readme.md
skipped 1 lines
2
2
Dumping revelant information on compromised targets without AV detection
3
3
4
4
## DPAPI dumping
5
-
Lots of credentials are protected by DPAPI (link )
5
+
Lots of credentials are protected by [DPAPI](https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection).
6
+
6
7
We aim at locating those "secured" credentials, and retreive them using :
7
-
- user password
8
-
- domaine DPAPI BackupKey
9
-
- Local machine DPAPI Key (thatprotect TaskScheduled Blob)
8
+
- User password
9
+
- Domaine DPAPI BackupKey
10
+
- Local machine DPAPI Key (protecting`TaskScheduled`blob)
10
11
11
-
## Curently gathered info:
12
+
## Curently gathered info
12
13
- Windows credentials (Taskscheduled credentials & a lot more)
13
14
- Windows Vaults
14
15
- Windows RDP credentials
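Review bot: the rewritten bullet list still carries a spelling error and a spacing defect that this change should fix while it is touching the lines: "- Domaine DPAPI BackupKey" should read "- Domain DPAPI BackupKey", and "- Local machine DPAPI Key (protecting`TaskScheduled`blob)" needs spaces around the inline code, i.e. "protecting `TaskScheduled` blob", otherwise Markdown renders it glued together. The heading edit "## Curently gathered info" only drops the trailing colon; "Curently" should become "Currently" in the same change. The unchanged context line "retreive them using :" is worth fixing too ("retrieve them using:"), and the new DPAPI link points at the .NET "how-to-use-data-protection" page (path `dotnet/standard/security/...`), whereas the masterkeys, backup key and machine key described here are Windows DPAPI concepts; a link to the Windows DPAPI documentation would serve readers better.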
skipped 6 lines
21
22
- mRemoteNG password (with default config)
22
23
23
24
## Check for a bit of compliance
24
-
- smb signing enabled
25
+
- SMB signing status
25
26
- OS/Domain/Hostname/Ip of the audited scope
26
27
27
28
## Operational use
28
-
with local admin account on a machine, we can :
29
-
- gather Machine protected DPAPI secrets, like ScheduledTask, that will contains cleartext login/password of the account that should run the task (Also Wifi passwords)
30
-
- extract Masterkey's hash value for every users profiles (masterkeys beeing protected by the user's password, let's try to crack them with Hashcat)
31
-
- Identify who is connected from where, in order to identify Admin's personal machines.
32
-
- extract other non-dpapi protected secrets (VNC/Firefox/mRemoteNG)
33
29
34
-
With a user password, or the domain PVK we can unprotect it's DPAPI Secrets.
35
-
you can pass a full list of credentials that will be tested on the machine.
36
-
- gather protected secrets from IE, Chrome, Firefox and start reaching the Azure tenant.
30
+
With local admin account on a host, we can :
31
+
- Gather machine protected DPAPI secrets
32
+
- ScheduledTask that will contain cleartext login/password of the account configured to run the task
33
+
- Wi-Fi passwords
34
+
- Extract Masterkey's hash value for every user profiles (masterkeys beeing protected by the user's password, let's try to crack them with Hashcat)
35
+
- Identify who is connected from where, in order to identify admin's personal computers.
36
+
- Extract other non-dpapi protected secrets (VNC/Firefox/mRemoteNG)
37
+
- Gather protected secrets from IE, Chrome, Firefox and start reaching the Azure tenant.
37
38
38
-
## Exemples
39
-
dump all secrets of our target machine with an admin account :
39
+
With a user password, or the domain PVK we can unprotect the user's DPAPI secrets.
you have a few users passwords ? just give them to DonPAPI and it will try to use them to decipher masterkeys of these users. (the file have to contain user:pass, one per line)
you got domain admin access and dumped the domain backup key ? (impacket dpapi.py backupkey --export). them dump all secrets of all users of the domain !
It is also possible to provide the tool with a list of credentials that will be tested on the target. DonPAPI will try to use them to decipher masterkeys.
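Review bot: the credential-file behaviour is now described three times in overlapping sentences and the duplication should be collapsed into one statement: "With a user password, or the domain PVK we can unprotect the user's DPAPI secrets.", "you have a few users passwords ? just give them to DonPAPI ... (the file have to contain user:pass, one per line)" and "It is also possible to provide the tool with a list of credentials that will be tested on the target." say the same thing, and only the middle one gives the `user:pass` format. While consolidating, fix "them dump all secrets" (should be "then dump all secrets"), expand "PVK" on first use since the reader only learns later that it is the exported domain backup key from `dpapi.py backupkey --export`, and give the "## Exemples" heading a replacement (with the correct spelling "Examples") rather than removing it, because the paragraph that follows is still example usage text. In the "Operational use" bullets, "every user profiles" should be "every user profile", "beeing" should be "being", "non-dpapi" should be "non-DPAPI", and the two sub-items "ScheduledTask ..." and "Wi-Fi passwords" need to be indented under "- Gather machine protected DPAPI secrets" so they render as a nested list instead of siblings.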
60
69
61
-
target can be an IP, IP range, CIDR, file containing list of the above targets (one per line)
70
+
This credential file must have the following syntax:
Target can be an IP, IP range, CIDR, file containing list targets (one per line)
62
93
63
94
64
95
## Opsec consideration
65
-
The RemoteOps part can be spoted by some EDR.
66
-
has it's only real use is to get DPAPI Machine key, it could be deactivated (--no_remoteops). but no more taskscheduled credentials in that case.
96
+
The RemoteOps part can be spoted by some EDR. It can be disabled using `--no_remoteops` flag, but then the machine DPAPI key won't be retrieved, and scheduled task credentials/Wi-Fi passwords won't be harvested.
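Review bot: the new line "This credential file must have the following syntax:" is followed by nothing in this hunk, so the promised syntax never appears; add the format right after it (a short fenced block with two constructed `user:pass` lines would do, matching the "one per line" rule stated earlier in the file). The reworded target line "file containing list targets (one per line)" dropped a word from the original and should read "a file containing a list of targets (one per line)". In the Opsec paragraph, "spoted" should be "spotted" and "using `--no_remoteops` flag" should be "using the `--no_remoteops` flag"; more importantly, the sentence tells readers that RemoteOps may be detected by EDR but never says what RemoteOps actually does on the target host, so a one-line description of the remote action would let readers understand both why it is noisy and why the machine DPAPI key, scheduled task credentials and Wi-Fi passwords depend on it.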
All the credits goes to these great guys for doing the hard research & coding :
77
-
- Benjamin Delpy (@gentilkiwi) for most of the DPAPI research (always greatly commented- <3 your code)
78
-
- Alberto Solino (@agsolino) for the tremendous work of Impacket (https://github.com/SecureAuthCorp/impacket). Almost everything we do here comes from impacket.
79
-
- Alesandro Z(@) & everyone who worked on Lazagne (https://github.com/AlessandroZ/LaZagne/wiki) for the VNC & Firefox modules, and most likely for a lots of other ones in the futur.
80
-
- dirkjanm @dirkjanm for the base code of adconnect dump (https://github.com/fox-it/adconnectdump) & every research he ever did. i learned so much on so many subjects thanks to you. <3
81
-
- @Byt3bl3d33r for CME (lots of inspiration and code comes from CME : https://github.com/byt3bl33d3r/CrackMapExec )
82
-
- All the Team of @LoginSecurite for their help in debugging my shity code (special thanks to @layno & @HackAndDo for that)
108
+
- Benjamin Delpy ([@gentilkiwi](https://twitter.com/gentilkiwi)) for most of the DPAPI research (always greatly commented, <3 your code)
109
+
- Alberto Solino ([@agsolino](https://twitter.com/agsolino)) for the tremendous work of Impacket (https://github.com/SecureAuthCorp/impacket). Almost everything we do here comes from impacket.
110
+
- [Alesandro Z](https://github.com/AlessandroZ) & everyone who worked on Lazagne (https://github.com/AlessandroZ/LaZagne/wiki) for the VNC & Firefox modules, and most likely for a lots of other ones in the futur.
111
+
- dirkjanm [@_dirkjan](https://twitter.com/_dirkjan) for the base code of adconnect dump (https://github.com/fox-it/adconnectdump) & every research he ever did. I learned so much on so many subjects thanks to you. <3
112
+
- [@byt3bl33d3r](https://twitter.com/byt3bl33d3r) for CME (lots of inspiration and code comes from CME : https://github.com/byt3bl33d3r/CrackMapExec )
113
+
- All the Team at[@LoginSecurite](https://twitter.com/LoginSecurite) for their help in debugging my shity code (special thanks to [@layno](https://github.com/clayno) & [@HackAndDo](https://twitter.com/HackAndDo) for that)
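Review bot: the credits rewrite keeps several spelling mistakes that the linked URLs contradict: "[Alesandro Z](https://github.com/AlessandroZ)" should be "Alessandro Z" and "Lazagne" should be "LaZagne" to match the repository name in the link, "for a lots of other ones in the futur" should be "for a lot of other ones in the future", and "All the Team at[@LoginSecurite]" is missing the space before the link. The unchanged intro line "All the credits goes to these great guys" should also become "All the credit goes to these great guys" since the hunk already touches every line beneath it.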