LaZagneForensic: Decrypt Windows Credentials from another host

The LaZagne Project !!!

Description

The LaZagne project is back !!!

LaZagne uses an internal Windows API called CryptUnprotectData to decrypt user passwords. This API should be called on the victim user session, otherwise, it does not work. If the computer has not been started (when the analysis is realized on an offline mounted disk), or if we do not want to drop a binary on the remote host, no passwords can be retrieved.

LaZagneForensic has been created to avoid this problem. This work has been mainly inspired by the awesome work done by Jean-Michel Picod for DPAPICK and Francesco Picasso for Windows DPAPI laboratory.

Note: The main problem is that to decrypt these passwords, the user Windows passwords are needed.

Installation

git clone https://github.com/AlessandroZ/LaZagneForensic.git
cd LaZagneForensic
pip install -r requirements.txt

Usage

First way – Dump configuration files from the remote host

• Using the powershell script
  

PS C:\Users\test\Desktop> Import-Module .\dump.ps1

PS C:\Users\test\Desktop> Dump

File dump created successfully !

• Using the python script

python dump.py

• Launch Lazagne with password if you have it

python laZagneForensic.py all -remote /tmp/dump -password 'ZapataVive'

• Launch Lazagne without password

python laZagneForensic.py all -remote /tmp/dump

Second way – Mount a disk on your filesystem

• The file should be mounted on your filesystem

test:~$ ls /tmp/disk/

total 769M

drwxr-xr-x 2 root root    0 févr.  1 14:05 ProgramData

-rwxr-xr-x 1 root root 256M févr.  1 14:05 swapfile.sys

-rwxr-xr-x 1 root root 512M févr.  1 14:05 pagefile.sys

drwxr-xr-x 2 root root    0 janv. 31 00:35 System Volume Information

dr-xr-xr-x 2 root root    0 janv. 26 10:17 Program Files (x86)

dr-xr-xr-x 2 root root    0 janv. 25 18:13 Program Files

drwxr-xr-x 2 root root    0 janv. 19 10:09 Windows

drwxr-xr-x 2 root root    0 janv. 16 15:52 Homeware

drwxr-xr-x 2 root root    0 janv.  9 17:33 PerfLogs

drwxr-xr-x 2 root root    0 nov.  22 20:37 Recovery

drwxr-xr-x 2 root root 4,0K nov.  22 20:31 Documents and Settings

dr-xr-xr-x 2 root root    0 nov.  22 20:31 Users

• Launch Lazagne with password if you have it

python laZagneForensic.py all -local /tmp/disk -password 'ZapataVive'

• Launch Lazagne without password

python laZagneForensic.py all -local /tmp/disk

Note: Use -v for verbose mode and -vv for debug mode.

Supported software

Note: Check the following image to understand which passwords you could decrypt without needed the user windows password. All credentials found will be tested as Windows password in case of the user re-uses the same password.

Donation

Do not hesitate to support my work doing a donation, I will appreciate a lot:

• Via BTC: 16zJ9wTXU4f1qfMLiWvdY3woUHtEBxyriu

Source: https://github.com/AlessandroZ/