AlessandroZ / LaZagne

Credentials recovery project
GNU Lesser General Public License v3.0

Just a question ... #482

Closed Papotito123 closed 4 years ago

Papotito123 commented 4 years ago

Hello: I noticed in the latest LaZagne git that for other users the Chrome password is showing some bytes, like this:

########## User: othersuser ##########
====> local account

------------------- Google chrome passwords -----------------

[!] Unable to find MK for blob b'9cde3a19-5d21-426e-8c43-0ff4d9b5d457'
[!] Database found: C:\Users\othersuser\AppData\Local\Google\Chrome\User Data\Default\Login Data
[!] Temporary db copied: C:\Users\TESTAC~1\AppData\Local\Temp\wlmblskbh
[!] Unable to find MK for blob b'7b9f7d6e-f87b-41e6-863c-d881d1155b85'
[+] Password found !!!
URL: https://login.live.com/ppsecure/post.srf
Login: xxxxxxx@hotmail.com
Password: b"\x01\x00\x00\x00\xd0\x8c\x9d\xdf\x01\x15\xd1\x11\x8cz\x00\xc0O\xc2\x97\xeb\x01\x00\x00\x00n}\x9f{{\xf8\xe6A\x86<\xd8\x81\xd1\x15[\x85\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x10f\x00\x00\x00\x01\x00\x00 \x00\x00\x00\x8f\xa3\n9\xe3\x00\xfd\x0f1\xdd\x1dW\x1e\xf7\x9c\x0c:\x8d1\x83\xde\xc1]\x89\xf7\x0e\xf3v86c\xe5\x00\x00\x00\x00\x0e\x80\x00\x00\x00\x02\x00\x00 \x00\x00\x00\x7f\x9b\xc2\xcc_\xa1\xc3\xf9\x8c\xc7|\x18\xf5\x84!\x13\x9c\xcaag\xb8\xf5\xf9D\x0c\xd9YuxI\xefH\x10\x00\x00\x00\x0b\x174\x97#\xdb4\xa5E\xf0)\x82u\x82\xe9\xa8@\x00\x00\x001\x83#\xfbM\xb56\x86*\xc9\xbd\xcf\xdb\xb8\xf0\x96p\xa3P\xb6\x0b-H\xd5E\xdb\x9at\xdcn\x17\xe3\xcf\xa0\xf2\xe9$\x15q\xf4\xe7\x03&k\xa0\xe2\xf5nEWI\xd4-d,\xbe'.\x99\x05L\x85\x84\xd7"

########## User: anotheruser ##########
===> MicrosoftAccount

------------------- Google chrome passwords -----------------

[!] Unable to find MK for blob b'bb0fd3d0-3daa-4d06-aa93-a282eea027db'
[!] Database found: C:\Users\anotheruser\AppData\Local\Google\Chrome\User Data\Default\Login Data
[!] Temporary db copied: C:\Users\TESTAC~1\AppData\Local\Temp\hvttolsmy
[+] Password found !!!
URL: https://login.live.com/ppsecure/post.srf
Login: qqqqqqqqq@hotmail.com
Password: b'v10\xb8C\x91\x86#\x9b\xd8K.A*)\x8c\x0e\x12\xdd\xcc\xba\xa4O(=\xd0uN\xc6h\x11\xd3\xd6\x9f\x88lo\x15?\x83T_\xa9Q'

Can I use these bytes to get plain-text passwords?

Be careful and wash your hands.

Thanks in advance.

Papotito123 commented 4 years ago

Hello: @byehack, you made a change (byehack@787875a) to get this line: if password_bytes not in [None, False]: in Windows/lazagne/softwares/browsers/chromium_based.py, to get something like this:

########## User: otheruser ##########

------------------- Google chrome passwords -----------------

[!] Unable to find MK for blob b'bb0fd3d0-3daa-4d06-aa93-a282eea027db'
[!] Database found: C:\Users\anotheruser\AppData\Local\Google\Chrome\User Data\Default\Login Data
[!] Temporary db copied: C:\Users\TESTAC~1\AppData\Local\Temp\hvttolsmy
[+] Password found !!!
URL: https://login.live.com/ppsecure/post.srf
Login: qqqqqqqqq@hotmail.com
Password: b'v10\xb8C\x91\x86#\x9b\xd8K.A*)\x8c\x0e\x12\xdd\xcc\xba\xa4O(=\xd0uN\xc6h\x11\xd3\xd6\x9f\x88lo\x15?\x83T_\xa9Q'

The blob GUID names given are the right ones (with mimikatz the Chrome login can be retrieved, or at least attempted), but these bytes (b'v10\xb8C\x91\ ..) are not shown when the user password (wdigest enabled) is not retrieved as the user password but as Password: TBAL{68EDDCF5-0AEB-4C28-A770-AF5302ECA3C9}.

I checked which format these bytes (b'v10\xb8C\x91\ ..) are in by trying to decrypt them online, but the format is not recognized. Any info much appreciated.

And just to inform you of the behaviour of your fix.

Keep safe and wash your hands.

Thanks in advance.

Papotito123 commented 4 years ago

Hello: As I understand from reading some info, these are the passwords in scrambled form, due to the need for the decrypted master key to get plain-text output.

If I am wrong, please hit me with the right info.

Thanks in advance.

AlessandroZ commented 4 years ago

Hi @Papotito123,

What I always recommend is retrieving the password from the application to understand if it's an error or if it's normal. For example, here you are talking about Chrome passwords: go to Chrome settings, search for passwords and check it in plain text: https://www.trishtech.com/2013/11/view-saved-chrome-passwords/

If you don't find this entry, I think Chrome managed it in a weird way and you should not take it into consideration. If you retrieve it in plaintext, you will be able to compare it with your retrieved value.

Some Windows passwords can be found by checking the Credential Manager: https://www.wikihow.com/View-Your-Passwords-in-Credential-Manager-on-Windows

In your output, what I understand: [!] Unable to find MK for blob b'bb0fd3d0-3daa-4d06-aa93-a282eea027db' means that no MK (master key) has been found to decrypt your blob (encrypted password from Chrome). So instead of stopping, it uses the Windows API to decrypt it (as you're logged into your session, the Windows API does not need any master key to decrypt it). The retrieved password seems weird, so I think it's not used anymore (in my point of view).

I'm closing the issue. If you find a problem, open a new one. Thanks again.

Hope it helped. Have a nice day.