DPAPI Secrets

ABOUT

DPAPI Secrets can be any data protected with DPAPI, for example browser credentials, password manager data or vault credentials.

Image from Synacktiv article below

LINUX

We'll decrypt the Secret with impacket's dpapi tool (impacket-dpapi).

To decrypt a DPAPI Secret we need 3 things, and 2 of them are files which we need to collect first:

  1. Masterkey (the filename is its GUID)

  2. DPAPI Secret

  3. SID of the user who encrypted it (the directory where the Secret is located is named after it)

  4. One of the 5 things from the scheme above; I'll use the password in this example.

Decrypting the Secret

  1. Decrypt the Masterkey with the password's hash and the SID

impacket-dpapi masterkey -file 556a2412-1275-4ccf-b721-e6a0b4f90407 -password 'password123' -sid S-1-5-21-1487982659-1829050783-2281216199-1107

  2. Use the decrypted Masterkey (the "Decrypted key" printed by the previous command) to decrypt the Secret

impacket-dpapi credential -f C8D69EBE9A43E9DEBF6B5FBD48B521B9 -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
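The steps above assume you already know which Masterkey file a given Secret needs. The Secret itself tells you: every DPAPI blob starts with a fixed header that carries the GUID of the Masterkey that protected it, so you can read that GUID out of the blob and look for the matching file under the user's Protect\<SID>\ directory before attempting any decryption. The following is an added example (not code from the original notes, nor from impacket or SharpDPAPI) that parses that header from a blob constructed inline; it assumes the public DPAPI_BLOB layout, and the 12-byte CredentialFile wrapper (Version, Size, Unknown) it strips from Credentials-folder files is taken from impacket's structure definition. The Masterkey GUID and SID values are the ones used in the commands above.

```python
"""Read the header of a DPAPI blob to find which Masterkey it needs.

Added example, not part of the original notes or of impacket/SharpDPAPI.
The layout follows the public DPAPI_BLOB structure; the sample blob below is
constructed here, not captured from a real system.
"""
import struct
import uuid

# Provider GUID present in every CryptProtectData blob (public constant;
# appears on disk as the familiar D0 8C 9D DF 01 15 D1 11 ... byte run)
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# Windows ALG_ID values commonly seen in DPAPI blobs
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}


def _counted(b: bytes) -> bytes:
    """DWORD length prefix followed by the bytes themselves."""
    return struct.pack("<L", len(b)) + b


def build_dpapi_blob(mk_guid, description, salt, data, sign,
                     alg_crypt=0x6610, alg_hash=0x800E):
    """Serialise a DPAPI_BLOB. Only used here to construct test input;
    real blobs come from CryptProtectData on the Windows host."""
    desc = (description + "\x00").encode("utf-16-le")
    return b"".join([
        struct.pack("<L", 1),                    # dwVersion
        DPAPI_PROVIDER_GUID.bytes_le,            # guidProvider
        struct.pack("<L", 1),                    # dwMasterKeyVersion
        uuid.UUID(mk_guid).bytes_le,             # guidMasterKey
        struct.pack("<L", 0),                    # dwFlags
        _counted(desc),                          # szDescription (UTF-16LE)
        struct.pack("<LL", alg_crypt, 256),      # algCrypt, key length in bits
        _counted(salt),                          # pbSalt
        _counted(b""),                           # pbHmacKey (empty in sample)
        struct.pack("<LL", alg_hash, 512),       # algHash, hash length in bits
        _counted(b""),                           # pbHmac2Key (empty in sample)
        _counted(data),                          # pbData (ciphertext)
        _counted(sign),                          # pbSign (HMAC over the blob)
    ])


def wrap_as_credential_file(blob: bytes) -> bytes:
    """Prepend the 12-byte CredentialFile header (Version, Size, Unknown)
    that files under Microsoft\\Credentials carry, as modelled by impacket."""
    return struct.pack("<LLL", 1, len(blob), 0) + blob


def strip_credential_header(raw: bytes) -> bytes:
    """Return the bare DPAPI blob whether or not a CredentialFile header is present."""
    if raw[4:20] == DPAPI_PROVIDER_GUID.bytes_le:
        return raw
    if raw[16:32] == DPAPI_PROVIDER_GUID.bytes_le:
        return raw[12:]
    raise ValueError("no DPAPI provider GUID at offset 4 or 16: not a DPAPI blob")


def parse_dpapi_blob(raw: bytes) -> dict:
    """Walk the DPAPI_BLOB header and return its fields, including the
    Masterkey GUID that names the file needed to decrypt it."""
    blob = strip_credential_header(raw)
    off = 0

    def dword():
        nonlocal off
        (v,) = struct.unpack_from("<L", blob, off)
        off += 4
        return v

    def guid():
        nonlocal off
        g = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))  # Windows GUID byte order
        off += 16
        return g

    def counted():
        nonlocal off
        n = dword()
        chunk = blob[off:off + n]
        if len(chunk) != n:
            raise ValueError("truncated blob")
        off += n
        return chunk

    version, provider = dword(), guid()
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("unsupported DPAPI blob version or provider")
    mk_version, mk_guid, flags = dword(), guid(), dword()
    description = counted().decode("utf-16-le").rstrip("\x00")
    alg_crypt, key_bits = dword(), dword()
    salt = counted()
    counted()                                    # pbHmacKey, not needed here
    alg_hash, hash_bits = dword(), dword()
    counted()                                    # pbHmac2Key, not needed here
    data, sign = counted(), counted()
    return {
        "masterkey_guid": str(mk_guid), "masterkey_version": mk_version,
        "flags": flags, "description": description,
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)), "key_bits": key_bits,
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)), "hash_bits": hash_bits,
        "salt_len": len(salt), "data_len": len(data), "sign_len": len(sign),
    }


def masterkey_path(sid: str, info: dict) -> str:
    """Where the Masterkey file for this blob lives on the user's profile."""
    return f"%APPDATA%\\Microsoft\\Protect\\{sid}\\{info['masterkey_guid']}"


# Constructed sample: GUID and SID are the ones from the commands above.
SAMPLE_BLOB = build_dpapi_blob(
    mk_guid="556a2412-1275-4ccf-b721-e6a0b4f90407",
    description="Constructed test secret",
    salt=b"\x11" * 32, data=b"\x22" * 48, sign=b"\x33" * 64,
)
SAMPLE_SID = "S-1-5-21-1487982659-1829050783-2281216199-1107"

if __name__ == "__main__":
    info = parse_dpapi_blob(SAMPLE_BLOB)
    for key, value in info.items():
        print(f"{key:18} {value}")
    print("Masterkey file:", masterkey_path(SAMPLE_SID, info))
```

Running it prints the header fields and the Protect\<SID>\<GUID> path of the Masterkey file to collect; on a real file, replace SAMPLE_BLOB with the bytes read from the Secret (a raw CryptProtectData blob or a Credentials-folder file). Only the header is parsed: no key material is derived and nothing is decrypted, so the script is safe to run over a triage copy of the files.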

WINDOWS

For Windows I have only used SharpDPAPI, for triaging certificates:

SharpDPAPI

.\SharpDPAPI.exe triage

RESOURCES
