[BUG] /ntlm switch not working correctly

Open 0xShkk opened this issue 6 months ago • 0 comments

Using the /ntlm switch, it is not possible to decrypt the user's masterkey, while on the same system, with the same user and the same credentials, it is possible with the cleartext password using the /password switch.

SharpDPAPI.exe masterkeys /password:ActivatorVisel

  __                 _   _       _ ___ 
 (_  |_   _. ._ ._  | \ |_) /\  |_) |  
 __) | | (_| |  |_) |_/ |  /--\ |  _|_ 
                |                      
  v1.12.0                               


[*] Action: User DPAPI Masterkey File Triage

[*] Found MasterKey : C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-34994094-1847292267-723168731-500\d8377558-8284-494f-a0aa-4b62e8f072b7

[*] Preferred master keys:

C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-34994094-1847292267-723168731-500:d8377558-8284-494f-a0aa-4b62e8f072b7

[*] User master key cache:

{d8377558-8284-494f-a0aa-4b62e8f072b7}:06D3269D3E6FA6D90291C8772B548D46A7CBCCE0

SharpDPAPI completed in 00:00:00.2418325

SharpDPAPI.exe masterkeys /ntlm:9CDD174A8CCF28AD8DE61701C58AE077

  __                 _   _       _ ___ 
 (_  |_   _. ._ ._  | \ |_) /\  |_) |  
 __) | | (_| |  |_) |_/ |  /--\ |  _|_ 
                |                      
  v1.12.0                               


[*] Action: User DPAPI Masterkey File Triage

[*] Found MasterKey : C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-34994094-1847292267-723168731-500\d8377558-8284-494f-a0aa-4b62e8f072b7

[*] Preferred master keys:

C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-34994094-1847292267-723168731-500:d8377558-8284-494f-a0aa-4b62e8f072b7

[!] No master keys decrypted!

SharpDPAPI completed in 00:00:00.2446776

0xShkk, Jul 16 '25 08:07