dploot
dploot is a Python rewrite of SharpDPAPI that implements DPAPI logic for looting credentials, masterkeys, and other sensitive data from local or remote Windows targets. It supports various actions like decrypting blobs, dumping browser credentials, and triaging machine vaults.
Description
dploot enables security researchers and penetration testers to extract and decrypt DPAPI-protected data from Windows systems. DPAPI (Data Protection API) is used by Windows to encrypt sensitive information such as credentials, certificates, and browser data. This tool replicates the functionality of SharpDPAPI in Python, making it usable in environments without .NET dependencies.
Use cases include post-exploitation scenarios where attackers or red teamers need to loot credentials from domain controllers, user profiles, or remote machines. It can target specific components like Credential Manager, browsers, WiFi profiles, or SCCM data, facilitating privilege escalation or lateral movement.
The tool operates both locally and remotely, fetching necessary masterkeys from targets when required for decryption. It is particularly valuable for analyzing DPAPI blobs without needing Windows-specific binaries.
How It Works
dploot implements the full DPAPI decryption logic of SharpDPAPI and native DPAPI in Python, using impacket for remote access and the cryptography library for the cryptographic primitives. It performs actions such as extracting masterkeys from registry hives, decrypting blobs with those masterkeys, and parsing structures such as Credential Manager entries or browser cookies. For remote operations it accesses files and the registry on targets over SMB or other impacket-supported protocols, then uses the appropriate key material (user password-derived keys, the machine key, or the domain backup key) to unlock the masterkeys and recover the plaintext data.
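As an added illustration of the "decrypting blobs with those masterkeys" step (example code written for this page, not part of dploot or SharpDPAPI), the Python below walks the DPAPI_BLOB header of a blob and reports which masterkey GUID it depends on and which algorithms it uses, without decrypting anything. The sample blob is constructed inline with the real header layout but dummy contents; the masterkey GUID, salt, ciphertext and MAC bytes are placeholders.

```python
import struct
import uuid

# Provider GUID that follows the version DWORD in every DPAPI blob; its little-endian
# byte form (D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB) is the usual signature.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
ALG_NAMES = {0x6603: "3DES", 0x6610: "AES-256", 0x8004: "SHA1", 0x800E: "SHA-512"}

def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4

def _counted(buf, off):
    """DWORD length followed by that many bytes (description, salt, keys, data, MAC)."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated DPAPI blob")
    return buf[off:off + n], off + n

def parse_dpapi_blob(buf):
    """Walk the DPAPI_BLOB header; nothing is decrypted, so no masterkey is needed."""
    version, off = _u32(buf, 0)
    if version != 1 or buf[off:off + 16] != DPAPI_PROVIDER.bytes_le:
        raise ValueError("not a DPAPI blob")
    _mk_version, off = _u32(buf, off + 16)
    mk_guid, off = uuid.UUID(bytes_le=buf[off:off + 16]), off + 16   # masterkey needed
    _flags, off = _u32(buf, off)
    description, off = _counted(buf, off)                             # UTF-16LE, NUL-ended
    crypt_alg, _crypt_bits = struct.unpack_from("<II", buf, off)      # CALG_* id, key bits
    salt, off = _counted(buf, off + 8)
    _hmac_key, off = _counted(buf, off)                               # typically empty
    hash_alg, _hash_bits = struct.unpack_from("<II", buf, off)
    _hmac2_key, off = _counted(buf, off + 8)
    data, off = _counted(buf, off)                                    # ciphertext
    sign, off = _counted(buf, off)                                    # HMAC over the blob
    return {"masterkey_guid": str(mk_guid),
            "description": description.decode("utf-16-le").rstrip("\x00"),
            "crypt_alg": ALG_NAMES.get(crypt_alg, hex(crypt_alg)),
            "hash_alg": ALG_NAMES.get(hash_alg, hex(hash_alg)),
            "salt_len": len(salt), "data_len": len(data), "mac_len": len(sign)}

def _field(b):
    return struct.pack("<I", len(b)) + b

# Constructed sample, not captured from a real host: real DPAPI_BLOB layout, dummy contents.
SAMPLE_BLOB = (struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le + struct.pack("<I", 1)
               + uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le
               + struct.pack("<I", 0) + _field("demo\x00".encode("utf-16-le"))
               + struct.pack("<II", 0x6610, 256) + _field(b"\x11" * 32) + _field(b"")
               + struct.pack("<II", 0x800E, 512) + _field(b"")
               + _field(b"\x22" * 48) + _field(b"\x33" * 64))
```

The masterkey GUID in the output is the file name under the user's or machine's Protect directory that the tool must obtain before the blob can be decrypted, which is why remote triage has to fetch masterkeys first.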
Installation
sudo apt install python3-dploot
Flags
Examples
dploot -h
dploot backupkey
dploot blob
dploot browser
dploot certificates
dploot credentials
dploot masterkeys
dploot triage