ps
dpapi::ps decrypts PowerShell credentials (PSCredentials or SecureString). It has the following command line arguments:
  • /in: the PowerShell credentials .xml file
  • /password: the password to use to decrypt the PSCredentials
  • /masterkey: the masterkey to use for decryption. It can be obtained through sekurlsa::dpapi.
  • /unprotect: displays the decryption results on screen
1
mimikatz # dpapi::ps /in:ps_cred.xml /unprotect
2
UserName: hacklab\m3g9tr0n
3
Password: **BLOB**
4
dwVersion : 00000001 - 1
5
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
6
dwMasterKeyVersion : 00000001 - 1
7
guidMasterKey : {5c22983f-77ee-41e4-9086-8073d664e417}
8
dwFlags : 00000000 - 0 ()
9
dwDescriptionLen : 00000002 - 2
10
szDescription :
11
algCrypt : 00006603 - 26115 (CALG_3DES)
12
dwAlgCryptLen : 000000c0 - 192
13
dwSaltLen : 00000010 - 16
14
pbSalt : ec2c6882a6414dbc02ef9635b417b405
15
dwHmacKeyLen : 00000000 - 0
16
pbHmackKey :
17
algHash : 00008004 - 32772 (CALG_SHA1)
18
dwAlgHashLen : 000000a0 - 160
19
dwHmac2KeyLen : 00000010 - 16
20
pbHmack2Key : fdf9251a5503f367cab65c6b13888556
21
dwDataLen : 00000018 - 24
22
pbData : 4dad0233039bd9a634fd1dc4ec89b1a83d0f000da752076c
23
dwSignLen : 00000014 - 20
24
pbSign : 2a8cd7071815f88bbb469b2839c52530baa1dd45
25
โ€‹
26
* using CryptUnprotectData API
27
>> cleartext: Super_SecretPass1!
Copied!
In the example above, the .xml PSCredential file for decryption was previously created by the same user, hence the absence of the /password or /masterkey argument, which would be needed when attempting to decrypt .xml PSCredentials of a different user.
Last modified 6mo ago
Copy link