AlessandroZ / LaZagne

Credentials recovery project
GNU Lesser General Public License v3.0

Chrome 80.0.3987.122 login passwords with latest Alessandro git #479

Closed Papotito123 closed 4 years ago

Papotito123 commented 4 years ago

Hello: @AlessandroZ, @byehack; with the latest Alessandro git code, wdigest passwords are recovered (also credman creds):

------------------- Pypykatz passwords -----------------

None
[+] Password found !!! Type: wdigest_creds Domain: DESKTOP-2GHHNFK Password: zzzzzzzzzzzzzzzzzz Shahash: qqqqqqqqqqqqqqqqqqqq Nthash: qwqwqwqwqwqqww Login: TESTACCOUNT

[+] Password found !!! Type: credman_creds Domain: DESKTOP-WINVIRT Password: xxxxxxxxx Login: testuser

------------------- Mscache passwords -----------------

I see requirements.txt was changed, and it worked fine.

But I am still facing an issue with Chrome 80.0.3987.122 login passwords.

------------------- Google chrome passwords -----------------

[!] Database found: C:\Users\TESTACCOUNT\AppData\Local\Google\Chrome\User Data\Default\Login Data
[!] Temporary db copied: C:\Users\TESTAC~1\AppData\Local\Temp\yyobpdbsm
[+] xxxxxxxxxxxxxxxx ok for masterkey 30b657d4-fe73-47c0-af94-7b2291f61463
[+] xxxxxxxxxxxxxxxx ok for masterkey 3fdc4908-7639-4245-848e-b87fdd7b1cc9
[+] xxxxxxxxxxxxxxxx ok for masterkey 6d9a5591-8966-4c86-a354-a44c33a272db
[+] xxxxxxxxxxxxxxxx ok for masterkey 7a404da4-b4d0-4d96-973e-5bad1b705b01
[+] xxxxxxxxxxxxxxxx ok for masterkey bcec4086-ba45-4130-9165-23b6ba696cef
[+] xxxxxxxxxxxxxxxx ok for masterkey c4a0a02c-95b1-4de5-98e2-35f681af0d34
[-] xxxxxxxxxxxxxxxx not ok for masterkey cc11d09e-e1c7-48a9-964b-6fafd4b67917
[-] xxxxxxxxxxxxxxxx not ok for masterkey fe6826cc-98e5-4748-82c2-399234faaefc
[!] Traceback (most recent call last):
  File "C:\laza\Windows\lazagne\softwares\browsers\chromium_based.py", line 140, in _export_credentials
    user_dpapi=constant.user_dpapi)
  File "C:\laza\Windows\lazagne\config\winstructure.py", line 625, in Win32CryptUnprotectData
    decrypted = user_dpapi.decrypt_encrypted_blob(cipherText)
  File "C:\laza\Windows\lazagne\config\dpapi_structure.py", line 132, in decrypt_encrypted_blob
    blob = DPAPIBlob(ciphered)
  File "C:\laza\Windows\lazagne\config\DPAPI\blob.py", line 49, in init
    DataStruct.init(self, raw)
  File "C:\laza\Windows\lazagne\config\DPAPI\eater.py", line 124, in init
    self.parse(Eater(raw, endianness="<"))
  File "C:\laza\Windows\lazagne\config\DPAPI\blob.py", line 66, in parse
    self.mkguid = b"%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x" % data.eat("L2H8B")
  File "C:\laza\Windows\lazagne\config\DPAPI\eater.py", line 66, in eat
    v = struct.unpack_from(fmt, self.raw, self.ofs)
struct.error: unpack_from requires a buffer of at least 16 bytes

[!] Traceback (most recent call last):
  File "C:\laza\Windows\lazagne\softwares\browsers\chromium_based.py", line 140, in _export_credentials
    user_dpapi=constant.user_dpapi)
  File "C:\laza\Windows\lazagne\config\winstructure.py", line 625, in Win32CryptUnprotectData
    decrypted = user_dpapi.decrypt_encrypted_blob(cipherText)
  File "C:\laza\Windows\lazagne\config\dpapi_structure.py", line 132, in decrypt_encrypted_blob
    blob = DPAPIBlob(ciphered)
  File "C:\laza\Windows\lazagne\config\DPAPI\blob.py", line 49, in init
    DataStruct.init(self, raw)
  File "C:\laza\Windows\lazagne\config\DPAPI\eater.py", line 124, in init
    self.parse(Eater(raw, endianness="<"))
  File "C:\laza\Windows\lazagne\config\DPAPI\blob.py", line 67, in parse
    self.flags = data.eat("L")
  File "C:\laza\Windows\lazagne\config\DPAPI\eater.py", line 66, in eat
    v = struct.unpack_from(fmt, self.raw, self.ofs)
struct.error: unpack_from requires a buffer of at least 4 bytes

[+] Password found !!! URL: https://login.live.com/ppsecure/post.srf Login: nnnnnnnn@hotmail.com Password: vvvvvvvvvvv

Chrome saved logins (newly saved) are giving errors. The old-saved Chrome login (I did it as a control for troubleshooting) was recovered fine.

I tested with Chrome v80_password_grabber (suggested by Byehack), even after the last Chrome update to 80.0.3987.132, and recovered all Chrome logins.

I tested with the latest mimikatz and recovered all Chrome logins as well, but noticed that it identifies all recovered ones with "* using BCrypt with AES-256-GCM", even though 1 login is an old-saved one.

Last-minute update: I didn't notice, but Chrome updated again.

From: Google Chrome is up to date Version 80.0.3987.122 (Official Build) (64-bit)

To (right now): Google Chrome is up to date Version 80.0.3987.132 (Official Build) (64-bit)

Thanks again.

byehack commented 4 years ago

Hello. Try with my repo and give me feedback!

AlessandroZ commented 4 years ago

This is a weird error; it seems that the encrypted blob from Chrome has changed, because it fails when parsing. I should take a closer look to fix it properly.

However, it should be fixed now.
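The tracebacks above show a DPAPI blob parser reading past the end of a buffer because the value it was handed is no longer a DPAPI blob: Chrome 80 started storing saved passwords as AES-256-GCM ciphertext under a "v10" prefix (the mimikatz message quoted earlier), and only the key in Local State is DPAPI-protected. As an added example, not code from LaZagne or this thread, here is a Python format-and-length check that classifies a stored value and turns the bare struct.error into a readable diagnostic; the sample blobs and the master-key GUID are constructed, and nothing is decrypted.

```python
import struct
import uuid

# Fixed DPAPI blob header layout (CryptProtectData output), the fields blob.py
# reads before the failing unpack: version, provider GUID, master-key version,
# master-key GUID, flags. The provider GUID is the well-known DPAPI constant.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
DPAPI_HEADER_FMT = "<I16sI16sI"
DPAPI_HEADER_LEN = struct.calcsize(DPAPI_HEADER_FMT)  # 44 bytes

# Chrome 80+ os_crypt layout: "v10" + 12-byte nonce + AES-256-GCM ciphertext + 16-byte tag.
CHROME_V10_PREFIX = b"v10"
CHROME_V10_NONCE_LEN = 12
CHROME_V10_TAG_LEN = 16


class BlobFormatError(ValueError):
    """Raised instead of a bare struct.error for short or unrecognised input."""


def classify_blob(raw: bytes) -> dict:
    """Report what kind of ciphertext a password_value holds, without decrypting.

    Returns {'kind': 'chrome_v10', ...} or {'kind': 'dpapi', ...}; raises
    BlobFormatError exactly where LaZagne's Eater would hit struct.error.
    """
    if raw.startswith(CHROME_V10_PREFIX):
        body = raw[len(CHROME_V10_PREFIX):]
        ct_len = len(body) - CHROME_V10_NONCE_LEN - CHROME_V10_TAG_LEN
        if ct_len < 0:
            raise BlobFormatError("v10 value too short for nonce + GCM tag")
        return {"kind": "chrome_v10", "nonce": body[:CHROME_V10_NONCE_LEN], "ciphertext_len": ct_len}

    if len(raw) < DPAPI_HEADER_LEN:
        raise BlobFormatError(f"DPAPI header needs {DPAPI_HEADER_LEN} bytes, got {len(raw)}")
    version, provider, _mk_version, mk_guid, flags = struct.unpack_from(DPAPI_HEADER_FMT, raw, 0)
    if version != 1 or uuid.UUID(bytes_le=provider) != DPAPI_PROVIDER_GUID:
        raise BlobFormatError("not a DPAPI blob: bad version or provider GUID")
    # bytes_le renders the GUID the same way blob.py's "%08x-%04x-..." format does.
    return {"kind": "dpapi", "masterkey_guid": str(uuid.UUID(bytes_le=mk_guid)), "flags": flags}


# Constructed samples (not captured from a real profile); the master-key GUID is made up.
SAMPLE_MK_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DPAPI = struct.pack(DPAPI_HEADER_FMT, 1, DPAPI_PROVIDER_GUID.bytes_le, 1, SAMPLE_MK_GUID.bytes_le, 0)
SAMPLE_V10 = CHROME_V10_PREFIX + bytes(CHROME_V10_NONCE_LEN) + b"\x11" * 5 + bytes(CHROME_V10_TAG_LEN)
```

Running classify_blob over each password_value before handing it to a DPAPI routine tells you which storage scheme a profile uses and fails with a clear message instead of a 16-byte unpack error.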

byehack commented 4 years ago

> However, it should be fixed now.

Check this to make the app faster: https://github.com/byehack/LaZagne/commit/7469e2c85affeab4c18fe16debe4e998bb2bf8cb

Papotito123 commented 4 years ago

Hello: @AlessandroZ, @byehack, Alessandro's latest git (chromium fix) works fine.

Papotito123_Alessandro(6MAR2010).txt

Thanks for your work.

Papotito123 commented 4 years ago

Hello: Just to inform you that I had an issue after compiling the latest Alessandro 2.4.3. I realized that it was a PyInstaller issue.

When running the compiled lazagne.exe, it throws this: ModuleNotFoundError: No module named 'pkg_resources.py2_warn' [1004] Failed to execute script pyi_rth_pkgres

Searching for info, I read some. Running pip install --upgrade setuptools will upgrade to 45.0.0, and this causes problems with PyInstaller 3.5/3.6. A guy gave a solution: running pip install --upgrade setuptools==44.0.0, downgrading to 44.0, and this worked.

I compiled the latest Alessandro.py git and it worked fine. And fast.

Thanks.

Papotito123 commented 4 years ago

Hello: @byehack,

> However, it should be fixed now.

> Check this to make the app faster: byehack@7469e2c

I made the mods you suggested (it took me some time to get it right).

Yes, it is faster. But I saw some differences in the -vvv output. They are in the output blocks regarding my other user accounts:

########## User: otheruser ##########
===> local user
-- and so on --
------------------- Google chrome passwords -----------------

[!] Unable to find MK for blob b'9cde3a19-5d21-426e-8c43-0ff4d9b5d457'
[!] Database found: C:\Users\othersuer\AppData\Local\Google\Chrome\User Data\Default\Login Data
[!] Temporary db copied: C:\Users\TESTAC~1\AppData\Local\Temp\bgiyhvqyv
[!] Unable to find MK for blob b'7b9f7d6e-f87b-41e6-863c-d881d1155b85'
[!] Traceback (most recent call last):
  File "C:\laza\Windows\lazagne\softwares\browsers\chromium_based.py", line 149, in _export_credentials
    password = password_bytes.decode("utf-8")
AttributeError: 'bool' object has no attribute 'decode'

[!] No passwords found

########## User: anotheruser ##########
===> MicrosoftAccount user
--- and so on ---
------------------- Google chrome passwords -----------------

[!] Unable to find MK for blob b'bb0fd3d0-3daa-4d06-aa93-a282eea027db'
[!] Database found: C:\Users\anotheruser\AppData\Local\Google\Chrome\User Data\Default\Login Data
[!] Temporary db copied: C:\Users\TESTAC~1\AppData\Local\Temp\vuwxwglea
[!] Traceback (most recent call last):
  File "C:\laza\Windows\lazagne\softwares\browsers\chromium_based.py", line 140, in _export_credentials
    user_dpapi=constant.user_dpapi)
  File "C:\laza\Windows\lazagne\config\winstructure.py", line 617, in Win32CryptUnprotectData
    return user_dpapi.decrypt_encrypted_blob(cipherText, entropy_hex=entropy)
  File "C:\laza\Windows\lazagne\config\dpapi_structure.py", line 132, in decrypt_encrypted_blob
    blob = DPAPIBlob(ciphered)
  File "C:\laza\Windows\lazagne\config\DPAPI\blob.py", line 49, in init
    DataStruct.init(self, raw)
  File "C:\laza\Windows\lazagne\config\DPAPI\eater.py", line 124, in init
    self.parse(Eater(raw, endianness="<"))
  File "C:\laza\Windows\lazagne\config\DPAPI\blob.py", line 68, in parse
    self.description = data.eat_length_and_string("L").replace(b"\x00", b"")
  File "C:\laza\Windows\lazagne\config\DPAPI\eater.py", line 81, in eat_length_and_string
    l = self.eat(fmt)
  File "C:\laza\Windows\lazagne\config\DPAPI\eater.py", line 66, in eat
    v = struct.unpack_from(fmt, self.raw, self.ofs)
struct.error: unpack_from requires a buffer of at least 4 bytes

[!] No passwords found

With Alessandro's original lazagne winstructure.py, when running -vvv, these 2 accounts show the email account names (xxxxx@outlook.com) and the blob, but say it didn't find the masterkey, as in this:

Papotito123_ByeHack(byehack@7469e2c ).txt

This MicrosoftAccount user account is giving me a hard time because I'm trying to recover its Chrome logins, but doing it from another user account (using mimikatz), and it never gives the Masterkey because it throws an error.

Sorry for late post.

Thanks.

byehack commented 4 years ago

https://github.com/byehack/LaZagne/commit/787875a9744081f4913cc612348b17a42498501f

Papotito123 commented 4 years ago

Hello: There's something I noticed. Not all passwords displayed in -vvv are printed to the output. The Credfiles Passwords and VaultFiles Passwords sections are empty even though the passwords are in the -vvv .cmd, as in this:

------------------- Credfiles passwords -----------------

[+] Password found !!! File: C:\Users\TESTACCOUNT\AppData\Roaming\Microsoft\Credentials\A6F8B67F4EE2434D447B1CE77E590E6A Domain: Domain:target=DESKTOP-WINVIRT Username: testuser Password: xxxxxxx

------------------- Vaultfiles passwords -----------------

[!] Unable to decrypt blob. Unable to decrypt master key
[!] Policy file not found: C:\Users\TESTACCOUNT\AppData\Local\Microsoft\Vault\UserProfileRoaming\Policy.vpol
[+] Password found !!! URL: https://login.live.com/ Login: aaaaaaa@hotmail.com Password: xxxxxxxxxx File: C:\Users\TESTACCOUNT\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\50E3595CBC444897BF5534B9C2A1A13A5DDFCA33.vcrd

These are not printed.

While the -vvv cmd says 19 passwords recovered, the output .txt says 15 passwords recovered.

Thanks again.

AlessandroZ commented 4 years ago

> However, it should be fixed now.

> Check this to make the app faster: byehack@7469e2c

Yes, I know it will go faster, but if getData fails, we try harder to find the password. Maybe another way would be, as @alxchk had suggested, to cache gid/sid/password in a tuple: https://github.com/AlessandroZ/LaZagne/pull/399

I close this issue.

For your other problem, please @Papotito123 open another issue, otherwise I'm lost. If you could explain a little more; I didn't understand the problem well either. Are passwords printed in verbose mode and not in normal mode? etc.

Papotito123 commented 4 years ago

Hello: @byehack.

> byehack commented 2 days ago
> byehack/LaZagne@787875a

I tested your modification in Alessandro's latest git code in -vvv mode, and the Chrome logins for other users appear not with a plain-text password but as a blob?

Papotito123_Alessandro latest+byehack@787875a.txt

Can I use this to retrieve the password?

Thanks.

Papotito123 commented 4 years ago

Hello: @AlessandroZ, about some passwords being printed in verbose mode and not in normal mode, don't worry. I ran your latest git again and all passwords are printed to a .txt.

I thought these 2 blocks had no password at the first run, ------------------- Credfiles ----------------- and ------------------- Vaultfiles -----------------

but they show up in the second run.

Sorry.

And thanks.