login-securite / DonPAPI

Dumping DPAPI credz remotely
GNU General Public License v3.0
930 stars, 110 forks

Feature Request: Allow Specific User Selection #75

Open rkivys opened 1 month ago

rkivys commented 1 month ago

Background

This is less of a bug and more of a "program behavior" request.
As I run DonPAPI on a target, I encounter many junk accounts that exist in the remote machine's Users folder.
This was partially mitigated with the new "false positive" folders in each triage class.
However, usually when getting loot from a machine, there are more junk folders than can be expected to deal with.
This is an issue since we cannot expect to deal with every possible "false positive" we encounter.
So, I suggest adding a user selection prompt / flag, which will allow users to select specific Windows users for enumeration.

Possible Implementations

Interactive prompting

This is obviously not ideal when we want to iterate over many machines but it might be useful to add.

Found 4 User Folders (Bob, Alice, John Doe, Trash), please select one or more (delimited by '^'):
> Bob^John Doe

Startup Parameter

donpapi -u admin -p admin -t 1.2.3.4 --windows-users "Bob" "John Doe"

Summary

This is obviously not an urgent matter but it is certainly a "nice to have" feature.
Thank you for reading, I wish you all the best!

zblurx commented 1 month ago

Hi, thank you for the feature idea. I don't like the idea of a selection prompt, because like you said, when running on 500+ targets, it can be annoying. Also, users' home directory names can be inconsistent across multiple computers: sometimes it is user, sometimes user.domain or even user.workstation_name, so it is hard to add a functional whitelist. Maybe we could add a blacklist, in order to add multiple false positives, but I'm also thinking about a --only-domain-user to target only users that seem to be domain-joined. What do you think?

rkivys commented 1 month ago

I don't think there is any difference between a blacklist and a whitelist: in either case we predict an unknown folder name; the only difference is that when using a whitelist of allowed folders we can limit the gathering to a specific user on the machine.
This is especially useful when you have a Terminal Server that many users RDP to and we only really want the domain users that we find interesting.
This will allow donpapi to be used for more "surgical" looting as opposed to a spray, extending the use-cases and speed of execution.
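To make the whitelist / blacklist discussion above concrete, here is an added Python example written for this thread; it is not DonPAPI's code and nothing in it reflects how the project actually enumerates profiles. It assumes the `--windows-users` flag proposed in the request, invents `--exclude-users` and `--only-domain-user` as hypothetical flags, takes the set of known domain accounts as an input the caller obtains elsewhere (e.g. a directory export), and uses a constructed `C:\Users` listing as sample data. The point it adds is how a list-based filter can tolerate the `user` / `user.DOMAIN` / `user.WORKSTATION` folder-name variants mentioned in the reply, which an exact-match list cannot.

```python
"""Added example: selecting which profile folders a DPAPI triage tool should visit.

Illustrative code for this issue discussion, not DonPAPI's implementation.
It combines the --windows-users whitelist from the request with the blacklist
and --only-domain-user ideas from the reply, normalising the profile-folder
naming variants (user, user.DOMAIN, user.WORKSTATION) before matching.
"""
import argparse
from typing import Iterable, List, Optional, Set

# Constructed sample of a C:\Users listing on a hypothetical terminal server.
SAMPLE_FOLDERS = [
    "Bob", "Bob.CORP", "alice.WS01", "John Doe", "Trash",
    "Public", "Default", "Administrator", "svc_backup.CORP",
]

# Assumed default blacklist: system profile folders that hold no user credentials.
DEFAULT_EXCLUDE = {"public", "default", "default user", "all users"}


def base_name(folder: str) -> str:
    """Normalise a profile folder name for matching.

    Windows appends '.DOMAIN' or '.HOSTNAME' to a profile folder when the plain
    name is already taken, so 'Bob.CORP' and 'bob.WS01' should both match a
    whitelist entry 'Bob'. Known limitation: a logon name that itself contains
    a dot (e.g. 'j.doe') is truncated to 'j' by this heuristic.
    """
    return folder.split(".", 1)[0].strip().lower()


def parse_selection(text: str, delimiter: str = "^") -> List[str]:
    """Parse an answer to the interactive prompt proposed above ('Bob^John Doe')."""
    return [part.strip() for part in text.split(delimiter) if part.strip()]


def select_user_folders(
    folders: Iterable[str],
    include: Optional[Iterable[str]] = None,
    exclude: Optional[Iterable[str]] = None,
    domain_users: Optional[Set[str]] = None,
) -> List[str]:
    """Return the folders worth triaging, preserving their original order.

    include      - whitelist (--windows-users); None means 'every user'
    exclude      - blacklist, merged with DEFAULT_EXCLUDE
    domain_users - assumed to come from the directory (e.g. an LDAP export);
                   when given, only folders whose base name is a domain account
                   survive, which is one way to realise --only-domain-user
    """
    allow = {base_name(n) for n in include} if include else None
    deny = DEFAULT_EXCLUDE | {base_name(n) for n in (exclude or [])}
    domain = {n.lower() for n in domain_users} if domain_users is not None else None

    kept: List[str] = []
    for folder in folders:
        name = base_name(folder)
        if name in deny:
            continue
        if allow is not None and name not in allow:
            continue
        if domain is not None and name not in domain:
            continue
        kept.append(folder)
    return kept


def build_parser() -> argparse.ArgumentParser:
    """Hypothetical flags; only --windows-users appears in the request above."""
    parser = argparse.ArgumentParser(prog="user-folder-filter-demo")
    parser.add_argument("--windows-users", nargs="+", metavar="NAME",
                        help="only triage these profile folders")
    parser.add_argument("--exclude-users", nargs="+", metavar="NAME", default=[],
                        help="never triage these profile folders")
    parser.add_argument("--only-domain-user", action="store_true",
                        help="keep only folders matching a known domain account")
    return parser


def select_from_args(folders: Iterable[str], argv: List[str],
                     domain_users: Optional[Set[str]] = None) -> List[str]:
    """Glue: turn a command line into a filtered folder list.

    If --only-domain-user is set but no domain_users set is supplied, the
    domain filter is simply not applied (the caller has nothing to match against).
    """
    ns = build_parser().parse_args(argv)
    return select_user_folders(
        folders,
        include=ns.windows_users,
        exclude=ns.exclude_users,
        domain_users=domain_users if ns.only_domain_user else None,
    )


if __name__ == "__main__":
    # Mirrors the startup-parameter form from the request.
    print(select_from_args(SAMPLE_FOLDERS, ["--windows-users", "Bob", "John Doe"]))
```

Because both whitelist and blacklist entries pass through `base_name`, a single entry `Bob` covers `Bob`, `Bob.CORP` and `bob.WS01` on different hosts, which addresses the inconsistency raised in the reply without requiring the operator to know each machine's exact folder names.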