
lazagneforensic's Introduction

The LaZagne Project !!!

Description

The LaZagne project is back !!!

LaZagne uses an internal Windows function called CryptUnprotectData to decrypt user passwords. This API has to be called inside the victim user's session; otherwise it does not work. If the computer has not been started (when the analysis is performed on an offline mounted disk), or if we do not want to drop a binary on the remote host, no passwords can be retrieved.

LaZagneForensic has been created to avoid this problem. This work has been mainly inspired by the awesome work done by Jean-Michel Picod and Elie Bursztein for DPAPICK and Francesco Picasso for Windows DPAPI laboratory.

Note: The main limitation is that, to decrypt these passwords, the user's Windows password is needed.

Installation

  • Requires python2 (not compatible with python3)
  • Requires pip2; if it is not installed:
    sudo wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
    sudo python2 ./get-pip.py
  • Install the dependencies:
    sudo apt install python2-dev
    pip2 install markerlib
    pip2 install distribute
    pip2 install -r requirements.txt

Usage

First way - Dump configuration files from the remote host

  • On the remote host, run the PowerShell script:
    PS C:\Users\test\Desktop> Import-Module .\dump.ps1
    PS C:\Users\test\Desktop> Dump
    Folder dump created successfully !
  • Or use the Python script:
    python dump.py
  • Launch LaZagne with the password if you have it:
    python laZagneForensic.py all -remote /tmp/dump -password 'ZapataVive'
  • Launch LaZagne without the password:
    python laZagneForensic.py all -remote /tmp/dump

Second way - Mount a disk on your filesystem

  • The disk should be mounted on your filesystem:
test:~$ ls /tmp/disk/
total 769M
drwxr-xr-x 2 root root    0 févr.  1 14:05 ProgramData
-rwxr-xr-x 1 root root 256M févr.  1 14:05 swapfile.sys
-rwxr-xr-x 1 root root 512M févr.  1 14:05 pagefile.sys
drwxr-xr-x 2 root root    0 janv. 31 00:35 System Volume Information
dr-xr-xr-x 2 root root    0 janv. 26 10:17 Program Files (x86)
dr-xr-xr-x 2 root root    0 janv. 25 18:13 Program Files
drwxr-xr-x 2 root root    0 janv. 19 10:09 Windows
drwxr-xr-x 2 root root    0 janv. 16 15:52 Homeware
drwxr-xr-x 2 root root    0 janv.  9 17:33 PerfLogs
drwxr-xr-x 2 root root    0 nov.  22 20:37 Recovery
drwxr-xr-x 2 root root 4,0K nov.  22 20:31 Documents and Settings
dr-xr-xr-x 2 root root    0 nov.  22 20:31 Users
  • Launch LaZagne with the password if you have it:
    python laZagneForensic.py all -local /tmp/disk -password 'ZapataVive'
  • Launch LaZagne without the password:
    python laZagneForensic.py all -local /tmp/disk

Note: Use -v for verbose mode and -vv for debug mode.

Supported software

Note: Check the following image to understand which passwords you can decrypt without needing the user's Windows password. Every credential found is also tried as the Windows password, in case the user reuses the same password.

The LaZagne project

Donation

Do not hesitate to support my work with a donation; I will appreciate it a lot:

  • Via BTC: 16zJ9wTXU4f1qfMLiWvdY3woUHtEBxyriu

Special thanks

  • Jean-Michel Picod and Elie Bursztein for DPAPICK
  • Francesco Picasso for Windows DPAPI laboratory
  • Jean-Christophe Delaunay - Jiss/Fist0urs from the Synacktiv team for their work

Recommended articles related to DPAPI


Alessandro ZANNI
[email protected]

lazagneforensic's People

Contributors

alessandroz, anonymouz4


lazagneforensic's Issues

Error when dumping

Dumping overall works great, but this error pops up every time:

config/DPAPI/masterkey.py", line 186, in get_password
return self.keys.get(guid, [])['password']
TypeError: list indices must be integers, not str

Migration to python3

Hello,

It would be very nice to have a port to python3.

Thanks for your amazing job

Error

Sorry to keep spamming your mail with these issues, but I've found that the forensic version could be more helpful to me. However, when running it I get this error:

|====================================================================|
|                                                                    |
|                        The LaZagne Project                         |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|
		
Traceback (most recent call last):
  File "laZagneForensic.py", line 380, in <module>
    for r in runLaZagne(category_choosed=category_choosed, password=constant.user_password, pwdhash=constant.user_pwdhash):
  File "laZagneForensic.py", line 259, in runLaZagne
    constant.user_dpapi = Decrypt_DPAPI(password=password, pwdhash=pwdhash)
  File "/root/Desktop/LaZagneForensic/LaZagneForensic/lazagne/config/dpapi.py", line 40, in __init__
    masterkeydir 	= os.path.join(protect_folder, self.sid)
  File "/usr/lib/python2.7/posixpath.py", line 68, in join
    if b.startswith('/'):
AttributeError: 'NoneType' object has no attribute 'startswith'

Do I need some extra operation before running it?

Thanks

Problem installing LaZagne Forensic on Windows 10

I am trying to test out the LaZagne Forensic script on Windows 10 but can't seem to install it without error.

I run the following command (it does not work without the full path in quotes):

pip install -r "C:\temp\LaZagneForensic-master\requirements.txt"

It starts downloading and installing but fails. What am I missing? Is there a list of requirements for a Windows 10 machine? Or is there a standalone version that I have missed for the Forensic version?

Thank you

Here's the log from when I try to install the script.

C:\temp\LaZagneForensic-master\LaZagneForensic>pip install -r "C:\temp\LaZagneForensic-master\requirements.txt"
Collecting https://github.com/williballenthin/python-registry/archive/master.zip (from -r C:\temp\LaZagneForensic-master\requirements.txt (line 4))
Downloading https://github.com/williballenthin/python-registry/archive/master.zip (11.4MB)
100% |████████████████████████████████| 11.4MB 3.3MB/s
Collecting pycrypto (from -r C:\temp\LaZagneForensic-master\requirements.txt (line 1))
Using cached https://files.pythonhosted.org/packages/60/db/645aa9af249f059cc3a368b118de33889219e0362141e75d4eaf6f80f163/pycrypto-2.6.1.tar.gz
Collecting pyasn1 (from -r C:\temp\LaZagneForensic-master\requirements.txt (line 2))
Using cached https://files.pythonhosted.org/packages/ba/fe/02e3e2ee243966b143657fb8bd6bc97595841163b6d8c26820944acaec4d/pyasn1-0.4.2-py2.py3-none-any.whl
Collecting construct==2.9.39 (from -r C:\temp\LaZagneForensic-master\requirements.txt (line 3))
Using cached https://files.pythonhosted.org/packages/8e/6b/213a77e314a44c2656c2a9bb950ca7068e617ea87881b5150e007b5c14c9/construct-2.9.39.tar.gz
Collecting enum34 (from python-registry==1.2.0->-r C:\temp\LaZagneForensic-master\requirements.txt (line 4))
Using cached https://files.pythonhosted.org/packages/af/42/cb9355df32c69b553e72a2e28daee25d1611d2c0d9c272aa1d34204205b2/enum34-1.1.6-py3-none-any.whl
Collecting unicodecsv (from python-registry==1.2.0->-r C:\temp\LaZagneForensic-master\requirements.txt (line 4))
Using cached https://files.pythonhosted.org/packages/6f/a4/691ab63b17505a26096608cc309960b5a6bdf39e4ba1a793d5f9b1a53270/unicodecsv-0.14.1.tar.gz
Installing collected packages: pycrypto, pyasn1, construct, enum34, unicodecsv, python-registry
Running setup.py install for pycrypto ... error
Complete output from command "c:\users\USERACCOUNT\appdata\local\programs\python\python36-32\python.exe" -u -c "import setuptools, tokenize;file='C:\Users\USERACCOUNT1\AppData\Local\Temp\pip-install-eebp84s5\pycrypto\setup.py';f=getattr(tokenize, 'open', open)(file);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, file, 'exec'))" install --record C:\Users\USERACCOUNT1\AppData\Local\Temp\pip-record-6ylourdh\install-record.txt --single-version-externally-managed --compile:
running install
running build
running build_py
Skipping optional fixer: buffer
Skipping optional fixer: idioms
Skipping optional fixer: set_literal
Skipping optional fixer: ws_comma
running build_ext
warning: GMP or MPIR library not found; Not building Crypto.PublicKey._fastmath.
building 'Crypto.Random.OSRNG.winrandom' extension
creating build\temp.win32-3.6
creating build\temp.win32-3.6\Release
creating build\temp.win32-3.6\Release\src
C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Tools\MSVC\14.13.26128\bin\HostX86\x86\cl.exe /c /nologo /Ox /W3 /GL /DNDEBUG /MD -Isrc/ -Isrc/inc-msvc/ "-Ic:\users\USERACCOUNT\appdata\local\programs\python\python36-32\include" "-Ic:\users\USERACCOUNT\appdata\local\programs\python\python36-32\include" "-IC:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Tools\MSVC\14.13.26128\include" "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt" "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\shared" "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\um" "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\winrt" "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\cppwinrt" /Tcsrc/winrand.c /Fobuild\temp.win32-3.6\Release\src/winrand.obj
winrand.c
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(26): error C2061: syntax error: identifier 'intmax_t'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(27): error C2061: syntax error: identifier 'rem'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(27): error C2059: syntax error: ';'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(28): error C2059: syntax error: '}'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(30): error C2061: syntax error: identifier 'imaxdiv_t'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(30): error C2059: syntax error: ';'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(40): error C2143: syntax error: missing '{' before '__cdecl'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(41): error C2146: syntax error: missing ')' before identifier '_Number'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(41): error C2061: syntax error: identifier '_Number'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(41): error C2059: syntax error: ';'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(42): error C2059: syntax error: ')'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(45): error C2143: syntax error: missing '{' before '__cdecl'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(46): error C2146: syntax error: missing ')' before identifier '_Numerator'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(46): error C2061: syntax error: identifier '_Numerator'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(46): error C2059: syntax error: ';'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(46): error C2059: syntax error: ','
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(48): error C2059: syntax error: ')'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(50): error C2143: syntax error: missing '{' before '__cdecl'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(56): error C2143: syntax error: missing '{' before '__cdecl'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(63): error C2143: syntax error: missing '{' before '__cdecl'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(69): error C2143: syntax error: missing '{' before '__cdecl'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(76): error C2143: syntax error: missing '{' before '__cdecl'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(82): error C2143: syntax error: missing '{' before '__cdecl'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(89): error C2143: syntax error: missing '{' before '__cdecl'
C:\Program Files (x86)\Windows Kits\10\include\10.0.16299.0\ucrt\inttypes.h(95): error C2143: syntax error: missing '{' before '__cdecl'
error: command 'C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Tools\MSVC\14.13.26128\bin\HostX86\x86\cl.exe' failed with exit status 2

----------------------------------------

Command ""c:\users\USERACCOUNT\appdata\local\programs\python\python36-32\python.exe" -u -c "import setuptools, tokenize;file='C:\Users\USERACCOUNT1\AppData\Local\Temp\pip-install-eebp84s5\pycrypto\setup.py';f=getattr(tokenize, 'open', open)(file);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, file, 'exec'))" install --record C:\Users\USERACCOUNT1\AppData\Local\Temp\pip-record-6ylourdh\install-record.txt --single-version-externally-managed --compile" failed with error code 1 in C:\Users\USERACCOUNT~1\AppData\Local\Temp\pip-install-eebp84s5\pycrypto\

Problem when decrypting Win7 32bit system passwords !!

I mounted a disk (-local disk_path) with Win7 32bit installed on it and used the -password option. laZagneF "didn't find the wifi password": it claims it found it (and it's None). I'm running Linux 64bit to decrypt; maybe the difference in architecture could be a cause, since I used to decrypt wifi passwords of Win7 64 with LaZagneF.

logs:

....

User : myUser

[!] myPassWord ok for master key X
[!] myPassWord not ok for master key Y
....
---------- Wifi passwords ------

[+] Password found
Auth ... WPA2PSK
Wifi : mySSID
Password : None

zimbra desktop

Can you add a feature to dump zimbra-desktop email account passwords?

StreamError: could not read enough bytes, expected 8, found 7 (Chrome passwords)

I am stuck here, getting the StreamError as described in the subject. The full error can be seen in the output below.

Hoping someone could give me a hint to what I am doing wrong....?

Thanks for sharing your project by the way,

Mark

Here is my setup:

I have mounted an EWF file using ewfmount like this:

mkdir /mnt/e01
ewfmount /file/path/to/xx.E01 /mnt/e01

mkdir /mnt/mp
mount /mnt/e01/ewf1 /mnt/mp -o ro,loop,show_sys_files,offset=$((239616*512))

Here is the content of the windows file system:
ls -alh /mnt/mp/
total 9.9G
drwxrwxrwx 1 root root 4.0K Sep 28 10:59 .
drwxr-xr-x 14 root root 4.0K Oct 5 11:23 ..
-rwxrwxrwx 1 root root 2.5K Sep 28 11:54 '$AttrDef'
-rwxrwxrwx 1 root root 0 Sep 28 11:54 '$BadClus'
-rwxrwxrwx 1 root root 7.5M Sep 28 11:54 '$Bitmap'
-rwxrwxrwx 1 root root 8.0K Sep 28 11:54 '$Boot'
lrwxrwxrwx 2 root root 13 Sep 28 10:59 'Documents and Settings' -> /mnt/mp/Users
-rwxrwxrwx 2 root root 8.0K Sep 28 10:59 DumpStack.log.tmp
drwxrwxrwx 1 root root 0 Sep 28 11:54 '$Extend'
-rwxrwxrwx 1 root root 7.9G Sep 28 12:24 hiberfil.sys
-rwxrwxrwx 1 root root 64M Sep 28 11:54 '$LogFile'
-rwxrwxrwx 1 root root 4.0K Sep 28 11:54 '$MFTMirr'
-rwxrwxrwx 1 root root 1.9G Sep 28 10:59 pagefile.sys
drwxrwxrwx 1 root root 0 Dec 7 2019 PerfLogs
drwxrwxrwx 1 root root 4.0K Sep 28 12:14 ProgramData
drwxrwxrwx 1 root root 4.0K Sep 28 12:20 'Program Files'
drwxrwxrwx 1 root root 4.0K Sep 28 12:20 'Program Files (x86)'
lrwxrwxrwx 2 root root 21 Sep 28 10:59 Programmer -> '/mnt/mp/Program Files'
drwxrwxrwx 1 root root 0 Sep 28 10:59 Recovery
drwxrwxrwx 1 root root 0 Sep 28 12:06 '$Recycle.Bin'
---------- 1 root root 0 Sep 28 11:54 '$Secure'
-rwxrwxrwx 1 root root 16M Sep 28 10:59 swapfile.sys
drwxrwxrwx 1 root root 4.0K Sep 28 11:01 'System Volume Information'
-rwxrwxrwx 1 root root 128K Sep 28 11:54 '$UpCase'
drwxrwxrwx 1 root root 4.0K Sep 28 12:22 Users
-rwxrwxrwx 1 root root 0 Sep 28 11:54 '$Volume'
drwxrwxrwx 1 root root 16K Sep 28 12:02 Windows

And here is the failing command for extracting data using lazagne forensics and the password (I have created the Windows installation, so we know the password in advance).

mba@mba-ThinkPad-T450s:~/myproject/src$ python2.7 lf/LaZagneForensic/LaZagneForensic/laZagneForensic.py all -vv -local /mnt/mp -password 'Kirkemus'

|====================================================================|
|                                                                    |
|                        The LaZagne Project                         |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|

########## User: ovelse21offline ##########

[!] Kirkemus ok for masterkey a0d2ea99-ab04-4a7a-bb26-51e28e18df34
[!] [+] System masterkey decrypted for 1bf990f9-d699-49a6-9a8b-d594e9883ad3
[!] [+] System masterkey decrypted for ccb68759-69a6-49e4-8059-31e2d620fae8
------------------- Pidgin passwords -----------------

[!] Pidgin not found.
[!] No passwords found

------------------- Thunderbird passwords -----------------

[!] Thunderbird not found.
[!] No passwords found

------------------- Apachedirectorystudio passwords -----------------

[!] Apachedirectorystudio not found.
[!] No passwords found

------------------- Filezilla passwords -----------------

[!] Filezilla not found.
[!] No passwords found

------------------- Firefox passwords -----------------

[!] Profile path found: /mnt/mp/Users/ovelse21offline/AppData/Roaming/Mozilla/Firefox/Profiles/0dnz79y8.default
Traceback (most recent call last):
  File "lf/LaZagneForensic/LaZagneForensic/laZagneForensic.py", line 100, in run_module
    pwdFound = module.run(title.capitalize()) # run the module
  File "/home/mba/polenta/src/lf/LaZagneForensic/LaZagneForensic/lazagne/softwares/browsers/mozilla.py", line 364, in run
    key = self.get_key(profile)
  File "/home/mba/polenta/src/lf/LaZagneForensic/LaZagneForensic/lazagne/softwares/browsers/mozilla.py", line 73, in get_key
    key_data = self.readBsddb(os.path.join(profile, 'key3.db'))
  File "/home/mba/polenta/src/lf/LaZagneForensic/LaZagneForensic/lazagne/softwares/browsers/mozilla.py", line 132, in readBsddb
    with open(name, 'rb') as f:
IOError: [Errno 2] No such file or directory: u'/mnt/mp/Users/ovelse21offline/AppData/Roaming/Mozilla/Firefox/Profiles/0dnz79y8.default/key3.db'

------------------- Dbvis passwords -----------------

[!] Dbvis not found.
[!] No passwords found

------------------- Robomongo passwords -----------------

[!] No passwords found

------------------- Sqldeveloper passwords -----------------

[!] Sqldeveloper not found.
[!] No passwords found

------------------- Squirrel passwords -----------------

[!] Squirrel not found.
[!] No passwords found

------------------- Windows passwords -----------------

[+] Password found !!!
Login: ovelse21offline
Password: Kirkemus

------------------- Chrome passwords -----------------

[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/PepperFlash/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/BrowserMetrics/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/BrowserMetrics-spare.pma/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/CertificateRevocation/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/chrome_shutdown_ms.txt/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/Crashpad/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/CrashpadMetrics-active.pma/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/Crowd Deny/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/Default/Login Data
[!] Traceback (most recent call last):
File "/home/mba/polenta/src/lf/LaZagneForensic/LaZagneForensic/lazagne/softwares/browsers/chrome.py", line 70, in run
password = constant.user_dpapi.decrypt_blob(result[2])
File "/home/mba/polenta/src/lf/LaZagneForensic/LaZagneForensic/lazagne/config/dpapi.py", line 96, in decrypt_blob
blob = DPAPIBlob(dpapi_blob)
File "/home/mba/polenta/src/lf/LaZagneForensic/LaZagneForensic/lazagne/config/DPAPI/blob.py", line 15, in init
self.dpapiblob = DPAPI_BLOB_STRUCT.parse(dpapiblob)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 260, in parse
return self.parse_stream(io.BytesIO(data), **contextkw)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 268, in parse_stream
return self._parsereport(stream, context, "(parsing)")
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 280, in _parsereport
obj = self._parse(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 1891, in _parse
subobj = sc._parsereport(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 280, in _parsereport
obj = self._parse(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 2376, in _parse
return self.subcon._parsereport(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 280, in _parsereport
obj = self._parse(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 1891, in _parse
subobj = sc._parsereport(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 280, in _parsereport
obj = self._parse(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 2376, in _parse
return self.subcon._parsereport(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 280, in _parsereport
obj = self._parse(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 1891, in _parse
subobj = sc._parsereport(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 280, in _parsereport
obj = self._parse(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 2376, in _parse
return self.subcon._parsereport(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 280, in _parsereport
obj = self._parse(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 747, in _parse
return _read_stream(stream, length)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 84, in _read_stream
raise StreamError("could not read enough bytes, expected %d, found %d" % (length, len(data)))
StreamError: could not read enough bytes, expected 8, found 7

[!] Traceback (most recent call last):
File "/home/mba/polenta/src/lf/LaZagneForensic/LaZagneForensic/lazagne/softwares/browsers/chrome.py", line 70, in run
password = constant.user_dpapi.decrypt_blob(result[2])
File "/home/mba/polenta/src/lf/LaZagneForensic/LaZagneForensic/lazagne/config/dpapi.py", line 96, in decrypt_blob
blob = DPAPIBlob(dpapi_blob)
File "/home/mba/polenta/src/lf/LaZagneForensic/LaZagneForensic/lazagne/config/DPAPI/blob.py", line 15, in init
self.dpapiblob = DPAPI_BLOB_STRUCT.parse(dpapiblob)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 260, in parse
return self.parse_stream(io.BytesIO(data), **contextkw)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 268, in parse_stream
return self._parsereport(stream, context, "(parsing)")
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 280, in _parsereport
obj = self._parse(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 1891, in _parse
subobj = sc._parsereport(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 280, in _parsereport
obj = self._parse(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 2376, in _parse
return self.subcon._parsereport(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 280, in _parsereport
obj = self._parse(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 1891, in _parse
subobj = sc._parsereport(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 280, in _parsereport
obj = self._parse(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 2376, in _parse
return self.subcon._parsereport(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 280, in _parsereport
obj = self._parse(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 1891, in _parse
subobj = sc._parsereport(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 280, in _parsereport
obj = self._parse(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 2376, in _parse
return self.subcon._parsereport(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 280, in _parsereport
obj = self._parse(stream, context, path)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 893, in _parse
data = _read_stream(stream, self.length)
File "/home/mba/.local/lib/python2.7/site-packages/construct/core.py", line 84, in _read_stream
raise StreamError("could not read enough bytes, expected %d, found %d" % (length, len(data)))
StreamError: could not read enough bytes, expected 2, found 1

[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/FileTypePolicies/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/First Run/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/Floc/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/GrShaderCache/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/Last Browser/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/Last Version/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/Local State/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/MEIPreload/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/Module Info Cache/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/OriginTrials/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/pnacl/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/RecoveryImproved/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/Safe Browsing/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/SafetyTips/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/ShaderCache/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/SSLErrorAssistant/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/Subresource Filter/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/SwReporter/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/ThirdPartyModuleList64/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/TLSDeprecationConfig/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/TrustTokenKeyCommitments/Login Data
[!] Cookie dump not enabled
[!] History export not enabled
[!] User database not found: /mnt/mp/Users/ovelse21offline/AppData/Local/Google/Chrome/User Data/WidevineCdm/Login Data
[!] No passwords found

------------------- Opera passwords -----------------

[!] Opera not found.
[!] No passwords found

------------------- Coccoc passwords -----------------

[!] Coccoc not found.
[!] No passwords found

------------------- Tortoise passwords -----------------

[!] Tortoise not found.
[!] No passwords found

------------------- Credentials passwords -----------------

[!] No passwords found

------------------- Vault passwords -----------------

[!] No passwords found

########## User: SYSTEM ##########

------------------- Ftpnavigator passwords -----------------

[!] Ftpnavigator not found.
[!] No passwords found

------------------- Unattended passwords -----------------

[!] No passwords found

------------------- Sysvault passwords -----------------

[!] No .vcrd file found. Nothing to decrypt.
[!] Policy file not found: /mnt/mp/Windows/System32/config/systemprofile/AppData/Local/Microsoft/Vault/UserProfileRoaming/Policy.vpol
[!] No passwords found

------------------- Cachedump passwords -----------------

[!] No passwords found

------------------- Lsasecrets passwords -----------------

NL$KM
0000 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 @...............
0010 C3 7D 43 24 8E 18 72 C4 DE 97 7F 3E A4 65 F2 A8 .}C$..r....>.e..
0020 BB 9E C0 AC 00 E8 27 4D F3 58 E5 47 22 E4 E1 FB ......'M.X.G"...
0030 70 3A 98 B3 7C 84 45 10 4A EC 89 15 6F EA 66 11 p:..|.E.J...o.f.
0040 3A 6F 24 EE EA D9 38 A1 1A 32 0A 7E 83 D1 5A 0B :o$...8..2.~..Z.
0050 93 3F 50 35 FA 9C 00 AA 69 15 59 49 36 C3 76 DB .?P5....i.YI6.v.

DPAPI_SYSTEM
0000 2C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ,...............
0010 01 00 00 00 F7 C2 0E 1B BA 86 A3 7B FE 02 51 63 ...........{..Qc
0020 26 F4 47 D4 2D 1F F0 54 8C 81 51 93 6F 3F D4 CE &.G.-..T..Q.o?..
0030 E5 E5 F9 0F E8 8F C6 F9 FA 33 00 DB 00 00 00 00 .........3......

DefaultPassword
0000 1C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010 4F 00 34 00 4D 00 46 00 4C 00 30 00 44 00 39 00 O.4.M.F.L.0.D.9.
0020 34 00 31 00 52 00 39 00 4C 00 42 00 00 00 00 00 4.1.R.9.L.B.....

------------------- Hashes passwords -----------------

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Gæst:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ovelse21offline:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

------------------- Wifi passwords -----------------

[+] Password found !!!
Authentication: WPA2PSK
Wifi: Galaxy A402420
Password: pkew5783

[+] 2 passwords found.

elapsed time = 1.06723499298
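The Lsasecrets and Hashes sections above are printed raw, and interpreting them is left to the analyst. As an added example (Python 3, not part of LaZagneForensic), the following parses exactly those lines: it flags accounts whose NT hash is the well-known empty-password hash, decodes the DefaultPassword secret as UTF-16LE, and splits DPAPI_SYSTEM into its machine and user keys. The LSA secret blob layout (4-byte little-endian length, 12 further bytes, then the secret) and the DPAPI_SYSTEM layout (4-byte version, 20-byte machine key, 20-byte user key) follow the structures documented in impacket; that the tool's hexdump shows the blob in exactly that form is an assumption made here.

```python
import re
import struct

# Well-known LM and NT hashes of an empty password (documented constants).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Hash lines copied from the tool output above (pwdump format user:rid:lm:nt:::).
HASH_LINES = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Gæst:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ovelse21offline:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

# LSA secret hexdumps copied from the Lsasecrets section above.
LSA_DUMP = """\
DPAPI_SYSTEM
0000 2C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ,...............
0010 01 00 00 00 F7 C2 0E 1B BA 86 A3 7B FE 02 51 63 ...........{..Qc
0020 26 F4 47 D4 2D 1F F0 54 8C 81 51 93 6F 3F D4 CE &.G.-..T..Q.o?..
0030 E5 E5 F9 0F E8 8F C6 F9 FA 33 00 DB 00 00 00 00 .........3......

DefaultPassword
0000 1C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010 4F 00 34 00 4D 00 46 00 4C 00 30 00 44 00 39 00 O.4.M.F.L.0.D.9.
0020 34 00 31 00 52 00 39 00 4C 00 42 00 00 00 00 00 4.1.R.9.L.B.....
"""


def triage_hashes(text):
    """Map user -> status. An empty NT hash in an offline dump means either a
    genuinely blank password or a SAM the dumper could not decrypt, so it is a
    result to re-check, not a credential to trust."""
    result = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue
        user, lm, nt = parts[0], parts[2].lower(), parts[3].lower()
        if nt == EMPTY_NT:
            result[user] = "empty-NT (blank password or undecrypted SAM)"
        elif lm != EMPTY_LM:
            result[user] = "LM hash present (weak legacy hash stored)"
        else:
            result[user] = "NT hash only"
    return result


# One hexdump row: 4-digit offset, up to 16 hex byte pairs, then the ASCII column.
HEX_ROW = re.compile(r"^[0-9A-Fa-f]{4}((?: [0-9A-Fa-f]{2}){1,16}) ")


def parse_lsa_dump(text):
    """Split the hexdump into {secret_name: raw blob bytes}; ASCII column ignored."""
    secrets, name, buf = {}, None, bytearray()
    for line in text.splitlines():
        m = HEX_ROW.match(line)
        if m:
            buf.extend(bytes.fromhex(m.group(1).replace(" ", "")))
        elif line.strip():
            if name is not None:
                secrets[name] = bytes(buf)
            name, buf = line.strip(), bytearray()
    if name is not None:
        secrets[name] = bytes(buf)
    return secrets


def secret_payload(blob):
    """Assumed blob layout (impacket LSA_SECRET_BLOB): 4-byte LE length,
    12 unknown bytes, then `length` bytes of secret."""
    (length,) = struct.unpack_from("<I", blob, 0)
    return blob[16:16 + length]


def decode_default_password(blob):
    # DefaultPassword (autologon credential) is stored as a UTF-16LE string.
    return secret_payload(blob).decode("utf-16-le")


def split_dpapi_system(blob):
    """DPAPI_SYSTEM secret: 4-byte version (1), 20-byte machine key, 20-byte user key."""
    payload = secret_payload(blob)
    if len(payload) != 44 or struct.unpack_from("<I", payload, 0)[0] != 1:
        raise ValueError("unexpected DPAPI_SYSTEM layout")
    return {"machine_key": payload[4:24].hex(), "user_key": payload[24:44].hex()}


def triage(hash_text=HASH_LINES, lsa_text=LSA_DUMP):
    secrets = parse_lsa_dump(lsa_text)
    report = {"accounts": triage_hashes(hash_text)}
    if "DefaultPassword" in secrets:
        # Autologon configured: a plaintext credential at rest is a finding by itself.
        report["autologon_password"] = decode_default_password(secrets["DefaultPassword"])
    if "DPAPI_SYSTEM" in secrets:
        report["dpapi_system"] = split_dpapi_system(secrets["DPAPI_SYSTEM"])
    return report


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

Run against the output above, every account reports the empty NT hash, which for a forensic analyst is a reason to re-check the SAM extraction rather than conclude that all passwords are blank, and the decoded DefaultPassword shows that autologon keeps a credential in clear on disk.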

General Question

@AlessandroZ
Do you think it is a good idea if I include a memory dump (only lsass) in the dump.ps1 file?

So people that run it as system could automatically decrypt the files of the current logged in users.

As an example, this short script would be perfectly small, lightweight and AV-undetectable, and could automatically create a mem_dump file without any dependencies.

Decrypt Chrome Cookies

In the same directory as the "Login Data" File, there is also the Cookies File.

As far as I know, it uses the same Encryption Method (Win CryptUnprotectData()).

Would it be possible to just also decrypt this file, since I would assume that it's not a huge effort but would really help out?

Update:
Since there doesn't seem to be much activity on this project any more, I've tried to write my own module.
Decrypting works fine; the problem is how they can be imported again.
Does anybody know if I can encrypt them again with a dpapi blob from a different user, or does anyone have a better idea on how to import them to a different machine?

PS v2 .replace - Win7

.replace doesn't work in PS V2 (windows updates do not upgrade PS beyond the default v2 in win7)

Can't decrypt Chrome-Passwords

  • I have the plain text user password for the home account, shown below:
########## User: home ##########

[!] mypass ok for masterkey 18ee7d95-4178-48da-a4dd-ba5f5409cc53
[!] mypass ok for masterkey 6b6ecdc3-1dd0-4d9e-b70d-62055eeda39e
[!] mypass ok for masterkey 0061afb8-aea1-4218-b3c0-88e84e8ee6e1
...
  • Chrome saved password. I know this, because when viewing the Login Data with some sqlite viewer, it shows the log-in username and the encrypted password.

But the decryption in this script always fails

What can be the reason?
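A DPAPI parse failure like the StreamError in the Chrome section of the output above is consistent with the password_value column not holding a DPAPI blob at all: since Chrome 80 that column holds an AES-GCM container with a "v10" prefix, and only the key that protects it is kept DPAPI-wrapped in the Local State file, so a DPAPI blob parser applied directly to the value fails. The following added example (Python 3, not part of LaZagneForensic; all sample values and the in-memory database are constructed) classifies the values in a Login Data database so an analyst can tell which scheme is in use before suspecting the master key material. It inspects structure only and decrypts nothing.

```python
import sqlite3

# A Windows DPAPI blob begins with a 4-byte version (1) followed by the DPAPI
# provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb in little-endian byte order.
DPAPI_BLOB_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")


def classify_chrome_value(value):
    """Name the container used for one password_value cell."""
    if value.startswith(DPAPI_BLOB_MAGIC):
        return "dpapi-blob"      # legacy scheme: CryptProtectData over the password itself
    if value[:3] in (b"v10", b"v11"):
        return "aes-gcm-v10"     # Chrome 80+: AES-256-GCM, key DPAPI-wrapped in Local State
    return "unknown"


def describe_v10(value):
    """Split a v10/v11 value into its parts without decrypting:
    3-byte prefix, 12-byte GCM nonce, ciphertext, 16-byte GCM tag."""
    if len(value) < 3 + 12 + 16:
        raise ValueError("too short for a v10 value")
    return {
        "prefix": value[:3].decode("ascii"),
        "nonce": value[3:15],
        "ciphertext": value[15:-16],
        "tag": value[-16:],
    }


def build_sample_login_data():
    """Constructed in-memory stand-in for Chrome's 'Login Data' SQLite file
    (only the columns this survey touches)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)"
    )
    legacy = DPAPI_BLOB_MAGIC + bytes(40)                 # constructed filler, not a real blob
    modern = b"v10" + bytes(12) + b"\x11" * 9 + bytes(16)  # constructed: nonce, 9-byte ct, tag
    db.executemany(
        "INSERT INTO logins VALUES (?, ?, ?)",
        [
            ("https://legacy.example", "alice", legacy),
            ("https://modern.example", "bob", modern),
            ("https://odd.example", "carol", b"\x00\x01\x02"),
        ],
    )
    return db


def survey_login_data(db):
    """Count password_value formats; a DPAPI-only decoder handles just 'dpapi-blob'."""
    counts = {}
    for (value,) in db.execute("SELECT password_value FROM logins"):
        kind = classify_chrome_value(bytes(value))
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    print(survey_login_data(build_sample_login_data()))
```

If the survey reports mostly "aes-gcm-v10" rows, the failure is a format mismatch rather than a wrong user password, and the master-key checks printed earlier in the run are not the place to look.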

HASHES instead of plaintext passwords?

Is it possible to use the hashes instead of needing the plaintext password to decrypt the dumped passwords?

In the script I've found the -pwdhash argument, it says:

Windows user hash (not NTLM hash)

So which hash type does it require?

problem with laZagneFORensic

PS C:\Users\prueba\Desktop\LaZagneForensic-master\LaZagneForensic> python laZagneForensic.py all -remote /tmp/dump
Traceback (most recent call last):
File "laZagneForensic.py", line 16, in <module>
from lazagne.config.dpapi import Decrypt_DPAPI
File "C:\Users\prueba\Desktop\LaZagneForensic-master\LaZagneForensic\lazagne\config\dpapi.py", line 4, in <module>
from lazagne.config.DPAPI.masterkey import *
File "C:\Users\prueba\Desktop\LaZagneForensic-master\LaZagneForensic\lazagne\config\DPAPI\masterkey.py", line 11, in <module>
from structures import *
File "C:\Users\prueba\Desktop\LaZagneForensic-master\LaZagneForensic\lazagne\config\DPAPI\structures.py", line 124, in <module>
'data' / String(this.length, encoding='UTF_16_LE'),
NameError: name 'String' is not defined
PS C:\Users\prueba\Desktop\LaZagneForensic-master\LaZagneForensic>

PS C:\Users\prueba\Desktop\LaZagneForensic-master\LaZagneForensic> python laZagneForensic.py all -remote /tmp/dump -password 'mypassoword'
Traceback (most recent call last):
File "laZagneForensic.py", line 16, in <module>
from lazagne.config.dpapi import Decrypt_DPAPI
File "C:\Users\prueba\Desktop\LaZagneForensic-master\LaZagneForensic\lazagne\config\dpapi.py", line 4, in <module>
from lazagne.config.DPAPI.masterkey import *
File "C:\Users\prueba\Desktop\LaZagneForensic-master\LaZagneForensic\lazagne\config\DPAPI\masterkey.py", line 11, in <module>
from structures import *
File "C:\Users\prueba\Desktop\LaZagneForensic-master\LaZagneForensic\lazagne\config\DPAPI\structures.py", line 124, in <module>
'data' / String(this.length, encoding='UTF_16_LE'),
NameError: name 'String' is not defined
PS C:\Users\prueba\Desktop\LaZagneForensic-master\LaZagneForensic>

I don't understand why it doesn't work; I really have all the dependencies.

regards.
