live dpapi keys command
skelsec edited this page Apr 14, 2021 · 1 revision
Extracts all possible keys from the live system that can be used to decrypt DPAPI-protected secrets.
The goal of this command is to collect the keys into files that the "normal" DPAPI commands can then use to decrypt whatever you need, offline.
The results are printed to the command line OR written to two separate files (one for prekeys, one for masterkeys). Please use the -o switch!
This takes a long time. It extracts the keys from the lsass process and the registry, then searches for masterkey files on the filesystem and decrypts them.
- Administrator privileges
None
- `-o` : Writes the keys to two files with the given basename
- `--method` : Select where you wish to acquire keys from. Default: all
- `pypykatz live dpapi keys -o keys` : Get all DPAPI keys and store them in two files; their names will start with keys_