dpapi masterkey v2 (15900) on Domain joined Win10 #3189
Comments
Example:
Then we execute hashcat:
We see that hashcat failed to compute the password.
As I understand it, hashcat doesn't support the so-called "context=3" for MasterKey DPAPI blob encryption. In your example you have: $DPAPImk$1"3"... - it means that you have version=1 and context=3.
@virusvfv, whether it's simple or not, can you share the password? I'd like to avoid wasting time searching for it. Thanks :) edit: found another example online, I don't need your password anymore
15910 done
@virusvfv could you try with your hash to see if it works correctly? Thanks
@matrix Yes. It works for my password! Great!
When I try to brute-force the masterkey of a domain-joined Windows 10 machine, I get an "Exhausted" message from hashcat.
So hashcat can't find the correct password.
This is because (I suppose) hashcat does not compute the pre-key for masterkeys correctly.
With domain-joined Win10 there are additional PBKDF rounds for the password, as we can see in DPAPImk2john.py:

```python
# Excerpt from a method in DPAPImk2john.py (fragment, not stand-alone)
if context == "domain1607-" or context == "domain":
    # Try the plain NT hash, MD4(UTF-16LE(password)), first
    self.decryptWithHash(userSID, hashlib.new("md4", pwd.encode('UTF-16LE')).digest())
    if self.decrypted:
        print("Decrypted succesfully as domain1607-")
        return

if context == "domain1607+" or context == "domain":
    # domain windows 10
    SIDenc = userSID.encode("UTF-16LE")
    NTLMhash = hashlib.new("md4", pwd.encode('UTF-16LE')).digest()
    # Two PBKDF2-SHA256 passes salted with the UTF-16LE SID: 10000 rounds, then 1
    derived = pbkdf2(NTLMhash, SIDenc, 32, 10000, digest='sha256')
    derived = pbkdf2(derived, SIDenc, 16, 1, digest='sha256')
    self.decryptWithHash(userSID, derived)
```

To reproduce this, you can just extract the hash from a domain-joined Win10 masterkey with DPAPImk2john.py and give this hash to hashcat...
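The two derivations quoted in the issue, written as a stand-alone added example (not code from hashcat or DPAPImk2john.py) to show that the same password yields a different value for `decryptWithHash` in each context, which is why a tool implementing only the first one reports "Exhausted". Assumptions: the function names are hypothetical, `pbkdf2` in the snippet is taken to be standard PBKDF2-HMAC, and the NT hash and SID are constructed sample values.

```python
import hashlib


def dpapi_prekey_input(nt_hash: bytes, user_sid: str, context: str) -> bytes:
    """Return the value the quoted snippet passes to decryptWithHash().

    nt_hash is MD4(UTF-16LE(password)). It is taken as input because many
    OpenSSL 3 builds no longer expose MD4 through hashlib.new("md4").
    """
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    if context == "domain1607-":
        # First branch of the snippet: the NT hash is used unchanged.
        return nt_hash
    if context == "domain1607+":
        # Second branch ("domain windows 10"): two PBKDF2-SHA256 passes,
        # both salted with the UTF-16LE encoding of the user SID.
        sid_enc = user_sid.encode("utf-16-le")
        step1 = hashlib.pbkdf2_hmac("sha256", nt_hash, sid_enc, 10000, dklen=32)
        return hashlib.pbkdf2_hmac("sha256", step1, sid_enc, 1, dklen=16)
    raise ValueError(f"unsupported context: {context!r}")


def candidate_keys(nt_hash: bytes, user_sid: str):
    """Mirror context == "domain": both derivations, in the snippet's order."""
    return [(ctx, dpapi_prekey_input(nt_hash, user_sid, ctx))
            for ctx in ("domain1607-", "domain1607+")]


# Constructed sample values (assumptions, not taken from the issue).
SAMPLE_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # "password"
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"

if __name__ == "__main__":
    for ctx, key in candidate_keys(SAMPLE_NT_HASH, SAMPLE_SID):
        print(f"{ctx:12s} {key.hex()}")
```

The 10000-round pass also makes each guess against a "domain1607+" masterkey far more expensive than against the older context.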