Windows Data Protection API (DPAPI)

DPAPI is the Windows API that applications use to encrypt and store their secrets.

History of DPAPI

Before DPAPI, Windows 93, 95 and NT had no built-in way to store secrets securely, and the rise of "hackers" created a need for one.

Birth of DPAPI

DPAPI was developed by Microsoft to give other applications a secure way to store their secrets. It was introduced in Windows 2000, alongside Active Directory, Kerberos and related components.


DPAPI Core Functionality

At its core, DPAPI exposes two functions:

  1. CryptProtectData: takes the secret and encrypts it with the master key, producing a blob that is stored on disk and handed back to the application.

  2. CryptUnprotectData: when the application needs the secret back, it passes the blob to this function and DPAPI decrypts it with the same master key.


What is a Master Key?

Master Keys are a random series of bytes generated by Windows for each user.

The interesting part for us is how Windows secures this master key.

It does so by:

  1. Combining the user's password and SID to generate the Protect Key.

  2. Running that Protect Key through a key derivation function, Password Based Key Derivation Function 2 (PBKDF2), which performs thousands of hashing rounds to make cracking it impractical.

  3. Using the resulting Protect Key to encrypt the Master Key, which is stored in a blob on disk.


DPAPI Master Keys

The Master Key files are stored in a directory named after the user's Security Identifier (SID).

  • Location: %APPDATA%\Microsoft\Protect\<User_SID>\

Breakdown:

  • %APPDATA% is the environment variable that resolves to C:\Users\<YourUsername>\AppData\Roaming.

  • <User_SID> is the unique ID for the user account, which you can find by running whoami /user.
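The following PowerShell is an added example, not code from the original page. It exercises the two core functions through .NET's ProtectedData wrapper (which calls CryptProtectData and CryptUnprotectData), then reads the master key GUID out of the blob header and locates that master key file under %APPDATA%\Microsoft\Protect\<SID>\. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run as an ordinary user; the secret string is constructed for the demo, and the blob header layout (version, provider GUID, master key version, master key GUID) is the documented DPAPI blob format.

```powershell
# Added example (not from the original page): DPAPI round trip plus master key lookup.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param([string]$Secret, [byte[]]$Entropy = $null)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    # CurrentUser scope ties the blob to this user's master key; LocalMachine would
    # tie it to the machine's master key instead.
    [System.Security.Cryptography.ProtectedData]::Protect($plain, $Entropy, 'CurrentUser')
}

function Unprotect-Secret {
    param([byte[]]$Blob, [byte[]]$Entropy = $null)
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, 'CurrentUser')
    [System.Text.Encoding]::UTF8.GetString($plain)
}

function Get-BlobMasterKeyGuid {
    param([byte[]]$Blob)
    # Blob header: dwVersion (4) | guidProvider (16) | dwMasterKeyVersion (4) | guidMasterKey (16) | ...
    $provider = New-Object System.Guid -ArgumentList (,[byte[]]$Blob[4..19])
    if ($provider.ToString() -ne 'df9d8cd0-1501-11d1-8c7a-00c04fc297eb') {
        Write-Warning "Unexpected provider GUID $provider; header layout may differ."
    }
    (New-Object System.Guid -ArgumentList (,[byte[]]$Blob[24..39])).ToString()
}

function Find-MasterKeyFile {
    param([string]$MasterKeyGuid)
    $sid = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
    $dir = Join-Path $env:APPDATA "Microsoft\Protect\$sid"
    # Master key files are hidden+system, so -Force is required for Get-ChildItem to list them.
    Get-ChildItem -Path $dir -Force -File | Where-Object { $_.Name -eq $MasterKeyGuid }
}

$blob = Protect-Secret -Secret 'example secret (constructed for the demo)'
"Blob size: $($blob.Length) bytes"
$guid = Get-BlobMasterKeyGuid -Blob $blob
"Master key GUID referenced by the blob: $guid"
$mk = Find-MasterKeyFile -MasterKeyGuid $guid
if ($mk) { "Master key file on disk: $($mk.FullName) ($($mk.Length) bytes)" }
"Round trip: " + (Unprotect-Secret -Blob $blob)
```

Without the optional entropy argument, any process running in the same user context can call Unprotect on the blob, which is why applications that want an extra layer pass their own entropy; the blob's master key GUID is also what tells you which file under the Protect directory a given secret depends on.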


Saved User Credentials

The encrypted credential blobs are stored in a different directory. There are two common locations:

  • Roaming Credentials Location: %APPDATA%\Microsoft\Credentials\

    • These are credentials that can roam with the user's profile in a domain.

  • Local Credentials Location: %LOCALAPPDATA%\Microsoft\Credentials\

    • %LOCALAPPDATA% resolves to C:\Users\<YourUsername>\AppData\Local. These credentials are specific to the local machine only.
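As an added, read-only inventory example (not from the original page), the PowerShell below lists the artefacts in the locations just described: it decodes the Preferred file in the user's Protect directory (16-byte GUID of the currently active master key followed by an 8-byte FILETIME expiry) and enumerates the credential blobs in both the roaming and local directories. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and is run as the user whose profile is being inspected.

```powershell
# Added example (not from the original page): inventory per-user DPAPI artefacts.

function Get-PreferredMasterKey {
    param([string]$Sid = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value)
    $path = Join-Path $env:APPDATA "Microsoft\Protect\$Sid\Preferred"
    if (-not (Test-Path $path)) { return $null }
    # Preferred is 24 bytes: GUID of the active master key, then FILETIME of when it expires.
    $bytes = [System.IO.File]::ReadAllBytes($path)
    [pscustomobject]@{
        MasterKeyGuid = (New-Object System.Guid -ArgumentList (,[byte[]]$bytes[0..15])).ToString()
        ExpiresUtc    = [datetime]::FromFileTimeUtc([BitConverter]::ToInt64($bytes, 16))
    }
}

function Get-CredentialBlobs {
    $dirs = @(
        (Join-Path $env:APPDATA      'Microsoft\Credentials'),   # roaming credentials
        (Join-Path $env:LOCALAPPDATA 'Microsoft\Credentials')    # local-only credentials
    )
    foreach ($d in $dirs) {
        if (-not (Test-Path $d)) { continue }
        # Credential files are hidden; -Force makes Get-ChildItem return them.
        Get-ChildItem -Path $d -Force -File | ForEach-Object {
            [pscustomobject]@{
                Scope    = if ($d -like "$env:LOCALAPPDATA*") { 'Local' } else { 'Roaming' }
                Name     = $_.Name
                Bytes    = $_.Length
                Modified = $_.LastWriteTimeUtc
                Path     = $_.FullName
            }
        }
    }
}

Get-PreferredMasterKey | Format-List
Get-CredentialBlobs | Sort-Object Scope, Name | Format-Table -AutoSize
```

For forensic or backup work this is the quick way to see which master key is current and which credential blobs exist; a blob whose master key file is missing or whose Preferred expiry has long passed is a sign the profile has been partially restored or tampered with.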


The box below is one I rooted using DPAPI privilege escalation.

Puppy Write-Up - HTB
