DPAPI Decryption Toolkit
$149.99
Decryption of data protected by the Windows Data Protection API (DPAPI):
- Master Key Extraction — Extracts DPAPI master keys from LSASS memory (mimikatz dpapi::masterkey) or from the master key files on disk using the domain backup key.
- Credential Decryption — Decrypts Windows Credential Manager entries (both generic and domain credentials) stored in the user profile Credentials directory.
- Browser Data — Decrypts Chrome, Edge, and Brave saved passwords, cookies, and credit card data that are encrypted with DPAPI under the user context.
- Certificate Private Keys — Extracts and decrypts private keys from user certificate stores protected by DPAPI, enabling certificate-based authentication impersonation.
- Domain Backup Key — Uses the domain DPAPI backup key (extractable by Domain Admins) to decrypt any user master key in the domain without needing individual user passwords.
- Offline Mode — Processes extracted DPAPI blobs and master key files offline from a forensic image, without requiring access to the live system.