Hello. Is it possible that pypykatz can't decode files from the identity cache?

My command:

```
pypykatz dpapi blob C:\Users\<user>\mkf.json C:\Users\<user>\AppData\Local\Microsoft\IdentityCache\1\UD\u_441G1KG8SN3V2EP7\e_C2GK9UTC67FSUCG3\AT\r_74DB6FURNR2TGPBK\c_CIKANBVJ4RSF161D.bin
```

Result:

```
Traceback (most recent call last):
  File "C:\Users\docker\AppData\Local\Programs\Python\Python310\lib\runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "C:\Users\docker\AppData\Local\Programs\Python\Python310\lib\runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "C:\Users\docker\AppData\Local\Programs\Python\Python310\Scripts\pypykatz.exe\__main__.py", line 7, in <module>
  File "C:\Users\docker\AppData\Local\Programs\Python\Python310\lib\site-packages\pypykatz\__main__.py", line 89, in main
    helper.execute(args)
  File "C:\Users\docker\AppData\Local\Programs\Python\Python310\lib\site-packages\pypykatz\dpapi\cmdhelper.py", line 151, in execute
    self.run(args)
  File "C:\Users\docker\AppData\Local\Programs\Python\Python310\lib\site-packages\pypykatz\dpapi\cmdhelper.py", line 277, in run
    dec_sec = dpapi.decrypt_securestring_file(args.blob)
  File "C:\Users\docker\AppData\Local\Programs\Python\Python310\lib\site-packages\pypykatz\dpapi\dpapi.py", line 562, in decrypt_securestring_file
    data = f.read()
  File "C:\Users\docker\AppData\Local\Programs\Python\Python310\lib\encodings\cp1252.py", line 23, in decode
    return codecs.charmap_decode(input,self.errors,decoding_table)[0]
UnicodeDecodeError: 'charmap' codec can't decode byte 0x9d in position 6: character maps to <undefined>
```

For some reason pypykatz is unable to read the file, but mimikatz did just fine and got me everything without any error.

Also, if I use credential instead of blob it fails with "No matching masterkey was found for the blob". However, the masterkey is correct.

```
pypykatz dpapi credential C:\Users\docker\master.json C:\Users\docker\AppData\Local\Microsoft\IdentityCache\1\UD\u_441G1KG8SN3V2EP7\e_C2GK9UTC67FSUCG3\Accounts\r_74DB6FURNR2TGPBK.bin
```
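
The byte and offset in the traceback match the fixed DPAPI blob header: version 1 followed by the provider GUID, whose third byte 0x9d sits at offset 6 and has no mapping in cp1252. The following is an added example, not code from this issue or from pypykatz; it reproduces that text-mode failure and then reads the file as bytes, accepting either a raw blob or hex text. `text_mode_failure` and `load_dpapi_blob` are hypothetical helper names, and the sample blob is constructed.

```python
import binascii
import os
import tempfile

# Fixed start of a DPAPI blob: dwVersion = 1, then the provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb in its on-disk byte order.
DPAPI_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

def text_mode_failure(path):
    """Read the file the way the traceback does: text mode, cp1252 codec."""
    try:
        with open(path, "r", encoding="cp1252") as f:
            f.read()
    except UnicodeDecodeError as e:
        return e.start, e.object[e.start]   # (offset, offending byte)
    return None

def load_dpapi_blob(path):
    """Return raw blob bytes from a raw binary file or a hex-text file."""
    with open(path, "rb") as f:             # bytes in, no codec involved
        data = f.read()
    if data.startswith(DPAPI_MAGIC):        # already a raw blob
        return data
    try:
        decoded = binascii.unhexlify(data.strip())
    except binascii.Error:
        raise ValueError("file is neither a raw nor a hex-encoded DPAPI blob")
    if not decoded.startswith(DPAPI_MAGIC):
        raise ValueError("hex text does not decode to a DPAPI blob")
    return decoded

def demo():
    # Constructed sample: real header followed by placeholder bytes.
    sample = DPAPI_MAGIC + bytes(range(16))
    with tempfile.TemporaryDirectory() as d:
        raw_path = os.path.join(d, "raw.bin")
        hex_path = os.path.join(d, "hex.txt")
        with open(raw_path, "wb") as f:
            f.write(sample)
        with open(hex_path, "w") as f:
            f.write(sample.hex() + "\n")
        return (text_mode_failure(raw_path),
                load_dpapi_blob(raw_path) == sample,
                load_dpapi_blob(hex_path) == sample)

if __name__ == "__main__":
    print(demo())
```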