The Credential Manager stored passwords are managed by the Data Protection API and protected by DPAPI 'master keys':

The DPAPI keys used for encrypting the user's RSA keys are stored

The DPAPI key is stored in the same file as the master key that protects the user's private keys.

This Synacktiv presentation has a good overview of DPAPI master keys:

These masterkeys are stored in blobs, each containing:

and includes this chart, which shows how the protections have changed with each release of Windows:

According to that presentation, shared keys can be extracted with mimikatz.

Beyond the Windows platform, the dpapick project also supports offline and non-Windows use of the API, and both that project and John the Ripper include DPAPImk2john.py, a script for extracting the masterkey files for cracking purposes. hashcat also supports cracking these DPAPI v1 and v2 masterkey files with that script.

So you should be able to use DPAPImk2john.py to extract the master keys, and then crack them to access the credentials.