# DonPAPI Dumping revelant information on compromised targets without AV detection ## DPAPI dumping Lots of credentials are protected by DPAPI (link ) We aim at locating those "secured" credentials, and retreive them using : - user password - domaine DPAPI BackupKey - Local machine DPAPI Key (that protect TaskScheduled Blob) ## Curently gathered info: - Windows credentials (Taskscheduled credentials & a lot more) - Windows Vaults - Windows RDP credentials - AdConnect (still require a manual operation) - Wifi key - Intenet explorer Creentials - Chrome cookies & credentials - Firefox cookies & credentials - VNC passwords - mRemoteNG password (with default config) ## Check for a bit of compliance - smb signing enabled - OS/Domain/Hostname/Ip of the audited scope ## Operational use with local admin account on a machine, we can : - gather Machine protected DPAPI secrets, like ScheduledTask, that will contains cleartext login/password of the account that should run the task (Also Wifi passwords) - extract Masterkey's hash value for every users profiles (masterkeys beeing protected by the user's password, let's try to crack them with Hashcat) - Identify who is connected from where, in order to identify Admin's personal machines. - extract other non-dpapi protected secrets (VNC/Firefox/mRemoteNG) With a user password, or the domain PVK we can unprotect it's DPAPI Secrets. you can pass a full list of credentials that will be tested on the machine. - gather protected secrets from IE, Chrome, Firefox and start reaching the Azure tenant. ## Exemples dump all secrets of our target machine with an admin account : ```python DonPAPI.py Domain/user:passw0rd@target``` connect with PTH ```python DonPAPI.py -Hashes XXXXXXXXXX Domain/user@target``` can do kerberos (-k), and local auth (-local_auth) connect with an account that have LAPS rights: ```python DonPAPI.py -laps Domain/user:passw0rd@target``` you have a few users passwords ? just give them to DonPAPI and it will try to use them to decipher masterkeys of these users. (the file have to contain user:pass, one per line) ```python DonPAPI.py -credz credz_file Domain/user:passw0rd@target``` you got domain admin access and dumped the domain backup key ? (impacket dpapi.py backupkey --export). them dump all secrets of all users of the domain ! `python DonPAPI.py -pvk domain_backupkey.pvk -credz file_with_Login:pass Domain/user:passw0rd@domain_network_list` target can be an IP, IP range, CIDR, file containing list of the above targets (one per line) ## Opsec consideration The RemoteOps part can be spoted by some EDR. has it's only real use is to get DPAPI Machine key, it could be deactivated (--no_remoteops). but no more taskscheduled credentials in that case. # INSTALL ``` git clone https://github.com/login-securite/DonPAPI.git pip install -r requirements.txt python3 DonPAPI.py ``` # Credits All the credits goes to these great guys for doing the hard research & coding : - Benjamin Delpy (@gentilkiwi) for most of the DPAPI research (always greatly commented - <3 your code) - Alberto Solino (@agsolino) for the tremendous work of Impacket (https://github.com/SecureAuthCorp/impacket). Almost everything we do here comes from impacket. - Alesandro Z (@) & everyone who worked on Lazagne (https://github.com/AlessandroZ/LaZagne/wiki) for the VNC & Firefox modules, and most likely for a lots of other ones in the futur. - dirkjanm @dirkjanm for the base code of adconnect dump (https://github.com/fox-it/adconnectdump) & every research he ever did. i learned so much on so many subjects thanks to you. <3 - @Byt3bl3d33r for CME (lots of inspiration and code comes from CME : https://github.com/byt3bl33d3r/CrackMapExec ) - All the Team of @LoginSecurite for their help in debugging my shity code (special thanks to @layno & @HackAndDo for that) # TODO - finish ADSync/ADConnect password extraction - CREDHISTORY full extraction - extract windows Certificates - further analyse ADAL/msteams - implement Chrome