November 16
12:00 — 13:00
Secrets Windows DPAPI
The Windows DPAPI mechanism was introduced a long time ago and has proved to be a reliable means of storing encrypted user data. Google Chrome, Dropbox, RSA SecurID and standard Windows mechanisms (such as crypt.exe and EFS) use it to protect user passwords, key material and other ‘secrets’. The goal of this talk is to show how user data encrypted with DPAPI can be decrypted, a capability needed at the post-exploitation stage of red teaming. The report is based on the Passcape research and on the DPAPIck Python framework, which is used for offline analysis of key material.
In the introduction we will cover how the DPAPI mechanism works, its encryption keys, its data blocks (Encrypted-Blob), and where they are stored in the various Windows versions. We will also consider how Windows 10 changes the encryption of DPAPI keys.
Then we will show ways to decrypt key material and user data using the DPAPIck framework, including how to use the framework to decrypt data without knowing the user's password (but with access to the domain controller).