4-Save the hexa string to a file<\/p>\n
echo hexastring| nthash-win64 \/hexatofile<\/strong><\/p>\n or … steps 2,3 and 4 can be done in one go (pipe in…pipe out…) like below<\/p>\n echo base64string| nthash-win64 \/base64decodehexa | nthash-win64 \/hexatofile <\/strong><\/p>\n 5-Retrieve the mk guid 6-Retrieve the dpapy system key<\/p>\n nthash-win64 \/dumpsecret \/input:dpapi_system \/mode:machine \/offline<\/strong> 7-Decrypt the (encrypted) masterkey<\/p>\n echo mydpapisyskey| nthash-win64 \/decodemk \/binary:c:\\Windows\\System32\\Microsoft\\ProtectS-1-5-18\\90d6942d-4f31-4638-b756-d11efa906e52<\/strong><\/p>\n 8-Finally, decrypt the dpapi blob<\/p>\n echo mymksha1key| nthash-win64 \/decodeblob<\/strong><\/p>\n or … steps 6,7 and 8 can be done in one go like below<\/p>\n NTHASH-win64.exe \/dumpsecret \/input:dpapi_system \/mode:machine \/offline | nthash-win64 \/decodemk \/binary:C:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\90d6942d-4f31-4638-b756-d11efa906e52 | nthash-win64 \/decodeblob<\/strong><\/p>\n Note that, online, any user logged on that machine, could simple do the below<\/p>\n echo base64string| nthash-win64 \/base64decodehexa | NTHASH-win64 \/cryptunprotectdata<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":" We now know that dpapi secrets are everywhere stored in various ways. Lets have a look at the popular vpn client : NordVPN. NordVPN stores its secrets (username\/password) on a config file (xml format) and is using a machine scope (not good if you ask me…). Lets see how to decrypt it. 1-Retrieve nordvpn user.config […]<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[118],"tags":[],"class_list":["post-2288","post","type-post","status-publish","format-standard","hentry","category-nthash","category-118-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2288","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2288"}],"version-history":[{"count":8,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2288\/revisions"}],"predecessor-version":[{"id":2335,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2288\/revisions\/2335"}],"wp:attachment":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2288"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2288"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2288"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nnthash-win64 \/decodeblob <\/strong><\/p>\n![\"\"](\"https:\/\/imgur.com\/PGZqpa4.png\")
<\/p>\n
\n(if machine key does not work, try user key)<\/p>\n![\"\"](\"https:\/\/imgur.com\/CsqmObd.png\")
<\/p>\n