Disclaimer: Do Not Use this program for illegal purposes!
LaZagne (https://github.com/AlessandroZ/LaZagne) uses an internal Windows API called CryptUnprotectData to decrypt user passwords. This API must be called from within the victim user's session; otherwise it does not work. If the computer has not been started (for example when the analysis is performed on an offline mounted disk), or if we do not want to drop a binary on the remote host, no passwords can be retrieved.
LaZagneForensic was created to work around this limitation. This work has been mainly inspired by the awesome work done by Jean-Michel Picod for DPAPICK and by Francesco Picasso for Windows DPAPI laboratory (https://github.com/dfirfpi/dpapilab).
Note: The main limitation is that the user's Windows password is needed to decrypt these stored passwords.
git clone https://github.com/AlessandroZ/LaZagneForensic && cd LaZagneForensic
pip install -r requirements.txt
pip install pycrypto pytz
First way - Dump configuration files from the remote host
Using the Python script
Launch LaZagneForensic with the user's Windows password, if you have it
python laZagneForensic.py all -remote /tmp/dump -password 'ZapataVive'
Launch LaZagneForensic without the password
python laZagneForensic.py all -remote /tmp/dump