The dpapi module extracts SCCM-related secrets stored in DPAPI (Data Protection API) encrypted blobs on remote Windows systems. This technique recovers sensitive information including Network Access Account credentials, task sequence variables, and other SCCM secrets stored locally on client systems.
DPAPI secrets are stored both in the WMI repository and on disk in OBJECTS.DATA files. This module can extract from both locations, providing comprehensive secret recovery capabilities.

Attack Overview

The DPAPI extraction process works by:
  1. Remote Authentication: Establishing connection with local administrator credentials
  2. Secret Location: Identifying DPAPI blobs in WMI repository and/or disk storage
  3. DPAPI Decryption: Using system privileges to decrypt the protected data
  4. Credential Extraction: Parsing and extracting SCCM secrets from decrypted blobs
This attack requires local administrator privileges on the target system. DPAPI secrets are machine-specific and can only be decrypted on the system where they were created.

DPAPI Storage Locations

SCCM Secret Storage Methods

SCCM stores encrypted secrets in two primary locations:
  • WMI Repository: Active secrets stored in the WMI database (-wmi flag)
  • Disk Storage: Historical and cached secrets in OBJECTS.DATA files (-disk flag)
  • Combined Approach: Both locations for comprehensive extraction (-both flag)

Prerequisites

Requirements

  • Valid local administrator credentials for the target system
  • Network connectivity to the target Windows machine
  • Target system running SCCM client with stored secrets
  • SMB/WMI access to the remote system (ports 135, 445)

Command Syntax

python3 sccmhunter.py dpapi [OPTIONS]

Parameters

| Parameter | Description | Example |
| --- | --- | --- |
| -u | Username for authentication | domainadmin |
| -target | Target hostname or IP address | workstation.ludus.domain |
| -p | Password for authentication | password |
| -d | Target domain name | ludus.domain |
| -dc-ip | Domain controller IP or FQDN | 10.10.100.100 |
| -hashes | NT:LM hash for authentication | aad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 |
| -k | Use Kerberos authentication | |
| -no-pass | Don't prompt for password | |
| -aesKey | AES key for Kerberos (128/256 bits) | |

| Parameter | Description | Use Case |
| --- | --- | --- |
| -wmi | Extract from WMI repository | Active secrets currently in use |
| -disk | Extract from OBJECTS.DATA files | Historical/cached secrets |
| -both | Extract from both WMI and disk | Comprehensive secret recovery |
| -debug | Enable verbose logging | Troubleshooting and detailed output |
| -impacket-debug | Enable Impacket logging | Network protocol debugging |
Use -both for the most comprehensive extraction, as it combines both WMI and disk methods to recover all available SCCM secrets from the target system.

Usage Examples

Extract active SCCM secrets from the WMI repository
python3 sccmhunter.py dpapi -u domainadmin -p password -d ludus.domain -target workstation.ludus.domain -wmi
Expected Output:
[13:09:04] INFO     [*] Starting SCCM secrets extraction via WMI

[13:09:04] INFO     [+] Found NAA credentials
[13:09:05] INFO     [!] LSA hashes extraction failed: 'HashRecords'
[13:09:05] INFO             - NetworkAccessUsername: ludus\sccm_naa
[13:09:05] INFO             - NetworkAccessPassword: Password123
[13:09:06] INFO     [+] Found Task Sequence
[13:09:06] INFO             - Task Sequence: <sequence version="3.10"/>
[13:09:06] INFO             - Task Sequence: <sequence version="3.10"/>
[13:09:06] INFO             - Task Sequence: <sequence version="3.10"/>
[13:09:06] INFO             - Task Sequence: <sequence version="3.10"/>

[13:09:06] INFO     [*] WMI SCCM secrets dump complete
WMI extraction recovers currently active Network Access Account credentials and task sequence variables stored in the WMI repository. This method is faster but may miss historical secrets.
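The output above is what an assessor has to turn into a finding, and a report should not carry the recovered password in clear. The following parser, an added example that is not part of SCCMHunter, reads the module's log format shown above, pulls out the NAA account, the task sequence entries and any `[!]` warnings, and records the password only as a masked value plus its length. The sample text is a constructed copy of the output above; the line layout it assumes is `[HH:MM:SS] LEVEL  body`, with key/value details prefixed by `- `.

```python
import re

# Constructed sample in the shape of the module's WMI output shown above.
SAMPLE_OUTPUT = """\
[13:09:04] INFO     [*] Starting SCCM secrets extraction via WMI
[13:09:04] INFO     [+] Found NAA credentials
[13:09:05] INFO     [!] LSA hashes extraction failed: 'HashRecords'
[13:09:05] INFO             - NetworkAccessUsername: ludus\\sccm_naa
[13:09:05] INFO             - NetworkAccessPassword: Password123
[13:09:06] INFO     [+] Found Task Sequence
[13:09:06] INFO             - Task Sequence: <sequence version="3.10"/>
[13:09:06] INFO             - Task Sequence: <sequence version="3.10"/>
[13:09:06] INFO     [*] WMI SCCM secrets dump complete
"""

# "[13:09:04] INFO     <body>" -> timestamp and the message body after the level.
LINE_RE = re.compile(r"^\[(?P<time>\d{2}:\d{2}:\d{2})\]\s+\w+\s+(?P<body>.*)$")
# "- Key: value" detail lines emitted under a "[+] Found ..." header.
KV_RE = re.compile(r"^-\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


def mask(secret, keep=2):
    """Keep the first `keep` characters so a reader can match the value
    against a password policy, and star out the rest."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def parse_output(text):
    """Turn the module's log text into a report-safe findings dict."""
    findings = {"naa": {}, "task_sequences": [], "warnings": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and anything not in the log format
        body = m.group("body").strip()
        if body.startswith("[!]"):
            findings["warnings"].append(body[3:].strip())
            continue
        kv = KV_RE.match(body)
        if not kv:
            continue  # "[*]" status and "[+]" header lines carry no value
        key, value = kv.group("key").strip(), kv.group("value").strip()
        if key == "NetworkAccessUsername":
            findings["naa"]["username"] = value
        elif key == "NetworkAccessPassword":
            # Never store the clear-text secret in the findings structure.
            findings["naa"]["password_masked"] = mask(value)
            findings["naa"]["password_length"] = len(value)
        elif key == "Task Sequence":
            findings["task_sequences"].append(value)
    return findings


if __name__ == "__main__":
    print(parse_output(SAMPLE_OUTPUT))
```

The task sequence lines are kept verbatim because the XML fragment itself carries no secret in this output; if a variable dump did, it would need the same masking treatment as the password.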
Extract secrets from OBJECTS.DATA files on disk for comprehensive recovery
python3 sccmhunter.py dpapi -u domainadmin -p password -d ludus.domain -target workstation.ludus.domain -disk
Use Case: This method accesses potentially changed or deleted secrets that may no longer be available in the WMI repository but are cached in disk storage.
Disk extraction may take longer as it processes OBJECTS.DATA files, but it can recover historical secrets that are no longer active in WMI.
Combine WMI and disk extraction for maximum secret recovery
python3 sccmhunter.py dpapi -u domainadmin -p password -d ludus.domain -target workstation.ludus.domain -both
Benefits:
  • Recovers all active secrets from WMI repository
  • Extracts historical/cached secrets from disk storage
  • Provides the most complete picture of SCCM secrets on the target system
  • Identifies secrets that may have been rotated or updated
The combined approach is recommended for thorough assessments, as it ensures no SCCM secrets are missed during the extraction process.

Understanding Extracted Secrets

Types of SCCM Secrets Recovered

The DPAPI extraction can reveal several categories of sensitive information:
  • Network Access Account (NAA) Credentials: Domain account used for content access
  • Task Sequence Variables: Custom variables containing passwords and configuration data
  • Collection Variables: Site-specific variables with embedded credentials
  • Application Deployment Secrets: Credentials used for software installation
  • LSA Secrets: Additional system-level credentials (when available)

WMI vs Disk Extraction

WMI Repository:
  • Currently active secrets
  • Faster extraction process
  • Real-time SCCM configuration
  • May miss historical data
Disk Storage (OBJECTS.DATA):
  • Historical and cached secrets
  • Potentially deleted/rotated credentials
  • Comprehensive secret archive
  • Slower but more thorough

Operational Security

Detection Considerations:
  • Requires local admin access (high privilege)
  • WMI queries may be logged
  • File system access creates audit trails
  • Network authentication generates logs
  • Consider timing and stealth requirements
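The footprint listed above (a privileged network logon, WMI access and file reads on the client) is what a defender can correlate. The following rules, an added example that is not part of SCCMHunter, run over constructed Windows Security events with simplified field names: 4624 (logon, type 3 = network) and 4663 (object access). Two things are assumed: a SACL on the WMI repository file so that 4663 is produced at all, and a hypothetical policy list of privileged accounts and approved administrative source hosts (the `PRIVILEGED_ACCOUNTS` and `APPROVED_ADMIN_SOURCES` sets, constructed here). The file rule covers the disk path; the source-host rule covers the WMI path, where the repository is read locally by the WMI service and no 4663 is attributed to the remote user.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, modelled on Security log records with field
# names simplified (4624 = account logon, 4663 = object access attempt).
SAMPLE_EVENTS = [
    # Network logon by a privileged account from an unexpected host, followed
    # by a read of the WMI repository file a few seconds later.
    {"id": 4624, "time": "2024-05-01T13:08:59", "host": "WORKSTATION",
     "user": "LUDUS\\domainadmin", "logon_type": 3, "src_ip": "10.10.100.50"},
    {"id": 4663, "time": "2024-05-01T13:09:03", "host": "WORKSTATION",
     "user": "LUDUS\\domainadmin", "access": "ReadData",
     "object": r"C:\Windows\System32\wbem\Repository\OBJECTS.DATA"},
    # Benign: interactive logon and an ordinary file read by a standard user.
    {"id": 4624, "time": "2024-05-01T09:00:00", "host": "WORKSTATION",
     "user": "LUDUS\\jdoe", "logon_type": 2, "src_ip": "-"},
    {"id": 4663, "time": "2024-05-01T09:00:10", "host": "WORKSTATION",
     "user": "LUDUS\\jdoe", "access": "ReadData",
     "object": r"C:\Users\jdoe\Documents\notes.txt"},
    # Benign: the admin connecting over the network from the approved jump host.
    {"id": 4624, "time": "2024-05-01T10:30:00", "host": "WORKSTATION",
     "user": "LUDUS\\domainadmin", "logon_type": 3, "src_ip": "10.10.100.10"},
    # A repository read with no network logon by that account in the window
    # (local SYSTEM activity) must not fire the correlation rule.
    {"id": 4663, "time": "2024-05-01T11:45:00", "host": "WORKSTATION",
     "user": "NT AUTHORITY\\SYSTEM", "access": "ReadData",
     "object": r"C:\Windows\System32\wbem\Repository\OBJECTS.DATA"},
]

NETWORK_LOGON = 3                      # logon type 3: SMB, WMI/DCOM, etc.
WMI_REPOSITORY_FILE = "objects.data"   # the WMI repository store on disk
CORRELATION_WINDOW = timedelta(minutes=10)

# Hypothetical policy data for this example.
PRIVILEGED_ACCOUNTS = {"ludus\\domainadmin"}
APPROVED_ADMIN_SOURCES = {"10.10.100.10"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def repository_reads_after_network_logon(events, window=CORRELATION_WINDOW):
    """Flag reads of OBJECTS.DATA that follow a network logon by the same
    account on the same host within `window`. Needs a SACL on the file."""
    logons = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == NETWORK_LOGON:
            logons[(e["host"], e["user"].lower())].append(e)

    alerts = []
    for e in events:
        if e["id"] != 4663:
            continue
        if not e["object"].lower().endswith(WMI_REPOSITORY_FILE):
            continue
        for logon in logons.get((e["host"], e["user"].lower()), []):
            delta = _ts(e) - _ts(logon)
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "rule": "wmi-repository-read-after-network-logon",
                    "host": e["host"], "user": e["user"],
                    "src_ip": logon["src_ip"],
                    "seconds_after_logon": int(delta.total_seconds()),
                })
                break  # one alert per read is enough
    return alerts


def privileged_logons_from_unexpected_sources(events,
                                              privileged=PRIVILEGED_ACCOUNTS,
                                              approved=APPROVED_ADMIN_SOURCES):
    """Flag network logons by privileged accounts from hosts outside the
    approved administrative set; this is the signal for the WMI path."""
    return [
        {"rule": "privileged-network-logon-unexpected-source",
         "host": e["host"], "user": e["user"], "src_ip": e["src_ip"]}
        for e in events
        if e["id"] == 4624 and e.get("logon_type") == NETWORK_LOGON
        and e["user"].lower() in privileged and e["src_ip"] not in approved
    ]


def run_rules(events):
    return (repository_reads_after_network_logon(events)
            + privileged_logons_from_unexpected_sources(events))


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Both rules are deliberately narrow: the first keys on the exact file the disk method touches, the second on where administrators are allowed to authenticate from. Tune the window and the approved-source set to the environment; a jump-host allow list that is too wide turns the second rule off for exactly the accounts that matter.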

Target Selection Strategy

High-Value DPAPI Targets:
  • Workstations with frequent task sequences: Systems that regularly receive OS deployments
  • Administrative workstations: Systems used by SCCM administrators
  • Development/testing machines: Often contain additional variables and secrets
  • Systems with custom applications: May have deployment-specific credentials
  • Long-running systems: More likely to have cached historical secrets
Target Identification:
  • Use smb profiling to identify SCCM clients
  • Target systems with recent SCCM activity
  • Focus on high-privilege user workstations
  • Consider systems in different site codes for broader coverage

Troubleshooting and Error Handling

Authentication Failures:
  • Verify local administrator privileges on target
  • Check network connectivity and firewall rules
  • Confirm WMI/SMB service availability
LSA Hashes Extraction Failed:
  • Normal behavior in many environments
  • Focus on recovered NAA credentials and task sequences
  • Not critical for overall secret extraction success
No Secrets Found:
  • Target may not be an active SCCM client
  • Try different extraction methods (-wmi, -disk, -both)
  • Verify SCCM client installation and configuration

Next Steps

Credential Utilization

Use Extracted Secrets For:
  • SMB share enumeration with NAA credentials
  • Lateral movement with discovered accounts
  • Additional SCCM infrastructure access
  • Privilege escalation opportunities

Persistence

Maintain Access:
  • Document all extracted credentials
  • Test credential validity across environment
  • Identify additional target systems
  • Establish persistent access methods

Coverage Expansion

Broaden Assessment:
  • Target multiple workstations for comprehensive coverage
  • Extract from different SCCM sites
  • Combine with other SCCMHunter modules
  • Build complete credential database

Integration with Other Modules

SCCMHunter Workflow Integration

The DPAPI module complements other SCCMHunter capabilities:
  1. Start with find: Discover SCCM infrastructure
  2. Profile with smb: Identify potential DPAPI targets
  3. Extract credentials via http: Get initial Network Access Account
  4. Use DPAPI extraction: Recover additional secrets from client systems
  5. Escalate with mssql: Leverage credentials for privilege escalation