blob
dpapi::blob describes a DPAPI blob and unprotects (decrypts) it using either the CryptUnprotectData API or a masterkey. It has the following command line arguments:
  • /in: the path to the blob file
  • /raw: the blob data in raw format
  • /out: the path to save the results
  • /ascii: the blob data in ASCII format
  • /password: the password to decrypt the blob
  • /unprotect: displays the decryption results on screen
  • /masterkey: the masterkey to use for decryption. It can be obtained through sekurlsa::dpapi.
mimikatz # dpapi::blob /in:dpapi_blob.txt /unprotect
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {5c22983f-77ee-41e4-9086-8073d664e417}
dwFlags : 00000000 - 0 ()
dwDescriptionLen : 00000002 - 2
szDescription :
algCrypt : 00006603 - 26115 (CALG_3DES)
dwAlgCryptLen : 000000c0 - 192
dwSaltLen : 00000010 - 16
pbSalt : 6bccc6a1e6ba8ae74d99fc0801bdc502
dwHmacKeyLen : 00000000 - 0
pbHmackKey :
algHash : 00008004 - 32772 (CALG_SHA1)
dwAlgHashLen : 000000a0 - 160
dwHmac2KeyLen : 00000010 - 16
pbHmack2Key : 2a31aa666d7a0efb8b140df7709d0814
dwDataLen : 00000020 - 32
pbData : 679f2ed4ef2829dd49f94fb46ebd575b7d545a92d762bbedbf384eece6a69599
dwSignLen : 00000014 - 20
pbSign : e57681477a7407acceb724c385243070cc7aa6ba

* using CryptUnprotectData API
description :
data: Hello Mimikatz
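The header fields in the output above can be read without decrypting anything, which is enough for triage: guidMasterKey identifies the masterkey the blob depends on. The following parser is an added example, not mimikatz code; `Reader`, `parse_dpapi_blob` and `build_sample` are hypothetical names. It assumes the fields are serialized little-endian in the order printed, each variable-length field preceded by its DWORD length, and the sample bytes are constructed from the values shown above rather than taken from a captured file.

```python
import struct
import uuid

class Reader:  # little-endian cursor over the blob bytes
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError(f"blob truncated at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def dword(self):
        return struct.unpack("<I", self.take(4))[0]
    def guid(self):
        return str(uuid.UUID(bytes_le=self.take(16)))
    def sized(self):
        return self.take(self.dword())  # DWORD length, then that many bytes

def parse_dpapi_blob(data):
    """Split a blob into the fields dpapi::blob prints; nothing is decrypted."""
    r, b = Reader(data), {}
    b["dwVersion"], b["guidProvider"] = r.dword(), r.guid()
    b["dwMasterKeyVersion"], b["guidMasterKey"] = r.dword(), r.guid()
    b["dwFlags"] = r.dword()
    b["szDescription"] = r.sized().decode("utf-16-le").rstrip("\x00")
    b["algCrypt"], b["dwAlgCryptLen"] = r.dword(), r.dword()
    b["pbSalt"], b["pbHmackKey"] = r.sized(), r.sized()
    b["algHash"], b["dwAlgHashLen"] = r.dword(), r.dword()
    b["pbHmack2Key"], b["pbData"], b["pbSign"] = r.sized(), r.sized(), r.sized()
    if r.pos != len(data):
        raise ValueError("trailing bytes after pbSign")
    return b

def build_sample():
    """Constructed input: the field values printed above, re-serialized (assumed layout)."""
    d = lambda n: struct.pack("<I", n)
    s = lambda h: d(len(h) // 2) + bytes.fromhex(h)
    g = lambda t: uuid.UUID(t).bytes_le
    return (d(1) + g("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
            + d(1) + g("5c22983f-77ee-41e4-9086-8073d664e417")
            + d(0) + d(2) + b"\x00\x00" + d(0x6603) + d(0xC0)
            + s("6bccc6a1e6ba8ae74d99fc0801bdc502") + s("") + d(0x8004) + d(0xA0)
            + s("2a31aa666d7a0efb8b140df7709d0814")
            + s("679f2ed4ef2829dd49f94fb46ebd575b7d545a92d762bbedbf384eece6a69599")
            + s("e57681477a7407acceb724c385243070cc7aa6ba"))

if __name__ == "__main__":
    for k, v in parse_dpapi_blob(build_sample()).items():
        print(f"{k:20}: {v.hex() if isinstance(v, bytes) else v}")
```

A truncated or padded input raises `ValueError` instead of returning partially filled fields.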