Windows passwords decryption from dump files
Languages: Python, PowerShell
Latest commit d0938ee (Jan 23, 2019) by AlessandroZ: Merge pull request #15 from anonymouz4/master (Couple Bug Fixes, new mem dump ps1)
Repository contents (latest commit message, commit date):
  • LaZagneForensic: bug fixes, added history dump if available (Jan 22, 2019)
  • dump: Update dump.ps1 (Jan 22, 2019)
  • pictures: first commit (Feb 1, 2018)
  • CHANGELOG: first commit (Feb 1, 2018)
  • LICENSE: first commit (Feb 1, 2018)
  • README.md: update README (Mar 15, 2018)
  • requirements.txt: updating to the new construct syntax (Mar 20, 2018)


The LaZagne Project !!!

Description

The LaZagne project is back !!!

LaZagne uses the Windows DPAPI function CryptUnprotectData to decrypt stored passwords. This API only works when it is called inside the session of the user who protected the data, because it relies on that user's DPAPI master keys. If the machine is powered off (the analysis is done on an offline mounted disk), or if we do not want to drop a binary on the remote host, no passwords can be retrieved that way.

LaZagneForensic has been created to get around this problem. This work has been mainly inspired by the awesome work of Jean-Michel Picod and Elie Bursztein on DPAPICK and of Francesco Picasso on the Windows DPAPI laboratory.

Note: The main limitation is that the user's Windows password is needed to decrypt most of these passwords, because the DPAPI master keys that protect them are themselves encrypted with a key derived from that password.
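The paragraphs above describe why a DPAPI blob cannot be decrypted without the user's master key and password. The following is an added example, not code from LaZagneForensic, that parses the header of CryptProtectData blobs and carves them out of an arbitrary file, so that you know which master key file (stored under the user's profile in AppData\Roaming\Microsoft\Protect\<SID>\<GUID>) must be collected from the offline disk before any decryption can be attempted. The SID, the profile path C:\Users\victim, the master key GUIDs and the sample "Login Data" bytes are all constructed for the example; the blob layout and the ALG_ID names follow the DPAPI blob structure documented by dpapick/mimikatz and wincrypt.h.

```python
# Added example, not LaZagneForensic code: parse CryptProtectData ("DPAPI") blobs
# to learn which per-user master key file each one depends on. The SID, profile
# path and sample blobs below are constructed for the example.
import struct
import uuid

# Every DPAPI blob carries this provider GUID right after the 4-byte version.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# ALG_ID constants from wincrypt.h that commonly appear in DPAPI blobs.
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}

def _u32(buf, off):
    """Little-endian DWORD at off -> (value, new_off)."""
    return struct.unpack_from("<I", buf, off)[0], off + 4

def _sized(buf, off):
    """DWORD length followed by that many bytes -> (bytes, new_off)."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated DPAPI blob")
    return bytes(buf[off:off + n]), off + n

def parse_dpapi_blob(buf):
    """Parse one DPAPI blob starting at buf[0]; field order follows the layout
    documented by dpapick/mimikatz. Raises ValueError if it is not a blob."""
    version, off = _u32(buf, 0)
    provider = uuid.UUID(bytes_le=bytes(buf[off:off + 16]))
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    mk_version, off = _u32(buf, off + 16)
    mk_guid = uuid.UUID(bytes_le=bytes(buf[off:off + 16]))  # names the master key file
    flags, off = _u32(buf, off + 16)
    desc, off = _sized(buf, off)                  # UTF-16LE, NUL terminated
    alg_crypt, off = _u32(buf, off)
    crypt_bits, off = _u32(buf, off)
    salt, off = _sized(buf, off)
    strong_key, off = _sized(buf, off)            # usually empty
    alg_hash, off = _u32(buf, off)
    hash_bits, off = _u32(buf, off)
    hmac_key, off = _sized(buf, off)
    data, off = _sized(buf, off)                  # the ciphertext
    sign, off = _sized(buf, off)                  # HMAC over the blob
    return {"masterkey_guid": str(mk_guid), "flags": flags,
            "description": desc.decode("utf-16-le").rstrip("\x00"),
            "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
            "crypt_bits": crypt_bits,
            "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
            "salt": salt, "data": data, "sign": sign, "size": off}

def find_dpapi_blobs(buf):
    """Carve DPAPI blobs out of an arbitrary file (e.g. a browser 'Login Data'
    database) by searching for the provider GUID and validating the header."""
    sig = DPAPI_PROVIDER_GUID.bytes_le
    found, pos = [], buf.find(sig)
    while pos >= 0:
        start = pos - 4                           # version DWORD precedes the GUID
        try:
            blob = parse_dpapi_blob(buf[start:]) if start >= 0 else None
        except (ValueError, struct.error):
            blob = None                           # false positive or truncated
        if blob is None:
            pos = buf.find(sig, pos + 1)
        else:
            found.append((start, blob))
            pos = buf.find(sig, start + blob["size"])
    return found

def masterkey_files_needed(buf, sid, profile="C:\\Users\\victim"):
    """Master key files to collect from the offline disk so the blobs in buf
    can later be decrypted with the user's Windows password (assumed profile path)."""
    base = profile + "\\AppData\\Roaming\\Microsoft\\Protect\\" + sid + "\\"
    return [base + g for g in sorted({b["masterkey_guid"] for _, b in find_dpapi_blobs(buf)})]

def build_sample_blob(mk_guid, ciphertext):
    """Constructed sample: structurally valid, but salt, ciphertext and
    signature are filler, not real CryptProtectData output."""
    ln = lambda b: struct.pack("<I", len(b)) + b
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + uuid.UUID(mk_guid).bytes_le
            + struct.pack("<I", 0) + ln("\x00".encode("utf-16-le"))
            + struct.pack("<II", 0x6610, 256) + ln(b"\x11" * 32) + ln(b"")
            + struct.pack("<II", 0x800E, 512) + ln(b"")
            + ln(ciphertext) + ln(b"\x22" * 64))

MK_A = "3b8a0ef6-1d6b-4bd9-b23d-1e1a0d4b1c2a"     # constructed master key GUIDs
MK_B = "7c1f2a9e-5b3d-4e8f-9a0b-6c5d4e3f2a1b"

def sample_login_data():
    """Constructed stand-in for a browser 'Login Data' file: three blobs, two
    of which were protected with the same master key."""
    return (b"SQLite format 3\x00" + b"\x00" * 40
            + build_sample_blob(MK_A, b"\xaa" * 16) + b"https://a.example\x00"
            + build_sample_blob(MK_B, b"\xbb" * 16) + b"https://b.example\x00"
            + build_sample_blob(MK_A, b"\xcc" * 16))

if __name__ == "__main__":
    for off, b in find_dpapi_blobs(sample_login_data()):
        print(off, b["masterkey_guid"], b["alg_crypt"], b["alg_hash"], len(b["data"]))
    print("\n".join(masterkey_files_needed(sample_login_data(), "S-1-5-21-1-2-3-1001")))
```

Run against a real credential store, the carving step lists every master key GUID referenced by the blobs; a blob whose master key file was not collected from the Protect folder cannot be decrypted, whatever password you later supply, so check the dump for those files before moving to the offline analysis machine.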

Installation

pip install -r requirements.txt

Usage

First way - Dump configuration files from the remote host

  • Run the PowerShell dump script on the target; it creates a folder named dump:

```powershell
PS C:\Users\test\Desktop> Import-Module .\dump.ps1
PS C:\Users\test\Desktop> Dump
Folder dump created successfully !
```

  • or use the Python dump script:

```
python dump.py
```

  • Copy the dump folder to the analysis machine (here /tmp/dump), then launch LaZagne with the password if you have it:

```
python laZagneForensic.py all -remote /tmp/dump -password 'ZapataVive'
```

  • Launch LaZagne without the password:

```
python laZagneForensic.py all -remote /tmp/dump
```

Second way - Mount a disk on your filesystem

  • The disk image (or volume) must be mounted on your filesystem:

```
test:~$ ls -lh /tmp/disk/
total 769M
drwxr-xr-x 2 root root    0 Feb   1 14:05 ProgramData
-rwxr-xr-x 1 root root 256M Feb   1 14:05 swapfile.sys
-rwxr-xr-x 1 root root 512M Feb   1 14:05 pagefile.sys
drwxr-xr-x 2 root root    0 Jan  31 00:35 System Volume Information
dr-xr-xr-x 2 root root    0 Jan  26 10:17 Program Files (x86)
dr-xr-xr-x 2 root root    0 Jan  25 18:13 Program Files
drwxr-xr-x 2 root root    0 Jan  19 10:09 Windows
drwxr-xr-x 2 root root    0 Jan  16 15:52 Homeware
drwxr-xr-x 2 root root    0 Jan   9 17:33 PerfLogs
drwxr-xr-x 2 root root    0 Nov  22 20:37 Recovery
drwxr-xr-x 2 root root 4.0K Nov  22 20:31 Documents and Settings
dr-xr-xr-x 2 root root    0 Nov  22 20:31 Users
```

  • Launch LaZagne with the password if you have it:

```
python laZagneForensic.py all -local /tmp/disk -password 'ZapataVive'
```

  • Launch LaZagne without the password:

```
python laZagneForensic.py all -local /tmp/disk
```

Note: Use -v for verbose mode and -vv for debug mode.

Supported software

Note: Check the following image to see which passwords can be decrypted without the user's Windows password. Every credential found is also tried as the Windows password, in case the user reuses the same password.

[Image: The LaZagne project]

Donation

Do not hesitate to support my work with a donation; I would appreciate it a lot:

  • Via BTC: 16zJ9wTXU4f1qfMLiWvdY3woUHtEBxyriu

Special thanks

  • Jean-Michel Picod and Elie Bursztein for DPAPICK
  • Francesco Picasso for Windows DPAPI laboratory
  • Jean-Christophe Delaunay - Jiss/Fist0urs from the Synacktiv team for their work

Recommended articles related to DPAPI


Alessandro ZANNI
zanni.alessandro@gmail.com