How Hackers Steal Windows Passwords with DPAPI, Mimikatz, and Other Tools

By /

How Hackers Steal Windows Passwords Using DPAPI, Mimikatz, and Other Tools

Password theft remains one of the most common attack techniques used by threat actors. Modern malware and penetration testing tools exploit Windows Data Protection API (DPAPI), credential storage locations, and post-exploitation frameworks to extract saved credentials. This guide explains how these techniques work, provides PowerShell examples, and highlights the real tools attackers use. (Windows password stealing)

Windows password stealing

How Windows Stores Passwords with DPAPI

Windows uses the Data Protection API (DPAPI) to encrypt and store sensitive information such as:

  • Saved browser passwords
  • RDP credentials
  • Wi-Fi keys
  • Application secrets

DPAPI uses two encryption scopes:

  • Current User — tied to the logged-in user account
  • Local Machine — tied to the host system

Encryption relies on master keys stored under the user’s AppData directory:

%APPDATA%\Microsoft\Protect\<SID>\

These master keys are further protected using the user’s Windows login password.

PowerShell Example: Encrypting and Decrypting Passwords with DPAPI

Here’s how DPAPI can be invoked directly in PowerShell:

# Store a sample password
$Password = "Hunter2"

# Convert to bytes
$PlainBytes = [System.Text.Encoding]::UTF8.GetBytes($Password)

# Define scope (Current User)
$Scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

# Encrypt the password
$Encrypted = [System.Security.Cryptography.ProtectedData]::Protect($PlainBytes, $null, $Scope)

# Decrypt the password
$DecryptedBytes = [System.Security.Cryptography.ProtectedData]::Unprotect($Encrypted, $null, $Scope)
$Decrypted = [System.Text.Encoding]::UTF8.GetString($DecryptedBytes)

Write-Output $Decrypted  # Returns "Hunter2"

This is the same process used by Windows internally when saving credentials.

For Linux users exploring penetration testing, see the Essential Linux Commands Guide.

Tools Hackers Use to Extract Passwords

1. Mimikatz

  • Developed by Benjamin Delpy.
  • Extracts plaintext passwords, hashes, PINs, and Kerberos tickets.
  • Provides modules for working with DPAPI blobs and Chrome/Edge saved passwords.
  • Signature-heavy—detected by most antivirus solutions.
  • Mimikatz on GitHub

2. SharpDPAPI

  • A C# port of Mimikatz DPAPI functions.
  • Runs entirely in memory—useful for red teams inside Cobalt Strike or Havoc.
  • Extracts machine keys, browser credentials, and secrets.
  • SpecterOps GhostPack Collection

3. DPLoot

  • Python rewrite of SharpDPAPI.
  • Works remotely or locally.
  • Useful for Linux attackers pivoting into Windows environments.
  • DPLoot on GitHub

4. LaZagne

  • Open-source post-exploitation tool.
  • Dumps passwords from browsers, mail clients, Wi-Fi profiles, and databases.
  • Supported on Windows, Linux, and macOS.
  • LaZagne GitHub Repository

5. NirSoft Tools

  • Includes WebBrowserPassView, MailPassView, WirelessKeyView.
  • Extracts browser logins, Outlook keys, RDP passwords, and Wi-Fi profiles.
  • Widely abused in malware campaigns.
  • NirSoft Official Website

Real-World Example: Extracting Brave Browser Passwords

Browsers like Chrome, Edge, and Brave use DPAPI to protect saved credentials. Attackers can extract keys from the Local State file and decrypt stored logins.

PowerShell to Get Encrypted Key:

$LocalStatePath = "$env:LOCALAPPDATA\BraveSoftware\Brave-Browser\User Data\Local State"
$Key = (Get-Content $LocalStatePath | ConvertFrom-Json).os_crypt.encrypted_key
[System.Convert]::FromBase64String($Key) | Format-Hex

Mimikatz or SharpDPAPI can then use this key to decrypt stored login credentials from the Login Data SQLite database.

Threat Actors Using These Techniques

According to the MITRE ATT&CK Framework, several groups use password extraction tools:

  • APT33 — Uses LaZagne to dump stored credentials.
  • Wizard Spider — Employs Mimikatz in ransomware operations.
  • OilRig and MuddyWater — Target government and financial organizations with credential theft.
  • DarkGate Malware — Uses NirSoft NetPass to recover RDP passwords.

Defensive Strategies

Organizations should harden systems against these attacks by:

  • Enforcing multi-factor authentication (MFA).
  • Using credential guard and disabling LSA secrets dumping.
  • Deploying endpoint detection and response (EDR) to flag tools like Mimikatz.
  • Regularly scanning for compromised passwords in Active Directory.

Key Takeaways

  • Windows DPAPI protects local credentials but can be abused if attackers gain access.
  • Tools like Mimikatz, SharpDPAPI, and LaZagne remain core to both attackers and penetration testers.
  • Real malware campaigns use off-the-shelf utilities from NirSoft and GitHub repositories.
  • Strong defenses require MFA, monitoring, and proactive password protection.

Read how attackers use fake prompts in Fake CAPTCHAs in 2025.

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top