Dumping relevant information on compromised targets without AV detection
Lots of credentials are protected by DPAPI.
We aim at locating those “secured” credentials, and retrieve them using :
- User password
- Domaine DPAPI BackupKey
- Local machine DPAPI Key (protecting TaskScheduled blob)
Currently gathered info
- Windows credentials (Taskscheduled credentials & a lot more)
- Windows Vaults
- Windows RDP credentials
- AdConnect (still require a manual operation)
- Wifi key
- Intenet explorer Credentials
- Chrome cookies & credentials
- Firefox cookies & credentials
- VNC passwords
- mRemoteNG password (with default config)
Check for a bit of compliance
- SMB signing status
- OS/Domain/Hostname/Ip of the audited scope
With a local admin account on a host, we can :
- Gather machine protected DPAPI secrets
- ScheduledTask that will contain cleartext login/password of the account configured to run the task
- Wi-Fi passwords
- Extract Masterkey’s hash value for every user profile (masterkeys being protected by the user’s password, let’s try to crack them with Hashcat)
- Identify who is connected from where in order to identify the admin’s personal computers.
- Extract other non-dpapi protected secrets (VNC/Firefox/mRemoteNG)
- Gather protected secrets from IE, Chrome, Firefox and start reaching the Azure tenant.
With a user password, or the domain PVK we can unprotect the user’s DPAPI secrets.
git clone https://github.com/login-securite/DonPAPI.git
python3 -m pip install -r requirements.txt
Source: Penetration Testing