DonPAPI - Dumping DPAPI Credz Remotely


  • Dumping relevant information on compromised targets without AV detection

    DPAPI dumping

    Lots of credentials are protected by DPAPI.
    We aim at locating those "secured" credentials, and retrieve them using:

    • User password
    • Domain DPAPI BackupKey
    • Local machine DPAPI Key (protecting TaskScheduled blob)

    Currently gathered info

    • Windows credentials (Taskscheduled credentials & a lot more)
    • Windows Vaults
    • Windows RDP credentials
    • AdConnect (still requires a manual operation)
    • Wifi key
    • Internet Explorer credentials
    • Chrome cookies & credentials
    • Firefox cookies & credentials
    • VNC passwords
    • mRemoteNG password (with default config)

    Check for a bit of compliance

    • SMB signing status
    • OS/Domain/Hostname/Ip of the audited scope

    Operational use

    With local admin account on a host, we can:

    • Gather machine protected DPAPI secrets
    • ScheduledTask that will contain cleartext login/password of the account configured to run the task
    • Wi-Fi passwords
    • Extract Masterkey's hash value for every user profile (masterkeys being protected by the user's password, let's try to crack them with Hashcat)
    • Identify who is connected from where, in order to identify admin's personal computers.
    • Extract other non-dpapi protected secrets (VNC/Firefox/mRemoteNG)
    • Gather protected secrets from IE, Chrome, Firefox and start reaching the Azure tenant.

    With a user password, or the domain PVK we can unprotect the user's DPAPI secrets.
    Dump all secrets of the target machine with an admin account:

        domain/user:[email protected]

    Using user's hash:

        --hashes <LM>:<NT> domain/[email protected]

    Using kerberos (-k) and local auth (-local_auth):

        -k domain/[email protected]
        -local_auth [email protected]

    Using a user with LAPS password reading rights:

        -laps domain/user:[email protected]

    It is also possible to provide the tool with a list of credentials that will be tested on the target. DonPAPI will try to use them to decipher masterkeys.
    This credential file must have the following syntax:

        user1:pass1
        user2:pass2
        ...

        -credz credz_file.txt domain/user:[email protected]

    When a domain admin user is available, it is possible to dump the domain backup key using the impacket tool:

        backupkey --export

    This backup key can then be used to dump all domain users' secrets!

        python -pvk domain_backupkey.pvk domain/user:[email protected]_network_list

    Target can be an IP, IP range, CIDR, or a file containing a list of targets (one per line).

    Opsec consideration

    The RemoteOps part can be spotted by some EDR. It can be disabled using the --no_remoteops flag, but then the machine DPAPI key won't be retrieved, and scheduled task credentials/Wi-Fi passwords won't be harvested.

    Installation

        git clone
        cd DonPAPI
        python3 -m pip install -r requirements.txt

    All the credits go to these great guys for doing the hard research & coding:

    Download DonPAPI

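For defenders: the post describes collecting masterkeys and credential blobs from every user profile on a remote host, which is visible in file share auditing when those files are read over the C$ admin share. The sketch below is an added example, not part of the original post or of DonPAPI; it scans Windows Security event 5145 records (Detailed File Share auditing) for one source touching the DPAPI stores of several profiles on the same host. The pre-parsed dict layout, the `min_profiles` threshold and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Standard per-user DPAPI stores, as paths relative to the C$ admin share.
DPAPI_PATH = re.compile(
    r"^Users\\(?P<profile>[^\\]+)\\AppData\\(?:Roaming|Local)\\Microsoft\\"
    r"(?P<store>Protect|Credentials|Vault)\\", re.IGNORECASE)

def find_remote_dpapi_sweeps(events, min_profiles=2):
    """Alert when one source reads DPAPI stores of several profiles on a host."""
    seen = defaultdict(lambda: defaultdict(set))  # (host, src, account) -> profile -> stores
    for ev in events:
        if ev.get("EventID") != 5145 or not ev.get("ShareName", "").upper().endswith("\\C$"):
            continue
        m = DPAPI_PATH.match(ev.get("RelativeTargetName", ""))
        if not m:
            continue
        profile = m.group("profile").lower()
        if profile == ev.get("SubjectUserName", "").lower():
            continue  # a user reaching their own profile is expected
        key = (ev["Computer"], ev["IpAddress"], ev["SubjectUserName"])
        seen[key][profile].add(m.group("store").capitalize())
    alerts = []
    for (host, src, account), profiles in sorted(seen.items()):
        if len(profiles) >= min_profiles:
            alerts.append({"host": host, "source_ip": src, "account": account,
                           "profiles": sorted(profiles),
                           "stores": sorted(set().union(*profiles.values()))})
    return alerts

def _ev(host, src, user, path):
    return {"EventID": 5145, "Computer": host, "IpAddress": src,
            "SubjectUserName": user, "ShareName": r"\\*\C$",
            "RelativeTargetName": path}

# Constructed sample events in an assumed dict layout; SIDs and GUIDs are made up.
PROT = r"\AppData\Roaming\Microsoft\Protect\S-1-5-21-1-2-3-1104\00000000-aaaa"
SAMPLE_EVENTS = [
    _ev("WS01", "10.0.0.50", "svc_admin", r"Users\alice" + PROT),
    _ev("WS01", "10.0.0.50", "svc_admin", r"Users\alice\AppData\Local\Microsoft\Credentials\AB12"),
    _ev("WS01", "10.0.0.50", "svc_admin", r"Users\bob" + PROT),
    _ev("WS01", "10.0.0.7", "alice", r"Users\alice" + PROT),
    _ev("WS02", "10.0.0.9", "helpdesk", r"Users\carol\Documents\report.docx"),
    _ev("WS02", "10.0.0.9", "helpdesk", r"Users\carol" + PROT),
]

if __name__ == "__main__":
    for alert in find_remote_dpapi_sweeps(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only the `svc_admin` session from 10.0.0.50 is reported, since it reads the stores of two different profiles on WS01; the single-profile helpdesk access and the user reading their own profile are not.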