masterkey
dpapi::masterkey describes a Masterkey file and unprotects each Masterkey (key depending). In other words, it can decrypt and request masterkeys from active directory (cf. dumping DPAPI secrets). It has the following command line arguments:
/in: The path of the masterkey. The masterkeys are stored atC:\Users\<UserName>\AppData\Roaming\Microsoft\Protect\<SID>\<MasterKey>/dc: the target domain controller/rpc: it can be used to remotely decrypt the masterkey of the target user by contacting the domain controller.According to Benjamin, in a domain, a domain controller runs an RPC Service to deal with encrypted masterkeys for users, MS-BKRP (Backupkey Remote Protocol)./sid: the target user's Security Identifier/pvk: the path to the private key file. It can be obtained throughlsadump::backupkeys /export./hash: the SHA1 hash of the target user's password. It can be found throughsekurlsa::logonpasswords./system: The DPAPI_SYSTEM key. It can be found through
lsadump::secrets./domain: the target active directory domain/password: the target user's password/protected: it defines the user account as a protected one
The dpapi::cred can also display the masterkey location through the guidMasterKey value.
The following examples were taken from Benjamin's howto ~ credential manager saved credentials guide.
Last updated