zblurx / dploot
DPAPI looting remotely in Python
License: MIT License
Hey @zblurx,
While packaging and testing the provisional python3-dploot package, I noticed the Debian throwing SyntaxWarning for the following files/lines:
dploot/triage/sccm.py:90
dploot/triage/sccm.py:91
dploot/triage/sccm.py:92
dploot/triage/sccm.py:117
I wanted to bring this to your attention to see if this is something fixable.
$ sudo apt install ./python3-dploot_2.6.0-0kali2_amd64.deb
[...]
/usr/lib/python3/dist-packages/dploot/triage/sccm.py:90: SyntaxWarning: invalid escape sequence '\['
regex_naa = b"CCM_NetworkAccessAccount.*<PolicySecret Version=\"1\"><!\[CDATA\[(.*?)\]\]><\/PolicySecret>.*<PolicySecret Version=\"1\"><!\[CDATA\[(.*?)\]\]><\/PolicySecret>"
/usr/lib/python3/dist-packages/dploot/triage/sccm.py:91: SyntaxWarning: invalid escape sequence '\['
regex_task = b"</SWDReserved>.*<PolicySecret Version=\"1\"><!\[CDATA\[(.*?)\]\]><\/PolicySecret>"
/usr/lib/python3/dist-packages/dploot/triage/sccm.py:92: SyntaxWarning: invalid escape sequence '\['
regex_collection = b"CCM_CollectionVariable\x00\x00(.*?)\x00\x00.*<PolicySecret Version=\"1\"><!\[CDATA\[(.*?)\]\]><\/PolicySecret>"
/usr/lib/python3/dist-packages/dploot/triage/sccm.py:117: SyntaxWarning: invalid escape sequence '\['
regex = "<PolicySecret Version=\"1\"><!\[CDATA\[(.*?)\]\]><\/PolicySecret>"
[...]
If it is, would it be possible to post the fix under tag 2.6.1?
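An added example (not dploot's code): a check a packager can run to reproduce these warnings without installing the package, and to confirm that a raw-string literal leaves the pattern unchanged. The source line is copied from the warning output above; the raw-string rewrite, the CDATA payload and the function names are constructed for illustration.

```python
import ast
import re
import warnings

# Line 117 as quoted in the warning output, and a raw-string rewrite of it
# (the rewrite is this example's assumption, not the project's actual fix).
BEFORE_SRC = r'''regex = "<PolicySecret Version=\"1\"><!\[CDATA\[(.*?)\]\]><\/PolicySecret>"'''
AFTER_SRC = r"""regex = r'<PolicySecret Version="1"><!\[CDATA\[(.*?)\]\]><\/PolicySecret>'"""

# Constructed input: placeholder payload, not real policy data.
SAMPLE = '<PolicySecret Version="1"><![CDATA[0123ABCD]]></PolicySecret>'


def escape_warnings(source, filename="<sample>"):
    """Compile source and return the invalid-escape warnings the compiler emits.

    The category is SyntaxWarning on Python 3.12+ and DeprecationWarning before.
    """
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        compile(source, filename, "exec")
    return [f"{w.filename}:{w.lineno}: {w.category.__name__}: {w.message}"
            for w in caught if "invalid escape sequence" in str(w.message)]


def literal_value(source):
    """Return the string assigned by a one-line `name = "literal"` source."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        tree = ast.parse(source)
    return ast.literal_eval(tree.body[0].value)


def nul_pattern_matches():
    """rb'\\x00' is four pattern characters, but re still reads it as a NUL byte."""
    blob = b"CCM_CollectionVariable\x00\x00name\x00\x00"  # constructed
    m = re.search(rb"CCM_CollectionVariable\x00\x00(.*?)\x00\x00", blob)
    return m is not None and m.group(1) == b"name"


if __name__ == "__main__":
    print(escape_warnings(BEFORE_SRC))   # one or more warnings
    print(escape_warnings(AFTER_SRC))    # []
    print(literal_value(BEFORE_SRC) == literal_value(AFTER_SRC))
    print(re.search(literal_value(AFTER_SRC), SAMPLE).group(1))
    print(nul_pattern_matches())
```

The same `escape_warnings` call works on a whole file's text, so it can run in a package build before the byte-compile step surfaces the warning at install time.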
Hey @zblurx,
While packaging dploot for Kali Linux, I discovered the following warning:
$ dploot -h
/usr/lib/python3/dist-packages/dploot/triage/certificates.py:12: CryptographyDeprecationWarning: Use PrivateKeyTypes instead
from cryptography.hazmat.primitives.asymmetric.types import PRIVATE_KEY_TYPES
usage: dploot [-h] [-debug] [-quiet]
{certificates,credentials,masterkeys,vaults,backupkey,rdg,triage,machinemasterkeys,machinecredentials,machinevaults,machinecertificates,machinetriage,browser,wifi}
...
DPAPI looting remotely in Python
[...]
If this warning could be addressed and released as v2.1.5, it'd be great, and I'd sincerely appreciate it.
Thanks in advance.
facing some error
[*] Connected to 192.168.0.104 as marvel.local\amit.prajapati (admin)
[*] Triage SYSTEM masterkeys
[-] Got error: 'HashRecords'
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/dploot/entry.py", line 74, in main
actions[options.action](options)
File "/usr/local/lib/python3.11/dist-packages/dploot/action/machinecertificates.py", line 86, in entry
a.run()
File "/usr/local/lib/python3.11/dist-packages/dploot/action/machinecertificates.py", line 50, in run
self.masterkeys = triage.triage_system_masterkeys()
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/dploot/triage/masterkeys.py", line 64, in triage_system_masterkeys
LSA.dumpSecrets()
File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 1721, in dumpSecrets
value = self.getValue('\Policy\Secrets\{}\{}\default'.format(key,valueType))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 1192, in getValue
value = self.__registryHive.getValue(keyValue)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 460, in getValue
key = self.findKey(regKey)
^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 378, in findKey
res = self.__findSubKey(parentKey, subKey)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 299, in __findSubKey
data = lf['HashRecords']
~~^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/structure.py", line 169, in __getitem__
return self.fields[key]
~~~~~~~~~~~^^^^^
KeyError: 'HashRecords'
This error blocked my installation until I found this workaround:
https://bugs.launchpad.net/lxml/+bug/1894350
Can this be used to dump local browser credentials and cookies? In post exploitation phase
Error when using Kerberos ccache key file for authentication:
proxychains dploot triage -d 'domain.com' -u 'user' -no-pass -use-kcache -kdcHost FQDN.domain.com targetfqdn.domain.com -pvk DPAPI-backupkey.pvk -debug
[-] Got error: 'Namespace' object has no attribute 'aes'
Traceback (most recent call last):
File "/usr/local/lib/python3.10/dist-packages/dploot/entry.py", line 74, in main
actions[options.action](options)
File "/usr/local/lib/python3.10/dist-packages/dploot/action/triage.py", line 150, in entry
a = TriageAction(options)
File "/usr/local/lib/python3.10/dist-packages/dploot/action/triage.py", line 24, in __init__
self.target = Target.from_options(options)
File "/usr/local/lib/python3.10/dist-packages/dploot/lib/target.py", line 34, in from_options
and options.aes is None
AttributeError: 'Namespace' object has no attribute 'aes'
Hi @zblurx, could you please take a look at this issue? Is it due to an old Chrome version?
Traceback (most recent call last):
File "/usr/local/lib/python3.8/dist-packages/dploot/triage/browser.py", line 111, in triage_browsers
user_credentials, user_cookies=self.triage_browsers_for_user(user, gather_cookies)
File "/usr/local/lib/python3.8/dist-packages/dploot/triage/browser.py", line 123, in triage_browsers_for_user
return self.triage_chrome_browsers_for_user(user=user, gather_cookies=gather_cookies)
File "/usr/local/lib/python3.8/dist-packages/dploot/triage/browser.py", line 170, in triage_chrome_browsers_for_user
query = cursor.execute(
sqlite3.OperationalError: Could not decode to UTF-8 column 'encrypted_value' with text 'v10B}*\ufffd\ufffdC\ufffd8\ufffd#\ufffd\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd%L@\ufffd^X\ufffd\ufffdc\ufffd\ufffdl\ufffd'\ufffd\ufffdI'
--- Logging error ---
Traceback (most recent call last):
File "/usr/local/lib/python3.8/dist-packages/dploot/triage/browser.py", line 111, in triage_browsers
user_credentials, user_cookies=self.triage_browsers_for_user(user, gather_cookies)
File "/usr/local/lib/python3.8/dist-packages/dploot/triage/browser.py", line 123, in triage_browsers_for_user
return self.triage_chrome_browsers_for_user(user=user, gather_cookies=gather_cookies)
File "/usr/local/lib/python3.8/dist-packages/dploot/triage/browser.py", line 170, in triage_chrome_browsers_for_user
query = cursor.execute(
sqlite3.OperationalError: Could not decode to UTF-8 column 'encrypted_value' with text 'v10B}*\ufffd\ufffdC\ufffd8\ufffd#\ufffd\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd%L@\ufffd^X\ufffd\ufffdc\ufffd\ufffdl\ufffd'\ufffd\ufffdI'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.8/logging/__init__.py", line 1088, in emit
stream.write(msg + self.terminator)
UnicodeEncodeError: 'latin-1' codec can't encode characters in position 73-74: ordinal not in range(256)
Call stack:
File "/usr/local/bin/dploot", line 8, in <module>
sys.exit(main())
File "/usr/local/lib/python3.8/dist-packages/dploot/entry.py", line 74, in main
actions[options.action](options)
File "/usr/local/lib/python3.8/dist-packages/dploot/action/browser.py", line 90, in entry
a.run()
File "/usr/local/lib/python3.8/dist-packages/dploot/action/browser.py", line 62, in run
credentials, cookies = triage.triage_browsers(gather_cookies=self.options.show_cookies)
File "/usr/local/lib/python3.8/dist-packages/dploot/triage/browser.py", line 118, in triage_browsers
logging.debug(str(e))
Message: "Could not decode to UTF-8 column 'encrypted_value' with text 'v10B}*\x18\ufffd\ufffdC\ufffd8\ufffd\x1a#\ufffd\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd%L@\ufffd^X\ufffd\ufffdc\ufffd\u
I think dploot cannot fetch Chrome (and sometimes Edge) data on newer systems because of the new paths. Maybe all the information you need is in login-securite/DonPAPI#40? :)