AlessandroZ / LaZagne

Credentials recovery project
GNU Lesser General Public License v3.0

Retrieve passwords from Vault in Windows 7 #458

Closed MyLoginOnGitHub closed 4 months ago

MyLoginOnGitHub commented 4 years ago

As mentioned in https://github.com/AlessandroZ/LaZagne/pull/451, for Windows 7 the module Vault.py now only collects usernames, not passwords.

Password collection for Win 7 fails for some reason in the function VaultGetItem (https://github.com/MyLoginOnGitHub/LaZagne/blob/7727bc3bab2d228e5257804088f7f56202d2828d/Windows/lazagne/softwares/windows/vault.py#L48) with status code 87 (ERROR_INVALID_PARAMETER, https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes--0-499-).

The code is currently done as in the following, but it fails.
https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Get-VaultCredential.ps1
https://github.com/byt3bl33d3r/SILENTTRINITY/blob/master/silenttrinity/core/teamserver/modules/boo/src/dumpVaultCredentials.boo
https://github.com/danieljoos/winvault/blob/master/syscall.go

Tested on Python 3.6, Windows 7

byehack commented 4 years ago

duplicate of https://github.com/AlessandroZ/LaZagne/issues/438

byehack commented 4 years ago

Can't decrypt vaults also in Win7 or above. The problem is in winstructures.py. I could get some passwords after changing it, but still the RDP passwords can't be gathered. My fork: https://github.com/byehack/LaZagne

Papotito123 commented 4 years ago

Hello byehack, MyLoginOnGitHub, LaZagne dev: I ran the latest laZagne.py (fix vault crash). Hashdump now retrieves the real hash. I verified with mine and the retrieved ones are true.

In ---- Vault passwords ----, it shows with no password, like this (I have a Web Credential saved, Edge-Outlook email account):

------------------- Vault passwords -----------------

[-] Password not found !!! URL: https://login.live.com/ Login: ccccccccccc Name: Internet Explorer

------------------- Windows passwords -----------------

On the other hand, in ---- Vaultfiles passwords ----, it shows the Web Credential saved (Edge-Outlook mail) with the password retrieved, like this:

------------------- Vaultfiles passwords -----------------

[!] Unable to decrypt blob. Unable to decrypt master key [!] Policy file not found: C:\Users\TESTACCOUNT\AppData\Local\Microsoft\Vault\UserProfileRoaming\Policy.vpol [+] Password found !!! URL: https://login.live.com/ Login: --------------.com Password: xxxxxxxxxxxxx File: C:\Users\TESTACCOUNT\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\50E3595CBC444897BF5534B9C2A1A13A5DDFCA33.vcrd

########## User: Administrator ##########

In Windows Credential Manager > Web Credentials > Web Passwords, it shows as Saved: By Internet Explorer.

laZagne.py is running fast.

Here's my raw cmd output:

Papotito123_latest lazagne-fix vault crash_raw cmd.txt

Thanks again to all.

byehack commented 4 years ago

In ---- Vault passwords -- ,show with no password,like this;

Yes, this is a big problem. At first I asked @AlessandroZ to fix this, but still we couldn't do it.

AlessandroZ commented 4 years ago

@Papotito123, try running it like that:

lazagne.py windows -password <user_passwd>

No need to run it with admin rights; user_passwd should be your Windows user password. It targets only the current user, so do not expect to retrieve passwords from other users. But you should see more passwords.

Papotito123 commented 4 years ago

Hello AlessandroZ, this is the cmd output of the latest lazagne with lazagne.py windows -password:

C:\Windows\system32>cd C:\Users\TESTACCOUNT\Desktop\Python37

C:\Users\TESTACCOUNT\Desktop\Python37>python "C:\lazona\Windows\laZagne.py" usage: laZagne.py [-h] [-version] {all,browsers,chats,databases,games,git,mails,maven,memory,multimedia,php,svn,sysadmin,windows,wifi} ...

====================================================================
The LaZagne Project
! BANG BANG !
====================================================================

positional arguments: {all,browsers,chats,databases,games,git,mails,maven,memory,multimedia,php,svn,sysadmin,windows,wifi} Choose a main command all Run all modules browsers Run browsers module chats Run chats module databases Run databases module games Run games module git Run git module mails Run mails module maven Run maven module memory Run memory module multimedia Run multimedia module php Run php module svn Run svn module sysadmin Run sysadmin module windows Run windows module wifi Run wifi module

optional arguments: -h, --help show this help message and exit -version laZagne version

C:\Users\TESTACCOUNT\Desktop\Python37>"C:\lazona\Windows\laZagne.py" -version Version 2.4.3

C:\Users\TESTACCOUNT\Desktop\Python37>"C:\lazona\Windows\laZagne.py" windows -password ccccccccccc

====================================================================
The LaZagne Project
! BANG BANG !
====================================================================

[+] System masterkey decrypted for 08be8fec-13ca-4ae0-8341-36b907e33d19 [+] System masterkey decrypted for 15e43b11-4cee-437f-928e-082807c02474 [+] System masterkey decrypted for 1e8bc276-41f3-493f-8fb4-32496443bb79 [+] System masterkey decrypted for 4e79d188-0323-4c0b-9796-0d9ffc89f045 [+] System masterkey decrypted for 55aa46c8-2bc6-496a-8888-482c24891036

########## User: SYSTEM ##########

------------------- Pypykatz passwords -----------------

[+] Password found !!! Domain: DESKTOP-2GHHNFK Password: ccccccccccc Shahash: 1a64c263388a957f3c40b29dcfea3bd994563c99 Nthash: ccccccccccc Login: TESTACCOUNT

------------------- Hashdump passwords -----------------

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:8a55595be989882a0c3636404e158620::: djEl:1001:aad3b435b51404eeaad3b435b51404ee:ccccccccccccccccccccccccccccccccc::: TESTACCOUNT:1002:aad3b435b51404eeaad3b435b51404ee:ccccccccccccccccccccccccccccccccc::: PROBANDO:1003:aad3b435b51404eeaad3b435b51404ee:ccccccccccccccccccccccccccccccccc:::

------------------- Lsa_secrets passwords -----------------

DPAPISYSTEM 0000 01 00 00 00 D5 52 00 CF D2 B0 DF DB F2 7B F7 38 .....R.......{.8 0010 0D 0A 51 03 23 30 AD 75 4F A9 C4 AB AC 1B BE 00 ..Q.#0.uO....... 0020 C9 64 50 9C ED C8 9F 7A 70 18 AB 5F .dP....zp..

L$_SQSA_S-1-5-21-337365419-192549521-2618175838-1001 0000 12 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0010 7B 00 22 00 76 00 65 00 72 00 73 00 69 00 6F 00 {.".v.e.r.s.i.o. 0020 6E 00 22 00 3A 00 31 00 2C 00 22 00 71 00 75 00 n.".:.1.,.".q.u. 0030 65 00 73 00 74 00 69 00 6F 00 6E 00 73 00 22 00 e.s.t.i.o.n.s.". 0040 3A 00 5B 00 7B 00 22 00 71 00 75 00 65 00 73 00 :.[.{.".q.u.e.s. 0050 74 00 69 00 6F 00 6E 00 22 00 3A 00 22 00 57 00 t.i.o.n.".:.".W. 0060 68 00 61 00 74 00 20 00 77 00 61 00 73 00 20 00 h.a.t. .w.a.s. . 0070 79 00 6F 00 75 00 72 00 20 00 66 00 69 00 72 00 y.o.u.r. .f.i.r. 0080 73 00 74 00 20 00 70 00 65 00 74 00 19 20 73 00 s.t. .p.e.t.. s. 0090 20 00 6E 00 61 00 6D 00 65 00 3F 00 22 00 2C 00 .n.a.m.e.?.".,. 00A0 22 00 61 00 6E 00 73 00 77 00 65 00 72 00 22 00 ".a.n.s.w.e.r.". 00B0 3A 00 22 00 6B 00 65 00 6C 00 69 00 74 00 61 00 :.".k.e.l.i.t.a. 00C0 22 00 7D 00 2C 00 7B 00 22 00 71 00 75 00 65 00 ".}.,.{.".q.u.e. 00D0 73 00 74 00 69 00 6F 00 6E 00 22 00 3A 00 22 00 s.t.i.o.n.".:.". 00E0 57 00 68 00 61 00 74 00 19 20 73 00 20 00 74 00 W.h.a.t.. s. .t. 00F0 68 00 65 00 20 00 6E 00 61 00 6D 00 65 00 20 00 h.e. .n.a.m.e. . 0100 6F 00 66 00 20 00 74 00 68 00 65 00 20 00 63 00 o.f. .t.h.e. .c. 0110 69 00 74 00 79 00 20 00 77 00 68 00 65 00 72 00 i.t.y. .w.h.e.r. 0120 65 00 20 00 79 00 6F 00 75 00 20 00 77 00 65 00 e. .y.o.u. .w.e. 0130 72 00 65 00 20 00 62 00 6F 00 72 00 6E 00 3F 00 r.e. .b.o.r.n.?. 0140 22 00 2C 00 22 00 61 00 6E 00 73 00 77 00 65 00 ".,.".a.n.s.w.e. 0150 72 00 22 00 3A 00 22 00 6D 00 61 00 79 00 61 00 r.".:.".m.a.y.a. 0160 67 00 75 00 65 00 7A 00 22 00 7D 00 2C 00 7B 00 g.u.e.z.".}.,.{. 0170 22 00 71 00 75 00 65 00 73 00 74 00 69 00 6F 00 ".q.u.e.s.t.i.o. 0180 6E 00 22 00 3A 00 22 00 57 00 68 00 61 00 74 00 n.".:.".W.h.a.t. 0190 19 20 73 00 20 00 74 00 68 00 65 00 20 00 6E 00 . s. .t.h.e. .n. 01A0 61 00 6D 00 65 00 20 00 6F 00 66 00 20 00 74 00 a.m.e. .o.f. .t. 01B0 68 00 65 00 20 00 66 00 69 00 72 00 73 00 74 00 h.e. 
.f.i.r.s.t. 01C0 20 00 73 00 63 00 68 00 6F 00 6F 00 6C 00 20 00 .s.c.h.o.o.l. . 01D0 79 00 6F 00 75 00 20 00 61 00 74 00 74 00 65 00 y.o.u. .a.t.t.e. 01E0 6E 00 64 00 65 00 64 00 3F 00 22 00 2C 00 22 00 n.d.e.d.?.".,.". 01F0 61 00 6E 00 73 00 77 00 65 00 72 00 22 00 3A 00 a.n.s.w.e.r.".:. 0200 22 00 6D 00 75 00 F1 00 6F 00 7A 00 20 00 72 00 ".m.u...o.z. .r. 0210 69 00 76 00 65 00 72 00 61 00 22 00 7D 00 5D 00 i.v.e.r.a.".}.]. 0220 7D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }...............

L$_SQSA_S-1-5-21-337365419-192549521-2618175838-1002 0000 E8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0010 7B 00 22 00 76 00 65 00 72 00 73 00 69 00 6F 00 {.".v.e.r.s.i.o. 0020 6E 00 22 00 3A 00 31 00 2C 00 22 00 71 00 75 00 n.".:.1.,.".q.u. 0030 65 00 73 00 74 00 69 00 6F 00 6E 00 73 00 22 00 e.s.t.i.o.n.s.". 0040 3A 00 5B 00 7B 00 22 00 71 00 75 00 65 00 73 00 :.[.{.".q.u.e.s. 0050 74 00 69 00 6F 00 6E 00 22 00 3A 00 22 00 57 00 t.i.o.n.".:.".W. 0060 68 00 61 00 74 00 20 00 77 00 61 00 73 00 20 00 h.a.t. .w.a.s. . 0070 79 00 6F 00 75 00 72 00 20 00 66 00 69 00 72 00 y.o.u.r. .f.i.r. 0080 73 00 74 00 20 00 70 00 65 00 74 00 19 20 73 00 s.t. .p.e.t.. s. 0090 20 00 6E 00 61 00 6D 00 65 00 3F 00 22 00 2C 00 .n.a.m.e.?.".,. 00A0 22 00 61 00 6E 00 73 00 77 00 65 00 72 00 22 00 ".a.n.s.w.e.r.". 00B0 3A 00 22 00 6B 00 65 00 6C 00 69 00 74 00 61 00 :.".k.e.l.i.t.a. 00C0 22 00 7D 00 2C 00 7B 00 22 00 71 00 75 00 65 00 ".}.,.{.".q.u.e. 00D0 73 00 74 00 69 00 6F 00 6E 00 22 00 3A 00 22 00 s.t.i.o.n.".:.". 00E0 57 00 68 00 61 00 74 00 19 20 73 00 20 00 74 00 W.h.a.t.. s. .t. 00F0 68 00 65 00 20 00 6E 00 61 00 6D 00 65 00 20 00 h.e. .n.a.m.e. . 0100 6F 00 66 00 20 00 74 00 68 00 65 00 20 00 63 00 o.f. .t.h.e. .c. 0110 69 00 74 00 79 00 20 00 77 00 68 00 65 00 72 00 i.t.y. .w.h.e.r. 0120 65 00 20 00 79 00 6F 00 75 00 20 00 77 00 65 00 e. .y.o.u. .w.e. 0130 72 00 65 00 20 00 62 00 6F 00 72 00 6E 00 3F 00 r.e. .b.o.r.n.?. 0140 22 00 2C 00 22 00 61 00 6E 00 73 00 77 00 65 00 ".,.".a.n.s.w.e. 0150 72 00 22 00 3A 00 22 00 6D 00 61 00 79 00 61 00 r.".:.".m.a.y.a. 0160 67 00 75 00 65 00 7A 00 22 00 7D 00 2C 00 7B 00 g.u.e.z.".}.,.{. 0170 22 00 71 00 75 00 65 00 73 00 74 00 69 00 6F 00 ".q.u.e.s.t.i.o. 0180 6E 00 22 00 3A 00 22 00 57 00 68 00 61 00 74 00 n.".:.".W.h.a.t. 0190 20 00 77 00 61 00 73 00 20 00 79 00 6F 00 75 00 .w.a.s. .y.o.u. 01A0 72 00 20 00 63 00 68 00 69 00 6C 00 64 00 68 00 r. .c.h.i.l.d.h. 
01B0 6F 00 6F 00 64 00 20 00 6E 00 69 00 63 00 6B 00 o.o.d. .n.i.c.k. 01C0 6E 00 61 00 6D 00 65 00 3F 00 22 00 2C 00 22 00 n.a.m.e.?.".,.". 01D0 61 00 6E 00 73 00 77 00 65 00 72 00 22 00 3A 00 a.n.s.w.e.r.".:. 01E0 22 00 6C 00 75 00 69 00 73 00 69 00 74 00 6F 00 ".l.u.i.s.i.t.o. 01F0 22 00 7D 00 5D 00 7D 00 00 00 00 00 00 00 00 00 ".}.].}.........

L$_SQSA_S-1-5-21-337365419-192549521-2618175838-1003 0000 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0010 7B 00 22 00 76 00 65 00 72 00 73 00 69 00 6F 00 {.".v.e.r.s.i.o. 0020 6E 00 22 00 3A 00 31 00 2C 00 22 00 71 00 75 00 n.".:.1.,.".q.u. 0030 65 00 73 00 74 00 69 00 6F 00 6E 00 73 00 22 00 e.s.t.i.o.n.s.". 0040 3A 00 5B 00 7B 00 22 00 71 00 75 00 65 00 73 00 :.[.{.".q.u.e.s. 0050 74 00 69 00 6F 00 6E 00 22 00 3A 00 22 00 57 00 t.i.o.n.".:.".W. 0060 68 00 61 00 74 00 20 00 77 00 61 00 73 00 20 00 h.a.t. .w.a.s. . 0070 79 00 6F 00 75 00 72 00 20 00 66 00 69 00 72 00 y.o.u.r. .f.i.r. 0080 73 00 74 00 20 00 70 00 65 00 74 00 19 20 73 00 s.t. .p.e.t.. s. 0090 20 00 6E 00 61 00 6D 00 65 00 3F 00 22 00 2C 00 .n.a.m.e.?.".,. 00A0 22 00 61 00 6E 00 73 00 77 00 65 00 72 00 22 00 ".a.n.s.w.e.r.". 00B0 3A 00 22 00 74 00 6F 00 74 00 6F 00 22 00 7D 00 :.".t.o.t.o.".}. 00C0 2C 00 7B 00 22 00 71 00 75 00 65 00 73 00 74 00 ,.{.".q.u.e.s.t. 00D0 69 00 6F 00 6E 00 22 00 3A 00 22 00 57 00 68 00 i.o.n.".:.".W.h. 00E0 61 00 74 00 19 20 73 00 20 00 74 00 68 00 65 00 a.t.. s. .t.h.e. 00F0 20 00 6E 00 61 00 6D 00 65 00 20 00 6F 00 66 00 .n.a.m.e. .o.f. 0100 20 00 74 00 68 00 65 00 20 00 63 00 69 00 74 00 .t.h.e. .c.i.t. 0110 79 00 20 00 77 00 68 00 65 00 72 00 65 00 20 00 y. .w.h.e.r.e. . 0120 79 00 6F 00 75 00 20 00 77 00 65 00 72 00 65 00 y.o.u. .w.e.r.e. 0130 20 00 62 00 6F 00 72 00 6E 00 3F 00 22 00 2C 00 .b.o.r.n.?.".,. 0140 22 00 61 00 6E 00 73 00 77 00 65 00 72 00 22 00 ".a.n.s.w.e.r.". 0150 3A 00 22 00 61 00 74 00 6C 00 61 00 6E 00 74 00 :.".a.t.l.a.n.t. 0160 69 00 64 00 61 00 22 00 7D 00 2C 00 7B 00 22 00 i.d.a.".}.,.{.". 0170 71 00 75 00 65 00 73 00 74 00 69 00 6F 00 6E 00 q.u.e.s.t.i.o.n. 0180 22 00 3A 00 22 00 57 00 68 00 61 00 74 00 19 20 ".:.".W.h.a.t.. 0190 73 00 20 00 74 00 68 00 65 00 20 00 6E 00 61 00 s. .t.h.e. .n.a. 01A0 6D 00 65 00 20 00 6F 00 66 00 20 00 74 00 68 00 m.e. .o.f. .t.h. 01B0 65 00 20 00 66 00 69 00 72 00 73 00 74 00 20 00 e. 
.f.i.r.s.t. . 01C0 73 00 63 00 68 00 6F 00 6F 00 6C 00 20 00 79 00 s.c.h.o.o.l. .y. 01D0 6F 00 75 00 20 00 61 00 74 00 74 00 65 00 6E 00 o.u. .a.t.t.e.n. 01E0 64 00 65 00 64 00 3F 00 22 00 2C 00 22 00 61 00 d.e.d.?.".,.".a. 01F0 6E 00 73 00 77 00 65 00 72 00 22 00 3A 00 22 00 n.s.w.e.r.".:.". 0200 6B 00 69 00 6E 00 64 00 65 00 72 00 22 00 7D 00 k.i.n.d.e.r.".}. 0210 5D 00 7D 00 00 00 00 00 00 00 00 00 00 00 00 00 ].}.............

NL$KM 0000 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 @............... 0010 6F 57 CE 23 F3 F1 16 C9 33 88 AD 26 B7 5E BF 60 oW.#....3..&.^. 0020 47 F8 6B 9C B3 7B 21 48 48 91 83 0A 4E 9D 84 AF G.k..{!HH...N... 0030 6D A7 4D BE 7C B7 B7 80 15 2A 82 8F 4A A4 A3 AD m.M.|....*..J... 0040 8A DA 05 5A FC 3B 68 F4 44 0B CF 00 79 27 27 60 ...Z.;h.D...y'' 0050 B7 F9 0B 80 91 AA 4D 41 26 59 10 B7 70 B2 16 9E ......MA&Y..p...

########## User: TESTACCOUNT ##########

------------------- Vault passwords -----------------

[-] Password not found !!! URL: https://login.live.com/ Login: ____.com Name: Internet Explorer

[+] ccccccccccc ok for masterkey 30b657d4-fe73-47c0-af94-7b2291f61463 [+] ccccccccccc ok for masterkey 3fdc4908-7639-4245-848e-b87fdd7b1cc9 [+] ccccccccccc ok for masterkey 6d9a5591-8966-4c86-a354-a44c33a272db [+] ccccccccccc ok for masterkey 7a404da4-b4d0-4d96-973e-5bad1b705b01 [+] ccccccccccc ok for masterkey bcec4086-ba45-4130-9165-23b6ba696cef ------------------- Vaultfiles passwords -----------------

[+] Password found !!! URL: https://login.live.com/ Login: ____.com Password: cccccccc File: C:\Users\TESTACCOUNT\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\50E3595CBC444897BF5534B9C2A1A13A5DDFCA33.vcrd

[+] 2 passwords have been found. For more information launch it again with the -v option

elapsed time = 7.718991041183472

C:\Users\TESTACCOUNT\Desktop\Python37>

As in my latest post, ---- Vault passwords ---- shows with no password, but ---- Vaultfiles passwords ---- is successful. As in my latest post, in Windows Credential Manager > Web Credentials > Web Passwords, it shows as Saved: By Internet Explorer.

Thanks for keeping in touch.

Papotito123 commented 4 years ago

Hello byehack, MyLoginOnGitHub, AlessandroZ. I installed VBox and made a Win 10 1809 x64 Home VM. That's the output with the latest lazagne:

Papotito123_latest lazagne+VM login_raw cmd.txt

Thanks.

MyLoginOnGitHub commented 4 years ago

First,

In ---- Vault passwords ----, shows with no password, but ---- Vaultfiles passwords ---- is successful.

This issue is only about Vault passwords. The issue about Vaultfiles passwords was closed recently: #460. The Vault passwords module collects passwords without using the user's password. As I understood, it also does not need administrative privileges. It uses the built-in Windows Vault API. The problem is that this API is not documented and it differs between Windows 7 and later versions.

Second. ATTENTION, @AlessandroZ: now in master (b2c7ff328d855a6e273949d62684b5926d153827) it does not retrieve Vault passwords even in Windows 10. In the recent commit (9b4900351f31e4cceaed1b10560231548bd3f104) it collects successfully. My output:

b2c7ff328d855a6e273949d62684b5926d153827: laZagne.py windows -vault -vvv

====================================================================
The LaZagne Project
! BANG BANG !
====================================================================

[!] Python 3.6.6 on Windows AMD64: Intel64 Family 6 Model 60 Stepping 3, GenuineIntel

########## User: Артем ##########

------------------- Vault passwords -----------------

[-] Password not found !!! URL: URL Login: LOGIN Name: Internet Explorer

[+] 0 passwords have been found.

elapsed time = 0.011008262634277344


9b4900351f31e4cceaed1b10560231548bd3f104: laZagne.py windows -vault -vvv

====================================================================
The LaZagne Project
! BANG BANG !
====================================================================

[!] Python 3.6.6 on Windows AMD64: Intel64 Family 6 Model 60 Stepping 3, GenuineIntel

########## User: Артем ##########

------------------- Vault passwords -----------------

[+] Password found !!! URL: URL Login: LOGIN Name: Internet Explorer Password: PASSWORD

[+] 1 passwords have been found.

elapsed time = 0.014009952545166016

MyLoginOnGitHub commented 4 years ago

The problem is in commit 82193b2f20ed9f54dd10de75598f472ee568dd42. I made a local change in lines https://github.com/AlessandroZ/LaZagne/blob/b2c7ff328d855a6e273949d62684b5926d153827/Windows/lazagne/config/winstructure.py#L237 and https://github.com/AlessandroZ/LaZagne/blob/b2c7ff328d855a6e273949d62684b5926d153827/Windows/lazagne/config/winstructure.py#L255 to ('pPassword', PVAULT_ITEM_DATA), to undo this comment, and the password became found. I did not quite understand, @AlessandroZ, what this commit was done for?

AlessandroZ commented 4 years ago

Hmmm, I see. I'm quite lost because I cannot manage to reproduce the error. But this commit was there to correct a crash that @byehack had: https://github.com/AlessandroZ/LaZagne/issues/460#issuecomment-570093132

So I can remove this commit, but I think the crash will occur again. I cannot reproduce the crash, so debugging is quite difficult for me.

Right now, I don't know what to do. :(

AlessandroZ commented 4 years ago

So, doing some tests, I decided to restore the vault structure as before because I could not reproduce the crash. So now some vault passwords are retrieved using the API. However, I don't know why, not all passwords are retrieved, but mimikatz does not retrieve them either...

If it's ok for you, this issue could be closed.

byehack commented 4 years ago

So I can remove this commit, but I think the crash will occur again.

100% the crash will be back if you remove that commit, on py3. I tested your last commit (https://github.com/AlessandroZ/LaZagne/commit/6c6949fade8221d41b8f2ecf7437a285ab77b67b) now and it crashed again!

So now some vault passwords are retrieved using the API. However, I don't know why, not all passwords are retrieved, but mimikatz does not retrieve them either...

This is our problem! We have two types of vault passwords: network creds and Windows creds. With https://github.com/AlessandroZ/LaZagne/commit/82193b2f20ed9f54dd10de75598f472ee568dd42 we can get network creds but still can't retrieve Windows creds, even with the -password XXX parameter. I think the problem is in winstructure.py.

MyLoginOnGitHub commented 4 years ago

@byehack, can you please post the stack trace of the exception raised in commit https://github.com/AlessandroZ/LaZagne/commit/6c6949fade8221d41b8f2ecf7437a285ab77b67b? It would also be useful to post the successful output in commit https://github.com/AlessandroZ/LaZagne/commit/82193b2f20ed9f54dd10de75598f472ee568dd42.

byehack commented 4 years ago

@byehack, can you please post the stack trace of the exception raised in commit 6c6949f?

No, I mean I am using the latest commit and I think the problem is from this commit: https://github.com/AlessandroZ/LaZagne/commit/ddcf3b4acd6b9217338b062b0354b7fab168f237. I use the latest commit on GitHub and it crashed. But before https://github.com/AlessandroZ/LaZagne/commit/ddcf3b4acd6b9217338b062b0354b7fab168f237 and after https://github.com/AlessandroZ/LaZagne/commit/82193b2f20ed9f54dd10de75598f472ee568dd42 it didn't crash.

MyLoginOnGitHub commented 4 years ago

Ok, could you please post the stack trace of the exception raised in commit ddcf3b4? And please do not forget about the successful output in commit 82193b2 where it didn't crash.

Papotito123 commented 4 years ago

Hello byehack, MyLoginOnGitHub, AlessandroZ, I ran the latest lazagne code (Merge branch 'master' of https://github.com/AlessandroZ/LaZagne) with laZagne.py windows -password PASSWORD, and there's some change in Vault as in this output. The output is quite long because it has some runs, with and without -vvv.

Papotito123_latest lazagne(Merge branch 'master' of httpsgithub.comAlessandroZLaZagne_raw cmd.txt

Also I see pypykatz is not working well. I have wdigest enabled in the registry.

If I do pip install --upgrade pypykatz, the traceback is like this (it is in the output, at the end):

C:\Users\TESTACCOUNT\Desktop\Python37>"C:\lazy\Windows\laZagne.py" windows -password myrpassword -vvv

------------------- Pypykatz passwords -----------------

None 272482 ===> what are these 272416 997 81545 81499 996 57801 57688 54561 999 [!] Traceback (most recent call last): File "C:\lazy\Windows\lazagne\config\run.py", line 45, in run_module pwd_found = module.run() # run the module File "C:\lazy\Windows\lazagne\softwares\windows\ppypykatz.py", line 37, in run user = logon_sessions[logon_session].to_dict() AttributeError: 'dict' object has no attribute 'to_dict'

------------------- Mscache passwords -----------------

Thanks and hope this can be of help.

Papotito123 commented 4 years ago

Hello, I ran the latest lazagne (Merge branch 'master' of https://github.com/AlessandroZ/LaZagne) with laZagne.py windows -credfiles -password mypassword:

C:\Users\TESTACCOUNT\Desktop\Python37>"C:\lazy\Windows\laZagne.py" windows -credfiles -password mypassword

====================================================================
The LaZagne Project
! BANG BANG !
====================================================================

[+] System masterkey decrypted for 08be8fec-13ca-4ae0-8341-36b907e33d19 [+] System masterkey decrypted for 15e43b11-4cee-437f-928e-082807c02474 [+] System masterkey decrypted for 1e8bc276-41f3-493f-8fb4-32496443bb79 [+] System masterkey decrypted for 4e79d188-0323-4c0b-9796-0d9ffc89f045 [+] System masterkey decrypted for 55aa46c8-2bc6-496a-8888-482c24891036 [+] mypassword ok for masterkey 30b657d4-fe73-47c0-af94-7b2291f61463 [+] mypassword ok for masterkey 3fdc4908-7639-4245-848e-b87fdd7b1cc9 [+] mypassword ok for masterkey 6d9a5591-8966-4c86-a354-a44c33a272db [+] mypassword ok for masterkey 7a404da4-b4d0-4d96-973e-5bad1b705b01 [+] mypassword ok for masterkey bcec4086-ba45-4130-9165-23b6ba696cef

########## User: TESTACCOUNT ##########

------------------- Credfiles passwords -----------------

[+] Password found !!! File: C:\Users\TESTACCOUNT\AppData\Roaming\Microsoft\Credentials\A6F8B67F4EE2434D447B1CE77E590E6A Domain: Domain:target=DESKTOP-WINVIRT Username: testuser Password: @ccountf0rtesT

[+] 1 passwords have been found. For more information launch it again with the -v option

elapsed time = 13.781094312667847

C:\Users\TESTACCOUNT\Desktop\Python37>

This account is for the VBox Windows 10 1809 x64 VM. It is showing below Credential Manager > Windows Credentials > Windows Credentials > Internet or Network Address. The password is showing as dots; I assume it is encrypted. But this latest lazagne recovered it well. Also tested with NetworkPasswordDecryptor and it grabbed the login info. Even when I run the latest mimikatz, it still fetches the VBox Windows 10 1809 x64 VM login.

Just to add info to the discussion.

Thanks.

MyLoginOnGitHub commented 4 years ago

@Papotito123, thank you very much for the outputs, but this issue is only about Vault passwords, not about Pypykatz passwords or Credfiles passwords. Could you please open other issues for Pypykatz passwords and for Credfiles passwords? I also want to mention that I did not understand what is wrong with Credfiles passwords: the password has been found, and I did not understand what about some dots... Please describe this in new issues.

Not to forget, @byehack, could you please post the stack trace of the exception raised in commit ddcf3b4? And please do not forget about the successful output in commit 82193b2 where it didn't crash.

byehack commented 4 years ago

Ok, could you please post the stack trace of the exception raised in commit ddcf3b4?

No exception at all. The process crashed and the program exited.

byehack commented 4 years ago

Not to forget, @byehack, could you please post the stack trace of the exception raised in commit ddcf3b4? And please do not forget about the successful output in commit 82193b2 where it didn't crash.

Output of both of them: output.txt

MyLoginOnGitHub commented 4 years ago

No exception at all. The process crashed and the program exited.

I understand your problem now. That's so strange... What is your version of Windows?

byehack commented 4 years ago

I understand your problem now. That's so strange... What is your version of Windows?

win10-64bit

MyLoginOnGitHub commented 4 years ago

So strange... On my win10-x64 everything is fine. I think another issue should be opened for this problem.

byehack commented 4 years ago

So strange... On my win10-x64 everything is fine. I think another issue should be opened for this problem.

On py2 it is ok, but on py3 ... .

AlessandroZ commented 4 months ago

I'm closing this old issue, but it could be reopened if it is still a problem.