SharpDPAPI
SharpDPAPI is a C# port of some Mimikatz DPAPI functionality.
SharpDPAPI is a C# port of some DPAPI functionality from @gentilkiwi's Mimikatz project.
I did not come up with this logic, it is simply a port from Mimikatz in order to better understand the process and operationalize it to fit our workflow.
The SharpChrome subproject is an adaptation of work from @gentilkiwi and @djhohnstein, specifically his SharpChrome project. However, this version of SharpChrome uses a different version of the C# SQL library that supports lockless opening. SharpChrome is built as a separate project in SharpDPAPI because of the size of the SQLite library utilized.
Both Chrome and newer Chromium-based Edge browsers can be triaged with SharpChrome.
SharpChrome also uses a minimized version of @AArnott's BCrypt P/Invoke code released under the MIT License.
If you're unfamiliar with DPAPI, check out this post for more background information. For more information on Credentials and Vaults in regards to DPAPI, check out Benjamin's wiki entry on the subject.
@harmj0y is the primary author of this port.
SharpDPAPI is licensed under the BSD 3-Clause license.
Background
SharpDPAPI Command Line Usage
[SharpDPAPI ASCII-art banner]
v1.20.0
Retrieve a domain controller's DPAPI backup key, optionally specifying a DC and output file:
SharpDPAPI backupkey [/nowrap] [/server:SERVER.domain] [/file:key.pvk]
The *search* command will search for potential DPAPI blobs in the registry, files, folders, and base64 blobs:
search /type:registry [/path:HKLM\path\to\key] [/showErrors]
search /type:folder /path:C:\path\to\folder [/maxBytes:<numOfBytes>] [/showErrors]
search /type:file /path:C:\path\to\file [/maxBytes:<numOfBytes>]
search /type:base64 [/base:<base64 string>]
Machine/SYSTEM Triage:
machinemasterkeys - triage all reachable machine masterkey files (elevates to SYSTEM to retrieve the DPAPI_SYSTEM LSA secret)
machinecredentials - use 'machinemasterkeys' and then triage machine Credential files
machinevaults - use 'machinemasterkeys' and then triage machine Vaults
machinetriage - run the 'machinecredentials' and 'machinevaults' commands
User Triage:
Arguments for the 'masterkeys' command:
/target:FILE/folder - triage a specific masterkey, or a folder full of masterkeys (otherwise triage local masterkeys)
/pvk:BASE64... - use a base64'ed DPAPI domain private key file to first decrypt reachable user masterkeys
/pvk:key.pvk - use a DPAPI domain private key file to first decrypt reachable user masterkeys
/password:X - decrypt the target user's masterkeys using a plaintext password (works remotely)
/ntlm:X - decrypt the target user's masterkeys using an NTLM hash (works remotely)
/credkey:X - decrypt the target user's masterkeys using a DPAPI credkey (domain or local SHA1, works remotely)
/rpc - decrypt the target user's masterkeys by asking domain controller to do so
/server:SERVER - triage a remote server, assuming admin access
/hashes - output usermasterkey file 'hashes' in JTR/Hashcat format (no decryption)
Arguments for the credentials|vaults|rdg|keepass|triage|blob|ps commands:
Decryption:
/unprotect - force use of CryptUnprotectData() for 'ps', 'rdg', or 'blob' commands
/pvk:BASE64... - use a base64'ed DPAPI domain private key file to first decrypt reachable user masterkeys
/pvk:key.pvk - use a DPAPI domain private key file to first decrypt reachable user masterkeys
/password:X - decrypt the target user's masterkeys using a plaintext password (works remotely)
/ntlm:X - decrypt the target user's masterkeys using an NTLM hash (works remotely)
/credkey:X - decrypt the target user's masterkeys using a DPAPI credkey (domain or local SHA1, works remotely)
/rpc - decrypt the target user's masterkeys by asking domain controller to do so
GUID1:SHA1 ... - use one or more GUID:SHA1 masterkeys for decryption
/mkfile:FILE - use a file of one or more GUID:SHA1 masterkeys for decryption
Targeting:
/target:FILE/folder - triage a specific 'Credentials','.rdg|RDCMan.settings', 'blob', or 'ps' file location, or 'Vault' folder
/server:SERVER - triage a remote server, assuming admin access
Note: must use with /pvk:KEY or /password:X
Note: not applicable to 'blob' or 'ps' commands
Certificate Triage:
Arguments for the 'certificates' command:
/showall - show all decrypted private key files, not just ones that are linked to installed certs (the default)
/machine - use the local machine store for certificate triage
/mkfile | /target - for /machine triage
[all decryption args from User Triage above]
Note: in most cases, just use *triage* if you're targeting user DPAPI secrets and *machinetriage* if you're going after SYSTEM DPAPI secrets.
These functions wrap all the other applicable functions that can be automatically run.
SharpChrome Command Line Usage
[SharpChrome ASCII-art banner]
v1.9.0
Retrieve a domain controller's DPAPI backup key, optionally specifying a DC and output file:
SharpChrome backupkey [/nowrap] [/server:SERVER.domain] [/file:key.pvk]
Global arguments for the 'cookies', 'logins', and 'statekeys' commands:
Decryption:
/unprotect - force use of CryptUnprotectData() (default for unprivileged execution)
/pvk:BASE64... - use a base64'ed DPAPI domain private key file to first decrypt reachable user masterkeys
/pvk:key.pvk - use a DPAPI domain private key file to first decrypt reachable user masterkeys
/password:X - decrypt the target user's masterkeys using a plaintext password (works remotely)
/ntlm:X - decrypt the target user's masterkeys using an NTLM hash (works remotely)
/prekey:X - decrypt the target user's masterkeys using a DPAPI prekey (domain or local SHA1, works remotely)
/rpc - decrypt the target user's masterkeys by asking domain controller to do so
GUID1:SHA1 ... - use one or more GUID:SHA1 masterkeys for decryption
/statekey:X - a decrypted AES state key (from the 'statekey' command)
Targeting:
/target:FILE - triage a specific 'Cookies', 'Login Data', or 'Local State' file location
/target:C:\Users\X\ - triage a specific user folder for any specified command
/server:SERVER
