DonPAPI, commit 9ebb2838
    pyproject.toml
    skipped 1 lines
    2 2  name = "donpapi"
    3 3  version = "1.0.0"
    4 4  description = "Dumping revelant information on compromised targets without AV detection"
    5  -authors = ["login-securite"]
     5 +authors = ["Login Securite <contact@login-securite.com>"]
     6 +readme = "readme.md"
     7 +homepage = "https://github.com/login-securite/DonPAPI"
     8 +repository = "https://github.com/login-securite/DonPAPI"
     9 +exclude = []
     10 +include = ["config/*", "lazagne/*", "lib/*", "software/*", "*.py"]
     11 +classifiers = [
     12 + 'Environment :: Console',
     13 + 'Programming Language :: Python :: 3',
     14 + 'Topic :: Security',
     15 +]
     16 +packages = [
     17 + { include = "lib", from = "." }
     18 +]
     19 + 
     20 +[tool.poetry.scripts]
     21 +donpapi = 'DonPAPI:main'
    6 22   
    7 23  [tool.poetry.dependencies]
    8 24  python = "^3.9"
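Review bot: the console script `donpapi = 'DonPAPI:main'` points at a top-level `DonPAPI` module, but `packages` only declares `{ include = "lib", from = "." }`, so the entry point resolves only if the bare `"*.py"` glob in `include` happens to ship `DonPAPI.py` with the installed package; declare it explicitly, e.g. `packages = [{ include = "lib", from = "." }, { include = "DonPAPI.py" }]`, and narrow `include` so `"*.py"` does not sweep up unrelated root-level scripts. `exclude = []` is a no-op and can be dropped. The unchanged `description` still reads "revelant"; fix it to "relevant" while touching this file, since it becomes the published package metadata.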
    skipped 13 lines
    readme.md
    1 1  # DonPAPI
     2 + 
    2 3  Dumping revelant information on compromised targets without AV detection
    3 4  ![alt text](https://github.com/login-securite/DonPAPI/blob/main/res/Logo%20DonPapi.png)
    4 5   
    5 6   
    6 7  ## DPAPI dumping
     8 + 
    7 9  Lots of credentials are protected by [DPAPI](https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection).
    8 10   
    9 11  We aim at locating those "secured" credentials, and retrieve them using :
     12 + 
    10 13  - User password
    11 14  - Domaine DPAPI BackupKey
    12 15  - Local machine DPAPI Key (protecting `TaskScheduled` blob)
    13 16   
    14 17  ## Curently gathered info
     18 + 
    15 19  - Windows credentials (Taskscheduled credentials & a lot more)
    16 20  - Windows Vaults
    17 21  - Windows RDP credentials
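Review bot: this hunk only inserts blank lines, so while the file is open the typos in the surrounding context lines should be fixed too: "revelant" should be "relevant", "Domaine DPAPI BackupKey" should be "Domain DPAPI BackupKey", "Curently gathered info" should be "Currently gathered info", and "retrieve them using :" should drop the space before the colon.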
    skipped 6 lines
    24 28  - mRemoteNG password (with default config)
    25 29   
    26 30  ## Check for a bit of compliance
     31 + 
    27 32  - SMB signing status
    28 33  - OS/Domain/Hostname/Ip of the audited scope
    29 34   
    30 35  ## Operational use
    31 36   
    32 37  With local admin account on a host, we can :
     38 + 
    33 39  - Gather machine protected DPAPI secrets
    34 40   - ScheduledTask that will contain cleartext login/password of the account configured to run the task
    35 41   - Wi-Fi passwords
    skipped 59 lines
    95 101   
    96 102   
    97 103  ## Opsec consideration
     104 + 
    98 105  The RemoteOps part can be spoted by some EDR. It can be disabled using `--no_remoteops` flag, but then the machine DPAPI key won't be retrieved, and scheduled task credentials/Wi-Fi passwords won't be harvested.
    99 106   
    100 107  ## Installation
     108 + 
    101 109  ```
    102 110  git clone https://github.com/login-securite/DonPAPI.git
    103 111  cd DonPAPI
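Review bot: the Installation code fence has no language tag; mark it as ```` ```bash ```` so the commands get highlighted and are recognisable as shell. In the Opsec paragraph, "spoted" should be "spotted", and "some EDR" reads better as "some EDRs"; the rest of the sentence is useful as written since it states exactly what is lost when `--no_remoteops` is used (machine DPAPI key, scheduled task credentials, Wi-Fi passwords).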
    skipped 1 lines
    105 113  python3 DonPAPI.py
    106 114  ```
    107 115   
     116 +or
     117 + 
     118 +```
     119 +git clone https://github.com/login-securite/DonPAPI.git
     120 +cd DonPAPI
     121 +poetry install
     122 +poetry run donpapi
     123 +```
     124 + 
    108 125  ## Credits
     126 + 
    109 127  All the credits goes to these great guys for doing the hard research & coding :
     128 + 
    110 129  - Benjamin Delpy ([@gentilkiwi](https://twitter.com/gentilkiwi)) for most of the DPAPI research (always greatly commented, <3 your code)
    111 130  - Alberto Solino ([@agsolino](https://twitter.com/agsolino)) for the tremendous work of Impacket (https://github.com/SecureAuthCorp/impacket). Almost everything we do here comes from impacket.
    112 131  - [Alesandro Z](https://github.com/AlessandroZ) & everyone who worked on Lazagne (https://github.com/AlessandroZ/LaZagne/wiki) for the VNC & Firefox modules, and most likely for a lots of other ones in the futur.
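Review bot: the bare line "or" between the two install blocks reads as a stray word; make it a sentence such as "Or, with Poetry:" and tag the new fence as ```` ```bash ```` like the first one. The new block repeats the `git clone` and `cd DonPAPI` steps verbatim; either keep a single clone step above both variants or note that only the last two lines differ (`poetry install` / `poetry run donpapi` versus the existing `python3 DonPAPI.py`). In the Credits lines that follow: "All the credits goes" should be "All credit goes", "Alesandro Z" should be "Alessandro Z" to match the linked `AlessandroZ` handle, "a lots of other ones" should be "a lot of other ones", and "futur" should be "future".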
    skipped 2 lines
    115 134  - All the Team at [@LoginSecurite](https://twitter.com/LoginSecurite) for their help in debugging my shity code (special thanks to [@layno](https://github.com/clayno) & [@HackAndDo](https://twitter.com/HackAndDo) for that)
    116 135   
    117 136  ## Todo
     137 + 
    118 138  - Finish ADSync/ADConnect password extraction
    119 139  - CREDHISTORY full extraction
    120 140  - Extract windows Certificates
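Review bot: spelling in the surrounding context: "shity" should be "shitty", and "Extract windows Certificates" should capitalise "Windows" consistently with the other list items.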
    skipped 12 lines