AlessandroZ / LaZagne

Credentials recovery project
GNU Lesser General Public License v3.0

Win 1909-2004H1 hashdump error #540

Closed Papotito123 closed 3 years ago

Papotito123 commented 3 years ago

Hello: I had Win 1809 x64, but for some reason it upgraded to Win 10 1909 x64 (11/11/2020). The user account is a local user. I am using the latest lazagne code, compiled. AVAST antivirus is disabled.

Running lazagne.exe all -vvv, this error shows:

------------------- Hashdump passwords -----------------

[!] Traceback (most recent call last):
  File "lazagne\config\run.py", line 45, in run_module
  File "lazagne\softwares\windows\hashdump.py", line 12, in run
  File "lazagne\softwares\windows\creddump7\win32\hashdump.py", line 295, in dump_file_hashes
  File "lazagne\softwares\windows\creddump7\win32\hashdump.py", line 281, in dump_hashes
  File "lazagne\softwares\windows\creddump7\win32\hashdump.py", line 257, in get_user_hashes
UnboundLocalError: local variable 'lmhash' referenced before assignment

------------------- Credman passwords -----------------

[!] No passwords found

------------------- Vault passwords -----------------

[!] No passwords found

------------------- Google chrome passwords -----------------

[!] Database found: C:\Users\TESTACCOUNT\AppData\Local\Google\Chrome\User Data\Default\Login Data
[!] Temporary db copied: C:\Users\TESTAC~1\AppData\Local\Temp\xkyqbfavj

------------------- Wsl passwords ----------------- <<< I installed WSL (Ubuntu)

[+] Hash found !!!
Hash: $6$wWVMzgzj$ZIWu4Bww6Fxbd2IiKHDr8Hv2N2O6iGuzPCvGCaiU4/knHsOybLLwo63S51GwizSnNEdIcajPk06CS/Pk8p/RG0:18586:0:99999:7:::
Login: name

elapsed time = 431.9999680519104

I found this service, LsaIso.exe (Credential Guard & Key Guard), running. I think it is the first time.

I also ran mimikatz, and it doesn't retrieve the Chrome login, doesn't retrieve CREDHIST history, and retrieves the user password as TBAL{68EDDCF5-0AEB-4C28-A770-AF5302ECA3C9}.

The only tool that grabs the Chrome login is ChromePass; WebBrowserPassView also didn't grab Chrome logins.

Any info is much appreciated.

Papotito123 commented 3 years ago

Hello: Well, my Chrome logins, Vault, Credentials and CREDHIST history were wiped. Why and how? I don't have a straight answer. Recently I was upgraded to Win 1909. But I'm sure I tested lazagne, mimikatz, NTHASH, and some NirSoft tools to be sure things were good. All tools worked well and retrieved everything. In the last few days I installed WSL (Ubuntu) to test something. Then I used WUL 1.6 (Windows Login Unlocker from joker-2013), and also NTPWEDIT to unlock and change the password of the hidden Administrator account.

Finally, I used the utilman trick to get a cmd at the login screen and tested changing the TESTACCOUNT user password with net user TESTACCOUNT newpassword, and it worked. Is it expected that this could wipe my Chrome logins, Vault, Credentials and CREDHIST history?

So I saved the IE login and Chrome logins again, and they were retrieved by lazagne and mimi. CREDHIST history still looks empty.

But the hashdump still gives an error (I tested older versions and still get the error):

------------------- Hashdump passwords -----------------

[!] Traceback (most recent call last):
  File "lazagne\config\run.py", line 45, in run_module
  File "lazagne\softwares\windows\hashdump.py", line 12, in run
  File "lazagne\softwares\windows\creddump7\win32\hashdump.py", line 295, in dump_file_hashes
  File "lazagne\softwares\windows\creddump7\win32\hashdump.py", line 281, in dump_hashes
  File "lazagne\softwares\windows\creddump7\win32\hashdump.py", line 257, in get_user_hashes
UnboundLocalError: local variable 'lmhash' referenced before assignment

Sorry. Thanks. Any info is much appreciated.

Papotito123 commented 3 years ago

Hello: Win 1909 x64, local account. AVAST disabled. I uninstalled Credential Guard, so LsaIso.exe (Credential Guard & Key Guard) is gone. But there is still the --- Hashdump passwords --- error.

I tested the same lazagne.exe on my Win 10 2004H1 x64 and Hashdump passwords works well.

Papotito123 commented 3 years ago

Hello: I tested lazagne.py versions from May 12 2020 until the last release and all give the same error:

------------------- Hashdump passwords -----------------

[!] Traceback (most recent call last):
  File "lazagne\config\run.py", line 45, in run_module
  File "lazagne\softwares\windows\hashdump.py", line 12, in run
  File "lazagne\softwares\windows\creddump7\win32\hashdump.py", line 295, in dump_file_hashes
  File "lazagne\softwares\windows\creddump7\win32\hashdump.py", line 281, in dump_hashes
  File "lazagne\softwares\windows\creddump7\win32\hashdump.py", line 257, in get_user_hashes
UnboundLocalError: local variable 'lmhash' referenced before assignment

Papotito123 commented 3 years ago

Hello: Just now I ran the compiled lazagne on Win 10 1909 x64 and -- Hashdump passwords -- worked well. It retrieved hashes without error.

Well, another mystery.

Thanks.