{"id":1708,"date":"2020-10-20T22:21:08","date_gmt":"2020-10-20T20:21:08","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=1708"},"modified":"2023-12-24T13:03:24","modified_gmt":"2023-12-24T12:03:24","slug":"dpapi","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=1708","title":{"rendered":"<span class=\"caps\">DPAPI<\/span>"},"content":{"rendered":"<p>The <span class=\"caps\">DPAPI<\/span> is a Win\u00addows sys\u00adtem which stored pass\u00adwords bound to the local system.<\/p>\n<ul>\n<li>In the user direc\u00adto\u00adry there are the keys stored in the AppData\\Roaming\\Microsoft\\Protect\\&lt;<span class=\"caps\">SID<\/span>&gt; directory.<\/li>\n<li>From the user\u2019s pass\u00adword, a mas\u00adter key is derived. When the user changes his pass\u00adword, a new mas\u00adter key is gen\u00ader\u00adat\u00aded as well \u2014 and all old mas\u00adter keys are still in the direc\u00adto\u00adry from&nbsp;above.<\/li>\n<li><a href=\"https:\/\/miloserdov.org\/?p=4205\">Decrypt on the same sys\u00adtem with Mimikatz.<\/a><\/li>\n<li>The script DPAPImk2john.py can be used to con\u00advert a <span class=\"caps\">DPAPI<\/span> hash for&nbsp;John.<\/li>\n<\/ul>\n<h1>Links<\/h1>\n<ul>\n<li>https:\/\/sudonull.com\/post\/6370-Secrets-DPAPI-or-DPAPI-for-pentesters<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The <span class=\"caps\">DPAPI<\/span> is a Win\u00addows sys\u00adtem which stored pass\u00adwords bound to the local sys\u00adtem. In the user direc\u00adto\u00adry there are the keys stored in the AppData\\Roaming\\Microsoft\\Protect\\&lt;<span class=\"caps\">SID<\/span>&gt; direc\u00adto\u00adry. From the user\u2019s pass\u00adword, a mas\u00adter key is derived. When the user changes his pass\u00adword, a new mas\u00adter key is gen\u00ader\u00adat\u00aded as well \u2014 and all old master&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[472],"tags":[285,125,286,24],"class_list":["post-1708","post","type-post","status-publish","format-standard","hentry","category-postexp","tag-dpapi","tag-john","tag-jtr","tag-windows"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1708","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1708"}],"version-history":[{"count":2,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1708\/revisions"}],"predecessor-version":[{"id":1711,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1708\/revisions\/1711"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1708"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}