Projects STRLCPY DonPAPI Commits d5015226
    readme.md
    skipped 1 lines
    2 2  Dumping revelant information on compromised targets without AV detection
    3 3   
    4 4  ## DPAPI dumping
    5  -Lots of credentials are protected by DPAPI (link )
     5 +Lots of credentials are protected by [DPAPI](https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection).
     6 + 
    6 7  We aim at locating those "secured" credentials, and retreive them using :
    7  -- user password
    8  -- domaine DPAPI BackupKey
    9  -- Local machine DPAPI Key (that protect TaskScheduled Blob)
     8 +- User password
     9 +- Domaine DPAPI BackupKey
     10 +- Local machine DPAPI Key (protecting `TaskScheduled` blob)
    10 11   
    11  -## Curently gathered info:
     12 +## Curently gathered info
    12 13  - Windows credentials (Taskscheduled credentials & a lot more)
    13 14  - Windows Vaults
    14 15  - Windows RDP credentials
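Review bot: the reworded list still carries spelling mistakes this pass could have fixed: new line 9 `- Domaine DPAPI BackupKey` should read `Domain DPAPI BackupKey`, new line 12 `## Curently gathered info` should read `## Currently gathered info`, and the unchanged line 7 keeps `retreive` (retrieve) with a stray space before the colon. Also worth confirming the new DPAPI link is the intended reference: it points at the .NET `how-to-use-data-protection` guide, whereas the master keys, scheduled-task blobs and backup keys described here are the Win32 DPAPI mechanism.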
    skipped 6 lines
    21 22  - mRemoteNG password (with default config)
    22 23   
    23 24  ## Check for a bit of compliance
    24  -- smb signing enabled
     25 +- SMB signing status
    25 26  - OS/Domain/Hostname/Ip of the audited scope
    26 27   
    27 28  ## Operational use
    28  -with local admin account on a machine, we can :
    29  -- gather Machine protected DPAPI secrets, like ScheduledTask, that will contains cleartext login/password of the account that should run the task (Also Wifi passwords)
    30  -- extract Masterkey's hash value for every users profiles (masterkeys beeing protected by the user's password, let's try to crack them with Hashcat)
    31  -- Identify who is connected from where, in order to identify Admin's personal machines.
    32  -- extract other non-dpapi protected secrets (VNC/Firefox/mRemoteNG)
    33 29   
    34  -With a user password, or the domain PVK we can unprotect it's DPAPI Secrets.
    35  -you can pass a full list of credentials that will be tested on the machine.
    36  -- gather protected secrets from IE, Chrome, Firefox and start reaching the Azure tenant.
     30 +With local admin account on a host, we can :
     31 +- Gather machine protected DPAPI secrets
     32 + - ScheduledTask that will contain cleartext login/password of the account configured to run the task
     33 + - Wi-Fi passwords
     34 +- Extract Masterkey's hash value for every user profiles (masterkeys beeing protected by the user's password, let's try to crack them with Hashcat)
     35 +- Identify who is connected from where, in order to identify admin's personal computers.
     36 +- Extract other non-dpapi protected secrets (VNC/Firefox/mRemoteNG)
     37 +- Gather protected secrets from IE, Chrome, Firefox and start reaching the Azure tenant.
    37 38   
    38  -## Exemples
    39  -dump all secrets of our target machine with an admin account :
     39 +With a user password, or the domain PVK we can unprotect the user's DPAPI secrets.
    40 40   
    41  -```python DonPAPI.py Domain/user:passw0rd@target```
     41 +## Examples
    42 42   
    43  -connect with PTH
     43 +Dump all secrets of the target machine with an admin account :
    44 44   
    45  -```python DonPAPI.py -Hashes XXXXXXXXXX Domain/user@target```
     45 +```bash
     46 +DonPAPI.py domain/user:passw0rd@target
     47 +```
    46 48   
    47  -can do kerberos (-k), and local auth (-local_auth)
     49 +Using user's hash
    48 50   
    49  -connect with an account that have LAPS rights:
     51 +```bash
     52 +DonPAPI.py --hashes <LM>:<NT> domain/user@target
     53 +```
    50 54   
    51  -```python DonPAPI.py -laps Domain/user:passw0rd@target```
     55 +Using kerberos (-k) and local auth (-local_auth)
    52 56   
    53  -you have a few users passwords ? just give them to DonPAPI and it will try to use them to decipher masterkeys of these users. (the file have to contain user:pass, one per line)
     57 +```bash
     58 +DonPAPI.py -k domain/user@target
     59 +DonPAPI.py -local_auth user@target
     60 +```
    54 61   
    55  -```python DonPAPI.py -credz credz_file Domain/user:passw0rd@target```
     62 +Using a user with LAPS password reading rights
    56 63   
    57  -you got domain admin access and dumped the domain backup key ? (impacket dpapi.py backupkey --export). them dump all secrets of all users of the domain !
     64 +```bash
     65 +DonPAPI.py -laps domain/user:passw0rd@target
     66 +```
    58 67   
    59  -`python DonPAPI.py -pvk domain_backupkey.pvk -credz file_with_Login:pass Domain/user:passw0rd@domain_network_list`
     68 +It is also possible to provide the tool with a list of credentials that will be tested on the target. DonPAPI will try to use them to decipher masterkeys.
    60 69   
    61  -target can be an IP, IP range, CIDR, file containing list of the above targets (one per line)
     70 +This credential file must have the following syntax:
     71 + 
     72 +```plain
     73 +user1:pass1
     74 +user2:pass2
     75 +...
     76 +```
     77 + 
     78 +```bash
     79 +DonPAPI.py -credz credz_file.txt domain/user:passw0rd@target
     80 +```
     81 + 
     82 +When a domain admin user is available, it is possible to dump the domain backup key using impacket `dpapi.py` tool.
     83 + 
     84 +```bash
     85 +dpapi.py backupkey --export
     86 +```
     87 + 
     88 +This backup key can then be used to dump all domain user's secrets!
     89 + 
     90 +`python DonPAPI.py -pvk domain_backupkey.pvk domain/user:passw0rd@domain_network_list`
     91 + 
     92 +Target can be an IP, IP range, CIDR, file containing list targets (one per line)
    62 93   
    63 94   
    64 95  ## Opsec consideration
    65  -The RemoteOps part can be spoted by some EDR.
    66  -has it's only real use is to get DPAPI Machine key, it could be deactivated (--no_remoteops). but no more taskscheduled credentials in that case.
     96 +The RemoteOps part can be spoted by some EDR. It can be disabled using `--no_remoteops` flag, but then the machine DPAPI key won't be retrieved, and scheduled task credentials/Wi-Fi passwords won't be harvested.
    67 97   
    68  -# INSTALL
     98 +## Installation
    69 99  ```
    70 100  git clone https://github.com/login-securite/DonPAPI.git
    71  -pip install -r requirements.txt
     101 +cd DonPAPI
     102 +python3 -m pip install -r requirements.txt
    72 103  python3 DonPAPI.py
    73 104  ```
    74 105   
    75  -# Credits
     106 +## Credits
    76 107  All the credits goes to these great guys for doing the hard research & coding :
    77  -- Benjamin Delpy (@gentilkiwi) for most of the DPAPI research (always greatly commented - <3 your code)
    78  -- Alberto Solino (@agsolino) for the tremendous work of Impacket (https://github.com/SecureAuthCorp/impacket). Almost everything we do here comes from impacket.
    79  -- Alesandro Z (@) & everyone who worked on Lazagne (https://github.com/AlessandroZ/LaZagne/wiki) for the VNC & Firefox modules, and most likely for a lots of other ones in the futur.
    80  -- dirkjanm @dirkjanm for the base code of adconnect dump (https://github.com/fox-it/adconnectdump) & every research he ever did. i learned so much on so many subjects thanks to you. <3
    81  -- @Byt3bl3d33r for CME (lots of inspiration and code comes from CME : https://github.com/byt3bl33d3r/CrackMapExec )
    82  -- All the Team of @LoginSecurite for their help in debugging my shity code (special thanks to @layno & @HackAndDo for that)
     108 +- Benjamin Delpy ([@gentilkiwi](https://twitter.com/gentilkiwi)) for most of the DPAPI research (always greatly commented, <3 your code)
     109 +- Alberto Solino ([@agsolino](https://twitter.com/agsolino)) for the tremendous work of Impacket (https://github.com/SecureAuthCorp/impacket). Almost everything we do here comes from impacket.
     110 +- [Alesandro Z](https://github.com/AlessandroZ) & everyone who worked on Lazagne (https://github.com/AlessandroZ/LaZagne/wiki) for the VNC & Firefox modules, and most likely for a lots of other ones in the futur.
     111 +- dirkjanm [@_dirkjan](https://twitter.com/_dirkjan) for the base code of adconnect dump (https://github.com/fox-it/adconnectdump) & every research he ever did. I learned so much on so many subjects thanks to you. <3
     112 +- [@byt3bl33d3r](https://twitter.com/byt3bl33d3r) for CME (lots of inspiration and code comes from CME : https://github.com/byt3bl33d3r/CrackMapExec )
     113 +- All the Team at [@LoginSecurite](https://twitter.com/LoginSecurite) for their help in debugging my shity code (special thanks to [@layno](https://github.com/clayno) & [@HackAndDo](https://twitter.com/HackAndDo) for that)
    83 114   
    84  -# TODO
    85  -- finish ADSync/ADConnect password extraction
     115 +## Todo
     116 +- Dinish ADSync/ADConnect password extraction
    86 117  - CREDHISTORY full extraction
    87  -- extract windows Certificates
    88  -- further analyse ADAL/msteams
    89  -- implement Chrome <v80 decoder
    90  -- find a way to implement Lazagne's great modules
     118 +- Extract windows Certificates
     119 +- Further analysis ADAL/msteams
     120 +- Omplement Chrome <v80 decoder
     121 +- Find a way to implement Lazagne's great modules
     122 + 
     123 +# Changelog
     124 + 
     125 + ```
     126 + v1.0
     127 + ----
     128 + Initial release
     129 + ```
     130 + 
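Review bot: two typos are introduced in the Todo list at new lines 116 and 120: `- Dinish ADSync/ADConnect password extraction` should read `Finish`, and `- Omplement Chrome <v80 decoder` should read `Implement`. Same hunk, presentation: `# Changelog` at new line 123 is now the only `#` heading after Install, Credits and Todo were demoted to `##`, and its fence at lines 125-129 is indented by one space unlike every other fence in the file; the Installation fence at line 99 lacks the `bash` tag the new examples use, and the backup-key example at line 90 keeps the old single-line backtick form with a `python` prefix. Also, line 52 renames the hash flag from `-Hashes` to `--hashes`; confirm that spelling matches the tool's argument parser before merging.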