Skip to content

ERROR mimikatz_doLocal ; "cipher" command of "standard" module not found ! #353

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
phlave opened this issue Jun 22, 2021 · 5 comments
Open

ERROR mimikatz_doLocal ; "cipher" command of "standard" module not found ! #353

phlave opened this issue Jun 22, 2021 · 5 comments

Comments

@phlave
Copy link

phlave commented Jun 22, 2021
edited
Loading

Hi, I'm trying to follow a couple of guides on how to restore some encrypted data from before reinstalling Windows
(https://tinyapps.org/docs/decrypt-efs-without-cert-backup.html; https://github.com/gentilkiwi/mimikatz/wiki/howto-%7E-decrypt-EFS-files)
but I am running into a problem at the first step: when I input the line with > cipher /c I get this error:

#ERROR mimikatz_doLocal ; "cipher" command of "standard" module not found !

Being at my absolute first time trying this, I am using the release version of Mimikatz, and to be sure I tried a couple of those, since they have different names and I am not sure what they do specifically. Is there a specific version I should get to make this work?

Thanks in advance for your time.
@Beercow
Copy link

Beercow commented Jun 22, 2021

cipher is a Windows command line utility.
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cipher

@phlave
Copy link
Author

phlave commented Jun 23, 2021

Thanks for your reply.
So, do I need to use that line in cmd and then import the results in mimikatz?

@Beercow
Copy link

Beercow commented Jun 23, 2021

Yes. You need the certificate thumbprint to export the certificate and public key with mimikatz.

@phlave
Copy link
Author

phlave commented Jun 23, 2021

Ok, so, the command in cmd didn't work, but I was able to input the certificate thumbprint by hand and export it.

Now, some steps later, I'm trying to decrypt my masterkey. Problem is: I don't exactly remember which of my passwords I used to use on my old local account, but none of my passwords seem to work.

I always end up with "ERROR kuhl_m_dpapi_masterkey ; kull_m_dpapi_unprotect_masterkey_with_password"

Let me ask something, though. I'm following this guide https://github.com/gentilkiwi/mimikatz/wiki/howto-%7E-decrypt-EFS-files because I formatted my pc and reinstalled Windows without remembering to decrypt a couple of folders, so I'm using certificates from the Windows.old folder. Is it possible it lacks important data for this process? For example, the SID folder inside Protect is empty.

I'm getting kinda resigned for none of this to work. Should I just quit and stop wasting time?

Thanks again for the reply.

@ashepp
Copy link

ashepp commented Aug 30, 2021

I'm experiencing a similar situation to @phlave and wondering if there's any additional guidance to help with retrieving a local accounts password. I've tried all the options I think are viable and get the same error.
"ERROR kuhl_m_dpapi_masterkey ; kull_m_dpapi_unprotect_masterkey_with_password"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Beercow @ashepp @phlave