AlessandroZ / LaZagne

Credentials recovery project
GNU Lesser General Public License v3.0

Cannot find Yandex browser password #600

Closed QGB closed 2 years ago

QGB commented 2 years ago
C:\test\github.com\AlessandroZ\LaZagne\releases\download\2.4.3>laZagne.exe browsers -yandexBrowser -vv

|====================================================================|
|                                                                    |
|                        The LaZagne Project                         |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|

[!] Python 2.7.16 on Windows AMD64: Intel64 Family 6 Model 61 Stepping 4, GenuineIntel

########## User: qgb ##########

 ------------------- Yandexbrowser passwords -----------------

[!] No passwords found

[+] 0 passwords have been found.

elapsed time = 0.00499987602234

C:\UserData\AppData\Local\YandexBrowser\Application\User Data\Default\Ya Login Data

MyLoginOnGitHub commented 2 years ago

Use the latest version of the project (master branch). The last release was published almost three years ago.
By the way, @AlessandroZ, why not consider making a new release?

QGB commented 2 years ago

browsers -yandexBrowser -vv

@MyLoginOnGitHub I cloned the latest version of the code from GitHub, but it is still not working:

|====================================================================|
|                                                                    |
|                        The LaZagne Project                         |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|

[!] Python 3.7.4 on Windows AMD64: Intel64 Family 6 Model 61 Stepping 4, GenuineIntel

[+] System masterkey decrypted for 0490b561-f99d-4679-bf7a-f621...
[+] System masterkey decrypted for 096e0e37-c3cd-44a6-bc8a-cff6...
[+] System masterkey decrypted for 0b7e8ede-d4e8-4275-9448-86c4...
[+] System masterkey decrypted for 10e128ef-6756-47f0-9fde-0ef9...
[+] System masterkey decrypted for 2707ef11-5af6-447d-86f1-d8f3...
[+] System masterkey decrypted for 2f95a2ad-58eb-4ffb-9068-e395...
[+] System masterkey decrypted for 500caf93-e49b-4586-80e9-86ce...
[+] System masterkey decrypted for 50264f9b-c69b-44ad-9c16-e14d...
[+] System masterkey decrypted for 62e124b1-5ff2-4130-98d2-38de...
[+] System masterkey decrypted for 660d4839-da79-49f0-a726-8d0c...
[+] System masterkey decrypted for 864efab0-c0a4-4f4c-88f6-05b1...
[+] System masterkey decrypted for 8d60b624-20ff-4387-975d-8a82...
[+] System masterkey decrypted for 8e825111-1650-4d87-91bc-4074...
[+] System masterkey decrypted for 90948617-60de-4509-a5d4-3587...
[+] System masterkey decrypted for b8171581-d1c3-45d7-aaa7-4391...
[+] System masterkey decrypted for d71d8746-0bfe-4c38-bf98-8a49...
[+] System masterkey decrypted for eae04f26-09be-4bc9-a927-be9f...
[+] System masterkey decrypted for f60378dc-1bc9-4b5a-aecf-ca53...

########## User: SYSTEM ##########

[!] Temp sam removed: C:\Users\qgb\AppData\Local\Temp\rqhlbh
[!] Temp security removed: C:\Users\qgb\AppData\Local\Temp\jgutegdjxi
[!] Temp system removed: C:\Users\qgb\AppData\Local\Temp\yfclwvpycfwr

########## User: qgb ##########

 ------------------- Yandexbrowser passwords -----------------

[!] No passwords found

########## User: Administrator ##########

[-] Administrator not ok for masterkey 6135e307-4600-403c-aa50-eb61...
[-] Administrator not ok for masterkey e332ac4d-bbb2-486e-949b-2ffe...

[+] 0 passwords have been found.

elapsed time = 8.503089904785156

AlessandroZ commented 2 years ago

Hi! Yandex is not supported. I have added the code I had started to write, expecting someone could check it. Here is a description about Yandex: https://github.com/AlessandroZ/LaZagne/issues/483

@MyLoginOnGitHub, since Travis is broken, I wanted to switch to GitHub Workflows: https://github.com/AlessandroZ/LaZagne/blob/master/.github/workflows/WinCompile.yml but never finished the process. Sorry about it.

QGB commented 2 years ago

@AlessandroZ I am using an old version of Yandex. What is the last Yandex version that LaZagne supported?

AlessandroZ commented 2 years ago

None. As I said, I put in all the code I had started at the time, but without success. I left it in to see if it could help people, but I should remove it; it causes more confusion.

kokolbin commented 2 years ago

Hi, AlessandroZ. I have looked inside YaBrowser: when you get the aes_gcm key (from DPAPI decryption of ) you can verify that this key is valid: you can decrypt "checker_state":{"encrypted_data"} with this key and the plain text should be "0x00". So the key is valid. But looking at YaPassmanData.logins.password_value and playing with the length of the saved password, we can conclude that they (Ya) use the same AES_GCM algorithm to protect saved passwords: {nonce[12], ciphertext[SavedPasswordLength], tag[16]}, but when you try to decrypt the ciphertext with the valid key you get binary waste. The first idea was to play with positions: {nonce, ciphertext, tag} -> {ciphertext, nonce, tag} -> ... with no result.

So the real action that can help us understand how passwords are encrypted and stored is reversing the YaBrowser application: try to find the place where decryption begins, breakpoint it and debug step by step.
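To make the blob layout and the checker_state test from the comment above concrete, here is an added Go example (not LaZagne's code and not Yandex's): it builds a constructed blob in the nonce[12] || ciphertext || tag[16] layout, parses and decrypts it with tag verification, and applies the "must decrypt to 0x00" key check. The key and nonces are constructed test values, and Go is used only because its standard library ships AES-GCM; note that an AEAD decrypt with a wrong key or a wrong field order fails authentication instead of returning garbage, which is itself a useful signal when validating a candidate key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Layout described in the thread: nonce[12] || ciphertext[len(password)] || tag[16].
const nonceLen, tagLen = 12, 16

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBlob builds a constructed test blob in the nonce||ciphertext||tag layout.
func sealBlob(key, nonce, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(append([]byte{}, nonce...), nonce, plaintext, nil), nil // Seal appends ct||tag after the nonce
}

// openBlob splits nonce||ciphertext||tag and decrypts with tag verification: a wrong key
// or a wrong field order returns an authentication error rather than garbage plaintext.
func openBlob(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceLen+tagLen {
		return nil, fmt.Errorf("blob too short (%d bytes) for nonce and tag", len(blob))
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceLen], blob[nonceLen:], nil)
}

// keyIsValid is the checker_state test from the thread: encrypted_data must decrypt to 0x00.
func keyIsValid(key, checkerBlob []byte) bool {
	pt, err := openBlob(key, checkerBlob)
	return err == nil && bytes.Equal(pt, []byte{0x00})
}
```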