external help file: DSInternals.PowerShell.dll-Help.xml
Module Name: DSInternals
online version: https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Get-DpapiNgSidKeyIdentifier.md
schema: 2.0.0

Get-DpapiNgSidKeyIdentifier

SYNOPSIS

Parses a SID-protected DPAPI-NG KeyId blob.

SYNTAX

Get-DpapiNgSidKeyIdentifier [-Blob] <Byte[]> [<CommonParameters>]

DESCRIPTION

This cmdlet parses a DPAPI-NG Protection Key Identifier (a blob with the KDSK magic) and returns a ProtectionKeyIdentifier object. Such blobs are emitted by the Windows DPAPI-NG implementation when data is protected with a SID-based protection descriptor (for example SID=S-1-5-21-...), and they can be observed in the KeyId field of Microsoft-Windows-Crypto-NCrypt events. They identify the KDS root key (RootKeyId) and the L0/L1/L2 key cycle from which the group key was derived, together with the forest and domain the key belongs to.

The Blob parameter accepts either a byte array or a hexadecimal string, so the KeyId value can be copied from a Microsoft-Windows-Crypto-NCrypt event as-is.

EXAMPLES

Example 1

PS C:\> Get-DpapiNgSidKeyIdentifier -Blob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

<# Sample Output:
RootKeyId  : 1c556b71-ed22-c45f-723c-ddbe199f6824
ForestName : contoso.com
DomainName : contoso.com
L0KeyId    : 364
L1KeyId    : 4
L2KeyId    : 28
PublicKey  : 444850420001000087a8e61db4b6663cffbbd19c651959998ceef608660dd0f25d2ceed4435e3b00e00df8f1d61957d4faf7df4561b2aa3016c3d91134096faa3bf4296d830e9a7c209e0c6497517abd5a8a9d306bcf67ed91f9e6725b4758c022e0b1ef4275bf7b6c5bfc11d45f9088b941f54eb1e59bb8bc39a0bf12307f5c
             4fdb70c581b23f76b63acae1caa6b7902d52526735488a0ef13c6d9a51bfa4ab3ad8347796524d8ef6a167b5a41825d967e144e5140564251ccacb83e6b486f6b3ca3f7971506026c0b857f689962856ded4010abd0be621c3a3960a54e710c375f26375d7014103a4b54330c198af126116d2276e11715f693877fad7ef09ca
             db094ae91e1a15973fb32c9b73134d0b2e77506660edbd484ca7b18f21ef205407f4793a1a0ba12510dbc15077be463fff4fed4aac0bb555be3a6c1b0c6b47b1bc3773bf7e8c6f62901228f8c28cbb18a55ae31341000a650196f931c77a57f2ddf463e5e9ec144b777de62aaab8a8628ac376d282d6ed3864e67982428ebc83
             1d14348f6f2f9193b5045af2767164e1dfc967c1fb3f2e55a4bd1bffe83b9c80d052b985d182ea0adb2a3b7313d3fe14c8484b1e052588b9b7d2bbd2df016199ecd06e1557cd0915b3353bbb64e0ec377fd028370df92b52c7891428cdc67eb6184b523d1db246c32f63078490f00ef8d647d148d47954515e2327cfef98c582
             664b4c0f6cc4165948fbf0376ebe9b8eaf89ccbbbb12b32f06c4ef6cde6c927ca76ce8d110e922dfb6ef69c06dc5dd08641620224667cb8ab891cc36b38e32c720b60005bf742de5a8f1287bd60c9a4ce091ca8873a3538951a268c7e3aa968c2281bad68571dfef17ec474be8c7cd7d1bf251cc3a51270d18e8b3227e59dcc0
             fe6f45fce66fe0838df0e14b9ddf9f2621f39aede5a5e982e8ce4d74b64d046c22f7b40c825cacb41c73e1943e6b3f10bbf3cd9a659351c94658ceb54835d81f36734494a7ec768ba3c1478bb5fcacd60f415e61588925047c45a0b9e7cdb96da3fe0199cbcf7fc89b5d503413ab31411f4769ffb47ccb498f5b89b947b01ff9
             0a48ac12b5658ea1
Flags      : PublicAsymmetricKey, SymmetricKey
#>

Parses an asymmetric (Diffie-Hellman) KDSK Protection Key Identifier. The PublicAsymmetricKey flag indicates that the envelope carries a group public key, returned as PublicKey. In the output above, the value is a BCRYPT_DH_PUBLIC_KEY_BLOB: it starts with the magic 'DHPB' (0x42504844) and cbKey = 0x100, i.e. a 2048-bit key, followed by the modulus, the generator and the public value, each 256 bytes long. The modulus (87a8e61d...) and generator (3fb32c9b...) are the RFC 5114 2048-bit MODP group parameters used by KDS. SymmetricKey indicates that the derived key may be used for both encryption and decryption.
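The following script is an added example and is not part of the DSInternals documentation or module source. It pulls KeyId values out of Microsoft-Windows-Crypto-NCrypt events, parses each one with Get-DpapiNgSidKeyIdentifier, and reports which KDS root keys and key cycles the observed SID-protected blobs were derived from. It goes one step beyond the page by mapping the L0/L1/L2 indices to the UTC time window of the key cycle, using the MS-GKDI cycle lengths (one L2 cycle is 360,000,000,000 FILETIME ticks, i.e. 10 hours; 32 L2 cycles make an L1 cycle; 32 L1 cycles make an L0 cycle). Assumptions: the DSInternals module is installed; the log name Microsoft-Windows-Crypto-NCrypt/Operational and the EventData field name KeyId are inferred from the cmdlet description and should be confirmed against a real event; the helper function names (Get-KdsKeyCycleWindow, Resolve-DpapiNgSidKeyId, Get-NCryptKeyId) are the example's own.

```powershell
# Added example; not part of the DSInternals documentation or module source.
# Assumptions: the DSInternals module is installed; the event log name
# 'Microsoft-Windows-Crypto-NCrypt/Operational' and the EventData field name
# 'KeyId' are inferred from the cmdlet description and should be checked against
# a real event; the Flags/PublicKey property names are those shown in Example 1.
Import-Module DSInternals

function Get-KdsKeyCycleWindow {
    # Converts L0/L1/L2 indices into the UTC window of the KDS key cycle they name.
    # MS-GKDI defines one L2 cycle as 360,000,000,000 FILETIME ticks (10 hours),
    # an L1 cycle as 32 L2 cycles and an L0 cycle as 32 L1 cycles, all counted
    # from 1601-01-01 00:00 UTC (the FILETIME epoch).
    param(
        [Parameter(Mandatory)] [int] $L0,
        [Parameter(Mandatory)] [int] $L1,
        [Parameter(Mandatory)] [int] $L2
    )
    [int64] $ticksPerL2Cycle = 360000000000
    [int64] $l2CycleIndex    = (([int64] $L0 * 32 + $L1) * 32) + $L2
    $start = [DateTime]::FromFileTimeUtc($l2CycleIndex * $ticksPerL2Cycle)
    [pscustomobject] @{ Start = $start; End = $start.AddHours(10) }
}

function Resolve-DpapiNgSidKeyId {
    # Parses one KeyId (hex string or byte[], as the -Blob parameter accepts both)
    # and flattens the result for reporting.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $KeyId,
        [string] $Source = 'manual'
    )
    process {
        try {
            $parsed = Get-DpapiNgSidKeyIdentifier -Blob $KeyId -ErrorAction Stop
        }
        catch {
            # Blobs that are not KDSK identifiers (wrong magic, truncated) end up here.
            Write-Warning "Skipping KeyId from ${Source}: $($_.Exception.Message)"
            return
        }
        $window = Get-KdsKeyCycleWindow -L0 $parsed.L0KeyId -L1 $parsed.L1KeyId -L2 $parsed.L2KeyId
        [pscustomobject] @{
            Source       = $Source
            RootKeyId    = $parsed.RootKeyId
            Forest       = $parsed.ForestName
            Domain       = $parsed.DomainName
            KeyCycle     = '{0}/{1}/{2}' -f $parsed.L0KeyId, $parsed.L1KeyId, $parsed.L2KeyId
            CycleStart   = $window.Start
            CycleEnd     = $window.End
            HasPublicKey = [bool] ("$($parsed.Flags)" -match 'PublicAsymmetricKey')
        }
    }
}

function Get-NCryptKeyId {
    # Extracts KeyId values from NCrypt events; events without a KeyId field are dropped.
    param([int] $MaxEvents = 500)
    Get-WinEvent -LogName 'Microsoft-Windows-Crypto-NCrypt/Operational' -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $xml   = [xml] $_.ToXml()
            $field = @(@($xml.Event.EventData.Data) | Where-Object { $_.Name -eq 'KeyId' -and $_.'#text' })
            if ($field.Count -gt 0) {
                [pscustomobject] @{
                    Source = 'Event {0} at {1:u}' -f $_.Id, $_.TimeCreated.ToUniversalTime()
                    KeyId  = $field[0].'#text'
                }
            }
        }
}

# Usage: show which KDS root keys and key cycles the observed SID-protected blobs
# were derived from, with the time window each cycle covers.
Get-NCryptKeyId |
    ForEach-Object { Resolve-DpapiNgSidKeyId -KeyId $_.KeyId -Source $_.Source } |
    Group-Object RootKeyId, KeyCycle |
    Select-Object Count, Name,
        @{ Name = 'CycleStart';   Expression = { $_.Group[0].CycleStart } },
        @{ Name = 'HasPublicKey'; Expression = { $_.Group[0].HasPublicKey } } |
    Format-Table -AutoSize
```

A single KeyId copied from an event can also be fed in directly as a hex string (`'<hex>' | Resolve-DpapiNgSidKeyId`). Comparing the reported RootKeyId values against the root keys present in the forest (Get-ADReplKdsRootKey, Get-ADDBKdsRootKey or Get-ADSIKdsRootKey) shows whether a blob was protected with a root key that still exists, and the cycle window tells when the protecting group key was current.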

PARAMETERS

-Blob

Specifies the DPAPI-NG Protection Key Identifier as a byte array or a hexadecimal string.

Type: Byte[]
Parameter Sets: (All)
Aliases: KeyId, ProtectionKeyIdentifier, KeyIdentifier

Required: True
Position: 0
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

System.Byte[]

OUTPUTS

DSInternals.Common.Data.ProtectionKeyIdentifier

NOTES

Alias: Get-CngDpapiSidKeyIdentifier

RELATED LINKS

Get-DpapiNgData

Get-ADDBKdsRootKey

Get-ADReplKdsRootKey

Get-ADSIKdsRootKey