Cech Posted November 20, 2017

I've finally made it up! But there is one more thing that I would suggest you add. Since any AV will detect the lazagne.exe file as a malicious file, it would be much better if you could either crypt it on your way so you can make it FUD, or if you could add a few commands to the payload that will disable the AV before the payload starts the .exe file.
Struthian Posted November 25, 2017

I solved it by editing e.cmd so that it formats a legit file name. You can see my post in the other Password Grabber thread. Failure to create the directory was the clue. It never gets to the point where it runs Lazagne.
InfoSecREDD Posted November 25, 2017

Since you all are having SO many issues with AVs not letting files execute, I'll let you know a little trick from my "Bad Days": anti-viruses can NOT scan network drives. Turn this payload into an SMB server and you won't have any issues. I'm currently working on another project at the moment, otherwise I would make an "alternate" payload for you guys. But at least I can give you guys a heads up. Also, you can re-compile the code with some small variations in the code to recreate the md5 hash the program signature creates, to bypass AVs temporarily. That's all the info you're getting from me..
RazerBlade (Author) Posted November 25, 2017

6 minutes ago, Ar1k88 said: Since you all are having SO many issues with AVs not letting files execute, I'll let you know a little trick from my "Bad Days": anti-viruses can NOT scan network drives. Turn this payload into an SMB server and you won't have any issues. I'm currently working on another project at the moment, otherwise I would make an "alternate" payload for you guys. But at least I can give you guys a heads up. Also, you can re-compile the code with some small variations in the code to recreate the md5 hash the program signature creates, to bypass AVs temporarily. That's all the info you're getting from me..

I know. But I also know that I have had trouble successfully executing a payload that uses SMB. Therefore I chose USB, even though there are many advantages to using SMB, like not having to mount the USB, being able to check if creds are grabbed successfully, and avoiding AV.
InfoSecREDD Posted November 25, 2017

13 minutes ago, RazerBlade said: I know. But I also know that I have had trouble successfully executing a payload that uses SMB. Therefore I chose USB, even though there are many advantages to using SMB, like not having to mount the USB, being able to check if creds are grabbed successfully, and avoiding AV.

Yeah, if you give me a week or so, I might be able to come up with a secondary SMB mode for this payload. Right now I'm working on the dangerous part of the Bunny: deleting MBRs, locking system files, etc. But it shouldn't take too long to develop something for this, especially with the help of the community. But rather more so if you want to go that route also..
cyb3rwr3ck Posted December 16, 2017

Has anybody already tried to convert the .exe to a string and run it in-memory via PowerShell to get rid of the AV problem?
TTommy Posted December 27, 2017

On 11/17/2017 at 8:31 AM, Cech said: The AV is not detecting it and here are the following files that I have in the switch directory (d.exe, e.exe, i.vbs, lazagne.exe, lazagne.py, payload.txt and readme.md), but again... once I plug it in the USB is starting to work and then I get empty directories :S

d.exe should be d.cmd
e.exe should be e.cmd

You may want to set up a lab and step through each of the commands in the script to see what they do and understand how the script works, then modify it to meet your specific use case.
PoSHMagiC0de Posted December 27, 2017

lazagne.exe cannot be run in memory. I can't think of the term for it, but it is a packed file containing the Python environment, and the Python module files are all compressed inside. The exe extracts these files to temp files on disk and runs them. If you inject it, it cannot find itself to extract itself and breaks. I tried already. Pukes. Lazagne in its Python form would have to be rewritten with obfuscation before py2exeing it, so that when it extracts, the py code is still not seen. I've been peeking at the lazagne project to see what it does, to find PowerShell replacements for each thing it does. The reason is you only have a choice of obfuscating the way I wrote above or redoing it in PowerShell, obfuscating as you go. Hmm, maybe keeping lazagne in Python pieces and somehow getting a mobile Python environment to run and launch a loader that will download each of those files in referential order to preserve dependencies (encrypted), and then decrypt and execute each of those as strings to load the modules into memory before running the final command to execute it.
PieMCo Posted September 3, 2019

Hi, Password Grabber doesn't work (AV detected Lazagne). Does someone know another similar payload?
korang Posted September 4, 2019

Then I disagree that it does not work. It works, but whatever AV you tried against has a signature for that application.
JamesG Posted November 8, 2019

Does the user need to be logged in to get this to work? Or can this run from a locked screen? Thanks! JG
kuyaya Posted November 8, 2019

You obviously can't run this from a locked machine. Just look at the payload....
kuyaya Posted November 8, 2019

On 9/3/2019 at 11:29 PM, PieMCo said: Hi, Password Grabber doesn't work (AV detected Lazagne). Does someone know another similar payload?

That's obvious. Just make another payload which disables antivirus or, better, makes an exclusion. Then run the passwordgrabber payload.