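def runLaZagne(category_choosed='all'):
    """Run the selected module category for every user reachable from this process.

    Generator: yields ('User', name) when it starts on a user, then every
    result object produced by runModule() for that user. Each user's
    ``constant.finalResults`` dict is appended to ``stdoutRes`` afterwards.

    Passes, in order:
      1. the current user (skipped when the name ends with '$', i.e. a
         machine/computer account);
      2. only when IsUserAnAdmin() is non-zero: the other users found by
         ListSids(), by impersonating one of their tokens. The LocalSystem
         SID (S-1-5-18) is run with ``need_system_privileges=True``; every
         other SID with ``cannot_be_impersonate_using_tokens=True``;
      3. the users that remain on the file system, without a token
         (``not_need_to_be_in_env=True``).

    Args:
        category_choosed: module category forwarded to runModule().

    Windows only: relies on ctypes.windll and the token helpers. Which
    tokens can actually be impersonated depends on the privileges of the
    calling token, not on the admin check alone.
    """
    # ------ Current user ------
    current_user = getpass.getuser().encode('utf-8', errors='ignore')
    if not current_user.endswith('$'):
        constant.finalResults = {'User': current_user}
        print('\n\n########## User: %s ##########\n' % current_user)
        yield 'User', current_user
        set_env_variables()
        for r in runModule(category_choosed):
            yield r
        stdoutRes.append(constant.finalResults)

    # Everything below needs an administrative token.
    if ctypes.windll.shell32.IsUserAnAdmin() == 0:
        return

    # --------- Impersonation using tokens ---------
    impersonateUsers = {}
    impersonated_user = [current_user]
    for sid in ListSids():
        # sid[3] is expected as 'DOMAIN\\name'; [-1] keeps a bare name usable
        # instead of raising IndexError when no backslash is present.
        name = sid[3].split('\\', 1)[-1]
        # Do not keep the current user's own SIDs.
        if name != current_user:
            impersonateUsers.setdefault(name, []).append(sid[2])

    for user in impersonateUsers:
        lowered = user.lower()
        if 'service ' in lowered or ' service' in lowered:
            continue

        print('\n\n########## User: %s ##########\n'
              % user.encode('utf-8', errors='ignore'))
        yield 'User', user

        constant.finalResults = {'User': user}
        for sid in impersonateUsers[user]:
            try:
                set_env_variables(user, toImpersonate=True)
                if not impersonate_sid_long_handle(sid, close=False):
                    continue

                # S-1-5-18 is LocalSystem: modules run with system rights
                # rather than as a regular impersonated user, and the user
                # is then not recorded as already impersonated.
                need_system = (sid == "S-1-5-18")
                if not need_system:
                    impersonated_user.append(user)

                try:
                    for r in runModule(
                            category_choosed,
                            need_system_privileges=need_system,
                            cannot_be_impersonate_using_tokens=not need_system):
                        yield r
                finally:
                    # Always drop the borrowed token: reverting only on the
                    # success path left the thread impersonating this user
                    # for every later pass whenever a module raised.
                    rev2self()
                stdoutRes.append(constant.finalResults)
                break
            except Exception as e:
                # Best effort: report and try the user's next SID.
                print(e)

    # --------- Impersonation browsing file system ---------
    for user in get_user_list_on_filesystem(impersonated_user):
        # Fix default values for the user environment (appdata, userprofile).
        set_env_variables(user, toImpersonate=True)
        encoded = user.encode('utf-8', errors='ignore')
        print_debug('INFO', '[!] Trying to impersonate user: %s' % encoded)
        print('\n\n########## User: %s ##########\n' % encoded)

        constant.finalResults = {'User': user}
        yield 'User', user

        # No token here: only modules that do not need the user environment.
        for r in runModule(category_choosed, not_need_to_be_in_env=True):
            yield r

        stdoutRes.append(constant.finalResults)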
                          help=dic[d]['help']).set_defaults(
                              func=dic[d]['func'], auditType=d)

# ------------------------------------------- Parse arguments -------------------------------------------
# NOTE: _get_kwargs() is a private argparse API; vars(arguments) below
# yields the same mapping through the public interface.
args = dict(parser.parse_args()._get_kwargs())
arguments = parser.parse_args()
start_time = time.time()
output()
verbosity()

# ------ Part used for user impersonation ------

currentUser = getpass.getuser()
argv = vars(arguments)['auditType']
current_filepath = sys.argv[0]
sids = ListSids()
isSystem = False
stopExecute = True
isChild = isChildProcess(current_filepath)

# File used to store output for all impersonated users.
# NOTE(review): ALLUSERSPROFILE is the machine-wide, shared profile
# directory, so results harvested by child processes are written where other
# local accounts can read them; confirm the file is removed once consumed.
tmpFile = os.environ['ALLUSERSPROFILE'] + os.sep + 'JANQT1AD.json'

# Force a child process to write its result to a specific folder
if isChild:
    constant.folder_name = os.environ['ALLUSERSPROFILE']
    constant.file_name_results = 'JANQT1AD'

# Check if we have system privileges
for sid in sids:
    if sid[0] == os.getpid():
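def runLaZagne(category_choosed='all', password=None):
    """Run the selected module category for every user reachable from this process.

    Generator: yields ('User', name) when it starts on a user, then each
    result produced by runModule() for that user; each user's
    ``constant.finalResults`` dict is appended to ``stdoutRes`` afterwards.

    Passes, in order:
      1. the current user (skipped for names ending in '$', i.e. machine
         accounts);
      2. only when IsUserAnAdmin() is non-zero: other users found by
         ListSids() — excluding LocalSystem (S-1-5-18) and names containing
         'service' — via token impersonation, with ``registry_used=False``;
      3. the users that remain on the file system, without a token
         (``dpapi_used=False, registry_used=False``);
      4. the system modules (``system_module=True``) under the pseudo-user
         name stored in ``constant.username``.

    Args:
        category_choosed: module category forwarded to runModule().
        password: when given, stored in ``constant.user_password`` (used
            when this function is driven from another tool).

    Windows only: relies on ctypes.windll and the token helpers.
    """
    # Useful when this function is called from another tool.
    if password:
        constant.user_password = password

    # ------ Current user ------
    constant.username = getpass.getuser()
    if not constant.username.endswith('$'):
        constant.finalResults = {'User': constant.username}
        print_user(constant.username)
        yield 'User', constant.username

        set_env_variables(user=constant.username)

        for r in runModule(category_choosed):
            yield r
        stdoutRes.append(constant.finalResults)

    # Everything below needs an administrative token.
    if ctypes.windll.shell32.IsUserAnAdmin() == 0:
        return

    # --------- Impersonation using tokens ---------
    impersonateUsers = {}
    impersonated_user = [constant.username]

    for sid in ListSids():
        # sid[3] is expected as 'DOMAIN\\name'; [-1] keeps a bare name usable
        # instead of raising IndexError when no backslash is present.
        name = sid[3].split('\\', 1)[-1]
        # Skip the current user's own SIDs and LocalSystem (S-1-5-18).
        if name != constant.username and sid[2] != 'S-1-5-18':
            impersonateUsers.setdefault(name, []).append(sid[2])

    for user in impersonateUsers:
        if 'service' in user.lower().strip():
            continue

        print_user(user)
        yield 'User', user

        constant.finalResults = {'User': user}
        for sid in impersonateUsers[user]:
            try:
                set_env_variables(user, toImpersonate=True)
                # NOTE(review): the return value is not checked here (other
                # variants of this function `continue` on a falsy result);
                # confirm this helper raises on failure rather than returning.
                impersonate_sid_long_handle(sid, close=False)
                impersonated_user.append(user)

                try:
                    for r in runModule(category_choosed, registry_used=False):
                        yield r
                finally:
                    # Always drop the borrowed token: reverting only on the
                    # success path left the thread impersonating this user
                    # for every later pass whenever a module raised.
                    rev2self()
                stdoutRes.append(constant.finalResults)
                break
            except Exception as e:
                # Best effort: report and try the user's next SID.
                print(e)

    # --------- Impersonation browsing file system ---------
    for user in get_user_list_on_filesystem(impersonated_user):
        # Fix default values for the user environment (appdata, userprofile).
        set_env_variables(user, toImpersonate=True)
        print_user(user)

        constant.username = user
        constant.finalResults = {'User': user}
        yield 'User', user

        # No token for these users: DPAPI- and registry-backed modules are off.
        for r in runModule(category_choosed,
                           dpapi_used=False,
                           registry_used=False):
            yield r

        stdoutRes.append(constant.finalResults)

    # --------- Execute System modules ---------
    # System modules (hashdump, lsa secrets, etc.)
    constant.username = '******'
    constant.finalResults = {'User': constant.username}

    if logging.getLogger().isEnabledFor(logging.INFO):
        constant.st.print_user(constant.username)
    yield 'User', constant.username
    for r in runModule(category_choosed,
                       system_module=True,
                       dpapi_used=False):
        yield r

    stdoutRes.append(constant.finalResults)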
def runLaZagne():
    """Run the selected modules for the current user, then for other logged-on users.

    Generator. For the current user it yields every result from runModule()
    and mirrors each one into the module-level ``creds`` string. For users
    reached through token impersonation the results are consumed silently
    (see the ``pass`` below): nothing is yielded and nothing is added to
    ``creds`` or ``stdoutRes``.

    ``category_choosed`` is not a parameter here: it is read from the
    enclosing scope — presumably a module-level value; verify against the
    caller. Windows only (ctypes.windll, token impersonation helpers).
    """

    # ------ Part used for user impersonation ------

    current_user = getpass.getuser().encode('utf-8', errors='ignore')
    # A trailing '$' denotes a machine/computer account; those are skipped.
    if not current_user.endswith('$'):
        constant.finalResults = {'User': current_user}
        print '\n\n########## User: %s ##########\n' % current_user
        set_env_variables()
        global creds
        creds = ''
        for r in runModule(category_choosed):
            yield r
            creds += str(r) + "\n"

        stdoutRes.append(constant.finalResults)

    # Check if admin to impersonate
    if ctypes.windll.shell32.IsUserAnAdmin() != 0:

        # --------- Impersonation using tokens ---------

        sids = ListSids()
        impersonateUsers = {}
        impersonated_user = [current_user]
        for sid in sids:
            # Not save the current user's SIDs
            # sid[3] is split as 'DOMAIN\\name'; with no backslash present
            # the [1] index raises IndexError and aborts the whole generator.
            if current_user != sid[3].split('\\', 1)[1]:
                impersonateUsers.setdefault(sid[3].split('\\', 1)[1],
                                            []).append(sid[2])

        for user in impersonateUsers:
            # Skip accounts whose name contains 'service ' or ' service'.
            if 'service ' in user.lower() or ' service' in user.lower():
                continue

            print '\n\n########## User: %s ##########\n' % user.encode(
                'utf-8', errors='ignore')
            constant.finalResults = {'User': user}
            for sid in impersonateUsers[user]:
                try:
                    set_env_variables(user, toImpersonate=True)
                    if not impersonate_sid_long_handle(sid, close=False):
                        continue
                    # time.sleep(3)

                    _cannot_be_impersonate_using_tokens = False
                    _need_system_privileges = False

                    # S-1-5-18 is the LocalSystem SID; it is not recorded as
                    # an already-impersonated user.
                    if sid == "S-1-5-18":
                        _need_system_privileges = True
                    else:
                        impersonated_user.append(user)
                        _cannot_be_impersonate_using_tokens = True

                    # Launch module wanted
                    # NOTE(review): results are discarded here (not yielded,
                    # not added to ``creds``) and finalResults is never
                    # appended to stdoutRes for impersonated users — unlike
                    # the current-user branch above. Confirm this is intended.
                    for r in runModule(
                            category_choosed,
                            need_system_privileges=_need_system_privileges,
                            cannot_be_impersonate_using_tokens=
                            _cannot_be_impersonate_using_tokens):
                        pass

                    # rev2self() only runs on the success path: an exception
                    # raised by runModule leaves the thread still impersonating
                    # this user for whatever runs afterwards.
                    rev2self()
                    break
                except Exception, e:
                    print e
                    pass