diff --git a/.gitbook/assets/HEKATOMB.PNG b/.gitbook/assets/HEKATOMB.PNG new file mode 100644 index 000000000..19ea6b2db Binary files /dev/null and b/.gitbook/assets/HEKATOMB.PNG differ diff --git a/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md b/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md index 325316528..e1e3f78fb 100644 --- a/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md +++ b/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md @@ -173,6 +173,18 @@ dpapi::chrome /in:"c:\users\spotless.offense\appdata\local\Google\Chrome\User Da You can find an example of how to encrypt and decrypt data with DAPI using mimikatz and C++ in [https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++#using-dpapis-to-encrypt-decrypt-data-in-c)\ You can find an example on how to encrypt and decrypt data with DPAPI using C# in [https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection](https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection) +## HEKATOMB + +[**HEKATOMB**](https://github.com/Processus-Thief/HEKATOMB) is a tool that automates the extraction of all users and computers from the LDAP directory and the extraction of domain controller backup key through RPC. The script will then resolve all computers ip address and perform a smbclient on all computers to retrieve all DPAPI blobs of all users and decrypt everything with domain backup key. + +```python3 hekatomb.py -hashes :ed0052e5a66b1c8e942cc9481a50d56 DOMAIN.local/administrator@10.0.0.1 -debug -dnstcp``` + +With extracted from LDAP computers list you can find every sub network even if you didn't know them ! + +"Because Domain Admin rights are not enough. Hack them all." + +![](<../../.gitbook/assets/HEKATOMB.png>) + ## DonPAPI [**DonPAPI**](https://github.com/login-securite/DonPAPI) can dump secrets protected by DPAPI automatically.