DonPAPI/readme.md

# DonPAPI
Dumping revelant information on compromised targets without AV detection

## DPAPI dumping
Lots of credentials are protected by DPAPI (link )
We aim at locating those "secured" credentials, and retreive them using :
- user password
- domaine DPAPI BackupKey
- Local machine DPAPI Key (that protect TaskScheduled Blob)

#Curently gathered info: 
- Windows credentials (Taskscheduled credentials & a lot more)
- Windows Vaults
- Windows RDP credentials 
- AdConnect (still require a manual operation)
- Wifi key
- Intenet explorer Creentials
- Chrome cookies & credentials
- Firefox cookies & credentials 
- VNC passwords
- mRemoteNG password (with default config)

#Check for a bit of compliance
- smb signing enabled
- OS/Domain/Hostname/Ip of the audited scope

# Operational use 
with local admin account on a machine, we can :
- gather Machine protected DPAPI secrets, like ScheduledTask, that will contains cleartext login/password of the account that should run the task (Also Wifi passwords)
- extract Masterkey's hash value for every users profiles (masterkeys beeing protected by the user's password, let's try to crack them with Hashcat)
- Identify who is connected from where, in order to identify Admin's personal machines. 
- extract other non-dpapi protected secrets (VNC/Firefox/mRemoteNG)

With a user password, or the domain PVK we can unprotect it's DPAPI Secrets. 
you can pass a full list of credentials that will be tested on the machine.
- gather protected secrets from IE, Chrome, Firefox and start reaching the Azure tenant. 

# Exemples 
dump all secrets of our target machine with an admin account : 

```python DonPAPI.py Domain/user:passw0rd@target```

connect with PTH

```python DonPAPI.py -Hashes XXXXXXXXXX Domain/user@target```

can do kerberos (-k), and local auth (-local_auth)

connect with an account that have LAPS rights:

```python DonPAPI.py -laps Domain/user:passw0rd@target```

you have a few users passwords ? just give them to DonPAPI and it will try to use them to decipher masterkeys of these users. (the file have to contain user:pass, one per line)

```python DonPAPI.py -credz credz_file Domain/user:passw0rd@target```

you got domain admin access and dumped the domain backup key ? (impacket dpapi.py backupkey --export). them dump all secrets of all users of the domain !

`python DonPAPI.py -pvk domain_backupkey.pvk -credz file_with_Login:pass Domain/user:passw0rd@domain_network_list`

target can be an IP, IP range, CIDR, file containing list of the above targets (one per line)


# Opsec consideration
The RemoteOps part can be spoted by some EDR. 
has it's only real use is to get DPAPI Machine key, it could be deactivated (--no_remoteops). but no more taskscheduled credentials in that case.

# INSTALL 
```
git clone https://github.com/login-securite/DonPAPI.git
pip install -r requirements.txt
python3 DonPAPI.py
```

# Credits
All the credits goes to these great guys for doing the hard research & coding : 
- Benjamin Delpy (@gentilkiwi) for most of the DPAPI research (always greatly commented - <3 your code)
- Alberto Solino (@agsolino) for the tremendous work of Impacket (https://github.com/SecureAuthCorp/impacket). Almost everything we do here comes from impacket. 
- Alesandro Z (@) & everyone who worked on Lazagne (https://github.com/AlessandroZ/LaZagne/wiki) for the VNC & Firefox modules, and most likely for a lots of other ones in the futur. 
- dirkjanm @dirkjanm for the base code of adconnect dump (https://github.com/fox-it/adconnectdump) & every research he ever did. i learned so much on so many subjects thanks to you. <3
- @Byt3bl3d33r for CME (lots of inspiration and code comes from CME : https://github.com/byt3bl33d3r/CrackMapExec )
- All the Team of @LoginSecurite for their help in debugging my shity code (special thanks to @layno & @HackAndDo for that)

# TODO
- finish ADSync/ADConnect password extraction
- CREDHISTORY full extraction
- extract windows Certificates
- further analyse ADAL/msteams
- implement Chrome <v80 decoder
- find a way to implement Lazagne's great modules
beta release commit 2021-09-27 09:20:43 +00:00			`# DonPAPI`
			`Dumping revelant information on compromised targets without AV detection`

			`## DPAPI dumping`
			`Lots of credentials are protected by DPAPI (link )`
			`We aim at locating those "secured" credentials, and retreive them using :`
			`- user password`
			`- domaine DPAPI BackupKey`
			`- Local machine DPAPI Key (that protect TaskScheduled Blob)`

			`#Curently gathered info:`
			`- Windows credentials (Taskscheduled credentials & a lot more)`
			`- Windows Vaults`
			`- Windows RDP credentials`
			`- AdConnect (still require a manual operation)`
			`- Wifi key`
			`- Intenet explorer Creentials`
			`- Chrome cookies & credentials`
			`- Firefox cookies & credentials`
			`- VNC passwords`
			`- mRemoteNG password (with default config)`

			`#Check for a bit of compliance`
			`- smb signing enabled`
			`- OS/Domain/Hostname/Ip of the audited scope`

			`# Operational use`
			`with local admin account on a machine, we can :`
			`- gather Machine protected DPAPI secrets, like ScheduledTask, that will contains cleartext login/password of the account that should run the task (Also Wifi passwords)`
			`- extract Masterkey's hash value for every users profiles (masterkeys beeing protected by the user's password, let's try to crack them with Hashcat)`
			`- Identify who is connected from where, in order to identify Admin's personal machines.`
			`- extract other non-dpapi protected secrets (VNC/Firefox/mRemoteNG)`

			`With a user password, or the domain PVK we can unprotect it's DPAPI Secrets.`
			`you can pass a full list of credentials that will be tested on the machine.`
			`- gather protected secrets from IE, Chrome, Firefox and start reaching the Azure tenant.`

			`# Exemples`
			`dump all secrets of our target machine with an admin account :`

			```python DonPAPI.py Domain/user:passw0rd@target```

			`connect with PTH`

			```python DonPAPI.py -Hashes XXXXXXXXXX Domain/user@target```

			`can do kerberos (-k), and local auth (-local_auth)`

			`connect with an account that have LAPS rights:`

			```python DonPAPI.py -laps Domain/user:passw0rd@target```

			`you have a few users passwords ? just give them to DonPAPI and it will try to use them to decipher masterkeys of these users. (the file have to contain user:pass, one per line)`

			```python DonPAPI.py -credz credz_file Domain/user:passw0rd@target```

			`you got domain admin access and dumped the domain backup key ? (impacket dpapi.py backupkey --export). them dump all secrets of all users of the domain !`

			`python DonPAPI.py -pvk domain_backupkey.pvk -credz file_with_Login:pass Domain/user:passw0rd@domain_network_list`

			`target can be an IP, IP range, CIDR, file containing list of the above targets (one per line)`


			`# Opsec consideration`
			`The RemoteOps part can be spoted by some EDR.`
			`has it's only real use is to get DPAPI Machine key, it could be deactivated (--no_remoteops). but no more taskscheduled credentials in that case.`

			`# INSTALL`
			```
			`git clone https://github.com/login-securite/DonPAPI.git`
			`pip install -r requirements.txt`
			`python3 DonPAPI.py`
			```

			`# Credits`
			`All the credits goes to these great guys for doing the hard research & coding :`
			`- Benjamin Delpy (@gentilkiwi) for most of the DPAPI research (always greatly commented - <3 your code)`
			`- Alberto Solino (@agsolino) for the tremendous work of Impacket (https://github.com/SecureAuthCorp/impacket). Almost everything we do here comes from impacket.`
			`- Alesandro Z (@) & everyone who worked on Lazagne (https://github.com/AlessandroZ/LaZagne/wiki) for the VNC & Firefox modules, and most likely for a lots of other ones in the futur.`
			`- dirkjanm @dirkjanm for the base code of adconnect dump (https://github.com/fox-it/adconnectdump) & every research he ever did. i learned so much on so many subjects thanks to you. <3`
			`- @Byt3bl3d33r for CME (lots of inspiration and code comes from CME : https://github.com/byt3bl33d3r/CrackMapExec )`
			`- All the Team of @LoginSecurite for their help in debugging my shity code (special thanks to @layno & @HackAndDo for that)`

			`# TODO`
			`- finish ADSync/ADConnect password extraction`
			`- CREDHISTORY full extraction`
			`- extract windows Certificates`
			`- further analyse ADAL/msteams`
			`- implement Chrome <v80 decoder`
			`- find a way to implement Lazagne's great modules`