Lots of credentials are protected by [DPAPI](https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection).

We aim to locate those "secured" credentials and retrieve them using:

- User password
- Domain DPAPI BackupKey
- Local machine DPAPI Key (protecting `TaskScheduled` blob)

## Currently gathered info

- Windows credentials (scheduled task credentials & a lot more)
- Windows Vaults
- Windows RDP credentials
- mRemoteNG password (with default config)

## Check for a bit of compliance

- SMB signing status
- OS/Domain/Hostname/IP of the audited scope
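The SMB signing status is the compliance item in this list that a defender can act on directly. The following is an added example, not this project's code (nor Impacket's): it parses the SecurityMode field of an SMB2 NEGOTIATE response and reports whether the server requires signing, merely enables it, or has it disabled. The response bytes and host names are constructed for the example, not captured traffic.

```python
"""Classify a server's SMB signing posture from its SMB2 NEGOTIATE response.

Added example, not project code. The SecurityMode field (16 bits, right after
the NEGOTIATE response StructureSize) carries SMB2_NEGOTIATE_SIGNING_ENABLED
(0x0001) and SMB2_NEGOTIATE_SIGNING_REQUIRED (0x0002). Only "required" stops a
client from opting out of signing; "enabled" alone still allows unsigned sessions.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on server responses
SIGNING_ENABLED = 0x0001
SIGNING_REQUIRED = 0x0002


def build_negotiate_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Construct a minimal SMB2 NEGOTIATE response (64-byte header + body).
    Constructed test data: only the fields the check reads are meaningful."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_MAGIC,                  # ProtocolId
        64,                          # StructureSize (header is always 64)
        0,                           # CreditCharge
        0,                           # Status
        SMB2_NEGOTIATE,              # Command
        1,                           # CreditResponse
        SMB2_FLAGS_SERVER_TO_REDIR,  # Flags: server-to-client message
        0,                           # NextCommand
        0,                           # MessageId
        0,                           # Reserved
        0,                           # TreeId
        0,                           # SessionId
        b"\x00" * 16,                # Signature
    )
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0)  # StructureSize, SecurityMode, Dialect, Reserved
    body += b"\x00" * (65 - len(body))  # ServerGuid .. Buffer, zeroed for the example
    return header + body


def smb_signing_posture(packet: bytes) -> str:
    """Return 'required', 'enabled' or 'disabled'; raise ValueError if the
    bytes are not an SMB2 NEGOTIATE response."""
    if len(packet) < 64 + 4 or packet[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    (command,) = struct.unpack_from("<H", packet, 12)
    (flags,) = struct.unpack_from("<I", packet, 16)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    structure_size, security_mode = struct.unpack_from("<HH", packet, 64)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response structure size")
    if security_mode & SIGNING_REQUIRED:
        return "required"
    if security_mode & SIGNING_ENABLED:
        return "enabled"
    return "disabled"


# Constructed sample scope (hypothetical host names), one response per host.
SAMPLE_HOSTS = {
    "dc01.example.local": build_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED),
    "fs01.example.local": build_negotiate_response(SIGNING_ENABLED),
    "ws07.example.local": build_negotiate_response(0),
}


def audit(hosts: dict = SAMPLE_HOSTS) -> dict:
    """Map each host to its signing posture."""
    return {host: smb_signing_posture(pkt) for host, pkt in hosts.items()}


def non_compliant(hosts: dict = SAMPLE_HOSTS) -> list:
    """Hosts where signing is not required, i.e. still exposed to relay."""
    return sorted(host for host, posture in audit(hosts).items() if posture != "required")


if __name__ == "__main__":
    for host, posture in audit().items():
        print(f"{host}: SMB signing {posture}")
    print("non-compliant:", non_compliant())
```

In a real audit the bytes would come from the server's actual NEGOTIATE reply (Impacket, credited below, can drive that exchange); the parsing and the verdict are the same. The remediation for a host reported as "enabled" or "disabled" is to require signing server-side (on Windows, `RequireSecuritySignature` under `HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters`, or the equivalent group policy).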

## Operational use

With a local admin account on a host, we can:

- Gather machine-protected DPAPI secrets
- Scheduled tasks, which contain the cleartext login/password of the account configured to run the task
- Wi-Fi passwords

## Opsec consideration

The RemoteOps part can be spotted by some EDRs. It can be disabled using the `--no_remoteops` flag, but then the machine DPAPI key won't be retrieved, and scheduled task credentials/Wi-Fi passwords won't be harvested.

All the credit goes to these great guys for doing the hard research & coding:

- Benjamin Delpy ([@gentilkiwi](https://twitter.com/gentilkiwi)) for most of the DPAPI research (always greatly commented, <3 your code)
- Alberto Solino ([@agsolino](https://twitter.com/agsolino)) for the tremendous work of Impacket (https://github.com/SecureAuthCorp/impacket). Almost everything we do here comes from impacket.
- [Alessandro Z](https://github.com/AlessandroZ) & everyone who worked on LaZagne (https://github.com/AlessandroZ/LaZagne/wiki) for the VNC & Firefox modules, and most likely for a lot of other ones in the future.
- All the team at [@LoginSecurite](https://twitter.com/LoginSecurite) for their help in debugging my shitty code (special thanks to [@layno](https://github.com/clayno) & [@HackAndDo](https://twitter.com/HackAndDo) for that)