CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 15, 2026

DPAPISnoop Tool Extracts CREDHIST Hashes for Offline Windows Credential Recovery

Cybersecurity News Archived Jun 15, 2026 ✓ Full text saved

The open-source DPAPISnoop tool has been enhanced to extract CREDHIST entries, enabling offline cracking of historical Windows credentials and deeper insight into password patterns. Lefteris Panos, Security Consultant at LRQA Red Team, said the update adds CREDHIST extraction capabilities to DPAPISnoop, enabling the recovery and analysis of historical Windows credentials alongside DPAPI Master Key hashes. […] The post DPAPISnoop Tool Extracts CREDHIST Hashes for Offline Windows Credential Recove

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News DPAPISnoop Tool Extracts CREDHIST Hashes for Offline Windows Credential Recovery By Abinaya June 15, 2026 The open-source DPAPISnoop tool has been enhanced to extract CREDHIST entries, enabling offline cracking of historical Windows credentials and deeper insight into password patterns. Lefteris Panos, Security Consultant at LRQA Red Team, said the update adds CREDHIST extraction capabilities to DPAPISnoop, enabling the recovery and analysis of historical Windows credentials alongside DPAPI Master Key hashes. Microsoft’s Data Protection API (DPAPI) is widely used to protect sensitive user data such as browser credentials, encryption keys, and stored secrets. Traditionally, attackers and red teamers focus on recovering DPAPI Master Keys, which allow the decryption of protected data. However, another lesser-explored artifact, CREDHIST, plays a critical role in DPAPI’s design. DPAPISnoop Tool Extracts When a user changes their password, Windows maintains a chain of previous password-derived keys to ensure older encrypted data remains accessible. Access to a user’s CREDHIST entries ( source : lrqa ) This credential history is stored in the CREDHIST file located under: %APPDATA%\Microsoft\Protect. Each entry in the file represents a previous password, encrypted using key material derived from that password, forming a sequential chain. According to Lefteris Panos at LRQA Red Team, the updated DPAPISnoop tool can parse CREDHIST files and convert entries into offline-crackable hash formats. These hashes, identified by the “$credhist$” prefix, can be used directly with Hashcat. To support this, researchers introduced two new Hashcat modes: 1. 15920 for CREDHIST entries using 3DES with HMAC-SHA1. 2. 15930 for entries using AES-256 with SHA-512. This allows attackers or testers to brute-force historical password entries independently, without needing to decrypt the entire DPAPI key upfront. Once hashes are extracted, they can be cracked offline using GPU-based tools like Hashcat. If a password is recovered, it can be fed back into DPAPISnoop to decrypt additional entries in the chain. For example, cracking a mid-chain CREDHIST entry reveals the SHA1 or NTLM hash of an older password, which can then be used to unlock further entries. This iterative process allows reconstruction of a user’s password history. The tool outputs a hash that can be cracked offline ( source : lrqa ) Notably, older entries often use weaker cryptographic schemes, such as SHA1-based PBKDF2 with 3DES, making them significantly easier to crack than modern SHA-512 implementations with higher iteration counts. While this behavior is not a vulnerability, it highlights how legitimate Windows features can be leveraged to obtain credentials when attackers gain filesystem access. The ability to recover historical passwords provides valuable intelligence, including: Identification of password reuse patterns. Insight into password complexity trends. Potential reuse across enterprise systems. This can significantly accelerate lateral movement and privilege escalation in real-world attacks. Detection and Mitigation Defenders should monitor for abnormal access to DPAPI-related paths, particularly: %APPDATA%\Microsoft\Protect\CREDHIST. User-specific DPAPI directories. Remote access via SMB or administrative shares. Security tools such as Sigma and Elastic already provide detection rules for suspicious access to credential history files. The key challenge is distinguishing normal DPAPI activity from anomalous file access patterns. Organizations are advised to enforce strong password policies, limit local file access, and monitor endpoint activity for unusual credential-related behavior. The research by Lefteris Panos highlights how revisiting well-known mechanisms like DPAPI can still uncover new offensive opportunities, reinforcing the importance of continuous research in Windows credential security. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Microsoft Outlook and Word Vulnerabilities Allow Attackers to Execute Malicious Code Fancy Bear Hackers Abuse EdgeRouters and Cloud Services to Launch Stealthy Cyberattacks SAP Security Patch Day – Critical Vulnerabilities in SAP NetWeaver Patched SearchJack Campaign Uses 23 Chrome Extensions to Hijack Searches of 758,000 Users OpenClaw AI Agent Leaks Sensitive Credentials in New Phishing Attack Simulation Latest News AI Anthropic Updated Privacy Policy to Include Identity Verification for Claude Users Cyber Security News Critical Microsoft 365 Copilot Vulnerability Allows Attackers to Steal Data in One Click Cyber Security News Hackers Use Microsoft Graph Reconnaissance to Target Payroll and HR Employees Cyber Security News China-Nexus Hackers Use Backdoored PAM Modules for Credential Theft and Authentication Bypass Cyber Security News SearchJack Campaign Uses 23 Chrome Extensions to Hijack Searches of 758,000 Users
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 15, 2026
    Archived
    Jun 15, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗