Closed Papotito123 closed 3 years ago
Try to check how these passwords are decrypted and how other tools decrypt them.
For Windows credentials, LaZagne uses 2 mechanisms:
So maybe the user account password has been found and all passwords are retrieved using it, and all tools call only the CryptUnprotectData function. I don't know.
Hello: I used a tool to bypass Windows user login (local and Microsoft user) that works well.
While inside the OS after the bypass, I ran some tools including mimikatz and LaZagne to compare which info/passwords that are the real ones can still be retrieved in "bypass" mode.
Most of the passwords linked to DPAPI failed to be grabbed.
LaZagne was the only tool that, although its Pypykatz module captures the "bypassed hashes", the HashDump module still caught the real NTLM hash of the real user.
Just a curious thing.
I forgot to mention: Chrome (85.0.4183.102 (Official Build) (64-bit)) passwords were not retrieved. But Firefox (79.0 (64-bit)) ones still can be.