code refactoring + bug fix

Author: AlessandroZ

Windows/laZagne.py

@@ -111,7 +111,7 @@ def clean_args(arg):
     PPoptional = argparse.ArgumentParser(
         add_help=False,
         formatter_class=lambda prog: argparse.HelpFormatter(prog,
-                                                            max_help_position=constant.MAX_HELP_POSITION)
+                                                            max_help_position=constant.max_help)
     )
     PPoptional._optionals.title = 'optional arguments'
     PPoptional.add_argument('-v', dest='verbose', action='count', default=0, help='increase verbosity level')
@@ -122,7 +122,7 @@ def clean_args(arg):
     PWrite = argparse.ArgumentParser(
         add_help=False,
         formatter_class=lambda prog: argparse.HelpFormatter(prog,
-                                                            max_help_position=constant.MAX_HELP_POSITION)
+                                                            max_help_position=constant.max_help)
     )
     PWrite._optionals.title = 'Output'
     PWrite.add_argument('-oN', dest='write_normal', action='store_true', default=None,
@@ -138,7 +138,7 @@ def clean_args(arg):
         add_help=False,
         formatter_class=lambda prog: argparse.HelpFormatter(
             prog,
-            max_help_position=constant.MAX_HELP_POSITION)
+            max_help_position=constant.max_help)
     )
     PPwd._optionals.title = 'Windows User Password'
     PPwd.add_argument('-password', dest='password', action='store',
@@ -151,7 +151,7 @@ def clean_args(arg):
         all_categories[c]['parser'] = argparse.ArgumentParser(
             add_help=False,
             formatter_class=lambda prog: argparse.HelpFormatter(prog,
-                                                                max_help_position=constant.MAX_HELP_POSITION)
+                                                                max_help_position=constant.max_help)
         )
         all_categories[c]['parser']._optionals.title = all_categories[c]['help']
 
@@ -170,7 +170,7 @@ def clean_args(arg):
                         add_help=False,
                         formatter_class=lambda prog: argparse.HelpFormatter(
                             prog,
-                            max_help_position=constant.MAX_HELP_POSITION)
+                            max_help_position=constant.max_help)
                     )
                     tmp_subparser._optionals.title = sub['title']
                     if 'type' in sub:

Windows/lazagne/config/DPAPI/masterkey.py

@@ -13,6 +13,7 @@
 from .eater import DataStruct, Eater
 from collections import defaultdict
 
+import codecs
 import hashlib
 import struct
 import os
@@ -414,10 +415,9 @@ def try_credential_hash(self, sid, pwdhash=None):
                     if mk.decrypted:
                         mkf.decrypted = True
                         self.nb_mkf_decrypted += 1
-
-                        yield True, u'{hash} ok for masterkey {masterkey}'.format(hash=pwdhash, masterkey=mk.guid)
+                        yield True, u'{hash} ok for masterkey {masterkey}'.format(hash=codecs.encode(pwdhash, 'hex'), masterkey=mkf.guid)
                     else:
-                        yield False, u'{hash} not ok for masterkey {masterkey}'.format(hash=pwdhash, masterkey=mk.guid)
+                        yield False, u'{hash} not ok for masterkey {masterkey}'.format(hash=codecs.encode(pwdhash, 'hex'), masterkey=mkf.guid)
 
     def try_system_credential(self):
         """

Windows/lazagne/config/change_privileges.py

@@ -2,19 +2,20 @@
 # Original code from https://github.com/joren485/PyWinPrivEsc/blob/master/RunAsSystem.py
 
 import sys
-import psutil
+import traceback
+
 from lazagne.config.write_output import print_debug
 from lazagne.config.winstructure import *
 
 import os
 
 
-def get_token_sid(hToken):
+def get_token_info(hToken):
     """
-    Retrieve SID from Token
+    Retrieve SID and user owner from Token
     """
     dwSize = DWORD(0)
-    pStringSid = LPSTR()
+    pStringSid = LPWSTR()
     TokenUser = 1
 
     if GetTokenInformation(hToken, TokenUser, byref(TOKEN_USER()), 0, byref(dwSize)) == 0:
@@ -23,11 +24,12 @@ def get_token_sid(hToken):
             GetTokenInformation(hToken, TokenUser, address, dwSize, byref(dwSize))
             pToken_User = cast(address, POINTER(TOKEN_USER))
             if pToken_User.contents.User.Sid:
-                ConvertSidToStringSidA(pToken_User.contents.User.Sid, byref(pStringSid))
+                ConvertSidToStringSid(pToken_User.contents.User.Sid, byref(pStringSid))
+                owner, domaine, _ = LookupAccountSidW(None, pToken_User.contents.User.Sid)
                 if pStringSid:
                     sid = pStringSid.value
                     LocalFree(address)
-                    return sid
+                    return sid, owner
     return False
 
 
@@ -69,55 +71,37 @@ def enable_privilege(privilegeStr, hToken=None):
 
 def get_debug_privilege():
     """
-    Enable Debug privilege on token
+    Enable SE Debug privilege on token
     """
-    if enable_privilege("SeDebugPrivilege"):
-        return True
-    else:
-        return False
+    return RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE)
 
 
 def list_sids():
     """
     List all SID by process
     """
     sids = []
-
-    for proc in psutil.process_iter():
-        try:
-            pinfo = proc.as_dict(attrs=['pid', 'username', 'name'])
-        except psutil.NoSuchProcess:
+    for pid in EnumProcesses():
+        if pid <= 4:
             continue
-        except WindowsError as e:
-            if e.winerror == 1722:  # WindowsError: [Error 1722] The RPC server is unavailable
-                continue
 
-        if pinfo['pid'] <= 4:
-            continue
-        if pinfo['username'] is None:
-            continue
         try:
-            hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, False, int(pinfo['pid']))
-            if not hProcess:
-                continue
-
-            hToken = HANDLE(INVALID_HANDLE_VALUE)
-            if not hToken:
-                continue
-
-            OpenProcessToken(hProcess, tokenprivs, byref(hToken))
-            if not hToken:
-                continue
-
-            token_sid = get_token_sid(hToken)
-            if not token_sid:
-                continue
-            sids.append((pinfo['pid'], pinfo['name'], token_sid, pinfo['username'].decode(sys.getfilesystemencoding())))
+            hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
+            if hProcess:
+                hToken = HANDLE(INVALID_HANDLE_VALUE)
+                if hToken:
+                    OpenProcessToken(hProcess, tokenprivs, byref(hToken))
+                    if hToken:
+                        token_sid, owner = get_token_info(hToken)
+                        if token_sid and owner:
+                            pname = ''
+                            sids.append((pid, pname, token_sid, owner.decode(sys.getfilesystemencoding())))
+                        CloseHandle(hToken)
+                CloseHandle(hProcess)
 
-            CloseHandle(hToken)
-            CloseHandle(hProcess)
         except Exception as e:
-            print_debug('ERROR', u'{error}'.format(error=e))
+            print_debug('DEBUG', traceback.format_exc())
+            continue
 
     return list(sids)
 
@@ -145,18 +129,20 @@ def get_sid_token(token_sid):
                     break
         return False
 
-    pids = [int(x) for x in psutil.pids() if int(x) > 4]
-    for pid in pids:
+    for pid in EnumProcesses():
+        if pid <= 4:
+            continue
+
         try:
             hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, False, int(pid))
             if hProcess:
                 hToken = HANDLE(INVALID_HANDLE_VALUE)
                 if hToken:
                     OpenProcessToken(hProcess, tokenprivs, byref(hToken))
                     if hToken:
-                        if get_token_sid(hToken) == token_sid:
-                            print
-                            print_debug('INFO', u'Using PID: ' + str(pid))
+                        sid, owner = get_token_info(hToken)
+                        if sid == token_sid:
+                            print_debug('INFO', u'Impersonate token from pid: ' + str(pid))
                             CloseHandle(hProcess)
                             return hToken
                     CloseHandle(hToken)
@@ -213,6 +199,8 @@ def impersonate_token(hToken):
                 CloseHandle(hToken)
                 if ImpersonateLoggedOnUser(hTokendupe):
                     return hTokendupe
+    else:
+        print_debug('DEBUG', 'Get debug privilege failed')
     return False
 
 

Windows/lazagne/config/constant.py

@@ -5,49 +5,56 @@
 import time
 import os
 
-date 	= time.strftime("%d%m%Y_%H%M%S")
-tmp  	= tempfile.gettempdir()
+date = time.strftime("%d%m%Y_%H%M%S")
+tmp = tempfile.gettempdir()
 
 
 class constant():
-	folder_name 			= '.'
-	file_name_results 		= 'credentials_{current_time}'.format(current_time=date) # The extention is added depending on the user output choice
-	MAX_HELP_POSITION		= 27
-	CURRENT_VERSION 		= '2.3.2'
-	output 					= None
-	file_logger 			= None
-	modules_dic				= {}
-	nb_password_found 		= 0   # Total password found
-	password_found 			= []  # Tab containing all passwords used for dictionary attack
-	stdout_result 			= []  # Tab containing all results by user
-
-	finalResults			= {}
-	profile 				= {
-								'APPDATA'			: u'{drive}:\\Users\\{user}\\AppData\\Roaming\\',
-								'USERPROFILE'		: u'{drive}:\\Users\\{user}\\',
-								'HOMEDRIVE'			: u'{drive}:',
-								'HOMEPATH'			: u'{drive}:\\Users\\{user}',
-								'ALLUSERSPROFILE'	: u'{drive}:\\ProgramData', 
-								'COMPOSER_HOME'		: u'{drive}:\\Users\\{user}\\AppData\\Roaming\\Composer\\', 
-								'LOCALAPPDATA'		: u'{drive}:\\Users\\{user}\\AppData\\Local',
-							}
-	username 				= u''
-	keepass 				= {}
-	hives 					= {
-								'sam' 		:  	os.path.join(tmp, ''.join([random.choice(string.ascii_lowercase) for x in range(0, random.randint(6, 12))])),
-								'security'	: 	os.path.join(tmp, ''.join([random.choice(string.ascii_lowercase) for x in range(0, random.randint(6, 12))])),
-								'system'	: 	os.path.join(tmp, ''.join([random.choice(string.ascii_lowercase) for x in range(0, random.randint(6, 12))]))
-							}
-	quiet_mode 				= False
-	st 						= None  	# Standard output
-	drive					= u'C'
-	user_dpapi				= None
-	system_dpapi 			= None
-	lsa_secrets				= None
-	is_current_user 		= False 	# If True, Windows API are used otherwise dpapi is used
-	user_password 			= None
-	wifi_password 			= False 	# Check if the module as already be done
-	module_to_exec_at_end	= {
-								"winapi": [],
-								"dpapi" : [],
-							}
+    folder_name = '.'
+    file_name_results = 'credentials_{current_time}'.format(
+        current_time=date
+    )  # The extension is added depending on the user output choice
+    max_help = 27
+    CURRENT_VERSION = '2.4'
+    output = None
+    modules_dic = {}
+    nb_password_found = 0  # Total password found
+    password_found = []  # Tab containing all passwords used for dictionary attack
+    stdout_result = []  # Tab containing all results by user
+    pypykatz_result = {}
+    finalResults = {}
+    profile = {
+        'APPDATA': u'{drive}:\\Users\\{user}\\AppData\\Roaming\\',
+        'USERPROFILE': u'{drive}:\\Users\\{user}\\',
+        'HOMEDRIVE': u'{drive}:',
+        'HOMEPATH': u'{drive}:\\Users\\{user}',
+        'ALLUSERSPROFILE': u'{drive}:\\ProgramData',
+        'COMPOSER_HOME': u'{drive}:\\Users\\{user}\\AppData\\Roaming\\Composer\\',
+        'LOCALAPPDATA': u'{drive}:\\Users\\{user}\\AppData\\Local',
+    }
+    username = u''
+    keepass = {}
+    hives = {
+        'sam': os.path.join(
+            tmp,
+            ''.join([random.choice(string.ascii_lowercase) for x in range(0, random.randint(6, 12))])),
+        'security': os.path.join(
+            tmp,
+            ''.join([random.choice(string.ascii_lowercase) for x in range(0, random.randint(6, 12))])),
+        'system': os.path.join(
+            tmp,
+            ''.join([random.choice(string.ascii_lowercase) for x in range(0, random.randint(6, 12))]))
+    }
+    quiet_mode = False
+    st = None  # Standard output
+    drive = u'C'
+    user_dpapi = None
+    system_dpapi = None
+    lsa_secrets = None
+    is_current_user = False  # If True, Windows API are used otherwise dpapi is used
+    user_password = None
+    wifi_password = False  # Check if the module as already be done
+    module_to_exec_at_end = {
+        "winapi": [],
+        "dpapi": [],
+    }

Windows/lazagne/config/dpapi_structure.py

@@ -10,7 +10,33 @@
 from lazagne.config.constant import constant
 from lazagne.softwares.windows.lsa_secrets import LSASecrets
 
+import getpass
 import os
+import sys
+
+
+def are_masterkeys_retrieved():
+    """
+    Before running modules using DPAPI, we have to retrieve masterkeys
+    otherwise, we do not realize these checks
+    """
+    current_user = constant.username
+    if constant.pypykatz_result.get(current_user, None):
+        password = constant.pypykatz_result[current_user].get('Password', None)
+        pwdhash = constant.pypykatz_result[current_user].get('Shahash', None)
+
+        # Create one DPAPI object by user
+        constant.user_dpapi = UserDpapi(password=password, pwdhash=pwdhash)
+
+    if not constant.user_dpapi or not constant.user_dpapi.unlocked:
+        # constant.user_password represents the password entered manually by the user
+        constant.user_dpapi = UserDpapi(password=constant.user_password)
+
+        # Add username to check username equals passwords
+        constant.user_dpapi.check_credentials([constant.username] + constant.password_found)
+
+    # Return True if at least one masterkey has been decrypted
+    return constant.user_dpapi.unlocked
 
 
 def manage_response(ok, msg):

Windows/lazagne/config/execute_cmd.py

@@ -76,7 +76,7 @@ def save_hives():
                 info = subprocess.STARTUPINFO()
                 info.dwFlags = STARTF_USESHOWWINDOW
                 info.wShowWindow = SW_HIDE
-                p = subprocess.Popen(command, startupinfo=info, stderr=subprocess.STDOUT,
+                p = subprocess.Popen(command, startupinfo=info, stdin=subprocess.PIPE, stderr=subprocess.STDOUT,
                                      stdout=subprocess.PIPE, universal_newlines=True)
                 results, _ = p.communicate()
             except Exception as e: