Hak5 Forums
RazerBlade

[PAYLOAD] PasswordGrabber


I'll give it a shot and then post my results.


I just ran this against my test machine and was very impressed with how much data it pulled back. I'm trying to run the cachedump creds through hashcat to see if I can crack them, but I am uncertain what format they need to be in. Hashcat doesn't recognize the format as (what I assume they are) DCC2 (2100 in hashcat), but I changed the format to "$DCC2$10240$username%hashvalue" after doing some googling, and hashcat is running now as 2100. Is that the correct input for these?


I haven't tried running the Hashdump hashes yet but I have the same question there - how should I format these for hashcat?


Thanks for your help, and for putting this program together, it works very well.


I had to read through what LaZagne was. It looks to do procedures similar to mimikatz to get creds. MS killed those methods in their Creators update for Windows 10 that was pushed not too long ago. If you are updated, things like mimikatz and powerdump have ceased to function. Process injection looks to be a no go too with protected processes, which some password stealers do. Looks like MS is getting their act together, except they collect more now too. :-(

They rescrambled the Rubik's cube and added more sides; looks like it is time to start solving again.


Well, that's sad to hear. Sadly I can't do anything about it, but it works well on all Windows versions up to the Creators update, so you have to get lucky. Also, antivirus can sometimes block LaZagne from running, so if you want to run it you need to obfuscate it or compile it yourself.


Working on Win10 1703 for me with the latest BB firmware. Unsure why Defender didn't flag the exe. Darren says the client AV may purge the exe in the latest Hak5 YouTube video. Has anyone made a workaround yet to prevent AV deletion of the binary by relocating it to a write-protected area?

Also, can someone add something to purge the Windows event viewer? Apparently that is where Defender logs are stored on Win10.


So, since I saw this payload was on the new Hak5 show (I always said they should showcase payloads to keep interest sparked and give some kind of incentive to produce cool stuff), I decided to peek at it. I already have a ton of payloads in my arsenal that do this, so when I see a payload that does what I already am doing, it usually takes me some time to get to it to check it out.

Anyway, I decided to look into ways to obfuscate this thing and make it more streamlined. Well, I ran into a snag. Apparently, this executable is a pyinstaller executable. I haven't tried to handle one of those before, so I tried and failed. I could not inject this thing worth a man in the moon. It is classified as not being a true PE. Hmm. I see this happens with .NET apps too, before I realize they are .NET and inject differently. I have not checked to see if this thing is actually .NET in some way, but if not, then if the spirit hits me I may scramble through the source code and do a .NET compatible conversion so on Windows more can be done with it to hide it, like reflection assembly loading.

So, an idea some people have thrown at me that will not work...

Encrypt the executable on the drive, copy and run it: Will not work. Although it is safe as an encrypted file, I have to decrypt it eventually, and when I do I will have it in memory, so how do I run it if I cannot inject it? It is still a pyinstaller executable. I will still need to write it back to disk in English to run, which will fire off AV then.

After going through some of the py files in the project last night, the guy did such a clean job you could recreate this project with practically the same file structure in .NET. Not going to say it is a piece of cake and will take no time. Just saying almost all the methodology is right there; you just have to "port" it. Since you can do it in .NET, you could just script it all in PowerShell too, though it will be a huge script or a bunch of medium to large interdependent scripts.


Another way is to modify the py files and, for parts you think are being seen as bad, turn them into obfuscated strings to be executed as py commands. The easiest way to obfuscate is string substitution for commands and code blocks.


It would be great if someone could obfuscate it in someone. Darren mentioned in the video to use read-only storage and exfiltrate the files via network. I have thought of that, but the easiest way would be to just add an exfil partition on the bunny where stuff can be written and have the primary partition read-only.

3 hours ago, RazerBlade said:

It would be great if someone could obfuscate it in someone. Darren mentioned in the video to use read-only storage and exfiltrate the files via network. I have thought of that, but the easiest way would be to just add an exfil partition on the bunny where stuff can be written and have the primary partition read-only.

So if we edit the payload to be RO, could the script still write to the loot text file?

JMX

6 hours ago, JediMasterX said:

So if we edit the payload to be RO, could the script still write to the loot text file?

JMX

Nope. That is why Darren mentioned using SMB to upload. At that point, might as well make it all SMB delivery and retrieval.

12 hours ago, PoSHMagiC0de said:

Nope. That is why Darren mentioned using SMB to upload. At that point, might as well make it all SMB delivery and retrieval.

Actually, the only time Windows will scan the directory for LaZagne is when the directory is opened. If you leave the BashBunny folders alone, it won't remove the EXE. I've been experimenting with VERY malicious files. Therefore, just don't open the BashBunny on your target computer.


Ar1k88

