Dumping DPAPI credz remotely
Go to file
Login Securite 08282a06d2
Merge pull request #81 from Dfte/Add-Notepad++-collector
Add notepad++ collector
2024-10-19 13:21:39 +02:00
assets LeHack Release (#50) 2023-07-01 17:20:13 +02:00
donpapi Merge pull request #81 from Dfte/Add-Notepad++-collector 2024-10-19 13:21:39 +02:00
frontend delete node_modules files 2024-08-01 14:55:19 +02:00
utils donpapi 2.0 release 2024-07-05 15:47:43 +02:00
.gitignore delete node_modules files 2024-08-01 14:55:19 +02:00
LICENSE donpapi 2.0 release 2024-07-05 15:47:43 +02:00
README.md donpapi 2.0 release 2024-07-05 15:47:43 +02:00
pyproject.toml kerberos fix 2024-07-11 14:38:28 +02:00

README.md

DonPAPI

DonPAPI automates secrets dump remotely on multiple Windows computers, with defense evasion in mind.

DonPAPI Logo

Collected credentials:

  • Chromium browser Credentials, Cookies and Chrome Refresh Token
  • Windows Certificates
  • Credential Manager
  • Firefox browser Credentials and Cookies
  • Mobaxterm Credentials
  • MRemoteNg Credentials
  • RDC Manager Credentials
  • Files on Desktop and and Recent folder
  • SCCM Credentials
  • Vaults Credentials
  • VNC Credentials
  • Wifi Credentials

We made a talk in french about DPAPI called DPAPI - Don't Put Administration Passwords In 🇫🇷:

Table of Content

Installation

This tool should be install with pipx or in a dedicated virtual environment

pipx install donpapi

or (with latest commits)

pipx install git+https://github.com/login-securite/DonPAPI.git

or (to dev)

git clone git+https://github.com/login-securite/DonPAPI.git
cd DonPAPI
poetry update
poetry run DonPAPI

Quick Start

pipx install donpapi
donpapi collect -u admin -p 'Password123!' -d domain.local -t ALL --fetch-pvk
donpapi gui

Usage

usage: DonPAPI [-h] [-v] [-o DIRNAME] {collect,gui} ...

Dump revelant information on compromised targets without AV detection. Version: 2.0.0

positional arguments:
  {collect,gui}         DonPAPI Action
    collect             Dump secrets on a target list
    gui                 Spawn a Flask webserver to crawl DonPAPI database

options:
  -h, --help            show this help message and exit
  -v                    Verbosity level (-v or -vv)
  -o DIRNAME, --output-directory DIRNAME
                        Output directory. Default is ~/.donpapi/loot/

collect

This action is used to collect secrets on the targets specified in -t.

usage: dpp collect [-h] [--keep-collecting seconds] [--threads Number of threads] [--no-config] [-t TARGET [TARGET ...]] [-d domain.local]
                   [-u username] [-p password] [-H LMHASH:NTHASH] [--no-pass] [-k] [--aesKey hex key] [--laps Administrator] [--dc-ip IP address]
                   [-r /home/user/.donpapi/recover/recover_1718281433] [-c COLLECTORS] [-nr] [--fetch-pvk] [--pvkfile PVKFILE]
                   [--pwdfile PWDFILE] [--ntfile NTFILE] [--mkfile MKFILE]

options:
  -h, --help            show this help message and exit
  --keep-collecting seconds
                        Rerun the attack against all targets after X seconds, X being the value
  --threads Number of threads
                        Number of threads (default: 50)
  --no-config           Do not load donpapi config file (~/.donpapi/donpapi.conf)

authentication:
  -t TARGET [TARGET ...], --target TARGET [TARGET ...]
                        the target IP(s), range(s), CIDR(s), hostname(s), FQDN(s), file(s) containing a list of targets, ALL to fetch every
                        computer hostnames from LDAP
  -d domain.local, --domain domain.local
                        Domain
  -u username, --username username
                        Username
  -p password, --password password
                        Password
  -H LMHASH:NTHASH, --hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  --no-pass             don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid
                        credentials cannot be found, it will use the ones specified in the command line
  --aesKey hex key      AES key to use for Kerberos Authentication (1128 or 256 bits)
  --laps Administrator  use LAPS to request local admin password. The laps parameter value is the local admin account use to connect
  --dc-ip IP address    IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -r /home/user/.donpapi/recover/recover_1718281433, --recover-file /home/user/.donpapi/recover/recover_1718281433
                        The recover file path. If used, the other parameters will be ignored

attacks:
  -c COLLECTORS, --collectors COLLECTORS
                        Chromium, Certificates, CredMan, Files, Firefox, MobaXterm, MRemoteNG, RDCMan, SCCM, Vaults, VNC, Wifi, All (all
                        previous) (default: All)
  -nr, --no-remoteops   Disable Remote Ops operations (basically no Remote Registry operations, no DPAPI System Credentials)
  --fetch-pvk           Will automatically use domain backup key from database, and if not already dumped, will dump it on a domain controller
  --pvkfile PVKFILE     Pvk file with domain backup key
  --pwdfile PWDFILE     File containing username:password that will be used eventually to decrypt masterkeys
  --ntfile NTFILE       File containing username:nthash that will be used eventually to decrypt masterkeys
  --mkfile MKFILE       File containing {GUID}:SHA1 masterkeys mappings

Authentication

Authentication works by specifying a domain with --domain, an username with --username, and eventually a password with --password, a hash with --hashes, an AES key with --aesKey or a Kerberos ticket in ccache format with -k (Impacket style). You can also authenticate through LAPS on the computer with --laps and the username of the local LAPS account as the value for this parameter.

Collection

By default, DonPAPI will collect:

  • Chromium: Chromium browser Credentials, Cookies and Chrome Refresh Token
  • Certificates: Windows Certificates
  • CredMan: Credential Manager
  • Firefox: Firefox browser Credentials and Cookies
  • MobaXterm: Mobaxterm Credentials
  • MRemoteNg: MRemoteNg Credentials
  • RDCMan: RDC Manager Credentials
  • Files: Files on Desktop and and Recent folder
  • SCCM: SCCM Credentials
  • Vaults: Vaults Credentials
  • VNC: VNC Credentials
  • Wifi: Wifi Credentials

You can specify each one you want to collect with --collectors (SharpHound style). If you use --fetch-pvk, DonPAPI will automatically fetch the Domain Backup Key of the AD domain and use it to decrypt masterkeys. Otherwise, you can bring one with --pvkfile. --pwdfile, --ntfile are used to feed DonPAPI with secrets in order to unlock masterkeys. But if you have freshly decrypted masterkeys, you can use --mkfile.

[!WARNING] Some collection method will need to dump LSA secrets (in order to obtain the DPAPI machine key). This action can be noizy, and modern EDR will block you instantly. You can use -nr to avoid doing those noisy actions, but some secrets won't be collected.

OPSEC

DonPAPI now supports a configuration file in order to pimp Secretsdump behaviour. This file will be located at ~/.donpapi/donpapi.conf, and by default, it will looks like this:

[secretsdump]
share = C$
remote_filepath = \Users\Default\AppData\Local\Temp
filename_regex = \d{4}-\d{4}-\d{4}-[0-9]{4}
file_extension = .log

Recover

DonPAPI supports recover file. Each time you will run a collect command, it will save a recover file of the remaining targets and all the options. By default, the file is located in ~/.donpapi/register/ folder

Keep Collecting

Sometimes on an internal assessment, you want to go hard on some specific targets and collecting secrets on their computer again and again. Don't do a stupid bash loop, just use --keep-collecting X, X being the seconds you want to wait between each collecting sessions.

gui

Now that you have collected all those secrets, you want to crawl them. DonPAPI allow you to go through all collected secrets with a web GUI. To launch it, use donpapi gui.

usage: DonPAPI gui [-h] [--bind BIND] [--port PORT] [--ssl] [--basic-auth user:password]

options:
  -h, --help            show this help message and exit
  --bind BIND           HTTP Server bind address (default=127.0.0.1)
  --port PORT           HTTP Server port (default=8088)
  --ssl                 Use an encrypted connection
  --basic-auth user:password
                        Set up a basic auth

Web

General

This screen will show you every SAM reused passwords accross all collected computers, dumped scheduled tasks and service account passwords dumped from LSA. You can export all of them as CSV format.

Secrets

This screen will show you every secrets looted with DonPAPI. You can search on multiple elements and exports secrets in CSV

Cookies

This screen will show you every cookies looted with DonPAPI. You can search on multiple elements and exports cookies in CSV, but also copy paste them into JavaScript code to paste it in your browser.

Certificates

This screen will show you every certificates looted with DonPAPI. You can search on multiple elements and exports certificates in CSV, but also if a certificate allow client auth, then clicking on Yes will copy paste a Certipy command to use the certificate.

Disclaimer

This tool is for educational and ethical hacking purpose only. Login Sécurité is not responsible for the abuses committed with this tool.

Functionalities

The GUI frontend is developed in Vue3 + Vite.js, and the backend is Python Flask.

By default, it will be exposed at http://127.0.0.1:8088, but you can expose it the way you like, even at https://0.0.0.0:443.

[!WARNING] Please never expose DonPAPI to a whole network like this, it can be very dangerous. DonPAPI supports HTTPS with --ssl and you can add a Basic Auth with --basic-auth. And moreover, please never expose DonPAPI on the Internet like this.

Clicking on a value in the tables will instantly put it in your clipboard.

A Hide Password checkbox is available in the GUI, in order to hide sensitive data in the GUI, perfect for screenshots.

Credits

All the credits goes to these great guys for doing the hard research & coding :