Credentials Recovery: The LaZagne Project

ID N0WHERE:27457
Type n0where
Reporter N0where
Modified 2017-09-20T04:12:37


The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software.

Credentials Recovery lazagne Credentials Recovery Credentials Recovery


  • Launch all modules
    • cmd: laZagne.exe all
  • Launch a specific module
    • cmd: laZagne.exe
    • example: laZagne.exe browsers
    • help: laZagne.exe -h
  • Launch a specific software script
    • cmd: laZagne.exe
    • example: laZagne.exe browsers -f
    • help: laZagne.exe browsers -h
  • Write all passwords to a file (-w options)
    • cmd: laZagne.exe all -w

Supported software

  • Windows

(tested on Windows XP, 7 and 8 – 32 and 64 bits)

* ** browsers **
  * firefox 
  * chrome 
  * opera 
  * ie 
* ** chats **
  * skype 
  * pidgin 
  * jitsi 
* ** mails **
  * thunderbird 
  * outlook 
* ** adminsys **
  * filezilla 
  * puttycm 
  * winscp 
  * cyberduck 
  * coreFTP 
  * FTPNavigator 
* ** database **
  * sqldeveloper 
  * squirrel 
  * dbvisualizer 
* ** svn **
  * tortoise 
* ** wifi **
  * Wireless Network Password (Windows mechanism) 
* ** windows credentials **
  * Domain visible network (.Net Passport) 
  * Generic network credentials
  • Linux

    • browsers
    • firefox
    • opera
    • chats
    • pidgin
    • jitsi
    • mails
    • thunderbird
    • adminsys
    • filezilla
    • environment variables
    • database
    • sqldeveloper
    • squirrel
    • dbvisualizer
    • wifi
    • network manager
    • wallet
    • gnome keyring

User impersonnation

When laZagne is launched with admin privileges (UAC bypassed) or System, it manages to retrieve passwords from other users. It uses two ways to do that:

  • If a process from another user is launched (using runas or if many users are connected to the same host), it manages to steal a process token to launch laZagne with its privileges (this is the best way). It could retrieve passwords stored encrypted with the Windows API.
  • If no process has been launched but other user exists (visible on the file system in C:\Users…), it browses the file system in order to retrieve passwords from these users. However, it could not retrieve passwords encrypted with the Windows API (we have to be on the same context as the user to decrypt these passwords). Only few passwords could be retrieved (Firefox, Jitsi, Dbvis, etc.).

Build Your Own Credentials Recovery Script

It’s possible to write your own script for the software of your choice. Building your own module has become extremely easy.

To do that, some code standards are to be met:

  • Create a class using the name of the software containing 2 importants functions:
    • init: used to define all arguments used to launch the class.
    • run: will be the main function
  • Add on the file your class name and your import
  • The run function has to return an array of dictionnaries
    • ex: [{“Username”: “emiliano”, “Password”:”ZapaTa”, “URL”: “ “}]
  • Optional: you could use the function “print_debug” to print your output
    • ex: print_debug(“ERROR”, “Failed to load …”)
  • Use an existing script to understand what I have said 🙂


To compile the source code, some external libraries are required.

Credentials Recovery: The LaZagne Project