metasploit-payloads/c/meterpreter/source/extensions/priv/server/ntds_jet.h

#ifndef _METERPRETER_SOURCE_EXTENSION_PRIV_PRIV_SERVER_NTDS_JET_H
#define _METERPRETER_SOURCE_EXTENSION_PRIV_PRIV_SERVER_NTDS_JET_H
#include <esent.h>
#pragma comment(lib, "esent")

/*! @brief Typedef for the jetState struct. */
struct jetState{
	TCHAR ntdsPath[255];
	JET_INSTANCE jetEngine;
	JET_SESID jetSession;
	JET_DBID jetDatabase;
	JET_TABLEID jetTable;
};

/*! @brief Typedef for the ntdsColumns struct. */
struct ntdsColumns{
	JET_COLUMNDEF accountName;
	JET_COLUMNDEF accountType;
	JET_COLUMNDEF accountExpiry;
	JET_COLUMNDEF accountDescription;
	JET_COLUMNDEF accountControl;
	JET_COLUMNDEF encryptionKey;
	JET_COLUMNDEF lastLogon;
	JET_COLUMNDEF lastPasswordChange;
	JET_COLUMNDEF lmHash;
	JET_COLUMNDEF lmHistory;
	JET_COLUMNDEF logonCount;
	JET_COLUMNDEF ntHash;
	JET_COLUMNDEF ntHistory;
	JET_COLUMNDEF accountSID;
};

#define ACCOUNT_NAME_SIZE 128
#define ACCOUNT_DESC_SIZE 1024

/*! @brief Typedef for the ntdsAccount struct. */
struct ntdsAccount{
	char accountName[ACCOUNT_NAME_SIZE];
	char accountDescription[ACCOUNT_DESC_SIZE];
	DWORD accountRID;
	BOOL accountDisabled;
	BOOL accountLocked;
	BOOL noPassword;
	BOOL passNoExpire;
	BOOL passExpired;
	int logonCount;
	int numNTHistory;
	int numLMHistory;
	char expiryDate[30];
	char logonDate[30];
	char logonTime[30];
	char passChangeDate[30];
	char passChangeTime[30];
	char lmHash[33];
	char ntHash[33];
	char lmHistory[792];
	char ntHistory[792];
	unsigned char accountSID[28];
};


// UserAccountControl Flags
#define NTDS_ACCOUNT_DISABLED         0x00000002
#define NTDS_ACCOUNT_LOCKED           0x00000010
#define NTDS_ACCOUNT_NO_PASS          0x00000020
#define NTDS_ACCOUNT_PASS_NO_EXPIRE   0x00010000
#define NTDS_ACCOUNT_PASS_EXPIRED     0x00800000

JET_ERR engine_shutdown(struct jetState *ntdsState);
JET_ERR engine_startup(struct jetState *ntdsState);
JET_ERR find_first(struct jetState *ntdsState);
JET_ERR get_column_info(struct jetState *ntdsState, struct ntdsColumns *accountColumns);
JET_ERR get_PEK(struct jetState *ntdsState, struct ntdsColumns *accountColumns, struct encryptedPEK *pekEncrypted);
JET_ERR next_user(struct jetState *ntdsState, struct ntdsColumns *accountColumns);
JET_ERR open_database(struct jetState *ntdsState);
JET_ERR read_user(struct jetState *ntdsState, struct ntdsColumns *accountColumns, struct decryptedPEK *pekDecrypted, struct ntdsAccount *userAccount);
JET_ERR read_table(struct jetState *ntdsState, struct ntdsColumns *accountColumns, struct decryptedPEK *pekDecrypted);
JET_ERR read_user_hash_history(struct jetState *ntdsState, struct ntdsColumns *accountColumns, struct decryptedPEK *pekDecrypted, struct ntdsAccount *userAccount);
JET_ERR read_user_lm_hash(struct jetState *ntdsState, struct ntdsColumns *accountColumns, struct decryptedPEK *pekDecrypted, struct ntdsAccount *userAccount);
JET_ERR read_user_nt_hash(struct jetState *ntdsState, struct ntdsColumns *accountColumns, struct decryptedPEK *pekDecrypted, struct ntdsAccount *userAccount);
JET_ERR read_user_dates(struct jetState *ntdsState, struct ntdsColumns *accountColumns, struct decryptedPEK *pekDecrypted, struct ntdsAccount *userAccount);
void get_instance_name(char *name);
#endif
start migrating ntds code in moving the code chunks from the poc into the actual meterp project 2015-04-22 16:03:30 -05:00			`#ifndef _METERPRETER_SOURCE_EXTENSION_PRIV_PRIV_SERVER_NTDS_JET_H`
			`#define _METERPRETER_SOURCE_EXTENSION_PRIV_PRIV_SERVER_NTDS_JET_H`
			`#include <esent.h>`
			`#pragma comment(lib, "esent")`

add doxygen to new code added doygen style comments to the new NTDS functions and typedefs as requested by OJ. MSP-12356 2015-05-05 13:32:32 -05:00			`/! @brief Typedef for the jetState struct. /`
un typedef structs bcook says to not typedef structs and just use them as raw structs, so i have made that conversion here MSP-12356 2015-05-06 11:24:06 -05:00			`struct jetState{`
start migrating ntds code in moving the code chunks from the poc into the actual meterp project 2015-04-22 16:03:30 -05:00			`TCHAR ntdsPath[255];`
			`JET_INSTANCE jetEngine;`
			`JET_SESID jetSession;`
			`JET_DBID jetDatabase;`
			`JET_TABLEID jetTable;`
un typedef structs bcook says to not typedef structs and just use them as raw structs, so i have made that conversion here MSP-12356 2015-05-06 11:24:06 -05:00			`};`
start migrating ntds code in moving the code chunks from the poc into the actual meterp project 2015-04-22 16:03:30 -05:00
add doxygen to new code added doygen style comments to the new NTDS functions and typedefs as requested by OJ. MSP-12356 2015-05-05 13:32:32 -05:00			`/! @brief Typedef for the ntdsColumns struct. /`
un typedef structs bcook says to not typedef structs and just use them as raw structs, so i have made that conversion here MSP-12356 2015-05-06 11:24:06 -05:00			`struct ntdsColumns{`
start migrating ntds code in moving the code chunks from the poc into the actual meterp project 2015-04-22 16:03:30 -05:00			`JET_COLUMNDEF accountName;`
			`JET_COLUMNDEF accountType;`
			`JET_COLUMNDEF accountExpiry;`
			`JET_COLUMNDEF accountDescription;`
			`JET_COLUMNDEF accountControl;`
			`JET_COLUMNDEF encryptionKey;`
			`JET_COLUMNDEF lastLogon;`
			`JET_COLUMNDEF lastPasswordChange;`
			`JET_COLUMNDEF lmHash;`
			`JET_COLUMNDEF lmHistory;`
			`JET_COLUMNDEF logonCount;`
			`JET_COLUMNDEF ntHash;`
			`JET_COLUMNDEF ntHistory;`
			`JET_COLUMNDEF accountSID;`
un typedef structs bcook says to not typedef structs and just use them as raw structs, so i have made that conversion here MSP-12356 2015-05-06 11:24:06 -05:00			`};`
start migrating ntds code in moving the code chunks from the poc into the actual meterp project 2015-04-22 16:03:30 -05:00
free utf8 conversion strings and avoid non-null terminated values 2015-06-04 09:00:24 -05:00			`#define ACCOUNT_NAME_SIZE 128`
			`#define ACCOUNT_DESC_SIZE 1024`

add doxygen to new code added doygen style comments to the new NTDS functions and typedefs as requested by OJ. MSP-12356 2015-05-05 13:32:32 -05:00			`/! @brief Typedef for the ntdsAccount struct. /`
un typedef structs bcook says to not typedef structs and just use them as raw structs, so i have made that conversion here MSP-12356 2015-05-06 11:24:06 -05:00			`struct ntdsAccount{`
free utf8 conversion strings and avoid non-null terminated values 2015-06-04 09:00:24 -05:00			`char accountName[ACCOUNT_NAME_SIZE];`
			`char accountDescription[ACCOUNT_DESC_SIZE];`
start migrating ntds code in moving the code chunks from the poc into the actual meterp project 2015-04-22 16:03:30 -05:00			`DWORD accountRID;`
			`BOOL accountDisabled;`
			`BOOL accountLocked;`
			`BOOL noPassword;`
			`BOOL passNoExpire;`
			`BOOL passExpired;`
			`int logonCount;`
			`int numNTHistory;`
			`int numLMHistory;`
			`char expiryDate[30];`
			`char logonDate[30];`
			`char logonTime[30];`
			`char passChangeDate[30];`
			`char passChangeTime[30];`
			`char lmHash[33];`
			`char ntHash[33];`
			`char lmHistory[792];`
			`char ntHistory[792];`
use all unicode for ntds account struct force convert account name and description to unicode for transport over the wire MSP-12356 2015-06-02 12:35:30 -05:00			`unsigned char accountSID[28];`
un typedef structs bcook says to not typedef structs and just use them as raw structs, so i have made that conversion here MSP-12356 2015-05-06 11:24:06 -05:00			`};`
start migrating ntds code in moving the code chunks from the poc into the actual meterp project 2015-04-22 16:03:30 -05:00

			`// UserAccountControl Flags`
			`#define NTDS_ACCOUNT_DISABLED 0x00000002`
			`#define NTDS_ACCOUNT_LOCKED 0x00000010`
			`#define NTDS_ACCOUNT_NO_PASS 0x00000020`
			`#define NTDS_ACCOUNT_PASS_NO_EXPIRE 0x00010000`
			`#define NTDS_ACCOUNT_PASS_EXPIRED 0x00800000`

un typedef structs bcook says to not typedef structs and just use them as raw structs, so i have made that conversion here MSP-12356 2015-05-06 11:24:06 -05:00			`JET_ERR engine_shutdown(struct jetState *ntdsState);`
			`JET_ERR engine_startup(struct jetState *ntdsState);`
			`JET_ERR find_first(struct jetState *ntdsState);`
			`JET_ERR get_column_info(struct jetState ntdsState, struct ntdsColumns accountColumns);`
			`JET_ERR get_PEK(struct jetState ntdsState, struct ntdsColumns accountColumns, struct encryptedPEK *pekEncrypted);`
			`JET_ERR next_user(struct jetState ntdsState, struct ntdsColumns accountColumns);`
			`JET_ERR open_database(struct jetState *ntdsState);`
			`JET_ERR read_user(struct jetState ntdsState, struct ntdsColumns accountColumns, struct decryptedPEK pekDecrypted, struct ntdsAccount userAccount);`
			`JET_ERR read_table(struct jetState ntdsState, struct ntdsColumns accountColumns, struct decryptedPEK *pekDecrypted);`
split off hash history reading moved the hash history read into a seperate sub function to make it easier to read MSP-12356 2015-05-06 13:20:21 -05:00			`JET_ERR read_user_hash_history(struct jetState ntdsState, struct ntdsColumns accountColumns, struct decryptedPEK pekDecrypted, struct ntdsAccount userAccount);`
split off hash reading functions moved the reading o the nt and lm hash records into seperate sub functions. more cleanup/readability work MSP-12356 2015-05-06 13:30:44 -05:00			`JET_ERR read_user_lm_hash(struct jetState ntdsState, struct ntdsColumns accountColumns, struct decryptedPEK pekDecrypted, struct ntdsAccount userAccount);`
			`JET_ERR read_user_nt_hash(struct jetState ntdsState, struct ntdsColumns accountColumns, struct decryptedPEK pekDecrypted, struct ntdsAccount userAccount);`
more cleanup/split up split the date stuff up into their own subfunction tooo MSP-12356 2015-05-06 14:00:15 -05:00			`JET_ERR read_user_dates(struct jetState ntdsState, struct ntdsColumns accountColumns, struct decryptedPEK pekDecrypted, struct ntdsAccount userAccount);`
make jet instance name unique use date and time to make sure the Jet Instance name is unique. Hasn't actually solved our issue, but that name is supposed to be unique anyways. MSP-12356 2015-05-07 12:39:46 -05:00			`void get_instance_name(char *name);`
logon names can actually be up to 104 characters practical limit is 64, this gives us margin 2015-06-04 08:53:09 -05:00			`#endif`