Feature Request: Allow Specific User Selection #75

Open
covertivy opened this issue Jul 12, 2024 · 2 comments

Comments


covertivy commented Jul 12, 2024

Background

This is less of a bug and more of a "program behavior" request.
As I run DonPAPI on a target, I encounter many junk accounts that exist in the remote machine's Users folder.
This was partially mitigated with the new "false positive" folders in each triage class.
However, usually when getting loot from a machine, there are more junk folders than can be expected to deal with.
This is an issue since we cannot expect to deal with every possible "false positive" we encounter.
So, I suggest the addition of a user selection prompt / flag, which will allow users to select specific Windows users for enumeration.

Possible Implementations

Interactive prompting

This is obviously not ideal when we want to iterate over many machines but it might be useful to add.

Found 4 User Folders (Bob, Alice, John Doe, Trash), please select one or more (delimited by '^'):
> Bob^John Doe

Startup Parameter

donpapi -u admin -p admin -t 1.2.3.4 --windows-users "Bob" "John Doe"

Summary

This is obviously not an urgent matter but it is certainly a "nice to have" feature.
Thank you for reading, I wish you all the best!

zblurx (Collaborator) commented Jul 15, 2024

Hi, thank you for the feature idea. I don't like the idea of a selection prompt, because like you said, when running on 500+ targets, it can be annoying. Also, users' home directory names can be inconsistent between multiple computers: sometimes it is user, sometimes user.domain or even user.workstation_name, so it is hard to add a functional whitelist.
Maybe we could add a blacklist, in order to add multiple false positives, but I'm also thinking about a --only-domain-user to target only users that seem to be domain joined. What do you think?

covertivy (Author) commented

I don't think there is any difference between a blacklist and a whitelist: in either case we predict an unknown folder name. The only difference is that when using a whitelist of allowed folders we can limit the gathering to a specific user on the machine.
This is especially useful when you have a Terminal Server that many users use to RDP to, and we only really want the domain users that we find interesting.
This will allow DonPAPI to be used for more "surgical" looting as opposed to a spray, extending the use cases and speed of execution.
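The thread raises three filtering ideas (an allowlist per the feature request, a blocklist, and an "only domain users" switch) and one obstacle: the same account can show up as `user`, `user.DOMAIN` or `user.HOSTNAME`. The following is an added example, not DonPAPI code and not from either participant, showing how a profile-folder filter could handle all three while matching the allowlist on the account name rather than the raw folder name. Everything in it is an assumption for illustration: the helper names, the `only_domain` flag, the default denylist, and the constructed folder list and SIDs. The one caveat it encodes is that a bare folder name alone cannot prove a domain account; where a SID for the profile is available (for example from the ProfileList registry key), the SID decides, and a bare folder with no SID evidence is kept rather than dropped by `only_domain`.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Mapping, Optional, Sequence

# Hypothetical helper for the discussion above; not part of DonPAPI.
# Profile folders that are never user loot (constructed default denylist;
# site-specific junk is appended through the deny argument).
DEFAULT_DENY = {"public", "default", "default user", "all users"}

# Windows appends a suffix when the bare profile folder name is already taken:
#   user             first profile created for that account name
#   user.DOMAIN      domain account whose bare folder name was taken
#   user.HOSTNAME    local account whose bare folder name was taken
#   user.DOMAIN.000  further collisions get a numeric suffix
_NUMERIC_SUFFIX = re.compile(r"\.\d{3}$")


@dataclass(frozen=True)
class Profile:
    folder: str   # folder name exactly as seen under C:\Users
    base: str     # account name with collision suffixes stripped
    scope: str    # "domain", "local", "builtin" or "unknown"


def scope_from_sid(sid: str, machine_sid: Optional[str]) -> str:
    """Classify a profile by its SID: a SID sharing the machine SID prefix is a
    local account, any other S-1-5-21 SID is a domain account, and everything
    else (S-1-5-18 and friends) is a built-in/service identity."""
    if not sid.startswith("S-1-5-21-"):
        return "builtin"
    if machine_sid and sid.startswith(machine_sid + "-"):
        return "local"
    return "domain"


def parse_profile(folder: str, domain: str, hostname: str,
                  sid: Optional[str] = None,
                  machine_sid: Optional[str] = None) -> Profile:
    """Strip the .DOMAIN / .HOSTNAME / .000 suffixes and infer the scope from
    them; registry SID evidence, when given, overrides the name heuristic."""
    name = _NUMERIC_SUFFIX.sub("", folder)
    base, scope = name, "unknown"
    for suffix, inferred in ((domain, "domain"), (hostname, "local")):
        if suffix and name.lower().endswith("." + suffix.lower()):
            base, scope = name[: -len(suffix) - 1], inferred
            break
    if sid:
        scope = scope_from_sid(sid, machine_sid)
    return Profile(folder, base, scope)


def select_profiles(folders: Iterable[str], domain: str, hostname: str,
                    allow: Optional[Sequence[str]] = None,
                    deny: Optional[Sequence[str]] = None,
                    only_domain: bool = False,
                    sids: Optional[Mapping[str, str]] = None,
                    machine_sid: Optional[str] = None) -> list:
    """Apply denylist, then allowlist, then the only-domain switch. Both lists
    are matched case-insensitively against the base account name, so an
    allowlist entry "bob" also selects the folder "bob.CORP" or "bob.WS01"."""
    allow_set = {a.lower() for a in allow} if allow else None
    deny_set = DEFAULT_DENY | {d.lower() for d in (deny or ())}
    sids = sids or {}
    chosen = []
    for folder in folders:
        p = parse_profile(folder, domain, hostname, sids.get(folder), machine_sid)
        if p.base.lower() in deny_set:
            continue
        if allow_set is not None and p.base.lower() not in allow_set:
            continue
        # Only "local" and "builtin" are provably not domain users; a bare
        # folder with no SID evidence stays "unknown" and is kept.
        if only_domain and p.scope in ("local", "builtin"):
            continue
        chosen.append(p)
    return chosen


# Constructed sample target: C:\Users listing plus a partial SID map, as if
# read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
FOLDERS = ["Administrator", "Public", "Default", "bob", "alice.CORP",
           "john.doe.WS01", "svc-backup.CORP.000", "Trash"]
MACHINE_SID = "S-1-5-21-444-555-666"
SIDS = {
    "Administrator": "S-1-5-21-444-555-666-500",       # local, RID 500
    "bob": "S-1-5-21-444-555-666-1001",                # local
    "alice.CORP": "S-1-5-21-111-222-333-1105",         # domain
    "svc-backup.CORP.000": "S-1-5-21-111-222-333-1201",  # domain
}

if __name__ == "__main__":
    for p in select_profiles(FOLDERS, "CORP", "WS01", allow=["bob", "John.Doe"]):
        print("allowlist:", p)
    for p in select_profiles(FOLDERS, "CORP", "WS01", deny=["Trash"],
                             only_domain=True, sids=SIDS, machine_sid=MACHINE_SID):
        print("only-domain:", p)
```

With the allowlist `["bob", "John.Doe"]` the filter selects the folders `bob` and `john.doe.WS01`, which is the surgical case from the thread; with `only_domain=True` and the SID map it drops `Administrator`, `bob` and `john.doe.WS01` as local, keeps `alice.CORP` and `svc-backup.CORP.000`, and keeps `Trash` as well unless it is denied, because nothing on the page proves a bare folder is local.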
