Projects STRLCPY DonPAPI Commits c0802735
    readme.md
    1 1  # DonPAPI
     2 + 
    2 3  Dumping revelant information on compromised targets without AV detection
    3 4  ![alt text](https://github.com/login-securite/DonPAPI/blob/main/res/Logo%20DonPapi.png)
    4 5   
    5 6   
    6 7  ## DPAPI dumping
     8 + 
    7 9  Lots of credentials are protected by [DPAPI](https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection).
    8 10   
    9 11  We aim at locating those "secured" credentials, and retrieve them using :
     12 + 
    10 13  - User password
    11 14  - Domaine DPAPI BackupKey
    12 15  - Local machine DPAPI Key (protecting `TaskScheduled` blob)
    13 16   
    14 17  ## Curently gathered info
     18 + 
    15 19  - Windows credentials (Taskscheduled credentials & a lot more)
    16 20  - Windows Vaults
    17 21  - Windows RDP credentials
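Review bot: the blank lines inserted after `# DonPAPI`, `## DPAPI dumping`, the `using :` lead-in and `## Curently gathered info` are the right fix for renderers that need a blank line between a heading and the paragraph or list that follows, but the lines this hunk touches still carry spelling mistakes that should go in the same edit: `revelant` should be `relevant`, `Domaine DPAPI BackupKey` should be `Domain DPAPI BackupKey`, and the heading should read `## Currently gathered info`. The list lead-in `retrieve them using :` also has a stray space before the colon.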
    skipped 6 lines
    24 28  - mRemoteNG password (with default config)
    25 29   
    26 30  ## Check for a bit of compliance
     31 + 
    27 32  - SMB signing status
    28 33  - OS/Domain/Hostname/Ip of the audited scope
    29 34   
    30 35  ## Operational use
    31 36   
    32 37  With local admin account on a host, we can :
     38 + 
    33 39  - Gather machine protected DPAPI secrets
    34 40   - ScheduledTask that will contain cleartext login/password of the account configured to run the task
    35 41   - Wi-Fi passwords
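Review bot: the new blank line after `With local admin account on a host, we can :` matches the heading/list separation used elsewhere in the file, but the lead-in itself keeps the stray space before the colon and reads better as `With a local admin account on a host, we can:`. The sub-items `- ScheduledTask ...` and `- Wi-Fi passwords` appear to be indented by a single space under `- Gather machine protected DPAPI secrets`; CommonMark needs at least two spaces for a nested item, otherwise these render as siblings of the parent bullet rather than as its children.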
    skipped 59 lines
    95 101   
    96 102   
    97 103  ## Opsec consideration
     104 + 
    98 105  The RemoteOps part can be spoted by some EDR. It can be disabled using `--no_remoteops` flag, but then the machine DPAPI key won't be retrieved, and scheduled task credentials/Wi-Fi passwords won't be harvested.
    99 106   
    100 107  ## Installation
     108 + 
    101 109  ```
    102 110  git clone https://github.com/login-securite/DonPAPI.git
    103 111  cd DonPAPI
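Review bot: the fenced block opened under `## Installation` has no language tag; adding `bash` to the opening fence gives the `git clone` and `cd` lines syntax highlighting and is the one formatting change this hunk leaves out. In the `## Opsec consideration` paragraph, `spoted` should be `spotted`; the caveat itself is worth keeping as written, since it spells out exactly which artefacts (machine DPAPI key, scheduled task credentials, Wi-Fi passwords) are lost when `--no_remoteops` is used.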
    skipped 2 lines
    106 114  ```
    107 115   
    108 116  ## Credits
     117 + 
    109 118  All the credits goes to these great guys for doing the hard research & coding :
     119 + 
    110 120  - Benjamin Delpy ([@gentilkiwi](https://twitter.com/gentilkiwi)) for most of the DPAPI research (always greatly commented, <3 your code)
    111 121  - Alberto Solino ([@agsolino](https://twitter.com/agsolino)) for the tremendous work of Impacket (https://github.com/SecureAuthCorp/impacket). Almost everything we do here comes from impacket.
    112 122  - [Alesandro Z](https://github.com/AlessandroZ) & everyone who worked on Lazagne (https://github.com/AlessandroZ/LaZagne/wiki) for the VNC & Firefox modules, and most likely for a lots of other ones in the futur.
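Review bot: grammar and spelling in the credits lines should be fixed alongside the added blank lines: `All the credits goes to these great guys for doing the hard research & coding :` should be `All the credits go to these great guys for doing the hard research & coding:`, `Alesandro Z` should match the linked handle `AlessandroZ`, and `for a lots of other ones in the futur` should be `for a lot of other ones in the future`. The bare Impacket and LaZagne URLs could also be Markdown links, consistent with the Twitter handles on the same lines.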
    skipped 2 lines
    115 125  - All the Team at [@LoginSecurite](https://twitter.com/LoginSecurite) for their help in debugging my shity code (special thanks to [@layno](https://github.com/clayno) & [@HackAndDo](https://twitter.com/HackAndDo) for that)
    116 126   
    117 127  ## Todo
     128 + 
    118 129  - Finish ADSync/ADConnect password extraction
    119 130  - CREDHISTORY full extraction
    120 131  - Extract windows Certificates
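Review bot: `Extract windows Certificates` should read `Extract Windows certificates` to match the capitalisation used in the rest of the file (`Windows credentials`, `Windows Vaults`, `Windows RDP credentials`), and `shity` in the preceding credits line should be `shitty` if the informal tone is meant to stay.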
    skipped 12 lines