Jump to content

[PAYLOAD] PasswordGrabber


RazerBlade

Recommended Posts

  • 3 weeks later...
  • 2 months later...

I just ran this against my test machine and was very impressed with how much data it pulled back.  I'm trying to run the cachedump creds through hashcat to see if I can crack them but I am uncertain what format they need to be in.  Hashcat doesn't recognize the format at (what I assume they are) DCC2 (2100 in hashcat), but I changed the format to "$DCC2$10240$username%hashvalue" after doing some googling, and hashcat is running now as 2100.  Is that the correct input for these?

 

I haven't tried running the Hashdump hashes yet but I have the same question there - how should I format these for hashcat?

 

Thanks for your help, and for putting this program together, it works very well.

Link to comment
Share on other sites

I had to read through what Lazagne was.  It looks to do procedures similar to mimikatz to get creds.  MS killed those methods in their Creator update for Windows 10 that was pushed not too long ago.  If you are updated, thinks like mimikatz and powerdump have cease to function.  Process injection looks to be a no go too with protected processes which some password stealers do.  Looks like MS is getting their act together except they collect more now too.  :-(

They rescrambled the Rubix cube and added more sides, looks like it is time to start solving again.

Link to comment
Share on other sites

Well thats sad to hear. Sadly I can't do anything about it but works well on all windows up to creators update so you have to get lucky. Also Antivirus can sometimes block LaZagne from running so if you want to run it you need to obfuscate it or compile it yourself. 

Link to comment
Share on other sites

  • 1 month later...
  • 2 months later...

Working on win10 1703 for me with latest bb fw..unsure why Defender didn't flag the exe. Darren says the client AV may purge the exe in the latest hak5 youtube video. Anyone make a workaround yet to prevent AV deletion of the binary by means of relocating to a write protected area?

Also, can someone add something to purge the Windows event viewer? Apparently that is where Defender logs are stored on Win10.

Link to comment
Share on other sites

So, since I saw this payload was on the new Hak5 show, (I always said they should showcase payloads to keep interest sparked and give some kind of incentive to produce cool stuff.) I decided to peek at it.  I already have a ton of payloads in my arsenal that does these so when I see a payload that does what I already am doing, it usually takes me some time to get to it to check it out.

Anyway, I decided to look into ways to obfuscate this thing and make it more streamline.  Well, I ran into a snag.  Apparently, this executable is a pyinstaller executable.  I haven't tried to handle one of those before so I tried and failed.  I could not inject this thing worth a man in the moon.  It is classified as not being a true PE.  Hmm.  I see this happens with .NET apps too before I realize they are .NET and inject differently.  I have not checked to see if this thing is actually .NET in some way but if not then if the spirit hits me I may scramble through the source code and do a .NET compatible conversion so on Windows more can be done with it to hide it..like reflections assembly loading.

So, an idea some people have thrown at me that will not work...

Encrypt the executable on the drive, copy and run it. : Will not work.  Although it is safe as an encrypted file, I have to decrypt it eventually and when I do I will have it in memory so how do I run it if i cannot inject it?  it is still a pyinstaller executable.-  I will still need to write it back to disk in english to run which will fire off AV then.

After going through some of the py files in the project last night, the guy did such a clean job you could recreate this project with practically same file structure in .NET.  Not going to say it is a piece of cake and will take no time.  Just saying almost all the methodology is right there, just have to "port" it.  Since you can do it in .NET, you could just script it all in Powershell too though it will be a huge script or a bunch of medium to large interdependent scripts.

 

Another way is to modify the py files and for parts you think are being seen as bad, turn them into obfuscated strings to be executed as py commands.  Easiest way to obfuscate is string substitution for commands and code blocks.

Link to comment
Share on other sites

It would be great if someone could obfuscate it in someone. Darren mentioned in the video to use read only storage and exfiltrate the files via network. I have thought of that but the easiest way would be to just add a exfil partion on the bunny where stuff can be written and have the primary partion read only

Link to comment
Share on other sites

3 hours ago, RazerBlade said:

It would be great if someone could obfuscate it in someone. Darren mentioned in the video to use read only storage and exfiltrate the files via network. I have thought of that but the easiest way would be to just add a exfil partion on the bunny where stuff can be written and have the primary partion read only

so if we will edit the payload t be RO the script could still write to the loot text file?

JMX

Link to comment
Share on other sites

12 hours ago, PoSHMagiC0de said:

Nope.  That is why Darren mention using smb to to upload.  At that point, might as well make it all smb delivery and retrieval.

Actually.. Only time Windows will scan the directory for Lazagne, is when the directory is opened.. if you let the BashBunny folders alone, it won't remove the EXE.. I've been experimenting with VERY malicious files.. Therefore just don't open the BashBunny on your Target computer..

 

Ar1k88

Link to comment
Share on other sites

  • 3 weeks later...

Well, JackRabbit uses powershell scripts to gather the credentials, LaZagne that Passwordgrabber depends on, uses python compiled as an exe. I find passwordgrabber much more reliable than the powershell scripts. Password grabber grabs all of these programs: https://github.com/AlessandroZ/LaZagne/blob/master/pictures/softwares.png

What JackRabbit grabs depends on what PS script is being used.

Link to comment
Share on other sites

For some reason i am only getting empty directories and an empty text file

I made sure to remove the REM from in front of xcopy yet it still seems as if lazagne is not running or if it's merely not copying to the text file and i made sure to add the windows standalone lazagne into the folder

Link to comment
Share on other sites

3 hours ago, dragmus31 said:

For some reason i am only getting empty directories and an empty text file

I made sure to remove the REM from in front of xcopy yet it still seems as if lazagne is not running or if it's merely not copying to the text file and i made sure to add the windows standalone lazagne into the folder

I managed to fix this problem by making a few modifications to the e.cmd file all i did was drop the V after the -v in the cmd that runs laZagne.exe i also did so fiddling around and managed to make it so it outputs to the proper file for organizational purposes the modded e.cmd file is attached to this post if you want to see what was modified 

e.cmd

Link to comment
Share on other sites

  • 2 weeks later...

The AV is not detecting it and here are the following files that I have in the switch directory (d.exe, e.exe, i.vbs, lazagne.exe, lazagne.py, payload.txt and readme.md), but again...once I plug it in the USB is starting to work and then I get empty directories :S

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...