
dpapi prekey command

skelsec edited this page Apr 13, 2021 · 3 revisions

What it does

Generates the pre-keys (candidate decryption keys) that are needed to decrypt a user's or the machine's masterkey file. The key derivation can start from the user's *password* + SID, from the user's *NT* hash + SID, or from the offline *registry* hive files, hence the three subcommands.

Remarks

For a given credential there are three possible pre-keys: one derived from the SHA1 hash of the password and two derived from the NT hash (one a plain HMAC, one run through PBKDF2 first). The two NT-hash-based candidates can therefore be produced without knowing the plaintext password, but which candidate actually decrypts a masterkey depends on the Windows version and account that created it, so the NT-hash-only pair is not guaranteed to succeed for every masterkey. Try all available candidates against the masterkey file rather than assuming one.

Requirements

The user's SID and either the plaintext password or the NT hash. For the registry subcommand only the hive files (SYSTEM, SAM, SECURITY) are needed.

Subcommands

  • password : Takes the user's SID (S-1-5-...) and plaintext password and generates all three prekey candidates.
  • nt : Takes the user's SID and NT hash and generates the two candidates that do not require the plaintext password.
  • registry : Takes the SYSTEM, SAM and SECURITY hive files and yields the prekeys for the machine account (the NT AUTHORITY\SYSTEM user), which are stored as LSA secrets and need the bootkey from SYSTEM to decrypt.

Switches

  • -o <file>: Writes the generated prekeys to a text file so they can be reused later (for example when decrypting masterkey files) instead of only printing them.

Examples

  • pypykatz dpapi prekey password 'S-1-5-21-3448413973-1765323015-1500960949-1105' 'Passw0rd!1': Generates all three prekeys from the user's SID and plaintext password.
  • pypykatz dpapi prekey nt 'S-1-5-21-3448413973-1765323015-1500960949-1105' f8963568a1ec62a3161d9d6449baba93: Generates two of the three possible prekeys from the user's SID and NT hash.
  • pypykatz dpapi prekey registry SYSTEM.reg SAM.reg SECURITY.reg: Parses the offline registry hives and extracts the machine account prekeys stored there.