DonPAPI: secrets dump remotely on multiple Windows computers, with defense evasion in mind

by ddos · July 8, 2024

DonPAPI

DonPAPI automates secrets dump remotely on multiple Windows computers, with defense evasion in mind.

Collected credentials:

Chromium browser Credentials, Cookies, and Chrome Refresh Token
Windows Certificates
Credential Manager
Firefox browser Credentials and Cookies
Mobaxterm Credentials
MRemoteNg Credentials
RDC Manager Credentials
Files on Desktop and Recent folder
SCCM Credentials
Vaults Credentials
VNC Credentials
Wifi Credentials

Authentication

Authentication works by specifying a domain with --domain, an username with --username, and eventually a password with --password, a hash with --hashes, an AES key with --aesKey or a Kerberos ticket in ccache format with -k (Impacket style). You can also authenticate through LAPS on the computer with --laps and the username of the local LAPS account as the value for this parameter.

Collection

By default, DonPAPI will collect:

Chromium: Chromium browser Credentials, Cookies and Chrome Refresh Token
Certificates: Windows Certificates
CredMan: Credential Manager
Firefox: Firefox browser Credentials and Cookies
MobaXterm: Mobaxterm Credentials
MRemoteNg: MRemoteNg Credentials
RDCMan: RDC Manager Credentials
Files: Files on Desktop and and Recent folder
SCCM: SCCM Credentials
Vaults: Vaults Credentials
VNC: VNC Credentials
Wifi: Wifi Credentials

You can specify each one you want to collect with --collectors (SharpHound style). If you use --fetch-pvk, DonPAPI will automatically fetch the Domain Backup Key of the AD domain and use it to decrypt masterkeys. Otherwise, you can bring one with --pvkfile. --pwdfile, --ntfile are used to feed DonPAPI with secrets in order to unlock masterkeys. But if you have freshly decrypted masterkeys, you can use --mkfile.

Install & Use

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal