
[PAYLOAD] PasswordGrabber


RazerBlade


I've finally made it up! But there is one more thing that I would suggest you add.

Since any AV will detect the lazagne.exe file as a malicious file, it would be much better if you could either crypt it on your way so you can make it FUD, or if you could add a few commands to the payload that will disable the AV before the payload starts the .exe file.


Since you all are having SOO many issues with AVs not letting files execute.. I'll let you know a lil trick from my "Bad Days"...

Anti-Viruses can NOT scan network drives. Turn this payload into an SMB server and you won't have any issues.

I'm currently working on another project at the moment, otherwise I would make an "alternate" payload for you guys. But at least this gives you guys a heads up.

Also you can re-compile the code with some small variations in the code to recreate the md5 hash the program signature creates, to bypass AVs temporarily.

That's all the info you're getting from me.. ?


6 minutes ago, Ar1k88 said:

Since you all are having SOO many issues with AVs not letting files execute.. I'll let you know a lil trick from my "Bad Days"...

Anti-Viruses can NOT scan network drives. Turn this payload into an SMB server and you won't have any issues.

I'm currently working on another project at the moment, otherwise I would make an "alternate" payload for you guys. But at least this gives you guys a heads up.

Also you can re-compile the code with some small variations in the code to recreate the md5 hash the program signature creates, to bypass AVs temporarily.

That's all the info you're getting from me.. ?

I know. But I also know that I have had trouble successfully executing a payload that uses SMB. Therefore I chose USB, even though there are many advantages to using SMB, like not having to mount the USB, being able to check if creds are grabbed successfully, and avoiding AV.


13 minutes ago, RazerBlade said:

I know. But I also know that I have had trouble successfully executing a payload that uses SMB. Therefore I chose USB, even though there are many advantages to using SMB, like not having to mount the USB, being able to check if creds are grabbed successfully, and avoiding AV.

Yeah, if you give me a week or so, I might be able to come up with a secondary SMB mode for this payload.

Right now I'm working on the dangerous part of the Bunny... Deleting MBRs, locking system files, etc etc... :wink:

But it shouldn't take too long to develop something for this, especially with the help of the community. - But rather more if you want to go that route also..

On 11/17/2017 at 8:31 AM, Cech said:

The AV is not detecting it, and here are the files that I have in the switch directory (d.exe, e.exe, i.vbs, lazagne.exe, lazagne.py, payload.txt and readme.md), but again... once I plug it in, the USB starts to work and then I get empty directories :S

d.exe should be d.cmd

e.exe should be e.cmd

You may want to set up a lab and step through each of the commands in the script to see what they do and understand how the script works then modify it to meet your specific use case.


lazagne.exe cannot be run in memory. I can't think of the term for it, but it is a packed file, being the python environment and the python module files all compressed inside. The exe extracts these files to temp files on disk and runs them. If you inject it, it cannot find itself to extract itself and breaks. I tried already. Pukes. Lazagne in its python form will have to be rewritten with obfuscation before py2exeing it, so when it extracts, the py code is still not seen.

I've been peeking at the lazagne project to see what it does, to find Powershell replacements for each thing it does. The reason is you only have a choice of obfuscating the way I wrote above or redoing it in Powershell, obfuscating as you go.

Hmm, maybe keeping lazagne in python pieces and somehow getting a mobile python environment to run and launch a loader that will download each of those files in referential order to preserve dependencies (encrypted), and then decrypt and execute each of those as strings to load the modules into memory before running the final command to execute it.

On 9/3/2019 at 11:29 PM, PieMCo said:

Hi, Password Grabber doesn't work (AV detected Lazagne). Does someone know another similar payload?

That's obvious. Just make another payload which disables the antivirus or, better, makes an exclusion. Then run the passwordgrabber payload.
