DonPAPI: secrets dump remotely on multiple Windows computers, with defense evasion in mind


DonPAPI automates secrets dump remotely on multiple Windows computers, with defense evasion in mind.

Collected credentials:

  • Chromium browser Credentials, Cookies, and Chrome Refresh Token
  • Windows Certificates
  • Credential Manager
  • Firefox browser Credentials and Cookies
  • Mobaxterm Credentials
  • MRemoteNg Credentials
  • RDC Manager Credentials
  • Files on Desktop and Recent folder
  • SCCM Credentials
  • Vaults Credentials
  • VNC Credentials
  • Wifi Credentials


Authentication works by specifying a domain with --domain, an username with --username, and eventually a password with --password, a hash with --hashes, an AES key with --aesKey or a Kerberos ticket in ccache format with -k (Impacket style). You can also authenticate through LAPS on the computer with --laps and the username of the local LAPS account as the value for this parameter.


By default, DonPAPI will collect:

  • Chromium: Chromium browser Credentials, Cookies and Chrome Refresh Token
  • Certificates: Windows Certificates
  • CredMan: Credential Manager
  • Firefox: Firefox browser Credentials and Cookies
  • MobaXterm: Mobaxterm Credentials
  • MRemoteNg: MRemoteNg Credentials
  • RDCMan: RDC Manager Credentials
  • Files: Files on Desktop and and Recent folder
  • SCCM: SCCM Credentials
  • Vaults: Vaults Credentials
  • VNC: VNC Credentials
  • Wifi: Wifi Credentials

You can specify each one you want to collect with --collectors (SharpHound style). If you use --fetch-pvk, DonPAPI will automatically fetch the Domain Backup Key of the AD domain and use it to decrypt masterkeys. Otherwise, you can bring one with --pvkfile--pwdfile--ntfile are used to feed DonPAPI with secrets in order to unlock masterkeys. But if you have freshly decrypted masterkeys, you can use --mkfile.

Install & Use

DonPAPI Copyright (C) 2024 Login Sécurité