mimikatz (wdigest password) module added

Former-commit-id: 03bfb4163c45a85228081d3862b803170dda8ae8 [formerly a3d6ee0] Former-commit-id: ff59e0ec8200a18243190cdc876ec3fcb2313183
AlessandroZ · Mar 21, 2018 · 0ba076e · 0ba076e
1 parent c7ec211
commit 0ba076e
Show file tree

Hide file tree

Showing 56 changed files with 963 additions and 408 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,4 +1,4 @@
-LaZagne 2.3.2 (13/03/2018)
+LaZagne 2.3.2 (21/03/2018)
 - Windows
 	* Big code review
 	* Lots of minor bug fixed
@@ -7,6 +7,11 @@ LaZagne 2.3.2 (13/03/2018)
 	* New modules added postgresql and psi-im (thanks to @m41nt41n3r)
 	* XP managed
 	* Adding support for newest firefox version. Awesome work from lclevy: https://github.com/lclevy/firepwd
+	* Adding Wdigest passwords (using mimikatz signature) 
+		* Works on Vista / Win7 x86 and x64
+		* Thanks to 
+			* n1nj4sec for https://github.com/n1nj4sec/memorpy/
+			* Francesco Picasso for https://github.com/RealityNet/hotoloti/blob/master/volatility/mimikatz.py
 
 - Linux
 	* Big code review

diff --git a/Windows/laZagne.py b/Windows/laZagne.py
@@ -14,7 +14,7 @@
 
 # Configuration
 from lazagne.config.write_output import parseJsonResultToBuffer, print_debug, StandartOutput
-from lazagne.config.changePrivileges import ListSids, rev2self, impersonate_sid_long_handle
+from lazagne.config.change_privileges import list_sids, rev2self, impersonate_sid_long_handle
 from lazagne.config.manageModules import get_categories, get_modules
 from lazagne.config.dpapi_structure import *
 from lazagne.config.constant import *
@@ -115,7 +115,7 @@ def launch_module(module, dpapi_used=True, registry_used=True, system_module=Fal
 			if args[i] and i in module:
 				modulesToLaunch.append(i)
 	except:
-		# if no args
+		# If no args
 		pass
 
 	# Launch all modules
@@ -142,7 +142,7 @@ def launch_module(module, dpapi_used=True, registry_used=True, system_module=Fal
 			)
 			continue
 
-		# run module
+		# Run module
 		for m in run_module(title=i, module=module[i]):
 			yield m
 
@@ -169,9 +169,9 @@ def runModule(category_choosed, dpapi_used=True, registry_used=True, system_modu
 			yield r
 
 	if constant.module_to_exec_at_end:
-		# these modules will need the windows user password to be able to decrypt dpapi blobs
+		# These modules will need the windows user password to be able to decrypt dpapi blobs
 		constant.dpapi = Decrypt_DPAPI(password=constant.user_password)
-		# add username to check username equals passwords
+		# Add username to check username equals passwords
 		constant.passwordFound.append(constant.username)
 		constant.dpapi.check_credentials(constant.passwordFound)
 
@@ -224,7 +224,7 @@ def get_user_list_on_filesystem(impersonated_user=[]):
 	return all_users
 
 def set_env_variables(user, toImpersonate=False):
-	# restore template path
+	# Restore template path
 	template_path = {
 		'APPDATA'			: u'{drive}:\\Users\\{user}\\AppData\\Roaming\\',
 		'USERPROFILE'		: u'{drive}:\\Users\\{user}\\',
@@ -262,7 +262,7 @@ def clean_temporary_files():
 
 def runLaZagne(category_choosed='all', password=None):
 
-	# useful if this function is called from another tool
+	# Useful if this function is called from another tool
 	if password:
 		constant.user_password = password
 
@@ -285,7 +285,7 @@ def runLaZagne(category_choosed='all', password=None):
 
 		# --------- Impersonation using tokens ---------
 
-		sids 				= ListSids()
+		sids 				= list_sids()
 		impersonateUsers 	= {}
 		impersonated_user 	= [constant.username]
 
@@ -403,6 +403,7 @@ def runLaZagne(category_choosed='all', password=None):
 				categories[c]['subparser'] += tmp
 
 	# ------------------------------------------- Print all -------------------------------------------
+
 	parents = [PPoptional] + all_subparser + [PPwd, PWrite]
 	dic = {'all':{'parents':parents, 'help':'Run all modules', 'func': runModule}}
 	for c in categories:

diff --git a/Windows/lazagne/config/DPAPI/masterkey.py b/Windows/lazagne/config/DPAPI/masterkey.py
@@ -40,8 +40,13 @@ def decrypt_with_password(self, sid, pwd):
 		Decrypts the masterkey with the given user's password and SID.
 		Simply computes the corresponding key, then calls self.decrypt_with_hash()
 		"""	
+		try:
+			pwd = pwd.encode("UTF-16LE")
+		except:
+			return
+
 		for algo in ["sha1", "md4"]:
-			self.decrypt_with_hash(sid=sid, pwdhash=hashlib.new(algo, pwd.encode("UTF-16LE")).digest())
+			self.decrypt_with_hash(sid=sid, pwdhash=hashlib.new(algo, pwd).digest())
 			if self.decrypted:
 				break
 
@@ -136,7 +141,7 @@ def __init__(self):
 				'password' 	: None, 	# contains cleartext password
 				'keys'		: [], 		# contains all decrypted mk keys
 			}
-		) 
+		)
 		self.mkfiles 			= []
 		self.credhists 			= {}
 		self.mk_dir 			= None
@@ -177,7 +182,7 @@ def get_master_keys(self, guid):
 		"""
 		Returns an array of Masterkeys corresponding to the given GUID.
 		"""
-		return self.keys.get(guid, [])['keys']
+		return self.keys.get(guid, {}).get('keys')
 
 	def get_password(self, guid):
 		"""

diff --git a/Windows/lazagne/config/changePrivileges.py b/Windows/lazagne/config/changePrivileges.py