
LaZagne – An open source application used to retrieve lots of passwords - TodWhinch
https://github.com/AlessandroZ/LaZagne
======
ben174
Accepting pull requests? I can think of a couple of pieces of software I could
contribute to the discoveries.

------
infinitone
Combine this with USBdriveby, and it's just too easy.

~~~
swah
How do you mean this? Make USBdriveby download LaZagne from the internet, run
it and send the output somewhere?

~~~
echocage
Or just stick it into a usb, run LaZagne that's on the flash drive, then pull
the flash drive out and walk away.

~~~
toomuchtodo
Huh, I was thinking someone could buy up a ton of cheap usb sticks, load this
on there, have it autorun, and then have the payload sent to a server over
HTTPS in AWS (who is going to block HTTPS traffic to AWS? everyone runs out of
there) that would catch it and notify the attacker via webhook.

Then go sprinkle them around the SFBA.

~~~
j_s
Sorry for my ignorance... how does anything auto-run anymore?

~~~
GaiusCoffee
USBdriveby emulates a keyboard that types commands at inhuman speeds, and
since keyboards are plug and play... you can probably guess what happens next
;)

~~~
swah
The thing is, only keyboards and mice run without any confirmation. Pendrives
normally open an explorer/finder window etc., no?

~~~
SnacksOnAPlane
I think the point is that this is a USB drive that looks to the computer like
a keyboard, so it will run without confirmation.

------
ocdtrekkie
This is pretty nifty. Obviously there's a lot of malicious uses for this, but
as someone who supports a lot of seniors with near inability to remember
passwords, this sort of thing has a practical use.

~~~
dragonwriter
Passwords which can be recovered with a tool by someone other than the user to
whom they belong, and passwords which tend to be forgotten by the user to whom
they belong, are two different failures of the whole function of passwords.

It's true that the first failure can be used to mitigate some of the visible
harm of the second, but any place that features a coincidence of the two
failures really should be taken as a particularly strong sign that, in that
place, _passwords of the type used are entirely the wrong tool for the job_.

~~~
ocdtrekkie
Sure, dragonwriter, I'm not contesting that. But I live in the "real world",
and this is a real world tool that will help me help users who, whether you
like it or not, fail at technology.

~~~
JoshTriplett
Do the users you're supporting set up accounts themselves, or do you set up
accounts for them?

~~~
ocdtrekkie
Usually the former.

------
zephyrus1985
Does this integrate Mimikatz to pull hashes?

------
desuvader
Holy moly. Looks like I have some cleanup to do :|

