AlessandroZ / LaZagne

Credentials recovery project
GNU Lesser General Public License v3.0
9.43k stars 2.02k forks

use current user password to decrypt without admin access or use 32bit python on 64bit system. #439

Closed. byehack closed this 4 years ago

byehack commented 4 years ago

see https://www.nirsoft.net/utils/credentials_file_view.html

We can use the current user's password to decrypt Windows vaults and credential files without admin access, or run 32-bit Python on 64-bit systems.

Also, in mimikatz we can decrypt CRED_TYPE_DOMAIN_PASSWORD with "/password:XXX". See here and an example here.

byehack commented 4 years ago

Example:

Get the "USERNAME" and "SID" in cmd: whoami /user

Next, use mimikatz with these commands:

Get the "guidMasterKey" of the 5BB92D656BA6E6CE1EE47785491784B9 file with: dpapi::cred /in:C:\Users\<USERNAME>\AppData\Local\Microsoft\Credentials\5BB92D656BA6E6CE1EE47785491784B9 /unprotect

Get the "masterkey_key" with: dpapi::masterkey /in:C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Protect\<SID>\<guidMasterKey> /rpc /password:<CURRENT_USER_PASSWORD>

Decode the "5BB92D656BA6E6CE1EE47785491784B9" file: dpapi::cred /in:C:\Users\<USERNAME>\AppData\Local\Microsoft\Credentials\5BB92D656BA6E6CE1EE47785491784B9 /unprotect /masterkey:<masterkey key>

AlessandroZ commented 4 years ago

Hi @byehack,

You have different ways to get passwords stored on the credential files:

Lazagne does the same as mimikatz concerning these points.

byehack commented 4 years ago
> You have the windows session password: you can pass it to lazagne as a parameter

I use this: lazagne.exe all -password CURRENT_USER_PWD, but it is still not working.

> Lazagne does the same as mimikatz concerning these points.

Are you sure?

AlessandroZ commented 4 years ago

Please try -password using Python 2.7. I have done many tests and it worked. Check using the verbose mode to see if the password entered is tested against the masterkey files.

Python 3 is supported but still needs more tests right now.

Concerning mimikatz, it cannot retrieve your credential files without your Windows session password or your masterkey found.

byehack commented 4 years ago

I'm using your released version 2.4.3 in admin mode with -password MYPASS and it is not working. My system is 64-bit.

I also compiled your source with py2.7 64-bit and PyInstaller, but it is still not working.

AlessandroZ commented 4 years ago

I will take a look but right now it's complicated for me.

byehack commented 4 years ago

I tested on multiple systems but it still does not work!

MyLoginOnGitHub commented 4 years ago

@AlessandroZ states that this feature works in python2. Let's assume that he is right :-)

First, as @AlessandroZ clarified, LaZagne tries to decrypt the Vault with the user's password in module vaultfiles.py. Second, in https://github.com/AlessandroZ/LaZagne/pull/451#issuecomment-569441746 you provided the result of execution on Python 3.8.0. There is an exception in vaultfiles. I think this is not a coincidence :-)

I am sure that the problem is that you use Python 3, not Python 2. Me too :-). As @AlessandroZ said, this code is not fully compatible with Python 3. Exactly this exception occurs because _self.attributesnum is a float, not an int, in https://github.com/AlessandroZ/LaZagne/blob/54d5d9ced03b0b8c3bff509b4dd1bb63b6eddf97/Windows/lazagne/config/DPAPI/vault.py#L205. This is caused by the difference in the result of the divide operator in Python 2 and Python 3.

Sorry, I am not familiar with Windows domains, so I really do not want to set up domain infrastructure to test this issue. I am sure this is overkill. Let's try to solve this issue like this: I created the branch https://github.com/MyLoginOnGitHub/LaZagne/tree/try-to-help-byehack. Follow this branch, try to run it on your machine with a domain and post results here. I've already tried to solve this exception, but other exceptions could occur.
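The Python 2 vs. 3 division difference described in the comment above, shown on a small binary parser. This is an added illustration, not LaZagne's vault.py or any code from the thread: the record layout (a 4-byte little-endian byte count followed by 4-byte attribute ids) and the function names are hypothetical, chosen only to reproduce the failure mode of an attribute count that becomes a float under Python 3 and the `//` fix, with the bounds checks a parser of untrusted blobs should carry.

```python
import struct

# Constructed sample blob (hypothetical layout, not the real Windows Vault format):
# a 4-byte little-endian length (12) followed by three 4-byte attribute ids.
SAMPLE_BLOB = struct.pack("<I", 12) + struct.pack("<III", 1, 2, 3)
# Constructed truncated blob: claims 12 bytes of attributes but carries only 4.
TRUNCATED_BLOB = struct.pack("<I", 12) + struct.pack("<I", 1)


def parse_attributes_py2_style(blob):
    """Division written for Python 2, where int / int truncates.
    On Python 3 the same expression yields a float, and range() refuses it
    with TypeError: 'float' object cannot be interpreted as an integer."""
    (length,) = struct.unpack_from("<I", blob, 0)
    attributes_num = length / 4  # 3 on Python 2, 3.0 on Python 3
    return [struct.unpack_from("<I", blob, 4 + 4 * i)[0]
            for i in range(attributes_num)]


def parse_attributes_fixed(blob):
    """Same parser with floor division, which is an int on both interpreters,
    plus the sanity checks that keep a malformed blob from raising inside struct."""
    (length,) = struct.unpack_from("<I", blob, 0)
    if length % 4:
        raise ValueError("attribute block length %d is not a multiple of 4" % length)
    if 4 + length > len(blob):
        raise ValueError("blob truncated: header claims %d bytes, %d present"
                         % (length, len(blob) - 4))
    attributes_num = length // 4  # int on Python 2 and 3
    return [struct.unpack_from("<I", blob, 4 + 4 * i)[0]
            for i in range(attributes_num)]


def demonstrate(blob=SAMPLE_BLOB):
    """Return (legacy_parser_succeeded, attributes_from_fixed_parser)."""
    try:
        parse_attributes_py2_style(blob)
        legacy_ok = True
    except TypeError:
        legacy_ok = False
    return legacy_ok, parse_attributes_fixed(blob)


if __name__ == "__main__":
    print(demonstrate())
```

On a Python 3 interpreter `demonstrate()` returns `(False, [1, 2, 3])`: the legacy form fails exactly where the thread's traceback points, while the `//` form parses the same bytes. Running the script under Python 2 would return `(True, [1, 2, 3])`, which is why the bug only surfaced once the tool was run under Python 3.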

MyLoginOnGitHub commented 4 years ago

@byehack, I've created an issue in my fork. Post your results there so as not to make the conversation here too long: https://github.com/MyLoginOnGitHub/LaZagne/issues/4

byehack commented 4 years ago

> @byehack, I've created an issue in my fork. Post your results there so as not to make the conversation here too long: MyLoginOnGitHub#4

OK, but this issue is still open here! When the problem is solved, I'll close this issue.

Continue in MyLoginOnGitHub#4

AlessandroZ commented 4 years ago

Vault file decryption is OK now, so I am closing this issue.