After exploiting a vulnerable target, scooping up a victim’s credentials is a high priority for hackers, since most people reuse passwords. Those credentials can get hackers deeper into a network or other accounts, but digging through the system by hand to find them is difficult. A missed stored password could mean missing a big opportunity. But the process can largely be automated with LaZagne.
LaZagne is good for both hackers and pentesters. The benefit of LaZagne is that it works on Linux, Windows, and macOS, so anyone can practice using it, and it applies to almost every target. LaZagne is included in the remote access tool Pupy as a post-exploitation module, but we can also use it on its own.
There’s also a standalone Windows PE (Preinstallation Environment) of LaZagne, which makes an excellent addition to the windows-binaries folder in Kali Linux.
LaZagne is still in active development and currently supports enumerating passwords from a large set of Windows applications. While definitely still useful, it’s a little bit lacking on Linux. A list of the supported applications is below.
There’s some interesting stuff on there that many password recovery tools might overlook. For example, some games. The odds of running across a host with Rogue’s Tale installed might be low, but if it’s there, it’s good to have a tool that can recover a password for it. Having a shell is great, but having actual credentials is better! With that said, let’s take a look at LaZagne.
Step 1: Get LaZagne
If you’re looking to use LaZagne on a Linux machine, Alessandro (the author) recommends using the Pupy module. He seems to be focusing his development time on the Windows version of LaZagne, so we’ll be grabbing the standalone Windows version here.
The reason for using the standalone version on Windows hosts is pretty straightforward: Python isn’t installed by default on Windows. Using the standalone version guarantees we will be able to use LaZagne across Windows hosts.
You can download the standalone version on GitHub. Once you have it, use the terminal to extract it and move it to your windows-binaries folder in Kali Linux with the commands below.
cp laZagne.exe /usr/share/windows-binaries/
First, we unzip the archive, then change directories into the unzipped directory, then we copy LaZagne into the windows-binaries directory on our Kali Linux system.
Now that we have LaZagne in our windows-binaries collection, let’s take a look at actually using LaZagne.
Step 2: Enumerate Passwords
LaZagne is a post-exploitation tool, which means that in order to use it, we’ll need to already have access to a host via a shell, or at the minimum, command execution.
LaZagne is non-interactive and can be run in even the most bare-minimum of shells. Since the focus of this article is the standalone Windows PE, let’s go ahead and have a look at some of the options.
There are a lot of available modules here. In order to gather Wi-Fi or Windows credentials, we’ll need to run as administrator, but even without administrator access, we can still gather up some passwords.
We could specify which module we want to use, but LaZagne includes a convenient all option. Obviously, I want all the passwords I can get my hands on, so I’ll be using LaZagne with the all option.
Looks like we collected quite a few credentials. Another interesting feature of LaZagne is a rudimentary brute-forcing capability. If LaZagne is passed a wordlist, it will attempt to brute-force Mozilla master passwords, system hashes, etc. To pass a dictionary file, simply add the path argument.
lazagne all -path wordlist.txt
That’s all there is to it!
Step 3: Defend Against the Attack
As you can see, it only took a moment to pull several passwords. This tool shows how important it is to use secure passwords and to never reuse passwords in other accounts whenever possible. An attacker gaining access to one of your passwords shouldn’t mean they have access to all of your accounts.
Since this tool exists as part of a post-exploit framework, you can expect it to pop up in other tools as an effective way of burrowing into a user’s system or life. To defend against it, it’s best to ensure your antivirus is up to date, as one of our Null Byte users reports it’s almost instantly detected by most antivirus programs. You must be an administrator to dump Windows hashes, so limiting access to admin accounts can also help.
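The invocations shown in this article also leave a recognizable process-creation footprint that defenders can alert on. The Python below is an added example, not code from the article or from the LaZagne project; it triages constructed process-creation records, and the record field names, the sample events, and every module name other than all are assumptions.

```python
from pathlib import PureWindowsPath

# "all" and "-path" come from the article; the other module names are assumed
# from LaZagne's category names and should be checked against the build in use.
MODULES = {"all", "browsers", "chats", "databases", "games", "mails",
           "sysadmin", "wifi", "windows"}

# Constructed process-creation records (fields modeled on Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": r"C:\Users\jdoe\Downloads\laZagne.exe",
     "cmdline": "laZagne.exe all", "elevated": False},
    {"host": "WS-022", "image": r"C:\Windows\Temp\updater.exe",
     "cmdline": r"updater.exe all -path C:\Windows\Temp\wordlist.txt",
     "elevated": True},
    {"host": "WS-030", "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig /all", "elevated": False},
]


def reasons_for(event):
    """Return the indicators that one process-creation record matches."""
    reasons = []
    if PureWindowsPath(event["image"]).name.lower() == "lazagne.exe":
        reasons.append("binary-name")
    # Whitespace split is enough for these samples; quoted paths need a real parser.
    args = [a.lower() for a in event["cmdline"].split()[1:]]
    if args and args[0] in MODULES:
        reasons.append("module-argument")
    if "-path" in args:
        reasons.append("wordlist-argument")
    return reasons


def triage(events):
    """Alert on the known binary name, or on module + wordlist arguments
    together, which still matches when the executable has been renamed."""
    alerts = []
    for ev in events:
        r = reasons_for(ev)
        if "binary-name" in r or {"module-argument", "wordlist-argument"} <= set(r):
            # Elevated runs can reach Wi-Fi and Windows credentials: rank higher.
            alerts.append({"host": ev["host"], "reasons": r,
                           "severity": "high" if ev["elevated"] else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Argument-shape matching is a heuristic and will produce false positives for unrelated tools that take the same arguments, so treat it as a triage signal alongside antivirus detections rather than a verdict.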
Future Growth & Applications
This tool is a piece of cake to work with, and it gets results, extracting passwords from web applications that have been saved in browsers as well as databases, email accounts, wireless configurations, and chat clients. The modular design means that adding your own targets to this utility shouldn’t be too difficult.
This is a tool I’d personally like to see expanded to cover even more applications, and I expect it will if development stays steady. I’m excited to see where it goes!
If you have any questions or comments, you can post away here, or you can also reach me on Twitter at @0xBarrow. As always, follow us on social media for more tips and tricks!