Black Hat USA 2017: DPAPI and DPAPI-NG. A talk on our breakthrough discovery

Hey, Peeps! Have you heard about our DPAPI discovery? I talked about it at the Black Hat USA conference 2017!

In case you didn’t make it to my talk at Black Hat USA 2017 about ‘DPAPI and DPAPI-NG: Decryption Toolkit’, I’m sharing my slides below so you can check them out.

CQMasterKeyAD (CQTools)

Allows decryption of DPAPI-protected data by using the private key stored as an LSA Secret on a domain controller (we have called it a ‘backup key’, and it is a key corresponding to the backup public key stored in the domain user’s profile). The backup key allows decrypting literally all of the domain user’s secrets (passwords, private keys, information stored by the browser). In other words, someone who has the backup key is able to take over all of the identities and their secrets within the whole enterprise. The tool represents CQURE’s breakthrough DPAPI discovery.


Leverages DPAPI-NG as used in SID-protected PFX files. Whereas with the previous tool the CQURE Team is able to get access to a user’s secrets, here it is a bit different! The tool decrypts SID-protected PFX files even without access to the user’s password, just by generating the SID and the user’s token.

CQDPAPIKeePassDBDecryptor (CQTools)

Decrypts a KeePass database by using DPAPI data obtained from the domain. It provides access to all users’ KeePass databases, and it uses DPAPI data leveraged by CQMasterKeyAD. The tool uses the user’s decrypted Master Key to decrypt the key that encrypts the KeePass database. Paula elaborates on how we do this in her talk!

Want the tools I talked about? Here they are:

CQTools from Black Hat 2017

>> Download The Toolkit <<