Merge pull request AlessandroZ#399 from alxchk/master

Various fixes
JuryA · May 20, 2019 · f9df6a6 · f9df6a6
2 parents c831eb1 + 83619e8
commit f9df6a6
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 34 deletions.
diff --git a/Windows/lazagne/config/DPAPI/blob.py b/Windows/lazagne/config/DPAPI/blob.py
@@ -2,7 +2,7 @@
 # -*- coding: utf-8 -*-
 
 """
-Code based from these two awesome projects: 
+Code based from these two awesome projects:
 - DPAPICK 	: https://bitbucket.org/jmichel/dpapick
 - DPAPILAB 	: https://github.com/dfirfpi/dpapilab
 """
@@ -97,7 +97,7 @@ def decrypt(self, masterkey, entropy=None, strongPassword=None):
                     self.cleartext = b"".join([cipher.decrypt(self.cipherText[i:i + AES_BLOCK_SIZE]) for i in
                                                range(0, len(self.cipherText), AES_BLOCK_SIZE)])
                 else:
-                    cipher = self.cipherAlgo.module.new(key, CBC, "\x00" * int(self.cipherAlgo.ivLength))
+                    cipher = self.cipherAlgo.module(key, CBC, "\x00" * self.cipherAlgo.ivLength)
                     self.cleartext = cipher.decrypt(self.cipherText)
 
                 padding = char_to_int(self.cleartext[-1])

diff --git a/Windows/lazagne/config/DPAPI/crypto.py b/Windows/lazagne/config/DPAPI/crypto.py
@@ -207,6 +207,7 @@ def CryptDeriveKey(h, cipherAlgo, hashAlgo):
     ipad = b"".join(chr_or_byte(char_to_int(h[i]) ^ 0x36) for i in range(int(hashAlgo.blockSize)))
     opad = b"".join(chr_or_byte(char_to_int(h[i]) ^ 0x5c) for i in range(int(hashAlgo.blockSize)))
     k = hashlib.new(hashAlgo.name, ipad).digest() + hashlib.new(hashAlgo.name, opad).digest()
+    k = k[:cipherAlgo.keyLength]
     k = cipherAlgo.do_fixup_key(k)
     return k
 

diff --git a/Windows/lazagne/config/winstructure.py b/Windows/lazagne/config/winstructure.py
@@ -1,6 +1,7 @@
 # Vault Structure has been taken from mimikatz
 from ctypes.wintypes import *
 from ctypes import *
+
 import sys
 import os
 
@@ -32,7 +33,7 @@
 CRED_TYPE_GENERIC = 0x1
 CRED_TYPE_DOMAIN_VISIBLE_PASSWORD = 0x4
 
-# Regedit 
+# Regedit
 HKEY_CURRENT_USER = -2147483647
 HKEY_LOCAL_MACHINE = -2147483646
 KEY_READ = 131097
@@ -144,18 +145,18 @@ class VAULT_BYTE_BUFFER(Structure):
 
 class DATA(Structure):
     _fields_ = [
-        # ('boolean', 		BOOL),
-        # ('short', 			SHORT),
-        # ('unsignedShort', 	WORD),
-        # ('int', 			LONG),
-        # ('unsignedInt', 	ULONG),
-        # ('double', 			DOUBLE),
+        # ('boolean',       BOOL),
+        # ('short',             SHORT),
+        # ('unsignedShort',     WORD),
+        # ('int',           LONG),
+        # ('unsignedInt',   ULONG),
+        # ('double',            DOUBLE),
         ('guid', GUID),
         ('string', LPWSTR),
         ('byteArray', VAULT_BYTE_BUFFER),
         ('protectedArray', VAULT_BYTE_BUFFER),
         ('attribute', PVAULT_CREDENTIAL_ATTRIBUTEW),
-        # ('Sid', 			PSID)
+        # ('Sid',           PSID)
         ('sid', DWORD)
     ]
 
@@ -181,12 +182,12 @@ class Flag(Structure):
 
 class VAULT_ITEM_DATA(Structure):
     _fields_ = [
-        # ('schemaElementId', 	DWORD),
-        # ('unk0', 				DWORD),
-        # ('Type', 				VAULT_ELEMENT_TYPE),
-        # ('type', 				Flag),
-        # ('type', 				DWORD * 14),
-        # ('unk1', 				DWORD),
+        # ('schemaElementId',   DWORD),
+        # ('unk0',              DWORD),
+        # ('Type',              VAULT_ELEMENT_TYPE),
+        # ('type',              Flag),
+        # ('type',              DWORD * 14),
+        # ('unk1',              DWORD),
         ('data', DATA),
     ]
 
@@ -213,17 +214,17 @@ class VAULT_ITEM_WIN8(Structure):
 
 
 # class VAULT_ITEM_WIN7(Structure):
-# 	_fields_ = [
-# 		('id', 				GUID),
-# 		('pName', 			PWSTR),
-# 		('pResource', 		PVAULT_ITEM_DATA),
-# 		('pUsername', 		PVAULT_ITEM_DATA),
-# 		('pPassword', 		PVAULT_ITEM_DATA), 
-# 		('LastWritten', 	FILETIME), 
-# 		('Flags', 			DWORD),  
-# 		('cbProperties', 	DWORD),
-# 		('Properties', 		PVAULT_ITEM_DATA),
-# 	]
+#   _fields_ = [
+#       ('id',              GUID),
+#       ('pName',           PWSTR),
+#       ('pResource',       PVAULT_ITEM_DATA),
+#       ('pUsername',       PVAULT_ITEM_DATA),
+#       ('pPassword',       PVAULT_ITEM_DATA),
+#       ('LastWritten',     FILETIME),
+#       ('Flags',           DWORD),
+#       ('cbProperties',    DWORD),
+#       ('Properties',      PVAULT_ITEM_DATA),
+#   ]
 # PVAULT_ITEM_WIN7 = POINTER(VAULT_ITEM_WIN7)
 
 class OSVERSIONINFOEXW(Structure):
@@ -567,6 +568,8 @@ def Win32CryptUnprotectData(cipherText, entropy=False, is_current_user=True, use
     if python_version == 2:
         cipherText = str(cipherText)
 
+    decrypted = None
+
     if is_current_user:
         bufferIn = c_buffer(cipherText, len(cipherText))
         blobIn = DATA_BLOB(len(cipherText), bufferIn)
@@ -577,15 +580,32 @@ def Win32CryptUnprotectData(cipherText, entropy=False, is_current_user=True, use
             blobEntropy = DATA_BLOB(len(entropy), bufferEntropy)
 
             if CryptUnprotectData(byref(blobIn), None, byref(blobEntropy), None, None, 0, byref(blobOut)):
-                return getData(blobOut).decode("utf-8")
+                decrypted = getData(blobOut).decode("utf-8")
 
         else:
             if CryptUnprotectData(byref(blobIn), None, None, None, None, 0, byref(blobOut)):
-                return getData(blobOut).decode("utf-8")
+                decrypted = getData(blobOut).decode("utf-8")
+
+    if not decrypted:
+        can_decrypt = True
+        if not (user_dpapi and user_dpapi.unlocked):
+            from lazagne.config.dpapi_structure import are_masterkeys_retrieved
+            can_decrypt = are_masterkeys_retrieved()
+
+        if can_decrypt:
+            decrypted = user_dpapi.decrypt_encrypted_blob(cipherText)
+            if decrypted is False:
+                decrypted = None
+        else:
+            raise ValueError('MasterKeys not found')
+
+    if not decrypted:
+        if not user_dpapi:
+            raise ValueError('DPApi unavailable')
+        elif not user_dpapi.unlocked:
+            raise ValueError('DPApi locked')
 
-    elif user_dpapi and user_dpapi.unlocked:
-        # entropy should be an hex value
-        return user_dpapi.decrypt_encrypted_blob(cipherText, entropy_hex=entropy)
+    return decrypted
 
 
 def get_os_version():

diff --git a/Windows/lazagne/softwares/browsers/mozilla.py b/Windows/lazagne/softwares/browsers/mozilla.py
@@ -93,6 +93,7 @@ def get_firefox_profiles(self, directory):
                         profile_path = os.path.join(directory, cp.get(section, 'Path').strip())
 
                     if profile_path:
+                        profile_path.replace('/', '\\')
                         profile_list.append(profile_path)
 
         except Exception as e:

diff --git a/Windows/lazagne/softwares/wifi/wifi.py b/Windows/lazagne/softwares/wifi/wifi.py
@@ -1,4 +1,4 @@
-# -*- coding: utf-8 -*- 
+# -*- coding: utf-8 -*-
 import os
 import sys
 import traceback
@@ -91,7 +91,7 @@ def run(self):
                                             self.error(traceback.format_exc())
                                             values['INFO'] = '[!] Password not found.'
 
-                                if values and values['Authentication'] != 'open':
+                                if values and values.get('Authentication') != 'open':
                                     pwd_found.append(values)
 
                 constant.wifi_password = True