kuyaya

[PAYLOAD] LaZassword

I wrote a password grabber payload using LaZagne. I made a GitHub repository; you can look it up here. I tried to make it as simple as possible. If there are any questions or advice for improvement, just post them here and I'll reply. Have fun with it!

Nice payload!

One issue is I'm pretty sure this will only work on a machine running Windows Defender. When adding the exception for the drive letter, this will not work if the system has Windows Defender disabled due to having something like AVG installed as the AV program.

I plan to mess around with the payload some and post back.
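The reply above points out that the payload depends on adding a Defender exclusion for the drive letter. From the defender's side, that step is exactly what to look for. The following is an added audit script, not code from this thread or from the LaZassword repository; it assumes a Windows host with the Defender PowerShell module (Get-MpPreference) and the Defender operational event log available, and the function name is my own.

```powershell
# Added example (not part of the LaZassword payload or this thread): audits Defender
# exclusion paths and flags any that cover a whole drive root (e.g. "E:\"), which is
# what a removable-storage payload needs in order to bypass on-access scanning.
# Assumes Get-MpPreference is available, i.e. Defender is the active AV on this host.

function Find-DriveRootExclusion {
    param(
        # Exclusion paths to inspect; defaults to the live Defender configuration.
        [string[]]$ExclusionPath = (Get-MpPreference).ExclusionPath
    )
    foreach ($path in $ExclusionPath) {
        # A bare drive root such as "D:\" or "D:" exempts everything on that volume.
        if ($path -match '^[A-Za-z]:\\?$') {
            [pscustomobject]@{ Path = $path; Finding = 'Whole-drive exclusion' }
        }
    }
}

# Review the current exclusions...
Find-DriveRootExclusion | Format-Table -AutoSize

# ...and list recent Defender configuration-change events (ID 5007), which Defender
# writes whenever an exclusion is added or removed. The message names the changed
# registry value under ...\Windows Defender\Exclusions\Paths.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5007
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\Paths' } |
    Select-Object TimeCreated, Message
```

A whole-drive exclusion appearing in the first list, or a 5007 event shortly after a USB device is plugged in, is the signal worth alerting on.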

On 1/29/2020 at 3:04 PM, Cap_Sig said:

Nice payload!

One issue is I'm pretty sure this will only work on a machine running Windows Defender. When adding the exception for the drive letter, this will not work if the system has Windows Defender disabled due to having something like AVG installed as the AV program.

I plan to mess around with the payload some and post back.

Thank you 😄

Hmmmm... Do you know a way to turn off/make an exclusion on all AVs? I don't like scripts that just delete the whole AV, because that leaves many traces.

So I tried yours and Password Grabber; for some reason both are creating a folder "LaZassword" in the loot folder, but there's nothing in it, it's empty.
Any chance I missed anything? (Yeah, I'm a newbie.)

On 2/11/2020 at 1:53 AM, narko said:

So I tried yours and Password Grabber; for some reason both are creating a folder "LaZassword" in the loot folder, but there's nothing in it, it's empty.
Any chance I missed anything? (Yeah, I'm a newbie.)

Yep, there was a mistake in the payload, I'm sorry. Fixed it. Go to my GitHub and try it again, please.

But the password grabber payload shouldn't be creating a lazassword folder. It is normal for the password grabber payload not to work haha. I think you got the payload.txt mixed up.

Please inform me if you tried it again and tell me if it has worked or not.

It seems like everything is running, not in the background though.
After looking inside the loot folder I saw a new empty folder 'Lazassword'.

On 2/15/2020 at 9:48 PM, narko said:

It seems like everything is running, not in the background though.
After looking inside the loot folder I saw a new empty folder 'Lazassword'.

Is your issue solved? Or is it still persistent?


Great, the update is out! Now you can rely on the LED FINISH. I did this with a very easy while loop. You can look it up in the payload.txt. But that didn't work and I asked myself why. Then I did research and I found this post. This guy had the same idea as me. The reason it didn't work is that if you create a file on the bunny over SSH, you can't see it in Explorer. Example:

root@bunny:~# mount -o sync /dev/nandf /root/udisk
root@bunny:~# cd /root/udisk/loot
root@bunny:~/udisk/loot# ls
root@bunny:~/udisk/loot# nano testfile

root@bunny:~/udisk/loot# ls
testfile


Got it? Now there should be a testfile in Explorer, but there isn't. Try it yourself if you don't believe me.

It also doesn't work the other way around. If you create a file in the loot folder by hand or with PowerShell (both do the same), it does show up on the bunny, but the bunny can't recognize it. Example:

root@bunny:~# ls -l /root/udisk/loot/
ls: cannot access /root/udisk/loot/icreatedthisinexplorer.txt: No such file or directory
total 0
-????????? ? ? ? ?            ? icreatedthisinexplorer.txt


See that? It just doesn't work together. It doesn't work from the bunny to Explorer, and also not from Explorer to the bunny.

The reason why this is even necessary is that the while loop checks if there is a "done" file. If that isn't the case, it stays in LED ATTACK (yellow LED). The second-to-last part of the .ps1 file is that it should create a "done" file in the /loot/LaZassword directory. But that wouldn't work, because the bunny wouldn't recognize it, as I explained above. That's why the last part of the .ps1 file is the ejection of the BB. Then the BB syncs with Explorer and recognizes the file, which breaks the loop, which then makes an LED FINISH. And you don't even have to laboriously eject the BB by hand. That's great, isn't it?

When you eject the bunny, you can't access it through Explorer anymore, but it can still run commands. You can also still connect with PuTTY; that's why this method works. After the ejection, the bunny deletes the done file (if not, the loop would only work one time, because there would be a done file even when the payload isn't finished yet) and does an LED FINISH.

@PoSHMagiC0de You brought me the solution, so I put you in the credits of my LaZassword payload. Is that okay for you? Please message me if not.
