in a per-user structure called userParameters. If you use\r\na tool such as AD Explorer you can look at this structure in an AD that has enabled this feature. When you look at\r\nthis structure, it looks like a binary blob, with some human-readable parts in there. When you enable reversible\r\nencryption you will notice two readable strings: G$RADIUSCHAP and G$RADIUSCHAPKEY. 
The\r\nuserParameters can also be used to store settings unrelated to reversible encryption, such as per-user Terminal\r\nServer settings.\r\nFollowing the G$RADIUSCHAP part is the ASCII-hex encoded encrypted password. The part following the\r\nG$RADIUSCHAPKEY name is the 16-byte random value.\r\nSo to decrypt this password we use the following steps:\r\n- Take the G$MSRADIUSCHAPKEY Global LSA secret\r\n- Decrypt it using the static key\r\n- Parse the userParameters structure and extract the G$RADIUSCHAP and G$RADIUSCHAPKEY values\r\n- Combine the value of G$RADIUSCHAPKEY (the 16-byte random) with the decrypted LSA secret to create an\r\nRC4 key\r\n- Decrypt the value of G$RADIUSCHAP using that RC4 key\r\nThe result is a plaintext Unicode password. My tool 'Revdump' automates this procedure.\r\nIn part two of this article, I will look at the security of this mechanism.\n\nSource: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html"
	],
	"report_names": [
		"passwords-stored-using-reversible.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775441597,
	"ts_updated_at": 1775791274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe047771df2b25b1642b0411932463d1692b3cce.pdf",
		"text": "https://archive.orkl.eu/fe047771df2b25b1642b0411932463d1692b3cce.txt",
		"img": "https://archive.orkl.eu/fe047771df2b25b1642b0411932463d1692b3cce.jpg"
	}
}