DonPAPI: secrets dump remotely on multiple Windows computers, with defense evasion in mind
DonPAPI
DonPAPI automates secrets dump remotely on multiple Windows computers, with defense evasion in mind.
Collected credentials:
- Chromium browser Credentials, Cookies, and Chrome Refresh Token
- Windows Certificates
- Credential Manager
- Firefox browser Credentials and Cookies
- Mobaxterm Credentials
- MRemoteNg Credentials
- RDC Manager Credentials
- Files on Desktop and Recent folder
- SCCM Credentials
- Vaults Credentials
- VNC Credentials
- Wifi Credentials
Authentication
Authentication works by specifying a domain with --domain, a username with --username, and then one credential: a password with --password, a hash with --hashes, an AES key with --aesKey, or a Kerberos ticket in ccache format with -k (Impacket style). You can also authenticate through LAPS on the target computer with --laps, passing the username of the local LAPS-managed account as the value of this parameter.
Collection
By default, DonPAPI will collect:
- Chromium: Chromium browser Credentials, Cookies and Chrome Refresh Token
- Certificates: Windows Certificates
- CredMan: Credential Manager
- Firefox: Firefox browser Credentials and Cookies
- MobaXterm: Mobaxterm Credentials
- MRemoteNg: MRemoteNg Credentials
- RDCMan: RDC Manager Credentials
- Files: Files on Desktop and Recent folder
- SCCM: SCCM Credentials
- Vaults: Vaults Credentials
- VNC: VNC Credentials
- Wifi: Wifi Credentials
You can select the collectors you want with --collectors (SharpHound style). With --fetch-pvk, DonPAPI automatically fetches the Domain Backup Key of the AD domain and uses it to decrypt the users' masterkeys; otherwise, you can supply one with --pvkfile. --pwdfile and --ntfile feed DonPAPI with secrets (passwords and NT hashes) used to unlock masterkeys. If you already have freshly decrypted masterkeys, you can pass them with --mkfile.
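Both the Authentication section (--hashes, Impacket style) and the Collection section (--ntfile) take NT hashes as input. As an added example, not DonPAPI's own code, the helper below derives them from cleartext passwords: the NT hash is MD4 over the UTF-16LE encoding of the password, and MD4 is implemented in pure Python because OpenSSL 3 builds of hashlib often refuse md4 unless the legacy provider is loaded. The one-hash-per-line layout produced by ntfile_lines() and the use of the empty LM hash as the LM half of the LMHASH:NTHASH string are assumptions made here, not facts taken from this page.

```python
import struct

MASK32 = 0xFFFFFFFF
# LM hash of the empty string; assumed here as the LM half of LMHASH:NTHASH
# when only the NT hash of the account is known.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as a little-endian u64
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    f = lambda x, y, z: (x & y) | (~x & MASK32 & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (boolean function, additive constant, per-step shifts, message word order)
    rounds = (
        (f, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (g, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for fn, const, shifts, order in rounds:
            for i in range(16):
                j = (-i) % 4  # register updated at this step: a, d, c, b, a, ...
                s[j] = _lrot((s[j] + fn(s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4])
                              + x[order[i]] + const) & MASK32, shifts[i % 4])
        state = [(state[k] + s[k]) & MASK32 for k in range(4)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), as a lowercase hex string."""
    return md4(password.encode("utf-16-le")).hex()


def impacket_hashes(password: str) -> str:
    """LMHASH:NTHASH string, the layout Impacket-style --hashes options take."""
    return f"{EMPTY_LM_HASH}:{nt_hash(password)}"


def ntfile_lines(passwords) -> list:
    """Deduplicated NT hashes, one per line (assumed --ntfile layout)."""
    seen, out = set(), []
    for p in passwords:
        h = nt_hash(p)
        if h not in seen:
            seen.add(h)
            out.append(h)
    return out


if __name__ == "__main__":
    # Constructed sample input: passwords recovered earlier in an engagement
    cracked = ["password", "Winter2024!", "password"]
    print(impacket_hashes("password"))
    for line in ntfile_lines(cracked):
        print(line)
```

The MD4 core is checked against the RFC 1320 test vectors, and nt_hash("password") yields the well-known value 8846f7eaee8fb117ad06bdd830b7586c, so the output can be dropped straight into the --hashes value or written to the file passed as --ntfile.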
Install & Use
DonPAPI Copyright (C) 2024 Login Sécurité