| skipped 5 lines |
6 | 6 | | ## DPAPI dumping |
7 | 7 | | Lots of credentials are protected by [DPAPI](https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection). |
8 | 8 | | |
9 | | - | We aim at locating those "secured" credentials, and retreive them using : |
| 9 | + | We aim at locating those "secured" credentials, and retrieve them using : |
10 | 10 | | - User password |
11 | 11 | | - Domaine DPAPI BackupKey |
12 | 12 | | - Local machine DPAPI Key (protecting `TaskScheduled` blob) |
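Review bot: the spelling fix on the new line 9 leaves two more typos in the same list untouched: "Domaine DPAPI BackupKey" on line 11 should read `- Domain DPAPI BackupKey`, and "using :" on line 9 has a stray space before the colon (`retrieve them using:`). Since this commit is already a typo pass over this block, it would be cleaner to fix all three together rather than leave the list half-corrected.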
| skipped 71 lines |
84 | 84 | | When a domain admin user is available, it is possible to dump the domain backup key using impacket `dpapi.py` tool. |
85 | 85 | | |
86 | 86 | | ```bash |
87 | | - | dpapi.py backupkey --export |
| 87 | + | dpapi.py backupkeys --export -t domain/user:passw0rd@target_dc_ip |
88 | 88 | | ``` |
89 | 89 | | |
90 | | - | This backup key can then be used to dump all domain user's secrets! |
| 90 | + | This backup key (pvk file) can then be used to dump all domain user's secrets! |
91 | 91 | | |
92 | 92 | | `python DonPAPI.py -pvk domain_backupkey.pvk domain/user:passw0rd@domain_network_list` |
93 | 93 | | |
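Review bot: the new line 90 says the backup key is a pvk file, but neither the corrected command on line 87 nor the prose states what file name `--export` produces, while the DonPAPI invocation on line 92 expects `domain_backupkey.pvk`; add one sentence telling the reader where the exported key lands and that the `-pvk` argument must point at that file (renamed if needed), otherwise the two commands do not obviously connect. Minor: "all domain user's secrets" on line 90 should be "all domain users' secrets".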
| skipped 39 lines |