| skipped 5 lines |
| 6 | 6 | | ## DPAPI dumping |
| 7 | 7 | | Lots of credentials are protected by [DPAPI](https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection). |
| 8 | 8 | | |
| 9 | | - | We aim at locating those "secured" credentials, and retreive them using : |
| | 9 | + | We aim at locating those "secured" credentials, and retrieve them using : |
| 10 | 10 | | - User password |
| 11 | 11 | | - Domaine DPAPI BackupKey |
| 12 | 12 | | - Local machine DPAPI Key (protecting `TaskScheduled` blob) |
| skipped 71 lines |
| 84 | 84 | | When a domain admin user is available, it is possible to dump the domain backup key using impacket `dpapi.py` tool. |
| 85 | 85 | | |
| 86 | 86 | | ```bash |
| 87 | | - | dpapi.py backupkey --export |
| | 87 | + | dpapi.py backupkeys --export -t domain/user:passw0rd@target_dc_ip |
| 88 | 88 | | ``` |
| 89 | 89 | | |
| 90 | | - | This backup key can then be used to dump all domain user's secrets! |
| | 90 | + | This backup key (pvk file) can then be used to dump all domain user's secrets! |
| 91 | 91 | | |
| 92 | 92 | | `python DonPAPI.py -pvk domain_backupkey.pvk domain/user:passw0rd@domain_network_list` |
| 93 | 93 | | |
| skipped 39 lines |
Login Securite
committed
with
GitHub
2 years ago
1 parent e4f3c9be