Dumping revelant information on compromised targets without AV detection

Overview

DonPAPI

Dumping revelant information on compromised targets without AV detection

DPAPI dumping

Lots of credentials are protected by DPAPI (link ) We aim at locating those "secured" credentials, and retreive them using :

  • user password
  • domaine DPAPI BackupKey
  • Local machine DPAPI Key (that protect TaskScheduled Blob)

Curently gathered info:

  • Windows credentials (Taskscheduled credentials & a lot more)
  • Windows Vaults
  • Windows RDP credentials
  • AdConnect (still require a manual operation)
  • Wifi key
  • Intenet explorer Creentials
  • Chrome cookies & credentials
  • Firefox cookies & credentials
  • VNC passwords
  • mRemoteNG password (with default config)

Check for a bit of compliance

  • smb signing enabled
  • OS/Domain/Hostname/Ip of the audited scope

Operational use

with local admin account on a machine, we can :

  • gather Machine protected DPAPI secrets, like ScheduledTask, that will contains cleartext login/password of the account that should run the task (Also Wifi passwords)
  • extract Masterkey's hash value for every users profiles (masterkeys beeing protected by the user's password, let's try to crack them with Hashcat)
  • Identify who is connected from where, in order to identify Admin's personal machines.
  • extract other non-dpapi protected secrets (VNC/Firefox/mRemoteNG)

With a user password, or the domain PVK we can unprotect it's DPAPI Secrets. you can pass a full list of credentials that will be tested on the machine.

  • gather protected secrets from IE, Chrome, Firefox and start reaching the Azure tenant.

Exemples

dump all secrets of our target machine with an admin account :

python DonPAPI.py Domain/user:passw0rd@target

connect with PTH

python DonPAPI.py -Hashes XXXXXXXXXX Domain/user@target

can do kerberos (-k), and local auth (-local_auth)

connect with an account that have LAPS rights:

python DonPAPI.py -laps Domain/user:passw0rd@target

you have a few users passwords ? just give them to DonPAPI and it will try to use them to decipher masterkeys of these users. (the file have to contain user:pass, one per line)

python DonPAPI.py -credz credz_file Domain/user:passw0rd@target

you got domain admin access and dumped the domain backup key ? (impacket dpapi.py backupkey --export). them dump all secrets of all users of the domain !

python DonPAPI.py -pvk domain_backupkey.pvk -credz file_with_Login:pass Domain/user:passw0rd@domain_network_list

target can be an IP, IP range, CIDR, file containing list of the above targets (one per line)

Opsec consideration

The RemoteOps part can be spoted by some EDR. has it's only real use is to get DPAPI Machine key, it could be deactivated (--no_remoteops). but no more taskscheduled credentials in that case.

INSTALL

git clone https://github.com/login-securite/DonPAPI.git
pip install -r requirements.txt
python3 DonPAPI.py

Credits

All the credits goes to these great guys for doing the hard research & coding :

  • Benjamin Delpy (@gentilkiwi) for most of the DPAPI research (always greatly commented - <3 your code)
  • Alberto Solino (@agsolino) for the tremendous work of Impacket (https://github.com/SecureAuthCorp/impacket). Almost everything we do here comes from impacket.
  • Alesandro Z (@) & everyone who worked on Lazagne (https://github.com/AlessandroZ/LaZagne/wiki) for the VNC & Firefox modules, and most likely for a lots of other ones in the futur.
  • dirkjanm @dirkjanm for the base code of adconnect dump (https://github.com/fox-it/adconnectdump) & every research he ever did. i learned so much on so many subjects thanks to you. <3
  • @Byt3bl3d33r for CME (lots of inspiration and code comes from CME : https://github.com/byt3bl33d3r/CrackMapExec )
  • All the Team of @LoginSecurite for their help in debugging my shity code (special thanks to @layno & @HackAndDo for that)

TODO

  • finish ADSync/ADConnect password extraction
  • CREDHISTORY full extraction
  • extract windows Certificates
  • further analyse ADAL/msteams
  • implement Chrome
  • find a way to implement Lazagne's great modules
Comments
  • Cookie filtering

    Cookie filtering

    At the moment, depending on the network a lot of expired cookies can be returned. It would be nice if the tool could filter out those (at least by default). In the same idea, a lot of cookies can be empty so 99.9% of the time useless, this could also be filtered out.

    opened by tigre-bleu 3
  • Python SyntaxError

    Python SyntaxError

    Hi, When running the DonPAPI.py script I get the following python error:

    File "./DonPAPI.py", line 157
        logging.info(f"Loaded {len(credz)} user credentials")
                                                           ^
    SyntaxError: invalid syntax
    

    Steps to reproduce:

    git clone https://github.com/login-securite/DonPAPI.git
    pip3 install -r requirements.txt
    ./DonPAPI.py
    

    This looks like a great tool, looking forward to using it!

    opened by israsec 2
  • VNC plugin error on reading and parsing registry key

    VNC plugin error on reading and parsing registry key

    The VNC plugin in software/sysadmin/vnc.py does not handle properly the read of a registry key.

    There is two issues:

    • After getting the key from registry, the variable is bytes, but on line 107, you triy to rstrip() some string, causing an error.
    • On the reverse_vncpassword method, you try to unhex/hex the same variable, but as it's bytes and not a string hex representation, it fails.
    opened by Th3l5D 2
  • Short question: cme module

    Short question: cme module

    On the bottom of the readme you write that a lot of code comes from cme. I would love to see the project as a cme module. Is that currently on focus? Maybe you can write your thoughts about this and maybe some hints how to start with this project on my own.

    Cheers.

    opened by blacklist-arcc 2
  • ModuleNotFoundError

    ModuleNotFoundError

    Bonjour à tous, ça fait un p'tit moment que j'utilise DonPAPI et depuis une fresh install de Kali j'ai une erreur que je n'arrive pas debbugger si quelqu'un a une idée je suis preneur:

    python3 DonPAPI.py

    Traceback (most recent call last): File "DonPAPI.py", line 27, in from myseatbelt import MySeatBelt File "myseatbelt.py", line 12, in from lib.secretsdump import LSASecrets as MyLSASecrets ModuleNotFoundError: No module named 'lib.secretsdump'

    Alors que la lib est bien dispo dasn e dossier d'installation dans lib/secretsdump Pour être sûr de moi j'avais ajouté le chemin d'exécution dans la variable $PATH, mais rien n'y fait.

    Je n'ai aucune idée de comment debbugger ceci.

    D'avance merci de l'attention porté à mon problème !

    opened by no0neismrji 1
  • Allow working in local mode

    Allow working in local mode

    Currently this tool allows reading files via SMB only.

    I would like to run it locally, using Kali Live, with Windows drive(s) mounted in eg. /mnt/c, /mnt/d etc.

    opened by tomaszklim 1
  • Add option to retrieve cookies as well as saved logins

    Add option to retrieve cookies as well as saved logins

    DonPAPI does a fantastic job of retrieving saved login credentials, however the option to retrieve cookies would be beneficial to be able to steal existing sessions and bypass 2FA protection. Currently it seems an attempt was made at adding this feature but it may have been abandoned (https://github.com/login-securite/DonPAPI/blob/main/myseatbelt.py#L460). I might try and have a go at this in a few weeks but not sure if I'll be able to pull it off.

    opened by br-sn 1
  • Error when using --GetHashes

    Error when using --GetHashes

    When running DonPAPI with "--GetHashes" I get the following error.

    Traceback (most recent call last):
      File "/<mytoolspath>/DonPAPI/DonPAPI.py", line 273, in <module>
        main()
      File "/<mytoolspath>/DonPAPI/DonPAPI.py", line 185, in main
        my_report.export_hashes()
    AttributeError: 'reporting' object has no attribute 'export_hashes'
    

    DonPAPI is running on KALI 2021.4 with Impacket v0.9.24.dev1+20210720.100427.cd4fe47c. The target is Windows 10 1803

    opened by corsch 1
  • Wrong description for --no_recent and --no_sysadmins

    Wrong description for --no_recent and --no_sysadmins

    The "--no_recent" and "--no_sysamins" options have the wrong description:

    attacks:
      --no_browser          do not hunt for browser passwords
      --no_dpapi            do not hunt for DPAPI secrets
      --no_vnc              do not hunt for VNC passwords
      --no_remoteops        do not hunt for SAM and LSA with remoteops
      --GetHashes           Get all users Masterkey's hash & DCC2 hash
      --no_recent           Get recent files
      --no_sysadmins        Get sysadmins stuff (mRemoteNG, vnc, keepass, lastpass ...)
    

    The Word "Get" should be replaced by "do not hunt for" for --no_recent and --no_sysamins

    opened by corsch 1
  • Poetry build fix + better readme

    Poetry build fix + better readme

    • [x] pyproject.toml: proper pyproject.toml
    • [x] readme: markdown compliant with https://commonmark.org/
    • [x] readme: add alternative poetry install steps

    Before pyproject.toml update

    $ poetry build
    Creating virtualenv donpapi-dfVQVXBX-py3.10 in /home/noraj/.cache/pypoetry/virtualenvs
    Building donpapi (1.0.0)
    
    $ python -m build --wheel
    * Creating virtualenv isolated environment...
    * Installing packages in isolated environment... (poetry-core>=1.0.0)
    * Getting dependencies for wheel...
    * Building wheel...
    Traceback (most recent call last):
      File "/usr/lib/python3.10/site-packages/pep517/in_process/_in_process.py", line 351, in <module>
        main()
      File "/usr/lib/python3.10/site-packages/pep517/in_process/_in_process.py", line 333, in main
        json_out['return_val'] = hook(**hook_input['kwargs'])
      File "/usr/lib/python3.10/site-packages/pep517/in_process/_in_process.py", line 249, in build_wheel
        return _build_backend().build_wheel(wheel_directory, config_settings,
      File "/tmp/build-env-lekq9y_k/lib/python3.10/site-packages/poetry/core/masonry/api.py", line 67, in build_wheel
        return WheelBuilder.make_in(poetry, Path(wheel_directory))
      File "/tmp/build-env-lekq9y_k/lib/python3.10/site-packages/poetry/core/masonry/builders/wheel.py", line 74, in make_in
        wb = WheelBuilder(
      File "/tmp/build-env-lekq9y_k/lib/python3.10/site-packages/poetry/core/masonry/builders/wheel.py", line 57, in __init__
        super().__init__(poetry, executable=executable)
      File "/tmp/build-env-lekq9y_k/lib/python3.10/site-packages/poetry/core/masonry/builders/builder.py", line 83, in __init__
        self._module = Module(
      File "/tmp/build-env-lekq9y_k/lib/python3.10/site-packages/poetry/core/masonry/utils/module.py", line 69, in __init__
        raise ModuleOrPackageNotFound(
    poetry.core.masonry.utils.module.ModuleOrPackageNotFound: No file/folder found for package donpapi
    
    ERROR Backend subprocess exited when trying to invoke build_wheel
    

    cf. https://github.com/python-poetry/poetry/issues/1110

    After pyproject.toml update

    $ poetry build           
    Building donpapi (1.0.0)
      - Building sdist
      - Built donpapi-1.0.0.tar.gz
      - Building wheel
      - Built donpapi-1.0.0-py3-none-any.whl
    
    $  python -m build --wheel
    * Creating virtualenv isolated environment...
    * Installing packages in isolated environment... (poetry-core>=1.0.0)
    * Getting dependencies for wheel...
    * Building wheel...
    Successfully built donpapi-1.0.0-py3-none-any.whl
    
    opened by noraj 0
  • cookies in report and some improvment on the UI

    cookies in report and some improvment on the UI

    adding a section for cookies in the report cookies expire date are printed in readable format section are toggled by default show number of credz in each sections top bar

    opened by login-securite 0
  • Lazagne with DonPAPI

    Lazagne with DonPAPI

    Hello,

    Nice project !

    I wanted to give you some idea to deal with Lazagne modules. I think you could not managed with the lazagne project but you should use lazagne forensic which has been designed to have a similar idea. The project is not up to date but could be done easily copying the code from lazagne modules and modifying from where the data are retrieved.

    What I would suggest you is to integrate lazagneforensic as an external project (like we do in pupy: https://github.com/n1nj4sec/pupy/tree/unstable/pupy/external), and you load the project as module into the code. We update all lazagneForensic modules and fix some compatible issue with your project (if there are).

    Like that if a fix is done on your project or mine, it could be easily fixed.

    If you don't want and want to do your own things, I have no problems with it.

    Have a nice day.

    opened by AlessandroZ 0
  • Missing license file

    Missing license file

    Hi,

    This project looks amazing and solves a large amount of possible problems, However looking at the codebase I wasn't able to find a LICENSE file, The only thing I could find is a message in the master file indicating the license is a modified version of Apache license with more details in the LICENSE file that I wasn't able to find.

    This software is provided under under a slightly modified version

    of the Apache Software License. See the accompanying LICENSE file

    for more information.

    If a license file could be added it will be great help !

    opened by idanlivni 1
Releases(v1.0.0)
Owner
Login Securite
Login Securite
Python tool for dumping flash via uboot reliably

Reliable Uboot Flash Dumper is a Python tool for dumping flash via uboot reliably. If you've ever had to dump flash via uboot and a serial connection and became frustrated about doing it several times and hand-merging files together to fix issues, this should help you out

SecurityJon 25 May 10, 2022
Backdoor is a term that refers to the access of the software or hardware of a computer system without being detected.

This program is an non-object oriented opensource, hidden and undetectable backdoor/reverse shell/RAT for Windows made in Python 3 which contains many features such as multi-client support and cross-platform server.

null 35 Apr 17, 2022
The Devils Eye is an OSINT tool that searches the Darkweb for onion links and descriptions that match with the users query without requiring the use for Tor.

The Devil's Eye searches the darkweb for information relating to the user's query and returns the results including .onion links and their description

Richard Mwewa 135 Dec 31, 2022
Find existing email addresses by nickname using API/SMTP checking methods without user notification. Please, don't hesitate to improve cat's job! 🐱🔎 📬

mailcat The only cat who can find existing email addresses by nickname. Usage First install requirements: pip3 install -r requirements.txt Then just

null 282 Dec 30, 2022
A simple way to store your passwords without requiring third party applications

SimplePasswordManager A simple way to store your passwords without requiring third party applications Simple To Use. Store Your Passwords For Each Web

Leone Odinga 1 Dec 23, 2021
Oh365UserFinder is used for identifying valid o365 accounts without the risk of account lockouts.

Oh365 User Finder Oh365UserFinder is used for identifying valid o365 accounts without the risk of account lockouts. The tool parses responses to ident

Joe Helle 414 Jan 2, 2023
HatSploit collection of generic payloads designed to provide a wide range of attacks without having to spend time writing new ones.

HatSploit collection of generic payloads designed to provide a wide range of attacks without having to spend time writing new ones.

EntySec 5 May 10, 2022
A Python tool to automate some dorking stuff to find information disclosures.

WebDork v1.0.3 A open-source tool to find publicly available sensitive information about Companies/Organisations! WebDork A Python tool to automate so

Rahul rc 123 Jan 8, 2023
Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.

The Recon-ng Framework Recon-ng content now available on Pluralsight! Recon-ng is a full-featured reconnaissance framework designed with the goal of p

null 2.4k Jan 7, 2023
Writeups for wtf-CTF hosted by Manipal Information Security Team as part of Techweek2021- INCOGNITO

wtf-CTF_Writeups Table of Contents Table of Contents Crypto Misc Reverse Pwn Web Crypto wtf_Bot Author: Madjelly Join the discord server!You know how

null 6 Jun 7, 2021
A traceroute tool that also displays IP information

infotr A traceroute tool that also displays IP information. This tool has only been tested on Linux. Quick Start First, install this tool from PyPI. p

K4YT3X 10 Oct 29, 2022
Send CVE information to the specified mailbox (from Github)

Send CVE information to the specified mailbox (from Github)

null 91 Nov 8, 2022
This tool ability to analyze software packages of different programming languages that are being or will be used in their codes, providing information that allows them to know in advance if this library complies with processes.

This tool gives developers, researchers and companies the ability to analyze software packages of different programming languages that are being or will be used in their codes, providing information that allows them to know in advance if this library complies with processes. secure development, if currently supported, possible backdoors (malicious embedded code), typosquatting analysis, the history of versions and reported vulnerabilities (CVEs) of the package.

Telefónica 66 Nov 8, 2022
Scan Site - Tools For Scanning Any Site and Get Site Information

Site Scanner Tools For Scanning Any Site and Get Site Information Example Require - pip install colorama - pip install requests How To Use Download Th

NumeX 5 Mar 19, 2022
Sonoff NSPanel protocol and hacking information. Tasmota Berry driver for NSPanel

NSPanel Hacking Sonoff NSPanel protocol and hacking information and Tasmota Berry driver. NSPanel protocol manual Tasmota driver nspanel.be Installati

blakadder 98 Dec 26, 2022
A windows post exploitation tool that contains a lot of features for information gathering and more.

Crowbar - A windows post exploitation tool Status - ✔️ This project is now considered finished. Any updates from now on will most likely be new script

null 29 Nov 20, 2022
Mr.Holmes is a information gathering tool (OSINT)

?? Mr.Holmes Mr.Holmes is a information gathering tool (OSINT). Is main purpose is to gain information about domains,username and phone numbers with t

null 534 Jan 8, 2023
GDID (Google Dorks for Information Disclosure)

GDID (Google Dorks for Information Disclosure) Script made for your recon automation in Bug Bounty or Pentest. It will help you to find Information Di

Nischacid 5 Mar 10, 2022