DonPAPI v1.2 releases: Dumping revelant information on compromised targets without AV detection

DonPAPI

Dumping relevant information on compromised targets without AV detection

DPAPI dumping

Lots of credentials are protected by DPAPI.

We aim at locating those “secured” credentials, and retrieve them using :

• User password
• Domaine DPAPI BackupKey
• Local machine DPAPI Key (protecting TaskScheduled blob)

Currently gathered info

• Windows credentials (Taskscheduled credentials & a lot more)
• Windows Vaults
• Windows RDP credentials
• AdConnect (still require a manual operation)
• Wifi key
• Intenet explorer Credentials
• Chrome cookies & credentials
• Firefox cookies & credentials
• VNC passwords
• mRemoteNG password (with default config)

Check for a bit of compliance

• SMB signing status
• OS/Domain/Hostname/Ip of the audited scope

Operational use

With a local admin account on a host, we can :

• Gather machine protected DPAPI secrets
  • ScheduledTask that will contain cleartext login/password of the account configured to run the task
  • Wi-Fi passwords
• Extract Masterkey’s hash value for every user profile (masterkeys being protected by the user’s password, let’s try to crack them with Hashcat)
• Identify who is connected from where in order to identify the admin’s personal computers.
• Extract other non-dpapi protected secrets (VNC/Firefox/mRemoteNG)
• Gather protected secrets from IE, Chrome, Firefox and start reaching the Azure tenant.

With a user password, or the domain PVK we can unprotect the user’s DPAPI secrets.

Changelog v1.2

• a lot of Bugfixes, and the addition of “Refresh Token” stealing in Chrome

Install

git clone https://github.com/login-securite/DonPAPI.git
cd DonPAPI
python3 -m pip install -r requirements.txt
python3 DonPAPI.py

Tutorial