Closed byehack closed 4 years ago
example:
get the "USERNAME" and "SID" in cmd:
whoami /user
next use mimikatz with these commands:
get "guidMasterKey" of 5BB92D656BA6E6CE1EE47785491784B9 file with:
dpapi::cred /in:C:\Users\<USERNAME>\AppData\Local\Microsoft\Credentials\5BB92D656BA6E6CE1EE47785491784B9 /unprotect
get "masterkey_key" with:
dpapi::masterkey /in:C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Protect\<SID>\<guidMasterKey> /rpc /password:<CURRENT_USER_PASSWORD>
decode the "5BB92D656BA6E6CE1EE47785491784B9" file:
dpapi::cred /in:C:\Users\<USERNAME>\AppData\Local\Microsoft\Credentials\5BB92D656BA6E6CE1EE47785491784B9 /unprotect /masterkey:<masterkey key>
Hi @byehack,
You have different ways to get passwords stored on the credential files:
Lazagne does the same as mimikatz concerning these points.
- You have the windows session password: you can pass it to lazagne as a parameter
I use this: lazagne.exe all -password CURRENT_USER_PWD
but it is still not working.
> Lazagne does the same as mimikatz concerning these points.

Are you sure?
Please try -password using python 2.7. I have done many tests and it worked. Check using the verbose mode to see if the password entered is well tested with the masterkey files.
Python 3 is supported but still needs more tests right now.
Concerning mimikatz, it cannot retrieve your credential files without your Windows session password or from your masterkey found.
I'm using your released version 2.4.3 in admin mode with -password MYPASS
and it is not working.
My system is 64bit.
I also compiled your source with py2.7 64bit and pyinstaller but it is still not working.
I will take a look but right now it's complicated for me.
I tested on multiple systems but it still doesn't work!
@AlessandroZ states that this feature works in python2. Let's assume that he is right :-)
First, as @AlessandroZ clarified, LaZagne tries to decrypt Vault with the user's password in module vaultfiles.py. Second, in https://github.com/AlessandroZ/LaZagne/pull/451#issuecomment-569441746 you provided the result of execution on python 3.8.0. There is an exception in vaultfiles. I think this is not a coincidence :-)
I am sure that the problem is that you use python3, not python2. Me too :-). As @AlessandroZ said, this code is not fully compatible with python3. Exactly this exception occurs because _self.attributesnum is a float, not an int, in https://github.com/AlessandroZ/LaZagne/blob/54d5d9ced03b0b8c3bff509b4dd1bb63b6eddf97/Windows/lazagne/config/DPAPI/vault.py#L205. This is caused by the difference in the result of the divide operator in python2 and python3.
Sorry, I am not familiar with windows-domains, so I really do not want to set up domain infrastructure to test this issue. I am sure this is overkill. Let's try to solve this issue like this: I created branch https://github.com/MyLoginOnGitHub/LaZagne/tree/try-to-help-byehack. Follow this branch, try to run it on your machine with domain and post results here. I've already tried to solve this exception, but other exceptions could occur.
@byehack, I've created issue in my fork. Post your results here so as not to make long conversations here https://github.com/MyLoginOnGitHub/LaZagne/issues/4
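The Python 2 versus Python 3 division difference described in the comment above, as an added example (not LaZagne's code and not part of the thread). The length-prefixed table layout, the sample bytes and all function names are hypothetical and constructed for illustration.

```python
import struct

# Hypothetical layout (NOT the real vault format): a 4-byte little-endian
# table length, followed by fixed-size (id, offset) entries of 8 bytes each.
ENTRY = struct.Struct("<II")


def build_sample(entries):
    """Build a constructed blob from a list of (id, offset) pairs."""
    body = b"".join(ENTRY.pack(i, off) for i, off in entries)
    return struct.pack("<I", len(body)) + body


def count_py2_style(table_len):
    # Python 2: int / int -> int. Python 3: always a float (3.0, not 3).
    return table_len / ENTRY.size


def count_portable(table_len):
    # divmod gives an int count on both Python 2 and 3 and lets us
    # reject a table whose length is not a whole number of entries.
    count, rest = divmod(table_len, ENTRY.size)
    if rest:
        raise ValueError("table length %d is not a multiple of %d"
                         % (table_len, ENTRY.size))
    return count


def parse_entries(blob, count_fn):
    (table_len,) = struct.unpack_from("<I", blob, 0)
    count = count_fn(table_len)
    # range() requires an int: a float count raises TypeError on Python 3.
    return [ENTRY.unpack_from(blob, 4 + i * ENTRY.size) for i in range(count)]


def try_parse(blob, count_fn):
    """Return the parsed entries, or the TypeError text if the count is a float."""
    try:
        return parse_entries(blob, count_fn)
    except TypeError as exc:
        return "TypeError: %s" % exc


SAMPLE = build_sample([(1, 0x20), (2, 0x48), (3, 0x90)])  # constructed input

if __name__ == "__main__":
    print(try_parse(SAMPLE, count_py2_style))  # fails on Python 3 only
    print(try_parse(SAMPLE, count_portable))   # same result on 2 and 3
```
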
> @byehack, I've created issue in my fork. Post your results here so as not to make long conversations here MyLoginOnGitHub#4

OK, but this one is still open! When the problem is solved, I will close this issue.
Continue in MyLoginOnGitHub#4
Vault file decryption is OK now, so I am closing this issue.
see https://www.nirsoft.net/utils/credentials_file_view.html
we can use current user password to decrypt windows vaults and credfiles without admin access or run python 32bit in 64bit systems.
also in mimikatz we can decrypt CRED_TYPE_DOMAIN_PASSWORD with "/password:XXX". see here and an example at here