DonPAPI/readme.md

# DonPAPI
Dumping revelant information on compromised targets without AV detection

## DPAPI dumping
Lots of credentials are protected by DPAPI (link )
We aim at locating those "secured" credentials, and retreive them using :
- user password
- domaine DPAPI BackupKey
- Local machine DPAPI Key (that protect TaskScheduled Blob)

## Curently gathered info: 
- Windows credentials (Taskscheduled credentials & a lot more)
- Windows Vaults
- Windows RDP credentials 
- AdConnect (still require a manual operation)
- Wifi key
- Intenet explorer Creentials
- Chrome cookies & credentials
- Firefox cookies & credentials 
- VNC passwords
- mRemoteNG password (with default config)

## Check for a bit of compliance
- smb signing enabled
- OS/Domain/Hostname/Ip of the audited scope

## Operational use 
with local admin account on a machine, we can :
- gather Machine protected DPAPI secrets, like ScheduledTask, that will contains cleartext login/password of the account that should run the task (Also Wifi passwords)
- extract Masterkey's hash value for every users profiles (masterkeys beeing protected by the user's password, let's try to crack them with Hashcat)
- Identify who is connected from where, in order to identify Admin's personal machines. 
- extract other non-dpapi protected secrets (VNC/Firefox/mRemoteNG)

With a user password, or the domain PVK we can unprotect it's DPAPI Secrets. 
you can pass a full list of credentials that will be tested on the machine.
- gather protected secrets from IE, Chrome, Firefox and start reaching the Azure tenant. 

## Exemples 
dump all secrets of our target machine with an admin account : 

```python DonPAPI.py Domain/user:passw0rd@target```

connect with PTH

```python DonPAPI.py -Hashes XXXXXXXXXX Domain/user@target```

can do kerberos (-k), and local auth (-local_auth)

connect with an account that have LAPS rights:

```python DonPAPI.py -laps Domain/user:passw0rd@target```

you have a few users passwords ? just give them to DonPAPI and it will try to use them to decipher masterkeys of these users. (the file have to contain user:pass, one per line)

```python DonPAPI.py -credz credz_file Domain/user:passw0rd@target```

you got domain admin access and dumped the domain backup key ? (impacket dpapi.py backupkey --export). them dump all secrets of all users of the domain !

`python DonPAPI.py -pvk domain_backupkey.pvk -credz file_with_Login:pass Domain/user:passw0rd@domain_network_list`

target can be an IP, IP range, CIDR, file containing list of the above targets (one per line)


## Opsec consideration
The RemoteOps part can be spoted by some EDR. 
has it's only real use is to get DPAPI Machine key, it could be deactivated (--no_remoteops). but no more taskscheduled credentials in that case.

# INSTALL 
```
git clone https://github.com/login-securite/DonPAPI.git
pip install -r requirements.txt
python3 DonPAPI.py
```

# Credits
All the credits goes to these great guys for doing the hard research & coding : 
- Benjamin Delpy (@gentilkiwi) for most of the DPAPI research (always greatly commented - <3 your code)
- Alberto Solino (@agsolino) for the tremendous work of Impacket (https://github.com/SecureAuthCorp/impacket). Almost everything we do here comes from impacket. 
- Alesandro Z (@) & everyone who worked on Lazagne (https://github.com/AlessandroZ/LaZagne/wiki) for the VNC & Firefox modules, and most likely for a lots of other ones in the futur. 
- dirkjanm @dirkjanm for the base code of adconnect dump (https://github.com/fox-it/adconnectdump) & every research he ever did. i learned so much on so many subjects thanks to you. <3
- @Byt3bl3d33r for CME (lots of inspiration and code comes from CME : https://github.com/byt3bl33d3r/CrackMapExec )
- All the Team of @LoginSecurite for their help in debugging my shity code (special thanks to @layno & @HackAndDo for that)

# TODO
- finish ADSync/ADConnect password extraction
- CREDHISTORY full extraction
- extract windows Certificates
- further analyse ADAL/msteams
- implement Chrome <v80 decoder
- find a way to implement Lazagne's great modules