
Add SystemDPAPIdump.py example #1137

Open
wants to merge 1 commit into
base: master
Conversation

clavoillotte
This PR adds a new example, SystemDPAPIdump.py, which automates extraction of DPAPI credentials for the SYSTEM user on a remote host.

Currently it extracts and decrypts DPAPI credentials files (used by the task scheduler, amongst others) and SCCM client credentials (following @gentilkiwi's publication and implementation), using a combination of WMI (SCCM), SMB client (retrieve files) and remote registry (retrieve DPAPI keys) features from the library.

Process:

  • list and retrieve SCCM client secrets using WMI
  • list and retrieve DPAPI credential files from the SYSTEM user profile using SMB
  • parse retrieved credentials to obtain a list of masterkeys required for decryption
  • retrieve required masterkey files using SMB
  • dump LSA Secrets to obtain dpapi_userkey (unless provided with -userkey, e.g. when previously obtained)
  • cleanup (end of remote operations)
  • decrypt masterkeys using dpapi_userkey
  • decrypt credentials/secrets using masterkeys

Has some error handling to attempt cleanup even if something goes wrong, and tries not to perform unneeded operations.
Reuses code from secretsdump.py, wmiquery.py, dpapi.py, and smbclient.py.
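As an added illustration of the "parse retrieved credentials to obtain a list of masterkeys" step (example code written for this page, not from impacket or the PR): every DPAPI blob carries the GUID of the masterkey that protects it in its fixed header, so the set of masterkey files a batch of blobs depends on can be listed before any decryption takes place. The sample blobs below are constructed with only the header fields filled in.

```python
import struct
import uuid

# Well-known provider GUID that Windows stamps on every DPAPI blob.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")


def parse_dpapi_blob_header(blob: bytes) -> dict:
    """Read the fixed leading fields of a DPAPI_BLOB: dwVersion,
    guidProvider, dwMasterKeyVersion, guidMasterKey, dwFlags."""
    if len(blob) < 44:
        raise ValueError("blob too short for a DPAPI_BLOB header")
    version, = struct.unpack_from("<L", blob, 0)
    provider = uuid.UUID(bytes_le=blob[4:20])        # mixed-endian GUID
    mk_version, = struct.unpack_from("<L", blob, 20)
    mk_guid = uuid.UUID(bytes_le=blob[24:40])
    flags, = struct.unpack_from("<L", blob, 40)
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (bad version or provider GUID)")
    return {"version": version, "masterkey_version": mk_version,
            "masterkey_guid": str(mk_guid), "flags": flags}


def required_masterkeys(blobs) -> list:
    """Distinct masterkey GUIDs (in first-seen order) that a set of blobs
    depends on; each GUID is the file name of a masterkey file."""
    seen = []
    for blob in blobs:
        guid = parse_dpapi_blob_header(blob)["masterkey_guid"]
        if guid not in seen:
            seen.append(guid)
    return seen


def make_sample_blob(mk_guid: str, description: bytes = b"") -> bytes:
    """Constructed sample blob: header plus an empty description only;
    salt, ciphertext and signature are omitted since only the header is read."""
    return (struct.pack("<L", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<L", 1) + uuid.UUID(mk_guid).bytes_le
            + struct.pack("<LL", 0, len(description)) + description)


# Constructed input: two blobs share a masterkey, one uses another.
SAMPLE_BLOBS = [
    make_sample_blob("11111111-2222-3333-4444-555555555555"),
    make_sample_blob("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"),
    make_sample_blob("11111111-2222-3333-4444-555555555555"),
]

if __name__ == "__main__":
    for guid in required_masterkeys(SAMPLE_BLOBS):
        print(guid)
```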

@mpgn
Contributor

mpgn commented Aug 3, 2021

Hello,

Quick question: why SYSTEM instead of the current user used to log in to the target? My idea is that the probability of using DPAPI is more in favor of the user instead of SYSTEM, no?

Sorry, it was about SCCM, my bad :)

@clavoillotte
Author

Hi,

The initial use case for this script was dumping scheduled task credentials, which are stored in the SYSTEM user profile. I added SCCM when gentilkiwi published his code, as the requirements are close enough.
The idea was to dump what we can remotely with only local admin access and no code execution, but if you also have user credentials (or are willing to execute code on that host), you could certainly do something similar with user secrets as well.

@alexisbalbachan alexisbalbachan added the low Low priority item label Feb 2, 2023
GeisericII added a commit to ThePorgs/impacket that referenced this pull request Jun 3, 2024
Mercury0 added a commit to Mercury0/impacket that referenced this pull request Sep 11, 2024
Automates extraction of DPAPI credentials for SYSTEM user on remote host.