abusing-dpapi-for-credential-access


Abusing DPAPI for Credential Access

Legal Notice: This skill is for authorized penetration testing, red-team engagements, and educational purposes only. Extracting credentials from systems you do not own or lack explicit written authorization to test is illegal and may violate computer fraud and abuse laws. Always operate within a signed rules-of-engagement and document every action.

Overview

The Windows Data Protection API (DPAPI) is the operating system's built-in service for symmetric encryption of secrets at rest. Applications hand it plaintext through CryptProtectData and get back an opaque "DPAPI blob"; they never manage keys themselves. It protects saved RDP and Windows Credential Manager credentials, web and Wi-Fi credentials in the Credential Vault, browser saved logins and cookies (Chrome/Edge), KeePass keys, certificate private keys, and Scheduled Task passwords. Under the hood, a per-user master key (or a per-machine one for SYSTEM) is itself encrypted with a key derived from the user's password (or the machine account secret), and that master key is what encrypts the individual blobs. Each blob records the GUID of the master key that protected it, and the master key files are named by that GUID: user master keys live under %APPDATA%\Microsoft\Protect\<SID>\ and machine master keys under %WINDIR%\System32\Microsoft\Protect\S-1-5-18\. On a domain-joined host a user's master key file additionally carries a copy of the master key encrypted to the domain's DPAPI backup key, which is what makes the domain-wide path below possible.

Red teamers abuse DPAPI to recover plaintext secrets after gaining a foothold, mapping to MITRE ATT&CK T1555.004 (Credentials from Password Stores: Windows Credential Manager); browser secrets fall under T1555.003 (Credentials from Web Browsers). There are three primary decryption paths:

  1. Online / context-based: running as the target user, the DPAPI APIs (CryptUnprotectData) transparently decrypt that user's blobs, because LSASS already holds the decrypted master key. SharpDPAPI's /unprotect flag uses this path. It needs no password, but it only reaches blobs belonging to the account you are running as.
  2. Offline with the user password or NTLM hash: decrypt the user's master keys with /password: or /ntlm:, then decrypt the blobs offline. This is the path for files triaged off a host (the master key files plus the blobs they protect); nothing has to execute on the target beyond collection.
  3. Domain-wide with the DPAPI backup key: a Domain Admin can extract the domain's RSA DPAPI backup key (.pvk) once (SharpDPAPI backupkey, or Mimikatz lsadump::backupkeys), then decrypt any domain user's master keys with /pvk:, online or offline. The backup key is never rotated, so a single extraction stays useful indefinitely. It only decrypts domain users' master keys (the ones carrying a domain-key section); local accounts and the machine (SYSTEM) master keys are out of its reach.
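As a concrete view of the structures these three paths operate on, here is an added Python example (not part of this skill, and not SharpDPAPI, Mimikatz or Impacket code). It parses a DPAPI blob header and a master key file header, matches the blob to its master key file by GUID, and reports which of the paths above can decrypt it. It runs entirely on constructed sample data: the GUID, salt and ciphertext bytes are made up, nothing is decrypted, and the in-memory dictionary standing in for the Protect\<SID>\ directory is an assumption for illustration. The field layout is the one Mimikatz and Impacket use for blobs and master key files.

```python
import struct
import uuid

# Provider GUID present in every DPAPI blob, and the ALG_IDs seen in current blobs/master keys.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
ALG_NAMES = {0x6610: "AES-256", 0x6603: "3DES", 0x800E: "SHA-512", 0x8004: "SHA-1"}

def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4

def _alg(buf, off):
    # An ALG_ID followed by its key or hash length in bits (which we skip).
    return struct.unpack_from("<I", buf, off)[0], off + 8

def _sized(buf, off):
    # A DWORD length followed by that many bytes.
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("length field runs past the end of the blob")
    return buf[off:off + n], off + n

def parse_blob(data):
    """Walk the structure CryptProtectData writes and return its fields (no decryption)."""
    version, off = _u32(data, 0)
    provider = uuid.UUID(bytes_le=data[off:off + 16])   # GUIDs use Windows mixed-endian order
    off += 16
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    _mk_version, off = _u32(data, off)
    mk_guid = uuid.UUID(bytes_le=data[off:off + 16])    # names the master key file for this blob
    off += 16
    flags, off = _u32(data, off)
    desc, off = _sized(data, off)          # UTF-16LE, NUL-terminated
    crypt_alg, off = _alg(data, off)
    salt, off = _sized(data, off)
    _hmac_key, off = _sized(data, off)     # normally empty
    hash_alg, off = _alg(data, off)
    _hmac2_key, off = _sized(data, off)    # normally empty
    ciphertext, off = _sized(data, off)
    sign, off = _sized(data, off)
    return {"masterkey_guid": str(mk_guid), "flags": flags,
            "description": desc.decode("utf-16-le").rstrip("\x00"),
            "crypt_alg": ALG_NAMES.get(crypt_alg, hex(crypt_alg)),
            "hash_alg": ALG_NAMES.get(hash_alg, hex(hash_alg)),
            "salt": salt, "ciphertext": ciphertext, "sign": sign,
            "trailing_bytes": len(data) - off}   # 0 for a cleanly carved blob

def parse_masterkey_header(data):
    """Parse the 128-byte header of a master key file and the lengths of its four sections."""
    if len(data) < 128:
        raise ValueError("truncated master key file")
    guid = data[12:84].decode("utf-16-le")   # the GUID is stored as 36 UTF-16 characters
    flags = struct.unpack_from("<I", data, 92)[0]
    mk_len, bk_len, ch_len, dk_len = struct.unpack_from("<QQQQ", data, 96)
    if 128 + mk_len + bk_len + ch_len + dk_len != len(data):
        raise ValueError("section lengths do not add up to the file size")
    return {"guid": guid, "flags": flags, "masterkey_len": mk_len,
            "backupkey_len": bk_len, "credhist_len": ch_len, "domainkey_len": dk_len}

def triage(blob_bytes, protect_dir):
    """Match a blob to its master key file and list the decryption paths that can work.
    protect_dir stands in for %APPDATA%\\Microsoft\\Protect\\<SID>\\ (file name -> bytes)."""
    blob = parse_blob(blob_bytes)
    paths = ["online: CryptUnprotectData in the user's own context (/unprotect)"]
    mk_file = protect_dir.get(blob["masterkey_guid"])
    if mk_file is None:
        return {"blob": blob, "masterkey": None, "paths": paths}
    header = parse_masterkey_header(mk_file)
    paths.append("offline: user password or NTLM hash (/password:, /ntlm:)")
    if header["domainkey_len"]:            # DomainKey section present: the domain backup key works
        paths.append("offline: domain DPAPI backup key (/pvk:)")
    return {"blob": blob, "masterkey": header, "paths": paths}

def build_blob(mk_guid, description, salt, ciphertext, sign):
    """Constructed test blob: real field layout, placeholder ciphertext and signature."""
    desc = description.encode("utf-16-le") + b"\x00\x00"
    return b"".join([struct.pack("<I", 1), DPAPI_PROVIDER_GUID.bytes_le,
                     struct.pack("<I", 1), uuid.UUID(mk_guid).bytes_le, struct.pack("<I", 0),
                     struct.pack("<I", len(desc)), desc,
                     struct.pack("<II", 0x6610, 256),            # CALG_AES_256, 256 key bits
                     struct.pack("<I", len(salt)), salt, struct.pack("<I", 0),
                     struct.pack("<II", 0x800E, 512),            # CALG_SHA_512, 512 hash bits
                     struct.pack("<I", 0), struct.pack("<I", len(ciphertext)), ciphertext,
                     struct.pack("<I", len(sign)), sign])

def build_masterkey_file(guid, domain_joined):
    """Constructed master key file: real 128-byte header, zero-filled section bodies."""
    sections = [bytes(144), bytes(144), bytes(20), bytes(200) if domain_joined else b""]
    header = struct.pack("<III", 2, 0, 0) + guid.encode("utf-16-le")
    header += struct.pack("<III", 0, 0, 5) + struct.pack("<QQQQ", *map(len, sections))
    return header + b"".join(sections)

# Constructed sample data: the GUID, salt and cipher bytes are made up, not taken from any host.
MK_GUID = "3f4c2a1e-9d67-4b8a-b1c0-0e2f5a6d7c89"
SAMPLE_BLOB = build_blob(MK_GUID, "Local Credential Data", bytes(range(32)), b"\xaa" * 48, b"\xbb" * 64)
SAMPLE_PROTECT_DIR = {MK_GUID: build_masterkey_file(MK_GUID, domain_joined=True),
                      "Preferred": bytes(24)}   # Preferred = GUID + FILETIME, not a master key
```

On a real triage, read the carved blob and the files under Protect\<SID>\ into bytes and pass them in. The decision the output supports is the one you make before reaching for path 3: a blob whose master key file has a non-zero DomainKey section can be opened with /pvk:, while a local account's master key (DomainKey length 0) cannot, so extracting the backup key buys nothing for it. A non-zero trailing_bytes value means the blob was carved with extra data on the end and should be re-cut before handing it to a decryptor.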

The canonical tooling is SharpDPAPI (GhostPack, a C# port of part of Mimikatz's DPAPI functionality) for Windows, SharpChrome (shipped in the same repository) for browser secrets, and Mimikatz (dpapi::*) as the original implementation. On Linux, Impacket's dpapi.py decrypts master keys, blobs, Credential files and vaults offline, and donpapi automates remote collection and decryption across many hosts.

When to Use

abusing-dpapi-for-credential-access — mukul975/anthropic-cybersecurity-skills