What is DPAPI?
Data Protection Application Programming Interface (DPAPI) is used in many Windows applications and subsystems. What is it used for? For example:
- Credentials of Microsoft Outlook accounts stored in the registry;
- Credentials and encrypted cookies stored by Google Chrome;
- Credentials stored by IE in the registry under HKCU\Software\Microsoft\Internet Explorer;
- WiFi passwords saved in XML files under %ProgramData%\Microsoft\Wlansvc\Profiles\Interface;
- If EFS is used, DPAPI protects the private keys associated with the users’ EFS certificates.
It seems to be popular. Why?
First of all, because DPAPI is a secure way of protecting user secrets on a single machine, and it is quite simple for developers to use: it consists of just a couple of functions for encrypting and decrypting data, CryptProtectData and CryptUnprotectData.
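As an added example (not code from the original post or from the CQURE tools), here is how a developer calls that DPAPI pair through the .NET ProtectedData wrapper, including the optional entropy parameter and the failure case a caller should expect when the blob cannot be decrypted; the secret, entropy and file path are constructed values.

```powershell
# Added example: protect and unprotect a secret with DPAPI via the .NET wrapper
# around CryptProtectData / CryptUnprotectData (needed on Windows PowerShell 5.1;
# PowerShell 7 already has the type loaded).
Add-Type -AssemblyName System.Security

# Optional entropy: an application-specific value that must also be supplied to
# decrypt. Without it, any process running as the same user can call
# CryptUnprotectData on the blob.
$entropy = [System.Text.Encoding]::UTF8.GetBytes('my-app-entropy-v1')   # constructed value

function Protect-Secret {
    param([string]$PlainText, [byte[]]$Entropy)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    # CurrentUser scope ties the blob to this user's DPAPI master key;
    # LocalMachine scope would let any process on this host decrypt it.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [Array]::Clear($bytes, 0, $bytes.Length)   # do not leave the plaintext in memory
    return $blob
}

function Unprotect-Secret {
    param([byte[]]$Blob, [byte[]]$Entropy)
    try {
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $Blob, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        return [System.Text.Encoding]::UTF8.GetString($bytes)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Raised when the entropy is wrong, the blob is damaged, or the caller is
        # not the user (or machine) whose master key protected it.
        return $null
    }
}

$blob = Protect-Secret -PlainText 'P@ssw0rd-example' -Entropy $entropy   # constructed secret
# Persisting the blob (to a file or the registry) is what Outlook, Chrome and the
# Wlansvc profiles do; it is only recoverable under the same account's master key.
[Convert]::ToBase64String($blob) | Set-Content -Path "$env:TEMP\secret.dpapi"

$stored = [Convert]::FromBase64String((Get-Content -Path "$env:TEMP\secret.dpapi"))
Unprotect-Secret -Blob $stored -Entropy $entropy            # returns 'P@ssw0rd-example'
Unprotect-Secret -Blob $stored -Entropy ([byte[]](1, 2, 3))   # returns $null: wrong entropy
```

Run the same script under a second local account against the saved file and Unprotect-Secret returns $null, which is exactly the per-user protection the tools in this post work around by recovering the master keys.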
Find out how to use the tools to extract secrets protected by DPAPI
In this video, you’ll become familiar with data protection API tools. We are going to show you the most important tools that allow you to perform the recovery of user secrets.
Let’s analyze how we could get our hands on passwords stored in Google Chrome. You might be surprised to learn that Google Chrome also stores this information locally.
Kick off the process by finding out where Google Chrome passwords are stored. Fire up the CQURE tool CQDPAPIBlobSearcher and you will be able to list all the places where the operating system (or an application) might be storing secrets.
ChromePass is a handy password recovery tool that will quickly show you the username and password stored by the user in Google Chrome. It’s not a tool created by CQURE, but you can download it from NirSoft.
This tool will show you only the passwords of the currently signed-in user. If you need to access Google Chrome passwords for other users or from a corrupted user’s profile, you can use the CQURE tools to modify DPAPI master keys based on the DPAPI Backup Key extracted from the AD DS database.
Watch the full video for more details and examples.
TIP: The CQURE team is the first in the world to fully reverse engineer the Data Protection API to bring you these tools. So, if you guys have any questions about that, send them to us at firstname.lastname@example.org.
And in case you want to learn what else you can extract from your cached credentials, check out our new intensive training User & System Secrets: Cybersecurity Data Extraction.