
@cube0x0
Created November 4, 2019 14:59
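function Get-DPAPIBlobs {
<#
.SYNOPSIS
Enumerate DPAPI blobs and masterkeys
.DESCRIPTION
Lists the hidden files in each user profile's Local and Roaming
Microsoft\Credentials directory (under C:\users) and in the system profile's
Local Microsoft\Credentials directory, then reads a few header fields from
each file:
  - bytes 36-51 : 16-byte GUID, reported as Masterkey
  - bytes 56-59 : 32-bit length of the description, in bytes
  - byte  60... : description text, decoded as UTF-16LE
Only these header fields are read; nothing is decrypted.
.OUTPUTS
One PSCustomObject per blob with Directory, name, Description, Masterkey,
CreationTime, LastAccessTime and SizeKB.
.NOTES
Author: Cube0x0
License: BSD 3-Clause

Directories that cannot be listed are skipped silently (-ErrorAction
SilentlyContinue), so an empty result does not prove that no blobs exist;
run with -Verbose to see per-blob parse failures.
LastAccessTime is whatever the filesystem reports; last-access updates are
often disabled on NTFS, so treat it as a hint rather than evidence.
For monitoring: a single process listing the Credentials directories of many
profiles is the access pattern this function produces, and file-access
auditing on those directories will surface it.
#>
    [CmdletBinding()]
    Param()

    # Header layout assumed by this parser (offsets are from the start of the file).
    $masterKeyOffset  = 36
    $descLengthOffset = 56
    $descOffset       = 60

    # Collect pipeline output directly instead of "$blobs += ...": a listing that
    # returns nothing then contributes no element, rather than possibly a $null one.
    $blobs = @(
        foreach ($user in ((Get-ChildItem C:\users).FullName)) {
            try {
                # -Hidden (the original used its alias -h) returns only hidden items.
                Get-ChildItem $user\AppData\Local\Microsoft\Credentials\ -Hidden -ErrorAction SilentlyContinue
                Get-ChildItem $user\AppData\Roaming\Microsoft\Credentials\ -Hidden -ErrorAction SilentlyContinue
            } catch {
                # Reached only for terminating errors; non-terminating ones
                # (missing directory, access denied) are suppressed above.
                Write-Verbose "Access Denied $user"
            }
        }
        try {
            Get-ChildItem $env:SystemRoot\System32\config\systemprofile\AppData\Local\Microsoft\Credentials -Hidden -ErrorAction SilentlyContinue
        } catch {
            Write-Verbose "Failed accessing System DPAPI"
        }
    )

    foreach ($blob in $blobs) {
        try {
            $bytes = [System.IO.File]::ReadAllBytes($blob.FullName)

            # Validate before slicing: indexing past the end of a PowerShell array
            # yields $null instead of failing, which would otherwise be parsed as zeros.
            if ($bytes.Length -lt $descOffset) {
                throw "file too short for header ($($bytes.Length) bytes)"
            }

            # The length is read from the file itself, so bound it by what is really there.
            $descLength = [BitConverter]::ToInt32($bytes, $descLengthOffset)
            if ($descLength -lt 0 -or $descLength -gt ($bytes.Length - $descOffset)) {
                throw "description length $descLength is outside the file"
            }

            # NOTE(review): the length may include a trailing NUL terminator - confirm;
            # the string is left untrimmed so the output matches earlier versions.
            $desc = [System.Text.Encoding]::Unicode.GetString($bytes, $descOffset, $descLength)

            [byte[]]$Masterkeybytes = $bytes[$masterKeyOffset..($masterKeyOffset + 15)]
            [string]$Masterkey = [guid]::new($Masterkeybytes)

            [pscustomobject]@{
                Directory      = $blob.Directory
                name           = $blob.name
                Description    = $desc.Replace([environment]::NewLine, '')
                Masterkey      = $Masterkey
                CreationTime   = $blob.CreationTime
                LastAccessTime = $blob.LastAccessTime
                SizeKB         = [math]::Round($blob.length / 1kb)
            }
        } catch {
            # $( ) is required here: "$blob.fullname" would expand $blob and then
            # append the literal text ".fullname".
            Write-Verbose "Failed enumerating blob $($blob.FullName): $($_.Exception.Message)"
        }
    }
}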