live dpapi keys command

What it does

Extracts all possible keys from the live system which can be used to decrypt DPAPI protected secrets.
The goal of this command is to get the keys stored in a file which can be used by the 'normal' DPAPI commands to decrypt whatever. The results will be printed to the command line OR written to two separate files (one for prekeys one for masterkeys)

Remarks

Please use the -o switch!
This takes a long time.
It extracts the keys from the lsass process and the registry then searches masterkey files on the filesystem and decrypts them.

Requirements

Administrator privileges

Subcommands

None

Switches

-o: Writes the keys to two files with the given basename
--method : Select where you wish to acquire keys from. Default: all

Examples

pypykatz live dpapi keys -o keys: Get all DPAPI keys and store them in two files, their name will be starting with keys_

Home

Wiki

Live commands

lsa
kerberos
- currentluid
- roast
- tgt
- apreq
- purge
- sessions
- dump
- triage
smbapi
- share
- session
- localgroup
users
token
process
dpapi
- keys
- vpol
- vcred
- cred
- blob
- blobfile
- securestring
- securestringfile
- wifi
smb
- client
- shareenum
- lsassdump
- regdump
- dcsync
- secretsdump
ldap
- client

Platform-independent commands

lsa
- minidump
registry
crypto
- nt
- lm
- dcc
- dcc2
- gppass
kerberos
- tgt
- tgs
- brute
- asreproast
- spnroast (aka. kerberoast)
- s4u
- keytab
- kirbi
- ccache
  - list
  - del
  - roast
  - loadkirbi
  - exportkirbi
dpapi
- prekey
- minidump
- masterkey
- blob
- securestring
- credential
- vpol
- vcred
smb
- client
- lsassfile
- lsassdump
- regfile
- regdump
- dcsync
- secretsdump
- shareenum
ldap
- client

ConnectionURL

ConnectionURL

Provide feedback

Saved searches

Use saved searches to filter your results more quickly