Decrypting View State Messages
4 hours ago
- #ASP.NET cryptography
- #IIS security
- #view state decryption
- A user found a malicious encrypted view state in Windows event logs but only had a disk image and autogenerated keys from the Windows registry.
- Decrypting view state varies from trivial for legacy setups (using CyberChef) to complex for modern ones (using Blacklist3r or reflection).
- Autogen keys are 1024-byte blobs stored in the registry or LSA secrets, generated via SetAutogenKeys() with random bytes and IIS functions.
- For legacy crypto, master validation and decryption keys are extracted from the autogen key at specific offsets (64 and 24 bytes).
- Final machine keys in legacy setups derive from master keys using hashes of app virtual paths or IDs via GetNonRandomizedStringComparerHashCode.
- Modern crypto uses HMACSHA512 with purposes (e.g., 'MachineKeyDerivation') and secondary parameters (like IsolateApps) to derive master keys.
- Key sizes cause compatibility issues: AES supports 24/32 bytes, TripleDES only 24, DES only 8, leading to errors with auto-generated keys.
- Final machine keys in modern setups derive similarly, with purposes based on app directory, page type, and optional view state user key.
- Decryption involves base64 decoding, stripping validation hash, and decrypting with the final key (legacy uses IV of zeros, modern extracts IV).
- VSRipper is a tool introduced to automate view state decryption, supporting all modern/legacy payloads and brute-forcing with autogen keys.