gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

Windows 7 Decrypt EFS file : Decrypt Masterkey through Credhist #277

Closed zousar09 closed 4 years ago

zousar09 commented 4 years ago

After losing all hope of decrypting some files (which were encrypted by mistake by me, so I don't care about the PFX file at this moment), as the famous answer for any similar case says "If you don't have a copy of the certificate then your files are forever lost", I found the Gentil Kiwi way to create a new certificate by using Mimikatz. Following the recovery steps, I'm blocked on decrypting the "masterkey": the folder Microsoft\Protect\SID that should contain the masterkey files is empty! In this case, can I apply any workaround to get or create the masterkey file?

PS: the certificate appears through mmc with a private key, but I can't export it as PFX, only as .cer or .p7b. Also, when I try to select the certificate through "manage EFS certificate", I get an error: "select certificate key not valid for use in specified state". I think some files have been deleted and the EFS chain has been broken; this is why, even though the certificate appears, I can't open the EFS-encrypted file on my current session account. Is there any hope to create the PFX and try to decrypt these files on another user account?

[screenshot]

[screenshot]

Regards.

Papotito123 commented 4 years ago

Hello: You can retrieve files from restore point.

https://www.nirsoft.net/utils/shadow_copy_view.html

zousar09 commented 4 years ago

Thank you Papotito123 for your feedback. Now I can copy the masterkey file properly. However, the current password of the user is not the same as when the file was created. I tried to get the old SHA1 through Credhist; the issue is that the password has been changed many times and sometimes manually reset by the Administrator. So when I try with "dpapi::credhist /in" I get the following (please see below) without decrypting any old hashes:

[screenshot] [screenshot]

Is there any way to unlock this case?

Papotito123 commented 4 years ago

Hello: I'm not an expert/IT/coder, I'm just an enthusiast. Make a copy of this mkey and save it. Then put a copy where it should be. Maybe use the shadow tool and grab SAM, SYSTEM, SECURITY from a date close to this masterkey (the mkey has 90 days of validity). Then run lsadump::sam on these hives and grab the NTLM, and then use some tools to crack the password (maybe you have a hint or idea, or use online crackers if the password could be short and trivial). Or with SharpDPAPI (it can be compiled), you can run it in user context and run the "sharpdpapi masterkey" or "sharpdpapi credentials" commands to see if there's something of use. Try mounting a VSS point close to the mkey used and run recAll 19.05 toward this mounted folder.

zousar09 commented 4 years ago

Thank you again for your feedback. Unfortunately, I don't have an old restore point to apply your good idea. Can I still have any hope for my case?

Papotito123 commented 4 years ago

Hello; if you used shadow copy, there should be some restore point, because that's what the tool reads. But maybe not too old. But you can use a data recovery program.

Or read this: https://tinyapps.org/docs/decrypt-efs-without-cert-backup.html

zousar09 commented 4 years ago

Hello Papotito123, unfortunately I don't have any old restore point for a good exploration; however, with some advice from Gentil Kiwi, my Mkey has been decrypted with its linked Windows user password.

Thank you for your feedback above on my case :)

Papotito123 commented 4 years ago

Hello: @zousar09, glad you finally got it resolved. But I'm curious about how you decrypted the recovered Mkey, because you didn't know the password. If, after changing the user password, you go back to an old password, then the mkey encrypted with this old "again set" password will be decrypted again. Of course, doing it on the same machine.

Some explanation will be much of help and appreciated.