akde/infosec

Information security is ultimately about managing risk

DPAPI

3 Post Exploitation

DPAPI, John, JTR, Windows

The DPAPI is a Windows system which stored passwords bound to the local system.

In the user directory there are the keys stored in the AppData\Roaming\Microsoft\Protect\<SID> directory.
From the user’s password, a master key is derived. When the user changes his password, a new master key is generated as well — and all old master keys are still in the directory from above.
Decrypt on the same system with Mimikatz.
The script DPAPImk2john.py can be used to convert a DPAPI hash for John.

Links

https://sudonull.com/post/6370-Secrets-DPAPI-or-DPAPI-for-pentesters

Leave a Reply Cancel reply

You must be logged in to post a comment.

About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';