Protect folder is not containing any master key #328
Comments
Hello: Open a cmd and do cd "%appdata%/microsoft/protect" and look into protect and inside the S-I-D folder.
I am running Windows 10, I have tried your suggestion. Thanks!!
However despite the previous unlocked issue I face the following:
I thought then to proceed to look at mimikatz for this scenario so as to recover the file but:
Is there any hope I will ever fix this problem? I am not sure if the password was different when encrypting the file and if this is the issue now. I used Proactive Password Recovery from Elcomsoft to see if using the hash it finds for the user works but no joy. Thanks for any help
Hello: https://tinyapps.org/docs/decrypt-efs-without-cert-backup.html Look in Closed issues, there's some related to this.
Hi Papotito, I used the same exact article to resolve my issue. What is the exact syntax for the command you suggested above? Thanks
Hello:
dpapi::credhist /in:"path_to\CREDHIST" /hash:actual_user_password_SHA1 /unprotect
To understand the CREDHIST process, Erwan, the dev of NTHASH-fpc, is doing some work. Also can use Credhistview from Nirsoft.
Hello:
dpapi::credhist /in:"%appdata%\Microsoft\Protect\CREDHIST" /password:user_passw /unprotect
dpapi::credhist /in:"%appdata%\Microsoft\Protect\CREDHIST" /hash:user_passw SHA1 /unprotect
It shows only the following: CREDHIST I am on Windows 10, not joined to any domain. Is this related to password policies like not using the recent n passwords?
When I follow the article of Erwan http://labalec.fr/erwan/?p=2314 I get in the end the following: NTHASH-win64.exe /decodecredhist /binary:[reducted]\credhist /input:[hidden] /key:1 but I do not get the SHA and NTLM values as shown in the article (i.e. SHA1:2277C28035275149D01A8DE530CC13B74F59EDFB
Hello: If you run this command without the /key: switch you can see the different entries in CREDHIST, so you get the number of old passwords saved. This process has a logical order because the latest entry will be decoded with the user's latest password.
It does not change a thing, I do not even know what the salt is and why the SID is a blob of strings... NTHASH-win64.exe nthash-win64 /decodecredhist /binary:.credhist /input:[obfuscated] /key:0
Hello: Out of respect for both devs, you should post NTHASH questions on the NTHASH-fpc site.
Papotito, I am respecting all devs; in fact I posted here as I started the journey with mimikatz, but since it was a dead end and you redirected me to NTHASH I kept posting here to keep the thread consistent, with a beginning and an end. That's the reason. However, even following your last suggestion does not change a thing. Same result as the previous, with the addition that now the command does not return after showing the psecret and gets stuck there until I do a CTRL+C to break the execution.
Hello: Copy Sam, security, system, software files from config/system32. Put sam.hiv/system.hiv in same folder as mimikatz.exe. mimikatz.exe > privilege::debug > log lsadump::sam /system:SYSTEM.hiv /SAM:SAM.hiv From here you will get NTLM hashes.
Hello,
I followed the instructions of the how-to, but in my case within the Protect folder, in the SID folder, I do not find anything; it is empty.
Even if I create a new EFS certificate nothing lands in the folder.
I am using EFS on Windows 10, not joined to any domain.
Any inputs?
Thanks
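
Added example, not part of the original issue or of mimikatz: a PowerShell check for the empty-looking SID folder described above. DPAPI master key files carry the Hidden and System attributes, so a plain listing can show nothing; this sketch lists them with -Force and marks the key named in the Preferred file. It assumes it is run as the affected user.

```powershell
# Added example, not from the thread. Lists DPAPI master key files for the
# current user, including ones hidden from Explorer and a plain `dir`.
$protect = Join-Path $env:APPDATA 'Microsoft\Protect'
$guidRe  = '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'

if (-not (Test-Path -LiteralPath $protect)) {
    Write-Warning "No Protect folder at $protect"
    return
}

# CREDHIST sits directly under Protect, next to the per-user SID folders.
$credhist = Get-Item -LiteralPath (Join-Path $protect 'CREDHIST') -Force -ErrorAction SilentlyContinue
if ($credhist) { "CREDHIST: {0} bytes, attributes {1}" -f $credhist.Length, $credhist.Attributes }

$sidDirs = Get-ChildItem -LiteralPath $protect -Directory -Force | Where-Object Name -like 'S-1-5-*'
foreach ($sidDir in $sidDirs) {
    "SID folder: $($sidDir.Name)"
    # -Force is the important part: without it Hidden/System files are skipped.
    $files = Get-ChildItem -LiteralPath $sidDir.FullName -File -Force
    $keys  = $files | Where-Object Name -match $guidRe
    if (-not $keys) { "  no master key files found"; continue }

    # 'Preferred' starts with the 16-byte GUID of the master key in current use.
    $preferred = $null
    $prefFile  = $files | Where-Object Name -eq 'Preferred'
    if ($prefFile) {
        $bytes = [System.IO.File]::ReadAllBytes($prefFile.FullName)
        if ($bytes.Length -ge 16) { $preferred = ([guid]::new([byte[]]$bytes[0..15])).ToString() }
    }
    foreach ($k in ($keys | Sort-Object LastWriteTime)) {
        $mark = if ($k.Name -eq $preferred) { '*' } else { ' ' }
        "  {0} {1}  {2:yyyy-MM-dd}  {3}" -f $mark, $k.Name, $k.LastWriteTime, $k.Attributes
    }
}
```

From cmd, `dir /a` inside the SID folder gives the same visibility without the Preferred lookup.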