Add new Yandex module: Yandex Browser DPAPI credential extraction

[pavelpashka1]

Description

• Adds a new yandex module that extracts saved passwords from Yandex Browser by decrypting DPAPI-protected encryption keys and the Ya Passman Data database

• Default mode decrypts the authenticated user's passwords; two extended modes allow attacking other users:

  • LSASS mode: dumps lsass via lsassy to obtain credentials for users with active sessions (domain + local)
  • BACKUPKEY mode: uses the DPAPI Domain Backup Key to decrypt any domain user's masterkeys (requires DA)

• Yandex Browser uses a custom encryption layer on top of Chromium's standard DPAPI scheme, which is not covered by existing modules or --dpapi

This PR was created with the assistance of AI Claude Code (Opus 4.6). The AI was used for code review, refactoring to match NetExec coding conventions. The core logic was developed and tested manually on real targets.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Deprecation of feature or functionality
• This change requires a documentation update
• This requires a third party update (such as Impacket, Dploot, lsassy, etc)
• This PR was created with the assistance of AI (list what type of assistance, tool(s)/model(s) in the description)

Setup guide for the review

Lab GOAD, host - CASTELBLACK with Yandex Browser and saved passwords without using a master password, DC - Winterfell

Screenshots:

Module --dpapi:

Module yandex default usage:

Module yandex via lsass dump :

Module yandex via backupkey dump:

Module yandex via backupkey file:

Checklist:

• I have ran Ruff against my changes (poetry: poetry run ruff check ., use --fix to automatically fix what it can)
• I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
• If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
• I have linked relevant sources that describes the added technique (blog posts, documentation, etc)
• I have performed a self-review of my own code (not an AI review)
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

[NeffIsBack]

Hi and thanks for the PR.

Unfortunately, this is duplicate to #814. Besides, this is also duplicate to the lsassy module and dpapi decryption/key recovery etc should be done with dploot.

[pavelpashka1]

Hi and thanks for the PR.

Unfortunately, this is duplicate to #814. Besides, this is also duplicate to the lsassy module and dpapi decryption/key recovery etc should be done with dploot.

Hello, thank you! @NeffIsBack

I saw this PR. Unfortunately, it is not working and has limited functionality.
Using lsassy here is necessary to extend the ability to retrieve passwords of other users (the module you are referring to does not have this functionality).

Also, dploot worked poorly and unstably, so it was decided to use impacket instead. Since impacket is already listed as a dependency of netexec, I don't see any contradiction here.